About SOC 2
The American Institute of Certified Public Accountants (AICPA) introduced SOC 2 around 2010 as an audit report focused on security and structured around five Trust Services Principles (now called the Trust Services Criteria): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is the only one that is always in scope; the other four are included as they apply to the service being audited. The AICPA defines two report types. A SOC 2 Type 1 assesses whether an organization’s controls are suitably designed at a specific point in time, while a SOC 2 Type 2 assesses whether those controls operated effectively over a period of time, commonly between three and twelve months. Although the first SOC 2 that everyone tends to go for is the Type 1, we decided to shoot right for the Type 2. Nothing is more satisfying than knowing that what you’ve been doing is actually working.
Security Is An Investment
Some will ask, “Do we need it?” The truth is, it’s not a must-have, but it’s definitely a nice-to-have. It demonstrates your credibility to customers, letting them know you take security seriously and that your security controls have been independently tested and are sustainable. Because it is often a requirement in vendor security reviews, demonstrating your compliance speeds up the sales cycle, which is always a huge plus. I like to think of a SOC 2 report as one of an organization’s greatest assets. It pushes the organization into instilling the practices that ensure the safety and longevity of the business. Security used to be thought of as a cost center but has proved over time to be an investment.
Our SOC 2 Audit Experience
I think the IRS gave the word audit a bad rap. However, choosing a reputable firm to perform your organization’s SOC 2 audit makes all the difference. Our experience felt more like a consultation than an audit. Our auditor took the time to go through each control and discuss our implementation because, after all, security is not so black and white. While some certifications have strict, prescriptive guidelines, SOC 2 is flexible: the criteria define the objectives, but each organization chooses the controls that meet them, so each report is unique to that organization.
It can be overwhelming to think about security controls and implementing best practices, especially in the startup stage. The best place to start is with the SOC 2 framework, as it covers many of the security fundamentals. It is also the framework that many customers expect to see from their vendors. From an internal perspective, we set the security tone of our organization by educating new employees during onboarding. We stress that a strong SOC 2 audit is beneficial both for our own security and for the trust gained by our customers. We certainly went above and beyond a typical SOC 2 by adding controls that we felt were good for our security posture, such as requiring YubiKeys for MFA, even though hardware-backed MFA is not something SOC 2 itself requires.
Document, Document, Document
I guess you can say the audit prep rules are ‘document, document, document’. We required all code and major infrastructure changes to go through tickets and be peer-reviewed, so that each change has a record of who requested it, who reviewed it, and when it was approved. Being disciplined about documenting everything from our company’s early days gave us excellent traction when going through the process. We strongly suggest reading through the typical SOC 2 process before starting the observation period so that your organization puts itself in the best place to succeed. It should be noted that preparation is only half the battle. Gathering evidence was the most time-consuming part of the process, but breaking it down by category and keeping on schedule was key to a speedy audit.
If you keep security at the forefront of your organization, compliance typically falls into place. Perfection doesn’t exist in an organization’s security program as the security landscape is in a constant state of change, not to mention the services/products your organization provides.
Look out for our SOC 2 Type 2 report, which will be published on our SafeBase Security Portal next month.