Andi Smith

Technical Leader | Product Engineer | AI Consultant

Intro to SOC 2 for CTOs

  • By Andi Smith
  • 5 minute read

Congratulations! You've reached the point in your business where you are mature enough to start thinking about cybersecurity and security compliance, but there's a lot of new information to get your head around.

SOC 2 certification is achieved by proving that certain security controls are in place and working as intended. While this sounds straightforward, the reality involves months of preparation, company-wide coordination, and careful evidence collection that many growing companies underestimate.

In this article, I share my experiences with SOC 2 and the things I learnt along the way.

Type 1 vs Type 2

Firstly, there are two types of SOC 2 certification. Type 1 is promising the things you will do (your controls are suitably designed at a point in time) and Type 2 is proving you did them (those controls operated effectively over a period). Most companies expect their vendors to be Type 2 compliant, but it can take months to be ready for audit and then further months to collect evidence to prove you are compliant. A SOC 2 Type 2 audit period of 6 months or longer is generally considered acceptable, although it is possible to get certificates covering shorter periods.

To Infinity And Beyond

Once you are SOC 2 compliant, you need to stay SOC 2 compliant. You will be audited every year, so it's important to put the checks and balances in place to ensure that as you grow you will remain compliant. You'll also need an annual refresh of documentation and evidence.

Trust Criteria

There are five different trust criteria for SOC 2:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

Important: You do not need to be compliant in all five trust criteria! In fact most companies are not!

Only security is compulsory.

Availability and Confidentiality trust criteria are also common. Processing Integrity and Privacy require more rigorous checks and more expensive processes and monitoring.

It's critical to carefully scope your audit and understand what your business needs. Over-scoping can easily double your compliance burden.

It CANNOT Be Soloed

Let me repeat. It cannot be soloed (unless you are a company of 1). SOC 2 requires the whole company to take it seriously. It is everybody's responsibility to keep the company secure, it cannot be one person's responsibility.

There are parts of SOC 2 which belong to operations, HR, recruitment and even the board of directors. Some of the toughest parts of achieving compliance are getting buy-in from the entire business.

Processes

As a CTO, there are processes you can put in place early to make passing the audit easier later on:

  • An SDLC process
  • CI/CD pipelines
  • Mandatory Pull Request Reviews
  • Linking JIRA Tickets to PRs
  • Security Scanning (SonarCloud makes this easy)
  • Use a Password Manager
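As an added example (my own code written for this article, not anything from the original post or from any compliance tool), here is a small Python check that turns two of the items above into something an auditor can sample from your repository: that each pull request references a JIRA ticket key, and that it was approved by at least one person other than its author. The ticket-key pattern, the `PullRequest` shape and the sample pull requests are constructed assumptions; in practice the metadata would come from your git hosting provider's API.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed ticket-key format (e.g. "ENG-42"): uppercase project key, dash, number.
TICKET_KEY = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")


@dataclass
class PullRequest:
    """Minimal PR metadata; a hypothetical shape, not any provider's real API object."""
    number: int
    title: str
    branch: str
    author: str
    approvals: List[str] = field(default_factory=list)


def linked_ticket(pr: PullRequest) -> Optional[str]:
    """Return the first ticket key found in the PR title or branch name, or None."""
    for text in (pr.title, pr.branch):
        match = TICKET_KEY.search(text)
        if match:
            return match.group(0)
    return None


def independent_approvers(pr: PullRequest) -> List[str]:
    """Approvals by the author do not count as peer review."""
    return [name for name in pr.approvals if name != pr.author]


def check_pr(pr: PullRequest, min_approvals: int = 1) -> Dict[str, Tuple[bool, str]]:
    """Evaluate the two controls for one PR: control name -> (passed, detail)."""
    ticket = linked_ticket(pr)
    approvers = independent_approvers(pr)
    return {
        "ticket_linked": (
            ticket is not None,
            ticket or "no ticket key in title or branch",
        ),
        "peer_reviewed": (
            len(approvers) >= min_approvals,
            f"{len(approvers)} independent approval(s): {approvers}",
        ),
    }


def audit(prs: List[PullRequest]) -> List[Tuple[int, str, str]]:
    """Collect failing controls across a sample of PRs as (number, control, detail)."""
    findings = []
    for pr in prs:
        for control, (passed, detail) in check_pr(pr).items():
            if not passed:
                findings.append((pr.number, control, detail))
    return findings


# Constructed sample data: one clean PR, one self-approved PR with no ticket,
# and one unreviewed hotfix whose ticket is only in the branch name.
SAMPLE_PRS = [
    PullRequest(101, "ENG-42 Add rate limiting", "feature/ENG-42-rate-limit", "alice", ["bob"]),
    PullRequest(102, "Fix typo", "fix/typo", "bob", ["bob"]),
    PullRequest(103, "Hotfix prod outage", "hotfix/ENG-77", "carol", []),
]

if __name__ == "__main__":
    for number, control, detail in audit(SAMPLE_PRS):
        print(f"PR #{number}: {control} failed ({detail})")
```

Running a check like this on every merge, and keeping its output, gives you the kind of continuous evidence the Audits section below asks for, rather than reconstructing it months later.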

Cheat Mode

I've carried out SOC 2 processes in spreadsheets and also with specialist compliance tools such as SecFix, Drata and Vanta. The specialist tools seem expensive, but please trust me, they are more than worth it. These tools often allow you to automate certain processes to prove compliance, and to store your compliance data in a single place.

As I mentioned, these tools can be pricey - but if you shop around you can haggle a decent price. They are all fairly level in terms of feature set, so you can use this to your advantage.

Audits

Start collecting evidence from day one of your audit period, not months in. I've seen companies scramble to find 6+ months of missing evidence. This is not the way. Ensure you are collecting and know where to find your evidence from the start.

As well as tooling, you'll also need to pay for an auditor. A lot of compliance tools have recommended auditors who know their tooling well.

Toward the end of the audit period, your auditors will want to interview the team and look at the evidence you have gathered. This is a whole team effort, and auditors will want to see that the whole company is interested in security - not just technology.

It's not a Pass or Fail

Unlike a driving test, you cannot pass or fail a SOC 2 audit. You can do badly in it, but an auditor won't fail you. Instead, at the end of an audit the SOC 2 auditor will list the gaps that they have found and you will be given a chance to respond to them. This report will be what you share whenever a client, customer or vendor requests it.

Whilst it's not great news for an auditor to find some gaps, it is common. I've seen many SOC 2 reports with observations of controls that were not passing.

The important factor is to ensure you don't repeatedly fail for the same issues. Make sure you budget for remediation time. Even with good preparation, you'll likely need to address some findings post-audit.

Keep an Eye on Onboarding

In my experience the area that is most likely to fail an audit is the Employee Onboarding experience. A new employee who hasn't signed the code of conduct, the acceptable use policy, or completed the mandatory security training can catch you out. And unfortunately, an auditor has to report it.

What about ISO 27001?

While SOC 2 primarily focuses on proving you've implemented security controls that protect customer data, ISO 27001 also asks you to prove you have an operational information security management system (ISMS) in place to manage your InfoSec program on a continual basis.

In my experience, SOC 2 is a good stepping stone to ISO 27001 certification. ISO 27001 seems to be better regarded as a compliance standard in Europe, whilst SOC 2 is more popular in the US.

Conclusion

As you can see from this article, SOC 2 compliance is quite involved and requires a lot of planning and preparation. It's valuable once complete, but ensure you are prepared for the investment it carries.


Andi Smith is a passionate technical leader who excels at building and scaling high-performing product engineering teams with a focus on business value. He has successfully helped businesses of all sizes from start up, scale up to enterprise build value-driven solutions.