Businesses are building and deploying a wide variety of cloud computing platforms within AWS – such as SaaS, PaaS, and IaaS – and are also being asked for annual SOC 2 Type 1 and Type 2 reporting. According to auditing firm NDNB, there are five essential things that service organizations need to know now about becoming SOC 2 compliant when using AWS’ cloud services.
- Start with a SOC 2 Scoping & Readiness Assessment – Learning about SOC 2 – all the technical merits and other important considerations – begins by performing a comprehensive SOC 2 scoping & readiness assessment.
- Assess Scope and Ownership of Controls – Businesses using Amazon’s AWS services will need to assess, determine, and confirm who has ownership of various controls that will be assessed during a SOC 2. The earlier this is known, the greater the chances for auditing success, efficiency, and removal of scope creep issues. In all reality, this is a relatively straightforward process, something NDNB performs with clients every day.
- Determine the Applicable Trust Services Criteria (TSP) – Which of the TSP are going to be included in the scope of a SOC 2 audit and why? Do you have client commitments for certain TSP’s? What is the basis for choosing the relevant TSP’s? Important questions you need to get answers to, and NDNB can assist.
- Identify Amazon AWS Tools and Solutions to be Used – Amazon has numerous security, identity, compliance, and management tools and solution that greatly assist in the SOC 2 auditing process. Get to know them, and they’ll help ensure compliance with numerous SOC 2 testing criteria.
- Perform Essential Remediation – Correcting control gaps and deficiencies is a common practice during the SOC 2 auditing lifecycle, no question about it.
Founded in part by former Arthur Andersen and BDO Siedman auditors, NDNB isn auditing firm specializing in a wide-range of regulatory compliance audits, I.T. audits, and other compliance & assurance needs for organizations in select markets. Services being delivered by NDNB include the following: SOC 1 (SSAE 16/SSAE 18), SOC 2, SOC 3, EI3PA, ACH Audits, MERS compliance, internal audits, and more.
For more information on NDNB, visit their website here.