If your organization currently serves, or is seeking to serve, cloud products or solutions to a federal agency, then you already know you must undergo a Federal Risk and Authorization Management Program (FedRAMP) assessment. The experts at A-LIGN have put together a comprehensive FedRAMP Authorization guide to help you prepare for the assessment.
Created in 2011, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services relied upon by federal entities that store, process, and transmit federal information. The goal of FedRAMP is to provide a set of agreed-upon standards to be used for cloud product approval.
Once you’ve secured agency sponsorship and developed a System Security Plan (SSP) based on your defined categorization level (Low, Moderate, or High), it’s time to work with a FedRAMP 3PAO to perform your Security Assessment. That’s where A-LIGN comes in. A-LIGN is an accredited FedRAMP 3PAO (third-party assessment organization) and one of the top 3 FedRAMP assessors in the world.
Here is a look at the step-by-step process you’ll need to complete to earn FedRAMP authorization with A-LIGN.
Before you begin
This article is intended for companies that have already secured a sponsor and developed an SSP. If you haven’t yet done that, we recommend you take some time to research the FedRAMP process and potentially conduct a FedRAMP readiness assessment.
Research
At A-LIGN, we recommend organizations review the following materials to ensure they have a baseline level of knowledge to help prepare for the FedRAMP assessment process:
- Everything You Need to Know About FedRAMP
- 3 Tips to Prepare for FedRAMP Authorization
- FedRAMP: Understanding the Fundamentals (FAQ)
- FedRAMP for Cloud Service Providers – Top 4 Questions Answered
- CSP Authorization Playbook: Getting Started with FedRAMP
- FedRAMP Security Controls Baseline
- FedRAMP Marketplace Designations for Cloud Service Providers
- FedRAMP Initial Authorization Package Checklist

Readiness assessment
Organizations that are already familiar with the NIST SP 800-53 controls and have been through a FISMA authorization can jump right into the FedRAMP process. If you are not familiar with FISMA or FedRAMP, and have never written a system security plan, we recommend that you perform a FedRAMP readiness assessment, or gap assessment, to determine your level of readiness for the 3PAO assessment.
A-LIGN can conduct a readiness assessment for you, in which we will review your environment and determine if it is technically capable of meeting FedRAMP requirements. This is a great way to get a pulse on your current environment before investing time and resources into a full assessment.
Step 1. Pre-assessment review (1-4 weeks)
If you are ready for an official assessment and have signed a contract with A-LIGN, then we’ll kick off our work with a pre-assessment review phase. During this phase, you will finalize the Cloud Service Offering System Security Plan — which you previously developed — and provide the SSP package (including all attachments) to A-LIGN for review.
We will use that information to perform a FedRAMP Pre-Assessment Review, during which we confirm we have everything we need to proceed with the assessment without delays. Keep in mind that the quality of the review depends on the accuracy and completeness of the information you provide; the more complete the package, the fewer surprises later.
Once the review is complete and we have determined you are ready for the FedRAMP assessment, we will schedule a kick-off meeting between your team and ours to plan out the full assessment.
Step 2. Planning activities (4 weeks)
After the Pre-Assessment Review phase, you will need to submit responses to the initial Information Request List (IRL) that A-LIGN provides. While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include:
- An Authority to Test (ATT), which is part of our penetration test planning.
- A Security Assessment Plan (SAP).

Step 3. Assessment activities (7 weeks)
This is the longest phase of the FedRAMP process and consists of fieldwork. The fieldwork is split into phases where we interview members of your team about your cloud service offering and the security controls implemented and review the evidence confirming the proper implementation of FedRAMP security requirements. Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. It’s important to plan ahead, so we can stay on schedule throughout the assessment process and avoid delays.
We will also conduct a penetration test at this time. The penetration test is required for all FedRAMP Authorization assessments for Moderate and High impact systems. Although the penetration test is not a requirement for FedRAMP Ready assessments, it is recommended as a safety net to eliminate any surprises we may encounter during the actual authorization testing.
Once we conduct the penetration test and get through a majority of the evidence review, we will analyze and discuss the findings with your team via a draft risk exposure table (RET). Once that draft RET is provided to your team, you can create a plan of action and milestones (POA&M) to remediate these issues.
Step 4. Reporting activities (5 weeks)
Upon completion of our full evidence review and penetration test, and of any remediation you perform to correct the findings in the draft RET, we will provide a draft Security Assessment Report (SAR) and penetration test report for your review.
After the remediation period, and before the report is finalized, we will walk through the findings with your team. Once the final report is complete, it is sent to your Sponsor, who reviews the SSP and the SAR together.
Step 5. Sponsor issues authority to operate (2-3 weeks)
After the Sponsor completes their review, the Sponsor will issue an ATO and the FedRAMP Authorization Package will be sent to FedRAMP for review. Once FedRAMP’s review is complete, your cloud service offering receives its official designation as FedRAMP Authorized and is listed as “Authorized” on the FedRAMP Marketplace.
Step 6. Maintain authorization
It’s important to remember that FedRAMP authorization is not a set-it-and-forget-it process. To maintain authorization you must complete an annual assessment and meet FedRAMP’s continuous monitoring requirements with your Sponsor.
The A-LIGN team can provide annual assessments (including penetration testing, control assessments, systems scanning, and more) to ensure your cloud solution offering maintains FedRAMP compliance.
We can also conduct one-off assessments to ensure compliance after your organization undergoes major changes (like an acquisition). During a “Significant Change Request Assessment,” we will review and assess any significant changes that may impact your compliance with FedRAMP requirements.
Get Started with A-LIGN
At A-LIGN, we are one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.
Contact A-LIGN today to learn more about our FedRAMP services.
There are four baselines, or impact levels, of FedRAMP authorization: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High. The levels differ in the number of security controls that make up each baseline.
The majority of FedRAMP-authorized organizations pursue Moderate authorization. But today, more and more cloud service providers (CSPs) are looking to move from their Moderate authorization to a High authorization. This higher authorization allows organizations to work with government entities that require more stringent protocols to protect the Federal government’s most sensitive unclassified data.
Along with opening the door to more business opportunities, higher impact levels can make an organization look more attractive to clients. A higher impact level highlights an organization’s stringent adherence to specific cybersecurity controls, which can provide an extra level of reassurance for clients.
Here’s how organizations can move from the Moderate impact level to the High impact level.
FedRAMP Impact Levels Explained
The Federal Risk and Authorization Management Program, or FedRAMP, is the U.S. Federal government’s standardized approach to securing the cloud services that its agencies use. FedRAMP grants authorizations at four impact levels: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High. Each level has a different control baseline:
- Low Impact SaaS (FedRAMP Tailored or LI-SaaS): LI-SaaS is a subset of the Low baseline and typically includes at least 50 controls to be independently assessed. This tailored baseline is for SaaS applications that do not store personally identifiable information beyond what is required for login, such as usernames and passwords. A loss of confidentiality for a system at this level would have only a minor adverse effect.
- Low Impact Level: Low includes approximately 125 controls. A loss of confidentiality, integrity, or availability for a Low system would have only a limited adverse effect.
- Moderate Impact Level: Moderate includes approximately 325 controls. Nearly 80% of organizations that receive FedRAMP authorization fall into this category. A loss at this level would have a serious, but not catastrophic, adverse effect.
- High Impact Level: High includes approximately 425 controls. Organizations that should seek a High ATO most commonly include those operating law enforcement and emergency services systems, financial systems, and health systems. Any organization can pursue High, and should do so if a loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic effect.

