Making the decision to get a SOC 2 audit is a very important one. Passing the evaluation establishes that your company takes security, and its role in responsibly using data and technology, seriously. However, doing so requires a lot of time, effort, and resources to complete, and not doing it well enough can result in an audit failure. At Revio, we passed our SOC 2 Type II audit in January of 2023, and we learned a lot along the way. Below you’ll find a few of the lessons we learned that we felt were worth sharing:

The first thing to know about a SOC 2 audit is that, for some companies, it is a mandatory requirement for doing business. Since our customers are banks, the information that we ask for and provide is among the most sensitive forms of Personally Identifiable Information (PII). It is absolutely necessary that we secure every possible vector of transit, storage, and machine or human interaction. Additionally, all of the infrastructure that we create needs to be locked down to only the most limited and audited access.

Building a solution that accomplishes all of this can be done, but it requires juggling hundreds of different controls and standards. Leveraging the SOC 2 framework not only allows your accomplishments to be immediately recognized, but also gives you a guideline to follow on which steps and solutions to address.

A SOC 2 Type II audit report isn’t the only thing to consider. While you’re in the process of getting your SOC 2 audit, you can have the auditor produce a Type I report that attests that you have a strategy that appears to satisfy all of the SOC 2 controls. It takes at least three (3) months of audit and review to receive your Type II report, so having the Type I can be useful in the meantime, but avoid spending too much time and money on an audit without actually passing it.

Another consideration is which Trust Service Principles (TSP) are valuable for your company to achieve. There are five (5) possible ones: Security, Privacy, Availability, Confidentiality, and Processing Integrity. Security is mandatory, but any of the others are available for you to achieve and have audited as you see fit. Whichever TSPs you choose to fulfill should best fit your industry and your company’s own requirements. We chose to pursue Security, Availability, and Confidentiality since they addressed the relevant concerns of cloud-based architecture, sensitive data, and SaaS businesses.

One final recommendation before getting started is to make sure you have buy-in across all of your teams. Coordinating a successful SOC 2 strategy requires collaboration across every team, from Operations to Engineering. Make sure that each team understands its responsibilities in assisting with the project, and establish regular meetings or rituals to check in, remove blockers, and keep everyone focused over time.

These are key organizational elements to consider before undertaking any effort towards building your SOC 2 solution. In our next article, we’ll explore what else will be relevant when developing and implementing this solution.

Next article: Vendor Security & SOC 2 (Part II): Planning, Questions to Ask, and Aligning Functional Teams