Frequently Asked Questions
-
You can reach out to your platform CSM or to your Johanson Group CSM.
-
No. It depends on what says “needs attention” and why. For example, if you just hired a new employee a number of items will turn red. We can assume that the background check and signoff on policies will be completed within the SLA. On the other hand if something has been red for a while with no action taken, then that should be resolved before the audit period starts.
-
A pen test is not a hard requirement. It is an industry standard practice. Your customers may ask for a copy of your most recent pen test report.
A pen test is not needed for the SOC 2 Type I.
If you have the pen test as a control, your policy usually states that the pen test is done annually. That cadence may not occur if you do a shortened audit period (3-6 months). On the following Type II audits we would expect to see a pen test completed if it is part of your controls.
-
In the US background checks are the normal process. For some counties, background checks are not able to be performed. You may look at other options such as, reference checks, local police reports, etc.
The reason for this is to identify any risks with hiring the employee that may have access to your and your customer’s data.
-
Management can decide how they want to treat contractors based on their level of access. In your own risk assessment, based on their level of access, you can either determine that the risk is low and exclude them from background checks, or you decide to have another mitigating control in place (i.e. U.S. based contractors have background checks performed, but international contractors have reference checks performed if their home country doesn't allow BG checks). Ultimately, it's up to management how they want to go about this.
-
That is ok. On the report it will say “no events to test”. We will reach out during the audit to confirm that the event did not occur.
These “no events to test” typically occur when you have a reporting period less than 12-months; like an initial 3-month report. Please note that during the subsequent 12-month period, it will be expected that your control operates as stated, for things like performance reviews performed annually, or a penetration test is performed annually. In those cases, non-performance would be an exception on the report because these are controls you can schedule during the 12-month period.
-
Please fill out our Ethical Management Questionnaire. The purpose of the control is to demonstrate that the company establishes “tone at the top,” and management has a formal structure for providing oversight, guidance, risk reducing control responsibilities, etc. This doesn’t require a formal Board to be in place.
-
The important takeaway here is that the controls in the platform are provided as samples that you could use for the audit to meet the SOC 2 criteria requirements. The goal is to have controls that meet the stated criteria, but those controls are YOUR controls (not the platform’s, not Johanson Group’s); they are controls you selected, based on your risk assessment, in order to protect your systems and data (not just to pass a SOC 2 examination).
If you are presented with a control in the platform and asked to prove you have the control in place, but the control doesn’t exist in your system, because based on your risk assessment around that criteria you chose not to do things that way, then you do NOT need to implement a new process in order to satisfy the sample control.
If presented with this scenario and need clarification, please reach out to your platform CSM first, then your Johanson Group CSM.
-
Three (3) months.
-
Once the audit period ends, it takes us about 4-6 weeks to complete the audit and issue the final report.
-
You will want to provide them with the full report. We suggest that you have the customer sign a NDA first.
-
• Making sure evidence is uploaded in the platform or another place that is organized and readily available.
• Being responsive to questions or additional requests for information.
• Having the system description completed before the end of the audit period.