If you haven't heard of the term, you will soon enough. SOC 2, meaning System and Organization Controls 2, is an auditing procedure developed by the American Institute of CPAs (AICPA). Having SOC 2 compliance means you have implemented organizational controls and practices that provide assurance for the safeguarding and security of client data. In other words, you have to show (e.g., document and demonstrate) that you are acting in good faith with other people's information. In its simplest definition, it's a report card from an auditor.
At Rewind, before SOC 2, we had some processes in place, such as change management procedures for when emergency fixes need to be released to production quickly. But after beginning our SOC 2 journey we realized that we did not have a great way to track the reasoning behind a required emergency change, and this was required for our SOC 2 audit. So we worked with our auditor to set up a continuous auditing system for these requests, providing a long-term solution and a massive procedural improvement, offering this solution to other companies in our position. Achieving SOC 2 compliance signals to a market, that you are willing to provide assurance in the form of a third-party audit report that you will protect customer information. Information your business relies on.
Why Have SOC 2 at All?
In short, more data is collected by more organizations today, than at any point in history. As a whole, private and public sector groups are becoming more conscious about how their proprietary data is handled by other parties. For highly regulated industries such as finance, healthcare, or publicly traded companies, SOC 2 has essentially become a cost of doing business. For any SaaS companies that want to "grow up" and sell to big brands, the question "Do you have your SOC2?" will be one of the first things your sales team gets asked.
SOC 2 reports also give companies a leg up in providing assurance to customers in today's cybersecurity landscape. The volume of cyberattacks is increasing every year. A breach can trigger fines, damage a company's reputation, cause an exodus of customers, and much more. SOC 2 compliance goes a long way in mitigating losses from these scenarios by providing assurance that you have key processes in place. A compliant business is more likely to respond to a breach quickly, thus limiting its impact.
Getting SOC2 the Swift and Smart Way
Before I joined Rewind, and similarly for most growing SaaS companies, SOC 2 seemed like an intimidating task to achieve. We had processes in place, but we had work to do to formalize them to be SOC 2 compliant and audit ready. The sales team was also consistently getting asked about Rewind and our plans for SOC 2 compliance because our customers wanted that assurance, and getting SOC 2 became a priority. The next step is understanding your company's SOC2 goals, priorities, and identifying what steps need to be taken to become compliant.
I've spent my entire career as an Information Security Professional with a focus on governance, risk and compliance. Much of this is second nature to me. For newcomers it can be a daunting and overwhelming process. So here is a quick framework to help you get prepared for the road ahead.
1 — Choosing your scope
The first step is to decide on the scope of your audit, what service or product will be the focus,
and what Trust Service Principles you want to be audited. For example, Security is a mandatory principle, but you can also include confidentiality, availability, processing integrity, or privacy principles.
Here's an easy way to think about this: the service you provide to your customers, can determine what Trust Service Principles to focus on. For example, if your company processes financial data, "processing integrity" may be an important principle to showcase. An ecommerce or marketing service would likely focus on security and privacy because of the sheer amounts of personal data that they handle.
Rewind provides SaaS backups, so the scope was our own software platform. For our first SOC 2 rodeo, within this scope, the focus was on security and confidentiality controls. Confidentiality was an important principle, since customers are trusting us with their backup data, and we want to demonstrate how we ensure the confidentiality of the information entrusted to us.
It's also important to remember that if you want to pursue other Trust Service Principles in the future, you can nourish and grow your SOC2 compliance program and internal processes to meet that goal down the line.
2 — Assessing Your Level of Controls
Requests from the sales team can definitely help you determine what Trust Service Principles to focus on, but that doesn't mean you can start the audit process tomorrow. I always recommend companies complete readiness assessments. This helps establish the benchmark of how many controls you may already have in place, and for those that you may not, you can identify what areas to focus on. Once you get to 100%, you can prepare for your audit.
You can find various readiness assessment documents on the web from various third parties or visit the AICPA website. Auditors can also help you with your readiness assessment as part of your engagement.
As an added bonus, a readiness assessment can help you understand how to better budget for your SOC2 program going forward.. For example, you could identify that you need to perform a third-party penetration test on your application periodically, or invest in an employee background check process, all of which have ongoing costs to budget for.
3 — Organizing Controls and Evidence Collection
There is no wrong way to organize your SOC2 compliance program and controls. Yet in the long run, there are ways that make it more difficult and ways that make it easier. Spreadsheets are fine to list out all of your controls, assign owners, record notes and add links to where your evidence is stored for audits. Over time though, this gets messy and difficult to monitor.
At Rewind, we wanted to focus on the longevity of our SOC2 compliance program. Control ownership and evidence collection needed to be centralized and accessible to all stakeholders. To help with this, we invested in a Security Assurance Platform to help us manage our compliance program. I'd recommend as part of your SOC2 budget to consider a tool that can help you organize your controls and monitor them going forward.
The difficulty here is finding the right solution that fits your needs. You'll commonly see companies advertise their solutions with promises of "Get SOC2 in two months!". Your compliance program should be a machine that keeps going. It's not a shiny medal to win in record time. We wanted a tool that shared that mission also.
4 — Choose and Train Control Owners
These are individuals in your business responsible for the implementation and ongoing compliance of your controls. The main challenge here is that on the surface you're essentially asking people to do more work. Yet it shouldn't be seen this way. This is a collaborative effort to design controls and processes to be SOC2 compliant, that become woven into each team's everyday processes.
Any new process added should be an improvement to the security (or other Trust Service Principle related process/control) of your company. Rewind's approach was to go with a collaborative approach led by our "Trust Team" but at the same time, empowering control owners to be responsible for their own areas of compliance. SOC2 should be a common goal for your entire company, not just the security team.
5 — Choose your auditors
There are many reputable CPA's out there to perform your audit for you, but different auditing companies offer a variety of services. At Rewind, our choice of auditor (Moss Adams) is recommended and trained to use our Security Assurance Platform (Tugboat Logic), which we use to manage our SOC2 program. This means we can manage the compliance of our entire program including providing evidence to our auditors in the same tool. This reduces the workload of our control auditors and means we can have a centralized place to manage our controls, evidence collection and audits.
A hurdle here could be really knowing where to start. You don't want to tie yourself to a specific security assurance tool or CPA if it doesn't work out for you in the long run. Choose a reputable CPA that is open to working with you and your workflows. You want a collaborative relationship where you can also ask for advice and know that they also want to be a part of your success.
6 — Consider a Type 1 report before a Type 2
A SOC2 Type 1 audit can be incredibly beneficial to get your feet wet in the SOC2 audit process. A Type 1 audit gives you an opportunity to get experience with the SOC2 audit process and build a rapport and develop a working relationship with your auditor. You also get a report to provide customers which signals your commitment to your compliance program. This is the approach we took at Rewind and I am happy we did.
There is obviously much more to this process than what I've provided. However, based on my experience, I think this can help you set the stage for the next steps. Thinking about how SOC 2 controls fit into your business today, will save you a world of headaches in the future.