The Process of Moving from FedRAMP Moderate to FedRAMP High
The process of moving impact levels is relatively straightforward and is also simpler than achieving initial FedRAMP authorization. The three main steps that organizations need to take to move up an impact level include:
- Receive approval from your sponsor. To begin the process of moving to a higher impact level, you first need permission from your sponsor. Identify a new sponsoring agency if the existing sponsor does not want to maintain sponsorship for a High authorization.
 
- Complete the Significant Change Request (SCR) Form. This document, which is published on the FedRAMP website, outlines all of the additional control requirements that would need to be met to move up an impact level. The form includes a checklist of the new controls required when changing from Moderate to High impact levels and identifies those Moderate controls that change under a High impact level.
 
- Undergo a Significant Change Assessment. Finally, an organization completes a Significant Change Assessment with a third-party assessment organization (3PAO). Where the timing allows, perform the Significant Change Assessment alongside your Annual Security Assessment for continued authorization. This reduces the audit fatigue of an out-of-cycle assessment and helps control time and cost.
 
How A-LIGN Can Help You Move from FedRAMP Moderate to FedRAMP High
Even if an organization isn’t actively handling federal data, it can still use FedRAMP’s impact levels as a baseline to evaluate cloud security standards. Moving from FedRAMP Moderate to FedRAMP High means an organization has increased the number of controls it uses to keep sensitive information secure — something that can be attractive to clients.
As an accredited 3PAO, A-LIGN is one of the top FedRAMP assessors in the world. We help organizations achieve FedRAMP Authorized and move to a higher impact level.
8 Questions to Ask Your SOC 2 Auditor Before Signing a Contract
A SOC 2 is a third-party review that attests to an organization’s ability to protect data and information. In a world where data breaches and cyberattacks are on the rise, a SOC 2 report is a valuable tool to:
- Increase insight into your organization’s security posture
- Understand opportunities for control improvements
- Position your company more competitively in your market (prospects want to ensure your organization takes security seriously)

