Is it time to get a SOC 2?

If you are here… probably yes

Likely you are starting to talk to potential enterprise clients who already have their SOC 2, and they are asking you for yours. You may never have heard of a SOC 2, or you may know it is something enterprises deal with, but if nothing else it is clear to you now that if you want to land enterprise deals you will have to get one. The good news is that you are about to land enterprise clients and hopefully make some real money. The bad news is that the road there is likely to be a bit bumpy. Fortunately, we are happy to deal with those bumps for you.

What is a SOC 2?

SOC stands for System and Organization Controls (originally Service Organization Control), an auditing framework developed by the American Institute of CPAs (AICPA). Service organizations, including most SaaS and technology companies, undergo a SOC 2 examination to assure their clients that they handle customer data with security and confidentiality in mind.

A common misconception is that SOC 2 is a certification, but that is incorrect. It is an attestation report in which an independent auditor evaluates a company's controls against the AICPA's Trust Services Criteria (formerly the Trust Service Principles): security, availability, processing integrity, confidentiality, and privacy. Security is the one category every SOC 2 must cover; the other four are included only if they are relevant to the services you provide.

There are two types of SOC 2 reports. A SOC 2 Type 1 evaluates and reports on the design of a company's controls at a specific point in time. A SOC 2 Type 2 assesses both the design and the operating effectiveness of those controls over a defined observation period, typically three to twelve months.

SOC 2 Type 2 has become the standard that companies expect from each other as evidence that a vendor can be trusted with their data.

Great, so how do you get a SOC 2?

Well, this is the part where you hear some bad news. From a documentation standpoint, you likely have very little of what you need to get a SOC 2. But that is okay! Let's walk through, at a very high level, what getting a SOC 2 will look like.

  1. Engage a third-party firm to audit your information security program. Because a SOC 2 is an attestation report, the auditor must be a licensed CPA firm.

  2. Perform a gap analysis to identify where you are falling short of the criteria.

  3. Remediate the identified gaps.

  4. Create any necessary policies and procedures to document all of your controls.

  5. Undergo the audit and address any findings.

  6. Receive your SOC 2 report.

  7. Enter the maintenance phase and review your controls regularly so that your next audit season is a breeze. Remember that a Type 2 covers an observation period, so the controls have to keep operating between audits, not just on audit day.

I need a SOC 2 fast…

Great, we are here to help. There are SaaS compliance platforms that can help you fast-track your compliance program, and we can guide you through the rest. Much of the work is mapping where you are today to where you need to be in a meaningful way, and it helps to have someone who has been through it countless times.

Luckily for you, we have strong relationships with several of these SaaS compliance platforms, so we can fast-track your onboarding and can often provide a discount along the way.

Thoropass is a tier one amomitto partner and fantastic to work with. They provide every policy and procedure template you could need for SOC 2, SOC 1, GDPR, ISO 27001 and 27002, PCI DSS, HIPAA, and CCPA.