One of the most critical steps is selecting the people who will lead the initiative. Many organizations start planning for SOC 2 assuming they can delegate the work entirely to the IT and information security staff. Those teams will play a big part, but your core SOC 2 team will also include HR, legal and other business units. This blog will help you understand who belongs on your core SOC 2 team and how to build it.
If you sell software to businesses, clients will eventually ask whether you're SOC 2 compliant. Why? Because it's a convenient way to confirm you have *some* maturity around security practices. What SOC 2 is not: you should not confuse SOC 2 compliance with actual security. It covers the core departments and processes that interact with sensitive data, and the Trust Services Criteria set out what those processes must address, but the specific controls are yours to choose and declare. The audit confirms that the controls you declared are designed (Type 1) and, for a Type 2, operating as described over the review period. Some might argue that's a little like the fox guarding the hen house. Importantly, SOC 2 is an attestation report issued by an independent CPA firm under AICPA standards, not a government-regulated certification. There are no penalties for failing to fulfill declared policies. Auditors won't charge you a fine; they'll note the exceptions in the report, point out your shortcomings and help you resolve them. With that context, it's easy to understand why the primary motivation to become SOC 2 compliant is to facilitate sales. It will
The first time I went through SOC 2 I wasted far too many hours on Google trying to figure out best practices. It drove me nuts how much was written without actually telling me anything actionable. Why wasn't there a simple summary that answered: How long will a SOC 2 Type 1 audit take? How much will SOC 2 Type 1 cost? What are best practices for each policy? Two years later, we decided to write our own. This is the first in a series of blog posts that answer each of those questions in detail. Feel free to skip around if you're farther along in the process. Click here to see the complete list of 40+ blog posts along with free policy templates.
Before our first SOC 2 Type 1 audit, I assumed you pay an auditor, they come in, make a few suggestions on how to improve, and sign off. It might take a few months, but the total cost would be some distraction plus the auditor's fee. That could not be farther from the truth. If you want to skip ahead to the hard numbers, our estimate is $147,000 all-in (download the breakdown here). The breakdown accounts for lost productivity, build-vs-buy decisions for new tools, and security training. It's a huge undertaking that involves senior representatives from almost every team, including HR, Legal, Engineering, Sales, Customer Support and more. If you try to carry the entire burden yourself without involving other teams, you're wasting your time and will fail the audit. No one person can complete a SOC 2 attestation. They won't have the domain expertise
SOC 2 can be a daunting process. Policies are subjective; auditors avoid providing much guidance; advice on the internet is incomplete or vague. We decided to create Comply, an open source collection of policy templates that includes best practices. We hope it reduces the stress of SOC 2 and points fellow startups in the right direction. SOC 2 involves every team in the company -- including many that don't report to you. You need to inventory your existing tools and infrastructure, research best practices, define policies and procedures for your teams, build consensus, and ultimately persuade every team to adopt them. The process is inevitably accompanied by acute time pressure: a major Q4 deal, an impending IPO, or a life-changing partnership that depends on successfully completing your audit. Our team recently went through another SOC 2 audit, and decided this time around we'd like to share some of our lessons learned. We compiled