There are a lot of vendors out there that cater to different aspects of the SOC 2 process — from software providers who help you get audit-ready to certified auditors from CPA firms who can test your environment and issue a final SOC 2 report. Ideally you will want to find a firm that can take you all the way from SOC 2 readiness to report.
Use this checklist of important questions to vet your SOC 2 auditor before signing a contract. Following this checklist will help you complete a thorough due diligence process to ensure that you partner with the right team and get the most out of your audit.
1. Are you a licensed CPA firm?
SOC 2 examinations are performed under attestation standards set by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm. This is the only way a company can receive an official SOC 2 report, so confirm that the SOC 2 vendor you are considering is a licensed CPA firm.
2. Can you provide us with a final report?
If you are considering using a SOC 2 compliance software provider, it’s important to confirm that they also provide audit services that will result in a SOC 2 report, ideally without having to shift your information to another vendor in the middle of the audit process.
As discussed above, a final report can only be issued by an auditor from a licensed CPA firm. Many SOC 2 software providers only offer a solution to assess your readiness to complete a SOC 2 audit — they cannot perform and/or issue the SOC 2 audit and report itself.
If you choose to work with a software provider, you must ensure that they also have certified auditors on-staff. Otherwise, you’ll need to sign on a secondary vendor to complete the actual audit. This is not recommended, as it leaves too much room for things to be “lost in translation” between the two entities leading to wasted resources and delayed audit and report timelines.
A-LIGN offers an end-to-end compliance solution — with a SaaS automation compliance platform to help you complete a readiness assessment and streamline the entire audit process, as well as certified auditors to produce a final report. This creates efficiencies while maintaining control of your environment.
3. Do you offer SOC 2 readiness services?
A SOC 2 readiness assessment is a valuable tool to help you understand your company’s position before completing an official audit. A readiness assessment can help you identify gaps in your cybersecurity procedures (and the severity of those gaps) that need remediation before a SOC 2 audit. This will ultimately help you save time, set priorities, and put your company in a better position to perform well during the SOC 2 audit.
Companies like A-LIGN provide readiness services via automated software — which offers easy-to-read dashboards outlining gaps and priorities, and provides tips to navigate the audit process better.
4. What is the timeline of a SOC 2 examination?
Many software providers tout they can complete a SOC 2 audit in 14 days. It’s important to clarify this statement before signing a contract. A lot of times, the two-week timeline is an estimate for an expedited evidence collection process — but evidence collection is only one step in the SOC 2 audit process and does not result in a full audit or final report.
Ask your vendor for a complete timeline and have them outline their step-by-step process for moving through the SOC 2 audit. This is essential for you to resource appropriately. It’s also crucial to know when you can expect to have a report in hand so you can properly communicate with prospects who ask about a SOC 2 report during the sales process.
5. What does the evidence collection process entail?
The evidence collection process varies significantly based on the scope of your audit. Often it can include hundreds of requests for evidence.
We recommend using compliance automation audit software to streamline the evidence collection process and organize assets. Ask your vendor if they provide software to assist in this process.
Through our partnerships with leading GRC platforms and our own integrated platform, evidence can be collected automatically through our audit management platform, A-SCEND.
Once collected, A-SCEND creates readable reports that are mapped to corresponding evidence requests from the “information request list” (provided earlier in the audit process). This helps you see what information is already collected and what else your team still needs to gather and provide.
Audit management software significantly reduces the time it takes to collect, share, and analyze evidence. With A-SCEND, this information can also be stored and re-used to help complete other audits, which delivers a harmonized audit experience that minimizes duplication and saves time and effort on your audit.
6. How many SOC 2 audits have you completed to date?
There is no substitute for experience. Choosing a seasoned SOC 2 auditor will be the difference between a fast and painless audit process that results in a reputable final report and being issued a piece of paper that no one accepts.
In addition to asking about the number of audits completed to date, you can also get a sense of a company’s experience based on the resources and information they provide about the SOC 2 process on their website. A trusted, experienced partner will be able to provide you with plenty of information to educate you about the SOC 2 process and detailed information about their services and tools.
7. In what industries do you have experience?
You’ll want to ensure your SOC 2 auditor is familiar with the ins and outs of your industry, so they understand how the SOC 2 criteria fit your organization. Plus, many elements of SOC 2 overlap with those of other necessary, industry-specific audits. If your auditor has experience in the healthcare sector, for example, they’d be familiar with the overlap between SOC 2 and HIPAA (Health Insurance Portability and Accountability Act) compliance. They may be able to offer you a SOC 2 + HIPAA combined security assessment. This would allow you to complete both audits simultaneously while saving time and resources.
8. What other services do you provide that could help as we continue to grow as a company?
SOC 2 is just one of the many important audits and assessments in the world of compliance and cybersecurity. It’s common for companies who complete a SOC 2 audit to pursue other compliance priorities as well.
Plus, as mentioned above, SOC 2 overlaps with other audit criteria. Completing a SOC 2 audit positions you well to pursue other complementary certifications. Look for a vendor that offers other audits, attestations, and assessments so you can create a long-term partnership that meets all your cybersecurity and compliance needs. It’s advantageous to build a relationship with one vendor, so as not to duplicate efforts related to evidence collection and fieldwork.
From Readiness to Report with Trusted SOC 2 Auditors
A-LIGN is a licensed CPA firm and the top issuer of SOC 2 reports in the world. We have completed more than 5,000 SOC 2 audits and employ more than 170 SOC 2 auditors located around the world.
In addition to the expertise of our auditors — and our deep experience — we also offer a compliance automation software solution. A-SCEND streamlines the evidence collection process and provides you with all of the tools you need to successfully complete a SOC 2 audit, from readiness to report.
Contact us today to learn more about A-LIGN’s SOC 2 services.
What is SOC 2? Complete Guide to SOC 2 Reports and Compliance
In today’s security landscape, it’s crucial you assure your customers and partners that you are protecting their valuable data. SOC 2 compliance is the most popular form of a cybersecurity audit, used by a growing number of organizations to prove they take cybersecurity seriously. A SOC 2 report will provide you with a competitive advantage in the marketplace while allowing you to close deals faster and win new business.
Below we provide everything you need to know about a SOC 2 audit and final report. Let’s jump in!
What is SOC 2?
A System and Organization Controls (SOC) 2 examination evaluates the controls your organization has in place to protect and secure the systems and services it provides to customers or partners. Your security posture is assessed against the requirements of the SOC 2 framework, known as the Trust Services Criteria (TSC).
What is the AICPA and why does it matter in SOC 2?
The American Institute of Certified Public Accountants (AICPA) is the governing body of the SOC framework and sets the U.S. attestation standards that auditors follow for SOC 2 examinations. When you complete the SOC 2 attestation and receive your final report, your organization can download and display the logo issued by the AICPA.
Why is SOC 2 compliance important?
It’s important for customers and partners to know that your organization will protect their data and the best way to demonstrate this is through an independent, reliable source. In today’s landscape, a SOC 2 is considered a cost of doing business because it establishes trust, drives revenue and unlocks new business opportunities. This framework is a baseline expectation for a strong security program and competitiveness in the market.
Bonus: oftentimes, a SOC 2 report is an acceptable alternative to the time-consuming, 500-question security survey!
What are the key benefits of SOC 2 compliance?
Organizations who complete a SOC 2 assessment will benefit from the following:
- Valuable insight into your security posture
- A foundation for future cybersecurity investments and initiatives
- Increased competitive positioning in the marketplace

