<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

SOC 2 Team | Roles & Responsibilities

StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

Are you ready to pursue your SOC 2 certification - either Type 1 or Type 2?

One of the most critical steps is selecting members to lead the initiative. Many organizations start planning for SOC 2 thinking they can delegate responsibilities solely to members of the IT and information security staff.

Although members of those teams will play a big part in the process, your core SOC 2 team will also include HR, legal and other business units as well. This blog will help you understand your core SOC 2 team and how to build it.

🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.

SOC 2 Team Essential Positions & Responsibilities

Executive Sponsor

Ultimately, this person must be able to answer why the organization is pursuing SOC 2. This person must also be able to understand and continuously explain why, for example, next year's revenue depends on completing SOC 2. It will also help if this individual had some experience with risk management. If you have a particularly complex organization, your executive sponsor will have a lot of work to do.

Project Manager

This person will help drive the SOC 2 effort and manage the day-to-day responsibilities of gathering information, scheduling resources, etc. Your project manager doesn't necessarily need to fully understand the requirements for SOC 2 certification or have compliance expertise, but they need to be good at getting tasks completed across the organization.

Primary Author

You need someone senior in the primary author position who can handle some quasi-legal technical writing. This person also needs to understand the business and operations, otherwise, that person will be ineffective when interviewing other teams, thus slowing down your entire SOC 2 progress.

Legal

As you begin creating and refining policies, ask your legal team for input early in the process. They will also play an important part in working with your business partners and third-party vendors when contracts need to be updated. Your legal team’s counsel and support of your audit will be an ongoing need even after the initial audit is finished, as you will continually tune your documentation year over year.

IT/Security

Your security and technology teams will have a large volume of technical functionality that needs to be conceptualized, built, and proven during an audit. This is high-intensity work, and much of it revolves around making sure your organization can detect and respond to a security incident. Coming out of the audit, you will likely need to purchase additional tools, such as an intrusion detection system. And you may need to change the way your organization controls physical access to your office building or data center. Thus, you may need to hire additional security and technology resources to help these teams shoulder the workload due to the sheer volume of items that are required during and after the audit.

External consultant (optional)

If your organization or team is new to SOC 2, it might make sense to also hire a third-party consultant to help guide you through the process. This consultant, likely a CPA (Certified Public Accountants), will bring a broad range of expertise to your audit and have extensive knowledge of the Trust Services Principles (renamed to Trust Services Criteria in 2018). The Trust Service Principles, defined by the AICPA (American Institute of CPAs), include security, availability, processing integrity, confidentiality, and privacy. The consultant will help you figure out which principles apply to the scope of your audit and how any of your organization’s compliance requirements, such as PCI or HIPAA, incorporate into SOC 2. Once you receive the SOC reports from your auditing firm, the consultant can help you interpret the changes that need to be made to each specific internal control.

Also, keep in mind that although your other employees aren’t officially part of your team, treat them as auxiliary members. They will be significantly affected by the changes you make during the SOC 2 initiative. Specifically, the new policies and procedures you create will change the way they work, particularly around the processing integrity of sensitive data such as customer data and personal information. For example, SOC 2 requires that service providers have fairly strict password requirements, which may prompt you to install a password management system. Learning and using this new password system will create more work for your users - at least initially. Be prepared for some pushback, and ensure your SOC 2 team is ready to handle questions and criticism.

Don't Panic

If you read the team requirements above and now feel completely overwhelmed, don’t panic. You might find that the skills you need for SOC 2 might already exist in your organization - within one person or many. For example, you can’t start the project without an executive sponsor, project manager, and writer - but it could be that your executive sponsor and project manager are the same people. Additionally, that person might be in the security department, so they will bring some security know-how to the table as well. At the end of the day, the leadership team can come from any department. But their expertise in that department is separate from the responsibilities they hold on the SOC 2 team.

SOC 2 Team Workload & Timelines

As far as the amount of work to expect for your SOC 2 team, it mostly depends on your organization’s current configuration and history. For example, if you have been through three acquisitions and had to merge complex legacy infrastructures, be prepared for your technical team and your technology leader to do a larger share of the work. But on the flip side, if you have a global team with multiple offices, your executive sponsor is going to have a substantial amount of work selling the SOC 2 initiative and securing buy-in.

In addition to understanding the workload balance between departments, you need to set realistic timelines for each team’s tasks. Typically, your legal and HR teams should be able to handle the workload on their own, but you should expect longer lead times for certain items, such as updating legal contracts. On the other hand, the IT and security teams may be able to churn through their workload faster, but due to the larger volume of tasks, you may need to support them with extra temporary staffing help from leading staffing agencies.

Picking a great team is your first big step towards SOC certification. The members you select will need to work hard and wear many different hats, but with the right combination of organization and determination, your team will be on its way to a successful audit.

Looking for more resources on SOC 2? Check out Comply, a free resource center for SOC 2 certification.

To learn more on how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

logo
💙 this post?
Then get all that strongDM goodness, right in your inbox.

You May Also Like

ISO 27001 vs SOC 2
ISO 27001 vs. SOC 2: Understanding the Difference
SOC 2 and ISO 27001 both provide companies with strategic frameworks and standards to measure their security controls and systems against. But what’s the difference between SOC 2 vs. ISO 27001? In this article, we’ll provide an ISO 27001 and SOC 2 comparison, including what they are, what they have in common, which one is right for you, and how you can use these certifications to improve your overall cybersecurity posture.
Answering auditor questions in a SOC 2 review
Answering Auditors’ Questions in a SOC 2 Review
We recently completed our own SOC 2 audit, so we thought we’d review how we dogfooded our own product. We’ll share tips and tricks to make the audit process a little easier, whether you’re wrapping up your own or about to dive into the coming year’s audit. Here are the questions auditors asked us during our own SOC 2 audit and the commands and strongDM tooling we used to gather the evidence they requested.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.