SOC 2 Common Criteria 1.2: How to Meet Board of Director Requirements

When you look through the SOC 2 requirements listed in the Common Criteria, one of the first controls you will find is not about technology or data security at all. It is about oversight, governance, and your board of directors.

Enterprise clients require the businesses they work with to keep their data secure and private. Often this comes with a request for a SOC 2 report (commonly, if loosely, called a "SOC 2 certification"), which can seem like an ordeal to obtain, especially for startups and smaller companies, given how detailed the requirements are. The questions we want to answer in this article are: how involved does your board of directors need to be, and can a small business without a board of directors still achieve SOC 2? To answer them, we first need to understand what SOC 2 governance is and what is required to meet it.

Governance under SOC 2 is actually quite simple. First, the business must demonstrate a commitment to integrity and ethical values from the outset (this is Common Criteria 1.1). Second, the AICPA adopts the COSO principle that the board of directors exercises independent oversight of the development and performance of internal control in relation to established requirements and expectations (this is Common Criteria 1.2). The board performs this oversight independently of management, and it applies its expertise across whichever of SOC 2's five Trust Services Criteria are in scope for the audit: security, availability, processing integrity, confidentiality, and privacy. Because the Common Criteria sit under the security category, this governance requirement is among the first controls listed in every SOC 2 report.

Who Needs a Board of Directors?

Before we get deeper into it, let's quickly look at who needs a board of directors and who does not. Every publicly listed company, along with all C corporations, S corporations, and not-for-profits, is required to have a board of directors. Limited liability companies (LLCs) and sole proprietorships are not required to have one by law. Some companies that are not required to have a board institute one anyway. To decide which route is best for your company, look at the complexity of your organization, not just the size of your workforce and your yearly revenue.

How to Meet the SOC 2 Governance Requirements for Your Board of Directors?

Businesses looking to pass a SOC 2 audit must abide by the Trust Services Criteria. Under Common Criteria 1.2, which maps to COSO (Committee of Sponsoring Organizations of the Treadway Commission) Principle 2, the board of directors must "demonstrate independence from management and exercise oversight of the development and performance of internal control." The AICPA's documentation on SOC 2 controls breaks the governance requirement for a board of directors down further into points of focus, three of which are central:

  • Establishes Oversight Responsibilities — The board of directors identifies and accepts its oversight responsibilities in relation to established requirements and expectations.
  • Applies Relevant Expertise — The board of directors defines, maintains, and periodically evaluates the skills and expertise needed among its members to enable them to ask probing questions of senior management and take commensurate action.
  • Operates Independently — The board of directors has sufficient members who are independent from management and objective in evaluations and decision making.

The objective is to ensure that data security and privacy are understood as topics that get reported up to top management and the board, not something that can be treated as a low priority or delegated away to "someone in IT." Ultimately, the board holds responsibility if a data breach happens on its watch.

How Can You Meet the SOC 2 Governance Requirements Without a Board of Directors?

Companies preparing for SOC 2 will note that the AICPA's guidance on Common Criteria (CC) 1.2 seems fairly black and white about the need for an independent board of directors. But additional guidance in a report from COSO shows that there is more grey area than that, and that smaller companies may be able to meet the SOC 2 governance requirements without a BOD.

Guidelines for Companies Without a BOD

Suppose you have determined that you do not need a board of directors because you are a small company with a simple business structure, but you still want to meet the SOC 2 governance requirements. The COSO 2013 guidance states that the key for small companies is to set up an independent committee to review the company's controls. The name of this committee is not what matters; its function and independence are. The guidance states that the committee should include at least one person who is not responsible for executing the company's controls, that its oversight responsibilities should be stated clearly in a legally binding charter document, and that the charter should lay out effective segregation of duties. The committee members who do not execute controls should have the expertise and experience needed to oversee the work and the controls effectively.

Although this guidance has been issued by industry bodies, it should be treated as help with meeting the requirements of a SOC 2 audit, not as an official ruling. In the end, your SOC 2 auditor will examine your board or committee and write their opinion on whether it has met the Common Criteria requirements.

How Carbide Can Help You Speed Up SOC 2

These kinds of real-world questions about SOC 2 compliance are what we help with all the time. If you need guidance on meeting all the SOC 2 requirements (and help understanding some of the trickier issues), consider coming to Carbide to get you to SOC 2 compliance. We have SOC 2 controls, policies, tasks, and planning tools built into the Carbide platform, and a Premium offering if you need to speed up your timeline or outsource more of the work. With a custom-generated security program based on the SOC 2 framework and your unique business operations, you can quickly start checking off items on your SOC 2 to-do list. Talk with us about our mission to make SOC 2 readiness as painless as possible.