How can a SOC 2 report help small businesses scale?
Your startup or small business will need a SOC 2 report to go upmarket and close large deals. Below are some of the benefits you will notice after earning a SOC 2 report.
- Development of strong policies and procedures
- Increased credibility with investors and partners
- A strong competitive advantage
- Saved time, money and resources on a potential data breach

Who uses a SOC 2?
Service organizations that process, store, or transmit data for their clients or partners. While SOC 2 applies to almost any organization, it’s particularly important to data centers, software-as-a-service (SaaS) companies, and managed service providers (MSPs).
Who can perform a SOC audit?
All SOC 2 audits must be completed by an external auditor from a licensed CPA firm. We recommend choosing a partner that has its own audit management platform that can drive efficiencies during your audit cycle, helping your team work smarter, not harder.
What are the SOC 2 Trust Service Criteria?
The security posture of your organization is assessed based on SOC 2 requirements, known as the Trust Services Criteria (TSC). You can decide which of the five (5) TSC you would like to include in your audit process as each category covers a different set of internal controls related to your information security program. The five TSC categories are as follows:

- Security: Comprised of 9 control families ranging from organization and management to risk assessment, to logical security and change management. This criterion is required in every SOC 2 report.

- Availability: Addresses controls related to availability and redundancy of services to meet client SLAs. The Availability Criteria is a great add-on for most organizations.

- Processing Integrity: Addresses controls related to accurate processing of customer data without corruption or unauthorized alteration. Processing Integrity is largely specific to an organization’s services and not often applicable to all organizations.

- Confidentiality: Addresses controls related to protection of data deemed confidential between an organization and its client. This extends to any data deemed confidential. The Confidentiality Criteria is a great add-on for most organizations.

- Privacy: Addresses controls related to the protection of Personally Identifiable Information (PII). This is anything that can be tied to an individual. Privacy is large and cumbersome, and only applicable to organizations that store, process, or transmit PII.

It’s worth noting that the more TSC categories you include in your audit, the broader the picture of your security posture the report provides.
What are the top policies and procedures needed for a SOC 2 audit?
To start preparing for your SOC 2 examination, begin with the 12 policies listed below. They are the most important to establish when undergoing your audit and will make the biggest impact on your security posture.
- Information Security Policy
- Access Control Policy
- Password Policy
- Change Management Policy
- Risk Assessment and Mitigation Policy
- Incident Response Policy
- Logging and Monitoring Policy
- Vendor Management Policy
- Data Classification Policy
- Acceptable Use Policy
- Information, Software and System Policy
- Business Continuity and Disaster Recovery Policy

For further details on each individual policy and procedure, visit SOC 2: The Definitive Guide.
What are SOC 2 controls?
SOC 2 controls are a collection of policies, procedures, and directives dictating the operation of an organization’s systems, ensuring the security, availability, processing integrity, confidentiality, and privacy of both company and customer data. These guidelines aid organizations in managing and safeguarding sensitive information, fostering the implementation of robust security measures and mitigating the likelihood of data breaches and ensuring adherence to regulatory mandates.
How to start a SOC 2 audit
Before starting the SOC 2 audit process, it is important that you’re well-prepared to avoid any lengthy delays or unexpected costs. Prior to beginning your SOC 2 audit, we suggest you follow the below guidelines:
- Undergo a SOC 2 readiness assessment to identify control gaps that may exist and remediate any issues
- Decide which Trust Services Criteria to include in your audit that best align with your customers’ needs
- Choose a compliance automation software tool to save time and cost. Pro tip: select a licensed CPA firm that also offers compliance automation software for an all-in-one solution and a seamless audit process that doesn’t require you to switch vendors mid-audit.

During the initial stage of the audit process, it’s important that your organization follow the below guidelines:
- Review recent changes in organizational activity (personnel, service offerings, tools, etc.)
- Create a timeline and delegate tasks (compliance automation software will make this activity much less time consuming)
- Review any prior audits to remediate any past findings
- Organize data and gather evidence ahead of fieldwork (preferably with automated evidence collection)
- Review requests and ask any questions (pro tip: choose an experienced auditing firm that’s able to answer questions throughout the entire audit process)

What is compliance automation software?
If you’re looking for SOC 2 software, compliance automation software may be the best solution. Compliance automation software allows users to consolidate all audit information into a single system to gauge readiness, collect evidence, manage requests and continually monitor your security posture.
When selecting a compliance automation software it is recommended that you look for one that offers:
- Automated readiness assessments
- Automated evidence collection
- Policy templates
- Auditor assistance when needed
- Cloud integrations
- Project dashboard
- Consolidated audit requests
- Continuous monitoring

It’s important to note that compliance automation software only takes you so far in the audit process and an experienced auditor is still needed to conduct the SOC 2 examination and provide a final report.
What’s the timeline of the SOC 2 audit process?

