One of my favorite things about being a human being is that we are all a work in progress. It is something that every person on the planet has in common: we are all learning, developing, adapting and changing from the day we are born until the day we die. Those who resist this often find the world to be a very hard and unforgiving place.
The same concept applies to businesses and every other type of organization: to be successful, they must continuously develop, change and adapt to their environment. Applying this line of thinking to SOC audits can drive tremendous value from the audit process. I encourage my clients to continuously improve and evolve the controls covered in their SOC reports. (This applies equally to SOC 1 and SOC 2.) A good way to do this is to ask your auditor what you can do to improve and what the auditor sees other organizations doing in the marketplace. In today's environment, if your controls are the same year over year, you are not keeping up with the threat landscape and the cyber risks that evolve with it.
The Center for Internet Security (CIS) provides valuable tools to drive improvement in your overall control environment. CIS publishes and continuously updates a prioritized list of controls that all organizations should have in place (the "CIS Top 20"; note that CIS renumbers and consolidates the list from version to version, so check the current version on their site rather than relying on an older copy). They also provide implementation guidance for each control. You can access the list and their recommendations for cybersecurity best practices here: https://www.cisecurity.org/controls/cis-controls-list/
So how can you incorporate the CIS Top 20 into your SOC audit and the controls covered by your SOC report? It is quite simple: on a periodic basis (at least once per audit cycle, and whenever CIS publishes a new version), pull up the CIS Top 20 and compare it, control by control, to the controls in your SOC report. For each CIS control that is missing from your SOC report, evaluate whether it would benefit your organization, document the reason if you decide not to adopt it, and otherwise consider adding it to your SOC control inventory. And never hesitate to reach out to your auditor for help and guidance. Auditors strive to be your business partners and always appreciate collaborating with you on how to improve your SOC report and make your organization more secure.