The Impact of COVID-19 on SOC 2 Attestation

COVID-19 has changed how we work, and as the first third of 2021 comes and goes many IT and cloud companies have adapted. However, companies that still need to undergo SOC 2 attestation, or who still have not done so for one reason or another, might find the current challenges of auditing and compliance under pandemic restrictions intimidating. 

Here, we’ll discuss an overview of some of the challenges that might come up during SOC 2 attestation during COVID-19. Rather than seeing these challenges as hopeless, we believe that, with the right security partner, they are easily dealt with as part of getting back to business. 

The Impact of COVID-19 on Security Measures

Implementing and maintaining security controls is an involved job that requires an investment in time and money. As companies feel the pinch of COVID-19 and adjust at the beginning of 2021, changes in infrastructure and workforce will impact how readily these companies can fulfill requirements under SOC 2.

If your business has transitioned to a remote workforce or undergone (or continues to undergo) personnel changes, then there are several ways in which you might find SOC 2 attestation difficult. 

Consider the following questions:

1. Has IT or security leadership been consolidated, changed, or cut due to changes in your workforce or technology demands? If so, there could be critical areas where new leadership will need to wear multiple hats to recognize places where SOC 2 attestation could be impacted.
2. Does your organization have the right security measures in place to support workers in multiple areas? Remote work is the norm for many companies right now, and many have adjusted their security measures enough to meet the challenges of security. However, if you have existing or upcoming SOC 2 attestation maintaining critical security measures could slip through the cracks of a hybrid workforce.
3. What kind of cloud environment are you using, and who has access to it? Businesses have increasingly moved production and other operations to public cloud environments, which can pose additional challenges for security (not to mention adding another layer of security audits and certification to the entire system). Does your documentation include increased reliance on public or hybrid cloud infrastructures, if you use them?
4. Can you recover from furloughed or lost staff that managed documentation? Gaps in employment can severely limit how security controls work (or don’t) in testing and operational situations. Furthermore, if an individual is responsible for managing documentation (if you don’t have an automation solution, for example) hasn’t maintained that documentation well, or in a way that can be easily transitioned, your compliance could be impacted. 

Even small changes in location, technology, or personnel can call for a reexamination of your security controls and configuration. 

COVID-19 and Risk Assessment

It’s not just security controls that have been impacted by COVID-19. SOC-2 risk assessment has also taken a hit and called for businesses to re-evaluate and reorganize their assessment procedures:

1. Any organization conducting risk assessment now needs to take into account all the above-listed changes to security controls and the attack surface available for hackers due to remote workers, cloud infrastructure, etc.
2. Risk assessment should also consider additional efforts for training and education for employees. The reality of employees failing to practice good cyber hygiene in terms of simple practices like avoiding phishing scams, not utilizing secure connections, or failing to use secure devices will factor into the risk an organization takes on.
3. Any new technologies added to your system will necessarily call for new attention to the scope and scale of risk in terms of resilience and continuity. Secure tools like secure managed file transfer, secure email, and file sharing for third parties introduce entirely new levels of security problems that must be considered in the risk assessment process.
4. As your company moves into a more distributed business model to account for remote work and social distancing, you may also be working with a larger pool of third-party vendors. Does your risk model incorporate working with these vendors, particularly if they are handling and sensitive data or introducing potential risks to your system?

The growing universe of threats and security due to restructuring in the time of COVID-19 will inevitably shape risk assessment for SOC 2 attestation.  

Physical Security and On-Site Audits During COVID-19

“Security” is the core of SOC 2 and the 5 Trust Service Criteria. Security covers several layers of security of a system, including both technical and physical security. An integral part of SOC 2 attestation is the physical security controls that you have in place to protect data centers and workstations from unauthorized access.

The introduction of COVID-19 has changed how individuals interact physically, which also means that there are several ways in which physical security measures may have changed (and could impact physical safeguards and SOC 2 attestation):

1. SOC 2 audits are usually conducted in person. This can include a physical examination of security measures on-premises, like a walkthrough of your office or data center. There will certainly be changes to how these audits are conducted.
2. Along that same line of thinking, SOC 2 audits will often include interviews with employees in charge of security controls to attest to proper safeguards… which will, again, most likely work differently with a distributed workforce.
3. Physical attestation for security with remote workers using company tools will also need a space in your audits, even if that is an inventory and catalog of all remote devices and their security features. This can also include a blanket restriction on certain kinds of systemic access for remote workers to mitigate risk. 

As we enter 2021, most auditors have combined some form of remote walkthroughs, virtual interviews, and automated report and documentation generation to streamline physical SOC 2 audits. 

SOC 2 Audit Partners in 2021

Companies looking to establish or reestablish SOC 2 attestation should already have a reputable security partner. As we’ve all been through the wringer in terms of learning how to function in the pandemic, the top-tier security vendors working with SOC 2 audits have also adapted to the challenges we’ve discussed above. 

Selecting a solid SOC 2 is more important than ever, and there are some criteria to selecting that partner that is colored by COVID-19:

1. Automation is key. Your partner should be able to automate your entire SOC 2 audit process, even remotely. A partner with a SaaS cloud platform to streamline audits will be critical for fast and easy audits.
2. Physical requirements are dealt with. Virtual walkthroughs and interviews should be no problem, and there should be little or no break in the speed or reliability with which your partner conducts audits using these tools.
3. Sample testing. In some cases, sample testing of remote sites, if you have numerous offices or data centers, can work towards attestation. Your partner should be able to determine the viability of this approach and, if possible, undertake it.
4. A clear and unbroken chain of evidence. All observations, claims, walkthroughs, tests, and documents should be part of a clear chain of evidence, ideally as part of a cloud platform, to ensure that your audit is transparent.

Conclusion

If your organization is facing SOC 2 attestation or considering it as part of your operation, contact Lazarus Alliance at 1-888-896-7580 or through the form below to learn how we can help you navigate the process.

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→