SOC 2 timelines vary based on the company size, number of locations, complexity of the environment, and the number of trust services criteria selected. Listed below is each step of the SOC 2 audit process and general guidelines for the amount of time they may take:
Step 1: Find the Right Partner and Team
A SOC 2 must be completed by a licensed CPA firm. If you choose to utilize compliance automation software, it’s recommended that you select an auditing firm that also offers this software solution for a more seamless audit.
Step 2: Information Requests: Estimated Timeline: 2-3 Business Days
Your audit team will generate an Information Request List (IRL) for your organization. The information in this list is based on the scope, the chosen Trust Service Criteria, and other factors such as cloud hosting services, locations, and company size.
Step 3: Readiness Assessment: Estimated Timeline: Varies based on scope
If it’s your first audit, we recommend completing a SOC 2 Readiness Assessment to find any gaps and remediate any issues prior to beginning your audit.
Step 4: Evidence Collection for a SOC 2 Audit: Estimated Timeline: Varies
The time it takes to collect evidence will vary based on the scope of the audit and the tools used to collect the evidence. Experts recommend using compliance software tools, like A-SCEND, to greatly expedite the process with automated evidence collection.
Step 5: Fieldwork: Estimated Timeline: 2-6 Weeks
This phase includes walkthroughs of your environment to gain an understanding of your organization’s controls, processes and procedures. The time it takes to complete this phase will vary based on your scope, locations, TSCs, and more but generally, most clients complete in two to six weeks.
Step 6: The SOC 2 Report: Estimated Timeline: 3 Weeks
The audit team will provide a SOC 2 report for your company that comes in two parts. Part one is a draft within three weeks of completing the fieldwork in which you’ll have the opportunity to question and comment. Part two is a final report two weeks after the draft has been approved with the inclusion of the updates and clarifications requested in the draft phase.
What’s the difference between SOC 2 Type 1 and Type 2?
When determining what type of SOC 2 assessment to undergo you will have two options resulting in two different reports, a SOC 2 Type 1 audit and a SOC 2 Type 2 audit. There are two main differences between the different audit types. The first is the duration of time in which the controls are evaluated. A SOC 2 Type 1 audit looks at controls at a single point in time. A SOC 2 Type 2 audit looks at controls over a period of time, usually between 3 and 12 months.
In addition, a SOC 2 Type 1 report covers the suitability of the design of controls as of a point in time, while a SOC 2 Type 2 report attests to both design and operating effectiveness over the review period. A Type 2 provides a greater level of trust to a customer or partner because the report provides more detail and visibility into how effectively the organization’s security controls operate.
What’s the difference between SOC 1 and SOC 2?
The difference between SOC 1 and SOC 2 is that a SOC 1 audit addresses internal controls over financial reporting, while a SOC 2 audit focuses more broadly on information and IT security. SOC 2 audits are structured across five categories called the Trust Services Criteria, which are relevant to an organization’s operations and compliance.
What is a SOC 3 report?
To be issued a SOC 3 report, you must first have earned a SOC 2 report. A SOC 3 report is a public-facing version of the SOC 2 report intended for distribution and/or publication without the need for a non-disclosure agreement (NDA). A SOC 3 report is a SOC 2 report that has been scrubbed of any sensitive data and provides less technical information, making it appropriate to share on your website or use as a sales tool to win new business.
What’s the difference between SOC 2 and ISO 27001?
Both a SOC 2 report and ISO/IEC 27001:2013 certification are extremely attractive to prospective customers. Below are the major differences:
Certification vs. Attestation: ISO 27001 is a certification issued by an accredited ISO certification body and includes an IAF (International Accreditation Forum) seal. SOC 2 is an attestation report provided by a third-party assessor such as a CPA firm.
ISMS vs. Trust Services Criteria: ISO 27001 is a pass/fail audit focused on the development and maintenance of an Information Security Management System (ISMS). SOC 2 is structured around the five Trust Services Criteria and includes an auditor’s opinion on the controls in place for each chosen TSC. A final SOC 2 report is much more detailed than the one-page certificate you receive with an ISO 27001 certification.
Global Reach: ISO 27001 is an international standard recognized throughout the world, while SOC 2 is primarily US-based. Note that while SOC 2 is American-born, it’s important for any organization doing business in the US, and it is rapidly gaining traction in Europe.
Certifying Bodies and Renewal Timelines: SOC 2 attestations are carried out by a licensed CPA firm and are valid for 12 months. ISO 27001 certifications are carried out by an accredited ISO 27001 certification body and are valid for three years, with annual surveillance audits.
ISAE 3000 and SOC 2
The International Framework for Assurance Engagements (ISAE) 3000 is a framework introduced by the International Auditing and Assurance Standards Board (IAASB), an independent standard-setting body that is widely recognized in Europe. ISAE 3000 reporting is typically integrated into a SOC 2 report, and is usually requested by international clients.
Key differences:
- SOC 2 is the most recognized standard in the U.S., while ISAE 3000 is an international standard.
- If an organization in the U.S. needs to demonstrate its commitment to information security and privacy, it may choose a SOC 2 report. If it needs to demonstrate compliance with international standards, it may opt to include an ISAE 3000 report as well without adding extra work.
- A-LIGN is equipped to issue SOC 2 reports with ISAE 3000 integration, allowing organizations to meet both standards and expand their international reach.
Can you fail a SOC 2 examination?
No, you cannot “fail” a SOC 2 audit. It’s your auditor’s job during the examination to provide opinions on your organization within the final report. If the controls within the report were not designed properly and/or did not operate effectively, this may lead to a “qualified” opinion. This indicates that testing exceptions were significant enough to prevent one or more of the SOC 2 criteria from being achieved. Audit reports are crucial because they speak to the integrity of your executive management team and affect investors and stakeholders.
What should I do with my final report?
While you can only share your SOC 2 report with a prospective customer under NDA, rather than publicly, there are still ways to use your SOC 2 achievement for marketing and sales purposes.
- Announce earning your SOC 2 report with a press release on the wire and on your website. Then, share it on your social media platforms!
- Showcase the AICPA badge you earned on your website, email footers, signature lines, and more.
- Send a short email to customers announcing your SOC 2 report.
- Write a blog post about earning your SOC 2 report and how this effort further demonstrates that you take your customers’ data security seriously.
- Teach your sales team how to speak about SOC 2 and the benefits it provides to customers.
If you would like a public-facing report to share, consider purchasing a SOC 3 report.
How long is my final report valid?
When you earn your final SOC 2 report, it’s generally valid for 12 months. Therefore, a SOC 2 audit should be conducted annually as an internal benchmark to assess your security posture year-over-year.
What are a few helpful SOC 2 resources?
Everything You Need to Know: SOC 2 Examination
SOC 2 Checklist: Preparing for a SOC 2 Audit
SOC 1 vs SOC 2: What’s The Difference?
SOC 2 Framework: What You Need to Know
A Guide to SOC 2 Reporting: What Is a SOC 2 Report?
What are the SOC 2 Trust Services Criteria?
SOC 2 Compliance Requirements: An Overview
SOC 2 Controls: Everything You Need to Know
What’s an example of SOC 2 in the real world?
Below are several customer testimonials in which the organization earned a SOC 2 report to drive revenue, build customer trust and better their security posture.
Menlo Security reduces evidence collection time by 60% with consolidated audit approach
Obsidian Security scales compliance program with A-LIGN and Drata
Orbital leads the way in the European fintech & crypto market with SOC 2 compliance
Boomi showcases cybersecurity dedication with 10+ compliance certifications and attestations
Network Coverage sets standard in CMMC & multi-framework compliance for MSPs
Anthology’s commitment to compliance elevates edtech standards
Inriver reduces time spent on compliance by 45% with A-LIGN & Drata
SOC 2 Certified Companies: Real Success Stories & Insights
What is the history of SOC 2?
In 2010, the AICPA (American Institute of Certified Public Accountants) introduced SOC 1 and SOC 2 to address the growing need for companies to validate their cybersecurity posture.
Ready to start your SOC 2 audit?
If you’re ready to take the next step, contact A-LIGN today to begin your journey to SOC 2 compliance. The A-LIGN difference is:
- 17.5k+ SOC assessments completed
- #1 SOC 2 issuer in the world
- 200+ SOC auditors globally
A-LIGN is the leading provider of high-quality, efficient cybersecurity compliance programs. Combining experienced auditors and audit management technology, A-LIGN provides the widest breadth and depth of services including SOC 2, ISO 27001, HITRUST, FedRAMP, and PCI. A-LIGN is the number one issuer of SOC 2 and a leading HITRUST and FedRAMP assessor.
Ransomware attacks are occurring more often, have become more harmful and now cost businesses a great deal of resources. A-LIGN’s 2022 Benchmark Report showed that of those surveyed, only 39% of organizations have a plan in place, whereas 40% are “planning to develop” something in the future, and 10% said they don’t view ransomware as a main cybersecurity concern. This gap is leaving businesses vulnerable to attacks. To help you best prepare for a cybersecurity event, we break down what goes into a ransomware preparedness assessment.

