Every SaaS provider goes through the review process before the integration phase with a large or medium-scale business. This is especially important for American corporations but is also widely accepted worldwide. had its own experience with the SOC2 certification while working with . WebLab Technology Shaman BV Why not ISO 27001? ISO 27001 is a standard for ensuring proper management of digital assets such as financial information, intellectual property, employee details, or information entrusted by third parties. SOC 2 is more widely accepted and is usually preferred by US and Canadian companies. Also, I find it helpful that SOC is split into SOC 1 and SOC 2. First stands for financial control. So, SaaS Providers could focus only on SOC 2. During a SOC 2 certification, a company is evaluated against a set of trust service categories that provide the backbone of the assessment: . Systems and the data stored are protected against unauthorized access and disclosure. Security . Information and systems are available for operation and use. Availability . Confidential information is protected. Confidentiality System processing is complete, valid, accurate, timely, and authorized. Customer data remains correct throughout data processing. Processing integrity. . Personal information is collected, used, retained, disclosed, and disposed of by pre-stated policies. Privacy SOC 2 Technical Components It’s important to understand that SOC 2 is not only about security. Data managed by SaaS providers could be crucial for businesses as a whole. Depending on the integration depth, even a short-term outage might lead to considerable financial or reputational losses. That’s why it is essential to ensure that a SaaS provider maintains best practices. SOC 2 consists of numerous control points, for example: Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. The company utilizes a log management tool to identify events that may potentially impact the company’s ability to achieve its security objectives. The company’s penetration testing is performed at least annually. A remediation plan is developed, and changes are implemented to remediate vulnerabilities in accordance with SLAs. And so on. In total, at the moment, there are 235 similar technical control points. Control point statuses should be regularly updated and maintained. SOC 2 Type 1 & 2 SOC 2 is represented in Type 1 and Type 2. Type 1 stands for a point-in-time audit on a date chosen with the audit request. It is reasonable to plan for at least six months to prepare for Type 1. Type 2 shows how controls operate over a period of time, usually 6–12 months after Type 1. During this process, the auditor goes through all control points in the historical view. However, suppose there are misses for control points for a substantial period. Then, even if it successfully passes control points at this very moment, it is possible that the auditor would request an additional 6–12 months. Consistency is required. SOC 2 is not about technical points SOC 2 has numerous administrative principles: Management: The entity identifies risks. The entity internally communicates information, including objectives and responsibilities for internal control. The entity communicates with external parties, including clear risk identification. Board of directors: The board of directors demonstrates independence from management. Management establishes, with board oversight, structures and reporting lines. HR: The entity demonstrates a commitment to attracting, developing, and retaining competent individuals in alignment with its objectives. The entity holds individuals accountable for their internal control responsibilities. The list of principles is not complete. These principles reduce to numerous more concrete control points. Apart from a strong team, you need tooling and processes. It is not one-time work — it is constant maintenance. We should ensure that change and control are not just something that is only talked about. There is an excellent quote from. We had to introduce dozens of policies, improve architecture and introduce numerous monitoring solutions like , , , and . Trendmicro Conformity Wazuh Sentry DataDog We prefer to work with AWS, so we have also been using a dozen of their tools, like , , , , , etc. AWS Inspector AWS WAF AWS KMS AWS Secrets Manager AWS CloudTrail But the biggest game changer is . They provided us with a better preparation framework and continuous monitoring of security and compliance. Vanta We also find the a good starting point, even if SOC2 is not yet required. Operational, Security, Reliability, and Sustainability pillars heavily overlap with what is expected in SOC2. AWS Well-Architected Framework And finally — how to set up for success? Like with many other things, you need Team, Approach, and Process. Hire a skilled R&D team with DevOps and SysOps. A subteam should be allocated to be responsible for preparing for SOC 2 with clear leadership. Get a security consultant. It is better to choose an external consultant or a company. For most SaaS companies, having a full-time security specialist on the team is overkill. Have clear timelines. Expect 6–12 months for Type 1 and another 6–12 months for Type 2. Start early, especially with documentation, policies, and architectural changes. Request Penetration testing early. Integrate frameworks and compliance monitoring tools. Audit time SOC auditors are independent certified public accountants (CPA) who work with the SOC suite to evaluate and report on the controls at a service organization. It is worth looking at , , . We in WebLab had been working with the first one. Sensiba San Filippo Seiler Hood & Strong There are numerous CPAs on the market. Suggested selection criteria: . It is wise to have a meeting with CPAs while choosing one. Even if they are highly professional, communication with some CPAs is smoother than with others. Communication . Some CPAs might not be available during the period you need. Timelines . If integration happens based on the request received from the client, they might also have some expectations. Client preference An audit for Type 1 takes a few weeks, usually up to 5. Good luck! About the author __ __is a Solution Architect and open-source believer with a big passion for Software Development. Oleksandr Knyga Oleksandr lives the life of a digital nomad. When not tapping on the keyboard, he can be found hiking, snowboarding, fishing, and exploring the city. Oleksandr has an MBA and a Computer Science Master’s degree. Also published . here

This story contains new, firsthand information uncovered by the writer.

The writer is smart, but don't just like, take their word for it. #DoYourOwnResearch before making any investment decisions or decisions regarding you health or security. (Do not regard any of this content as professional investment advice, or health advice)

How to Manage Your SOC 2 Certification and Be Successful

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Celebrating 10 years of WebLab Technology: Our Story of Growing Through Dedicated Teams

The Noonification: How Amazon Treats Warehouse Workers Who Contracted COVID (11/30/2022)

10 Free Ways to Promote Your Amazon Products

10 Failed Startup Product Examples by Google, Microsoft and Amazon

10 Best Infographics Of 2018

Celebrating 10 years of WebLab Technology: Our Story of Growing Through Dedicated Teams

The Noonification: How Amazon Treats Warehouse Workers Who Contracted COVID (11/30/2022)

10 Free Ways to Promote Your Amazon Products

10 Failed Startup Product Examples by Google, Microsoft and Amazon

10 Best Infographics Of 2018

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps