How to Manage Your SOC 2 Certification and Be Successful

by WebLab Technology, April 26th, 2023


Every SaaS provider goes through a review process before the integration phase with a large or medium-scale business. This is especially important for American corporations but is also widely accepted worldwide. WebLab Technology had its own experience with SOC 2 certification while working with Shaman BV.

Why not ISO 27001?

ISO 27001 is a standard for ensuring proper management of digital assets such as financial information, intellectual property, employee details, or information entrusted by third parties.


SOC 2 is more widely accepted and is usually preferred by US and Canadian companies.


Also, I find it helpful that SOC is split into SOC 1 and SOC 2. The first stands for financial control, so SaaS providers can focus only on SOC 2.



During a SOC 2 certification, a company is evaluated against a set of trust service categories that provide the backbone of the assessment:

  1. Security. Systems and the data stored are protected against unauthorized access and disclosure.
  2. Availability. Information and systems are available for operation and use.
  3. Confidentiality. Confidential information is protected.
  4. Processing integrity. System processing is complete, valid, accurate, timely, and authorized. Customer data remains correct throughout data processing.
  5. Privacy. Personal information is collected, used, retained, disclosed, and disposed of in accordance with pre-stated policies.

SOC 2 Technical Components

It’s important to understand that SOC 2 is not only about security.


Data managed by SaaS providers could be crucial for businesses as a whole. Depending on the integration depth, even a short-term outage might lead to considerable financial or reputational losses. That’s why it is essential to ensure that a SaaS provider maintains best practices.

SOC 2 consists of numerous control points, for example:

  • Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation.
  • The company utilizes a log management tool to identify events that may potentially impact the company’s ability to achieve its security objectives.
  • The company’s penetration testing is performed at least annually. A remediation plan is developed, and changes are implemented to remediate vulnerabilities in accordance with SLAs.


And so on. At the moment there are 235 such technical control points in total. Control point statuses should be regularly updated and maintained.

SOC 2 Type 1 & 2

SOC 2 is represented in Type 1 and Type 2.


Type 1 is a point-in-time audit on a date chosen when the audit is requested. It is reasonable to plan for at least six months to prepare for Type 1.


Type 2 shows how the controls operate over a period of time, usually 6–12 months after Type 1. During this process, the auditor goes through all control points in a historical view.


However, if control points were missed for a substantial part of that period, then even if every control point passes at the moment of the audit, the auditor may request an additional 6–12 months of evidence. Consistency is required.
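As an added example (not code from the original post, nor from Vanta or WebLab), here is a small Python checker that evaluates two of the control points quoted above against constructed evidence records: the point-in-time (Type 1) status of the quarterly scan control and of critical/high remediation tracking, plus a historical (Type 2) count of days on which the scan cadence was missed over an audit window. The 91-day cadence follows the control text; the 15/30-day remediation SLAs, host names, dates and findings are assumptions.

```python
from datetime import date, timedelta
# Cadence from the control point quoted above; the remediation SLAs are assumed values.
SCAN_INTERVAL_DAYS = 91                                # "at least quarterly"
REMEDIATION_SLA_DAYS = {"critical": 15, "high": 30}    # assumed, not from the page

def scanned_within_cadence(scan_dates, day):
    """True if the host was scanned in the quarter preceding `day`."""
    return any(0 <= (day - s).days <= SCAN_INTERVAL_DAYS for s in scan_dates)

def check_scan_cadence(hosts, today):
    """Point-in-time (Type 1) check: every external-facing host scanned this quarter.
    hosts: {name: {"external": bool, "scans": [date, ...]}}; returns failing host names."""
    return [name for name, h in hosts.items()
            if h["external"] and not scanned_within_cadence(h["scans"], today)]

def scan_gap_days(hosts, start, end):
    """Historical (Type 2) view: number of days in [start, end] on which some
    external-facing host had no scan within the preceding quarter."""
    gaps, day = 0, start
    while day <= end:
        if check_scan_cadence(hosts, day):
            gaps += 1
        day += timedelta(days=1)
    return gaps

def overdue_findings(findings, today):
    """Critical/high findings older than their SLA (open ones measured up to today);
    lower severities are tracked but carry no SLA here."""
    overdue = []
    for f in findings:
        sla = REMEDIATION_SLA_DAYS.get(f["severity"])
        if sla is None:
            continue
        closed = f["remediated"] or today
        if (closed - f["opened"]).days > sla:
            overdue.append((f["host"], f["severity"]))
    return overdue

# Constructed evidence for a small environment (not real data).
TODAY = date(2023, 4, 26)
HOSTS = {
    "api-gw": {"external": True, "scans": [date(2022, 10, 10), date(2023, 1, 5), date(2023, 4, 3)]},
    "web-01": {"external": True, "scans": [date(2022, 12, 20)]},  # last scan is stale
    "db-int": {"external": False, "scans": []},                   # not external-facing
}
FINDINGS = [
    {"host": "api-gw", "severity": "critical", "opened": date(2023, 3, 1), "remediated": date(2023, 3, 10)},
    {"host": "web-01", "severity": "high", "opened": date(2023, 2, 1), "remediated": None},
    {"host": "web-01", "severity": "medium", "opened": date(2023, 1, 1), "remediated": None},
]
```

Run over this evidence, the Type 1 check flags web-01 for a stale scan, the Type 2 view counts ten days in Q1 on which the cadence was missed, and the open high finding on web-01 is past its SLA.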

SOC 2 is not only about technical points


SOC 2 has numerous administrative principles:


Management:

  • The entity identifies risks.
  • The entity internally communicates information, including objectives and responsibilities for internal control.
  • The entity communicates with external parties, including clear risk identification.


Board of directors:

  • The board of directors demonstrates independence from management.
  • Management establishes, with board oversight, structures and reporting lines.


HR:

  • The entity demonstrates a commitment to attracting, developing, and retaining competent individuals in alignment with its objectives.
  • The entity holds individuals accountable for their internal control responsibilities.


The list of principles is not complete. These principles break down into numerous more concrete control points.

Apart from a strong team, you need tooling and processes. It is not one-time work — it is constant maintenance.


We should ensure that change and control are not just talked about. There is an excellent quote from.


We had to introduce dozens of policies, improve the architecture, and introduce numerous monitoring solutions like Trend Micro Conformity, Wazuh, Sentry, and Datadog.


We prefer to work with AWS, so we have also been using a dozen of their tools, like AWS Inspector, AWS WAF, AWS KMS, AWS Secrets Manager, AWS CloudTrail, and others.


But the biggest game changer is Vanta. They provided us with a better preparation framework and continuous monitoring of security and compliance.


We also find the AWS Well-Architected Framework a good starting point, even if SOC 2 is not yet required. Its Operational Excellence, Security, Reliability, and Sustainability pillars heavily overlap with what is expected in SOC 2.

And finally — how to set up for success?

Like with many other things, you need Team, Approach, and Process.

  1. Hire a skilled R&D team with DevOps and SysOps. A subteam should be allocated to be responsible for preparing for SOC 2 with clear leadership.
  2. Get a security consultant. It is better to choose an external consultant or a company. For most SaaS companies, having a full-time security specialist on the team is overkill.
  3. Have clear timelines. Expect 6–12 months for Type 1 and another 6–12 months for Type 2.
  4. Start early, especially with documentation, policies, and architectural changes.
  5. Request penetration testing early.
  6. Integrate frameworks and compliance monitoring tools.

Audit time

SOC auditors are independent certified public accountants (CPAs) who work with the SOC suite to evaluate and report on the controls at a service organization. It is worth looking at Sensiba San Filippo, Seiler, and Hood & Strong. We at WebLab worked with the first one.


There are numerous CPAs on the market. Suggested selection criteria:

  1. Communication. It is wise to have a meeting with CPAs while choosing one. Even if they are highly professional, communication with some CPAs is smoother than with others.
  2. Timelines. Some CPAs might not be available during the period you need.
  3. Client preference. If the integration is driven by a request from a client, that client may also have expectations about which auditor is used.


An audit for Type 1 takes a few weeks, usually up to 5.


Good luck!


About the author

Oleksandr Knyga is a Solution Architect and open-source believer with a big passion for Software Development.


Oleksandr lives the life of a digital nomad. When not tapping on the keyboard, he can be found hiking, snowboarding, fishing, and exploring the city. Oleksandr has an MBA and a Computer Science Master’s degree.