Contact A-LIGN to learn more about our one-of-a-kind Ransomware Preparedness Assessment.
A-LIGN’s Mike Herdegen Named Tampa Bay Business Journal’s 2022 CIO of the Year Honoree
Chief Technology Officer at A-LIGN Recognized as a Top Tampa Bay Executive in Information Technology
A-LIGN, the leading cybersecurity compliance and audit firm, today announced that the company’s Chief Technology Officer, Mike Herdegen, has been named a 2022 CIO of the Year honoree by the Tampa Bay Business Journal. This award recognizes top information technology executives and emerging leaders in Tampa Bay who are using innovative ways to create a competitive advantage and grow their companies.
Tampa Bay Business Journal’s CIO of the Year awards program is the most prestigious recognition of Tampa Bay’s top IT leaders and executives. CIOs and CTOs play a critical role in corporate success as technology continues to be a driving factor in operational success in the Tampa Bay business world. The roles of these leading executives expand and evolve daily, from IT infrastructure, platforms, and cybersecurity to hardware and software development.
Herdegen is responsible for internal IT operations, ensuring A-LIGN operates against the highest standards for security in protecting information and system integrity. He also oversees the development of A-LIGN’s compliance management platform, A-SCEND, which enables customers to streamline their audits, save time and resources through automation, and demonstrate their security posture year-round.
“One of the reasons I came out of retirement to join A-LIGN was because of the organization’s values. A-LIGN has a culture of collaboration, expertise, integrity, and vision,” said Mike Herdegen, CTO at A-LIGN. “The A-SCEND features we are currently rolling out include market-leading new capabilities that keep pace with the rapidly-evolving expectations of our customers. At A-LIGN, support means exceptional service for our clients and opportunities for our employees, and we focus on people and technology to achieve both.”
The Tampa Bay Business Journal selected 2022 CIO of the Year honorees based on: accomplishments, leadership efforts, ethics in management and business practices, philanthropic contributions and involvement, significant projects spearheaded during the pandemic and over the past year, and how such initiatives have strengthened the company’s strategic market position.
Herdegen’s team of over 50 domestic and international IT professionals and developers has reimagined the A-SCEND product from an internal-facing audit tool into an external-facing solution, scaling the organization’s footprint in the market as a leader in the cybersecurity service industry. The SaaS platform is purpose-built, supporting end-to-end cybersecurity audits through the entire compliance process.
With an innovative single-provider, readiness-to-report approach, Herdegen’s primary goal over the last year and a half has been to transform A-SCEND into a cybersecurity platform that assists over three thousand clients in their compliance initiatives, and allows their audits to be as streamlined and successful as possible.
Outside of A-LIGN, Herdegen serves as the primary information technology resource at Think Big for Kids, helping underprivileged youth discover their untapped potential by bringing them exciting career exploration, mentorship, and skill development opportunities. Additionally, Herdegen is on the Tampa Bay Estuary Program’s (TBEP) Community Advisory Committee, responsible for judging the grants provided by TBEP and facilitating grant decision meetings.
To learn more about the team at A-LIGN, please visit our website.
For more information about TBBJ’s CIO of the Year honorees and awards and programs, visit https://www.bizjournals.com/tampabay.
About A-LIGN
A-LIGN is the only end-to-end cybersecurity compliance solutions provider with readiness to report compliance automation software paired with professional audit services, trusted by more than 3,300 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider holistic approach as a licensed CPA firm to SOC 1 and SOC 2 Audit services, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HITRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, PCI Qualified Security Assessor Company, and PCI SSC registered Secure Software Assessor Company. Working with growing businesses to global enterprises, A-LIGN’s experts and its audit management platform, A-SCEND, are transforming the compliance experience.
Media Contact:
Danielle Ostrovsky 
Hi-Touch PR 
410-302-9459 
[email protected] 
Zero trust is an important part of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity, issued in May 2021, and will continue to gain popularity as an effective cybersecurity approach. It focuses on restricting information access within an organization to only those who absolutely need to access the data. The premise of zero trust is that anyone could be a potential threat actor, so no internal or external user or system is trusted by default.
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are implementing zero trust strategies.

