We recently polled our founder community on topics they wanted to learn more about and it turned out that one of those was SOC 2 compliance. Perhaps it shouldn’t have come as a surprise, given that it’s especially important if your company manages data in the cloud. We got a group together to discuss best practices for tackling SOC 2 and what to expect throughout the certification process. 

‍

Here’s a guide to help you navigate the complexities of achieving SOC 2 compliance and to clarify common misconceptions along the way.

‍

Why SOC 2 matters

Becoming SOC 2 compliant is absolutely critical to building trust with your customers. It demonstrates to your customers that your company meets certain security standards when handling their data. While you’re not legally obligated to get it, customers will require it to purchase your product.

‍

So what exactly is SOC 2 compliance? Does your company need it? And how much should you budget for certification, both financially and time-wise? Let’s explore the answers to those questions now.

‍

What is SOC 2?

SOC 2 is the acronym for Service Organization Control and is an information security auditing procedure maintained by the Association of International Certified Professional Accountants (AICPA). SOC 2 defines how organizations secure their customer data, according to the Trust Services Criteria (TSC), which spans five categories:

‍

Security is the only mandatory SOC 2 criteria and is often referred to as the “common criteria.” It includes elements such as two-factor authentication (2FA), maintaining firewalls, and encryption, among other measures to protect personal and business data. The remaining four categories are more focused and can be used as add-ons to your assessment. Note: the privacy criteria has lighter requirements than GDPR (General Data Protection Regulation).

‍

Do I need to become SOC 2 compliant?

YES: for service providers that process and store customer data.

NO: if you do not handle customer data.

‍

Where do I start?

These are the three primary steps to prepare for certification:

1. Begin with common criteria, the security category.
2. Build out your controls, and define what they are and how you will meet them.
3. Operationalize your controls.

‍

Zooming into SOC 2, you’ll discover there are two types of SOC 2 assessments: SOC 2 Type 1 and SOC 2 Type 2. As principal security consultant Adam Gaydosh* explains, SOC 2 Type 1 validates “what you’re going to do.” It verifies that you have the appropriate control definitions, policies, and procedures in place.

‍

Meanwhile, SOC 2 Type 2 validates that “you did what you said you were going to do.” This requires controls to be evaluated looking back at least six months to generate enough data points to review your program for things such as sampling changes in control tickets.

‍

Planning guidelines

‍

Timeframe: 6+ months

Plan ahead for when your company will need to be SOC 2 compliant. It will take a minimum of running your program for six months before you’re able to begin the SOC 2 Type 2 assessment and that doesn’t account for the time it takes to build out and operationalize relevant controls.

‍

Team impact

Consider the work and time your team will need to prepare and run the program. For example, will you dedicate a teammate full time to this certification process or hire a consultant? Additionally, keep in mind that SOC 2 certifications, which are given by external auditors, are valid for 12 months. There will be some time and effort required for annual assessments.

‍

Pricing 

A SOC 2 Type 2 assessment can be expected to cost somewhere between $20–50k. Note that this doesn’t include the time and effort of your team or external consultants to implement controls.

‍

Potential SOC 2 tools

Rather than starting from scratch, you can get started with one of several tools that can help with the SOC 2 process.

‍

• Vanta: a useful product for early-stage companies that don’t have security programs built out. 

‍

• Drata: another popular security and compliance automation platform.

‍

• Laika: an end-to-end compliance hub that combines workflows and built-in best practices.

‍

Approach SOC 2 with confidence

As businesses store more customer data on the cloud, SOC 2 compliance has become a de facto requirement for many startups. As a founder or startup leader, it’s never too early to start thinking about whether customers will look for your company to be SOC 2-certified, particularly given the time, effort, and cost that is involved in achieving compliance.

‍

*Adam Gaydosh is the principal security consultant with Online Business Systems, a firm that specializes in readiness and advisory work.