Journey to SOC 2 Compliance:

Axiscades embarked on their journey to find a trusted partner for their SOC 2 consultation and audit needs. With a commitment to securing their digital landscape and ensuring the utmost data integrity, Axiscades recognized CertPro as a beacon of expertise in the field. The first step of Axiscades’ SOC 2 journey was a meeting with consultants at CertPro, where the overall scope of the audit and SOC 2’s Trust Service Criteria (TSC) were discussed. Due to Axiscades’ extensive operations and services, it was decided to include all of its services, supporting teams, and infrastructure in the SOC 2 audit scope.

Axiscades had ISO 9001 and ISO 27001 certifications. CertPro consultants reviewed the details and planned Axiscades’ SOC 2 compliance framework around their existing quality and information security management systems to save time and reduce repetitive work.

The discussions about which TSCs should be included in the SOC 2 report were led once again by Axiscades and which criteria would be most relevant and appropriate depending on the nature of their services and product offerings. Based on its experience dealing with businesses in a variety of business areas with a wide range of client requirements, CertPro was able to provide guidance on the consequences of the TSC option.

While security is a mandatory criterion, it was felt that availability would be an increasingly sought-after requirement for Axiscades, as they don’t depend on any SaaS platform for their core business offerings; rather, they work using their local servers. Further, due to the nature of the services Axiscades provides and the types of data potentially accessible via their systems, the confidentiality of data is naturally a key concern for Axiscades clients. Therefore, the selection of security, availability, and confidentiality (3 principles) was clear-cut. Further, Axiscades management appointed their Chief Information Security Officer (CISO) to coordinate with the CertPro team for the entire project.

Gap Assessment:

CertPro consultants performed a gap analysis on Axiscades’ processes to see if they met SOC 2 audit requirements. Since Axiscades was already certified for ISO 9001 and ISO 27001, the analysis showed they had a solid foundation with an existing information security management system (ISMS) and related policies and processes in place.

To meet SOC 2 audit requirements, some processes needed more documentation and ongoing proof of their execution. CertPro developed a strategy to build Axiscades’ SOC 2 compliance framework using their current procedures and controls, reducing duplication and speeding up the project. Additional changes were needed for SOC 2 compliance. This included making Axiscades’ risk assessment process formal and providing clear evidence of proactive risk management. They also had to ensure that their business objectives were communicated throughout the organization.

Nature of the SOC 2 audit:

Early on in the project, Axiscades had to decide whether to undertake a SOC 2 Type 1 or Type 2 assessment. With a Type 1 assessment, a report is produced on security procedures and controls that are in place at a specific point in time, while a Type 2 assessment assesses how effective the controls are over time by observing operations over a period of time, typically at least six months. 

CertPro recommended a Type 2 audit for Axiscades based on the benefits of the SOC 2 audit. This option provides more relevant and consistent proof of control and process adherence. As a result, the audit observation time was set at 6 months.

SOC 2 Preparation Phase:

Following the gap analysis, there was a 3-month period where Axiscades started to work with CertPro and understand what was needed to meet the different requirements of the 3 TSC principles. 

Many of the existing controls and processes, such as incident management and change management, were relatively straightforward. However, some of the governance-related controls were more challenging. CertPro’s experience was essential in understanding SOC 2 requirements and defining the evidence needed. For example, they assisted in establishing the right processes and controls for classifying information and assets to maintain consistent and appropriate confidentiality. They also standardized document management review meetings.

The process was quite iterative, with Axiscades presenting what was currently available and CertPro commenting on its suitability and, where required, suggesting refinements that would increase its acceptability.

Collecting and Submitting Evidence

Consultants at CertPro provided the CISO of Axiscades with the list of evidence required for the 3 TSC principles for the SOC 2 audit at the end of the observation period (6 months). The CISO of Axiscades was responsible for ensuring that all information security-related activities were carried out without any problems and that all the relevant evidence for the 3 TSCs was generated on a timely basis.

Consultants at CertPro were also guiding the CISO on the level of detail needed to go to when submitting the system description document for the front of the SOC 2 report, as well as identifying Axiscades’ applicable sub-service organizations. 

Axiscades was also conscious of the need to demonstrate that all its processes had been operating effectively over the entire 6-month reporting period. So, taking the example of the joiners and leavers process, Axiscades needed to ensure that if the auditor were to take a sample, those processes had been operating effectively for the whole 6 months. If the process had only been operating effectively for the last month or so, it could be expected that an exception would be raised in the audit report.

Audit Process

CertPro employs an in-house Certified Public Accountant (CPA) licensed by the American Institute of Certified Public Accountants (AICPA). After a 6-month observation period, we submitted all the necessary evidence and documentation for review by the CPA. Based on the benefits of the SOC 2 audit, CertPro suggested a Type 2 audit for Axiscades. This alternative gives more consistent and relevant verification of control and process adherence. As a result, the audit observation period was extended to six months. During the audit, CertPro facilitated communication between Axiscades’ CISO and the CPA to ensure any missing evidence was supplied, minimizing the risk of significant non-compliance. Eventually, Axiscades received the SOC 2 Type 2 report with the CPA’s report and official attestation, with no exceptions raised.

Key Factors for Success:

Resource Allocation: Axiscades allocated the necessary resources, including financial investments and personnel, to support the SOC 2 compliance initiative. This ensured that the project had the required infrastructure and expertise to succeed.

Leadership Involvement: The CISO led the company’s leadership in actively participating in the compliance process. They provided guidance and direction and demonstrated a clear understanding of the importance of SOC 2 compliance for the organization.

CertPro’s Expertise: CertPro’s experience of the SOC 2 audit process was critical at various stages of the project, including scoping, gap analysis, and interpreting the requirements. A key aspect of CertPro’s role was ensuring that Axiscades didn’t waste time sourcing and submitting unnecessary information and rather focusing on critical areas, i.e., delivering the required evidence in an effective and efficient manner.