To learn more about strategically implementing a zero-trust architecture within your organization, complete our form below and one of our trusted experts will reach out directly.
A SOC 2 report is a third-party validation that attests to an organization’s ability to protect data and information. It’s widely accepted across industries and provides a singular asset that can be used in the due diligence process with multiple prospects and customers — replacing the need to undergo a custom cybersecurity audit with each new customer.
To obtain a SOC 2 report, a company must submit to an audit whereby assessors evaluate the internal controls used to secure information, along with the systems, technology, and staff roles within the organization. Although some organizations tout they can complete this process in two weeks, experienced CPAs repeatedly declare that 14 days is simply not enough time to properly and thoroughly complete all aspects of the SOC 2 audit process.
In this blog, we’ll review each step of the SOC 2 audit process and explain how long each aspect of the audit process takes. This piece is meant to serve as a general guideline, as audit timelines can vary significantly based on the size of a company and the complexity of its environment and services.
Step 1: Find the right partner and team
The first step toward completing a SOC 2 audit is to engage with an audit partner. It’s important to note that SOC 2 audits are regulated by the AICPA and reports can only be generated by an external auditor from a licensed CPA firm — like A-LIGN. Once you engage with a partner, there will be some preliminary discussions to define the scope of the project and sign a contract.
If this is your first time pursuing a SOC 2 report, we highly recommend completing a SOC 2 readiness assessment to examine any gaps in controls or processes prior to an official audit. This can help you save time (and money) before undergoing the bulk of the SOC 2 audit process.
Once you’re ready to officially proceed, contracts will be signed and the official engagement will begin. At that point you will be introduced to your SOC audit team. At A-LIGN, SOC 2 audit teams typically consist of a senior manager, manager, and auditor.
Senior managers and managers act as primary points of contact during preliminary discussions. Auditors take over as the point person when it’s time for walkthroughs, testing, and evidence review. All three of these roles work together throughout the entire audit to ensure you are supported and informed every step of the way. By leveraging the A-SCEND audit management platform, clients have direct access to the audit team to flag issues, ask questions, and submit evidence. The tool helps companies stay organized throughout the audit process and maintain a clear understanding of what is required.
Step 2: Information requests
Estimated timeline: 2-3 business days
First your audit team will generate an Information Request List (IRL) for your organization. This list of essential information is based on:
- The prior year’s report (if you have completed the SOC 2 process before)
- The scope
- The trust services criteria
- Other factors determined during the scoping phase (e.g., new technology, locations, third-party services being leveraged, cloud hosting services, etc.)
When partnering with A-LIGN, your audit team will publish this list for you through the A-SCEND platform, an audit management software tool that streamlines the audit process. A-SCEND consolidates the process into one easy-to-use dashboard, facilitates real-time collaboration between auditors and clients, and reuses existing audit evidence across multiple frameworks.
After the IRL has been published, there will be a call with the SOC audit team to re-confirm the timing and scope of the project.
Step 3: Evidence collection for a SOC 2 audit
Estimated timeline: varies
Evidence collection can be a time-intensive process. Many experts recommend using audit management software to help reduce time and make the process more efficient. At A-LIGN, we encourage clients to use our tool, A-SCEND. Through our partnership with leading GRCs and our integrated platform, evidence can be automatically collected. Once the evidence is collected it is transformed into readable reports that are automatically mapped to the corresponding evidence requests from the IRL. This process reduces the amount of effort, time and resources required for providing evidence.
If the need for a SOC 2 report is urgent, the collection period can be shortened. If you anticipate this will be the case for your company, it’s important to be prepared. Consider gathering essential materials prior to your kick-off call with your audit partner so everything is organized in one place. We also recommend you make sure you have staff resources assigned to assist with the SOC 2 process ahead of time, so you can reduce the risk of other internal priorities cutting into your SOC 2 efforts.
Step 4: Fieldwork
Estimated timeline: 2-6 weeks
Once evidence collection is complete, fieldwork (formal walkthroughs of your environment) will officially begin. The goal of this phase is to gain an in-depth understanding of your organization’s controls, processes, and procedures related to people and technology. The length of fieldwork will vary depending on the scope, locations, applications, and trust services criteria. Generally, you can expect this phase of the SOC 2 audit process to last anywhere from two to six weeks.
Step 5: The SOC 2 report
Estimated timeline: 3 weeks
After completing the walkthroughs and testing, the SOC audit team will generate a SOC 2 report for your company. The SOC 2 report comes in two parts:
- Draft: You’ll receive a draft report within three weeks of completing the fieldwork, sometimes earlier depending on deadlines and the complexity of the scope. During this draft report phase, you’ll have the opportunity to review the assertion, opinion, system description, and testing of the controls. If necessary, you can provide feedback or ask questions of the audit team. Once the draft report is approved internally, you’ll sign a management representation letter and notify your SOC 2 team that they can proceed with the final report.
