Despite what some believe, the SOC and ISO standards were not created to have companies implement nonsensical business and security control practices. They are frameworks for good practices that support the company's objectives. For SOC 2 in particular, a large portion of the criteria are explicitly stated as "to support the system objectives".
Although it's often referred to as "compliance", the key difference between these optional standards and regulations is that regulations are mandatory rules, and they often restrict business activities. Optional standards are designed to enable business opportunities by supporting the company's long-term objectives and demonstrating your good practices to customers.
How do you put together your control framework?
Even in early-stage tech startups, many of the "controls" necessary for SOC and ISO already exist in some form. They are intuitive needs of a business, and the frameworks simply formalise those requirements. If you've undergone any form of due diligence or security questionnaires, it has likely prompted you to implement some of the controls that are less intuitive to early-stage businesses, like business continuity and disaster recovery plans, or security event monitoring.
'The controls exist in some form; it's about piecing them together'
When headcount and the customer base are small, there's less need for formal processes and checks. This need grows over time. SOC and ISO standards fast-track that, whilst still enabling a "fit-for-purpose" approach to your company.
Piecing together a control framework is simply identifying what you already do and formalising it. Putting it into written terms provides clarity to the business and gives a holistic way of viewing your control practices and whether they address all the risks and requirements relevant to your business. By doing so, you may identify gaps. Our Readiness Assessment solution automates this process for you, with a focus on SOC and ISO standards.
Where do the control frameworks fail in practice?
Controls fail for two main reasons: people simply do not know the controls exist, or they do not know how to execute them properly.
This can happen for a number of reasons, but the same underlying issues plague large and small companies alike. When creating and implementing controls, ownership, clarity, and knowledge are key to having the controls implemented and operating successfully. As businesses scale and people and operations change, information tends to get lost in the shuffle.
That's why it's important to have a clearly documented control framework, with assigned ownership and supporting information that empowers the owner responsible for each area.
How do you maintain a control framework?
Controls should be tested in line with the risk they are trying to mitigate: the higher the risk, the more frequent the testing.
Proper testing of controls can identify where controls need to be updated or modified to address new risks, and can assess the knowledge of the personnel who own and operate them, confirming that proper training has taken place. As companies grow and scale, the controls in place need to scale and grow as well in order to mitigate risks effectively.
Some businesses manage this process through a simple quarterly or annual review process to look over the control framework as a management team and revise it as needed. On the other end of the scale, some have audit teams and independent review functions that formally test each of the controls and report to management or even the Board.
If you subscribe to SOC or ISO standards, it adds that independent testing function to help maintain and improve your control framework over time. It also provides the report that you can share with customers.
The SOC 2 Perspective
The Control Framework is an overarching means of supporting all of the control practices within SOC 2. However, it also directly supports 4 of the individual criteria (out of the total 33 common criteria), in the Monitoring of Controls and Control Activities sections.
COSO Principle 16 (Common Criteria 4.1): The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
COSO Principle 17 (Common Criteria 4.2): The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
COSO Principle 10 (Common Criteria 5.1): The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
COSO Principle 11 (Common Criteria 5.2): The entity also selects and develops general control activities over technology to support the achievement of objectives.
AssuranceLab's Best Practices Series
AssuranceLab's best practices series is about highlighting the "real operational benefits" that come from effective control practices. At best, they support your company culture, provide structure and clarity, and enable scalable growth. At worst, they tick the box of what your customers expect, reduce reactive "firefighting" and time-wasting, and help you demonstrate your compliance with leading standards like SOC 1, SOC 2 and ISO 27001.