SOC 2 Compliance: 4 Ways to Prevent Personnel Problems

The global coronavirus pandemic, the Great Recession, and the Great Resignation have significantly disrupted staffing at all levels at many organizations.

• A March 2022 Harvard Business Review article reported that according to the U.S. Bureau of Labor Statistics, more than 47 million Americans quit their jobs voluntarily in 2021.
• That same month, a CNBC report cited the 2022 Global Benefits Attitudes Survey conducted by Willis Towers Watson, the third-largest insurance brokerage in the world. That survey found that 44% of employees are job seekers, indicating the continuation of the Great Resignation.
• Cybersecurity Ventures estimated that 2021 saw 3.5 million unfilled cybersecurity positions worldwide, compared with 1 million open positions in 2013 – a growth of 350% in eight years. Meanwhile, a recent report indicates that nearly half of those cybersecurity professionals with jobs are considering quitting.

Such disruptions can delay your pursuit of SOC 2 compliance or even cause it to grind to a halt. Here are four things your organization can do to insulate itself from those challenges.

Step 1: capture relevant institutional knowledge before it leaves. If anyone critical to your SOC 2 compliance efforts should give notice that they are leaving, make sure to schedule at least one in-depth interview with them. In that interview, focus on capturing as much useful, relevant knowledge from them as possible. Get their permission to record the interview, and make sure to have it transcribed, edited, and shared with your remaining compliance team members. For example, individuals often possess so-called “institutional knowledge” that can make navigating procedures and processes faster and easier. That knowledge is often undocumented. Document it and share it before you lose it.

Step 2: get your policies together. SOC 2 compliance requires your company to demonstrate that its key policies, procedures, and processes are defined, documented, and enforced. Fortunately, getting and keeping those elements compliant with SOC 2 can also make your business more resistant to disrupted operations when there are personnel changes. In addition, well-documented, consistently enforced policies, procedures, and processes can help capture and retain institutional knowledge when people leave and make onboarding, orientation, and training of new people faster, easier, and more effective.

Step 3: keep all documentation current. As you capture institutional knowledge, policies, procedures, and processes, you must ensure that documentation, like those resources, is kept up to date. Outdated documentation is less valuable and more potentially damaging to your business, as it might instruct someone to do something that creates operational disruptions or introduces cybersecurity vulnerabilities. Therefore, ensure your documentation includes policies, procedures, and processes for keeping that documentation accurate and timely.

Step 4: get compliance automation software. A modern compliance automation solution can help with all the challenges summarized above. It can be a single, easily updated central repository of policy, procedure, process information, and institutional knowledge about those resources and the technologies that enable and support them. It can also help you manage documentation and produce reports on demand.

Your ability to achieve and sustain SOC 2 compliance relies heavily on the support of people in multiple roles across your organization. The four recommendations above can help your organization respond to and weather any challenges presented by personnel changes, whenever and wherever in your company they may arise.