- Final report: One to two weeks after the draft has been approved, you’ll receive a final report with any updates or clarifications requested in the draft phase.
Partner with A-LIGN to begin your SOC 2 audit
Founded in 2009, A-LIGN is the top issuer of SOC 2 audits in the world. We have completed over 5,000 SOC 2 assessments and can confidently say that a proper SOC 2 audit takes at least eight weeks to complete. In planning for your SOC 2, beware of the “14-day audit” promise — this is likely only referring to the audit readiness timeline. At A-LIGN we provide the tools and expertise to help you during every step of the SOC 2 audit journey.
Ready to pursue a SOC 2 audit for your business? Speak to an expert at A-LIGN to get started.
A-LIGN Named on Inc. 5000 List of Fastest Growing Companies for Sixth Consecutive Year
With Three-Year Revenue Growth of 145 Percent, A-LIGN Receives Ranking No. 3569 Among America’s Fastest-Growing Private Companies
A-LIGN, the leading cybersecurity compliance and audit firm, announced today that the company is No. 3569 on the annual Inc. 5000 list, the most prestigious ranking of the fastest-growing private companies in America. This is the sixth consecutive year the company has been recognized on the list, which represents the most successful private companies with a proven track record of growth. The list represents a one-of-a-kind look at the most successful companies within the economy’s most dynamic segment—its independent businesses. Facebook, Chobani, Under Armour, Microsoft, Patagonia, and many other well-known names gained their first national exposure as honorees on the Inc. 5000.
“We are honored that A-LIGN has received its ranking on the 2022 Inc. annual list 5000 as No. 3569,” said Scott Price, CEO at A-LIGN. “We are incredibly proud that our outstanding team is once again recognized among America’s fastest growing private companies. It is truly an honor to be named by the prestigious Inc. magazine alongside these incredible businesses. I am deeply moved by the commitment and dedication of the entire team at A-LIGN, and look forward to the coming months as we continue to provide premier technology paired with expert professional services to our global clients.”
The companies on the 2022 Inc. 5000 have not only been successful, but have also demonstrated resilience amid supply chain woes, labor shortages, and the ongoing impact of Covid-19. Among the top 500, the average median three-year revenue growth rate soared to 2,144 percent. Together, those companies added more than 68,394 jobs over the past three years. Complete results of the Inc. 5000, including company profiles and an interactive database that can be sorted by industry, region, and other criteria, can be found at www.inc.com/inc5000.
“The accomplishment of building one of the fastest-growing companies in the U.S., in light of recent economic roadblocks, cannot be overstated,” says Scott Omelianuk, editor-in-chief of Inc. “Inc. is thrilled to honor the companies that have established themselves through innovation, hard work, and rising to the challenges of today.”
About A-LIGN
A-LIGN is the only all-in-one cybersecurity compliance company with end-to-end-compliance automation software and auditor expertise, trusted by more than 3,300 global organizations to help mitigate cybersecurity risks. A-LIGN uniquely delivers a single-provider approach as a licensed SOC 1 and SOC 2 Auditor, accredited ISO 27001, ISO 27701 and ISO 22301 Certification Body, HITRUST CSF Assessor firm, accredited FedRAMP 3PAO, candidate CMMC C3PAO, PCI Qualified Security Assessor Company, and PCI SSC registered Secure Software Assessor Company. Working with small businesses to global enterprises, A-LIGN’s experts and its compliance automation platform, A-SCEND, are transforming the compliance experience.
More about Inc. and the Inc. 5000
Methodology
Companies on the 2022 Inc. 5000 are ranked according to percentage revenue growth from 2018 to 2021. To qualify, companies must have been founded and generating revenue by March 31, 2018. They must be U.S.-based, privately held, for-profit, and independent—not subsidiaries or divisions of other companies—as of December 31, 2021. (Since then, some on the list may have gone public or been acquired.) The minimum revenue required for 2018 is $100,000; the minimum for 2021 is $2 million. As always, Inc. reserves the right to decline applicants for subjective reasons. Growth rates used to determine company rankings were calculated to four decimal places. The top 500 companies on the Inc. 5000 are featured in Inc. magazine’s September issue. The entire Inc. 5000 can be found at https://www.inc.com/inc5000.
About Inc.
The world’s most trusted business-media brand, Inc. offers entrepreneurs the knowledge, tools, connections, and community to build great companies. Its award-winning multiplatform content reaches more than 50 million people each month across a variety of channels including websites, newsletters, social media, podcasts, and print. Its prestigious Inc. 5000 list, produced every year since 1982, analyzes company data to recognize the fastest-growing privately held businesses in the United States. The global recognition that comes with inclusion in the 5000 gives the founders of the best businesses an opportunity to engage with an exclusive community of their peers, and the credibility that helps them drive sales and recruit talent. The associated Inc. 5000 Conference & Gala is part of a highly acclaimed portfolio of bespoke events produced by Inc. For more information, visit www.inc.com.
For more information on the Inc. 5000 Conference & Gala, visit https://conference.inc.com/.
Media Contact:
Danielle Ostrovsky
Hi-Touch PR
410-302-9459
[email protected]