SOC 2 Certification Basics, Tips, and Benefits
Yes, Your Small Company Can Get Your SOC 2 Certification!
Posted: October 27, 2021
There’s a lot of hype around data security and privacy these days and for good reason. With our digital world evolving so quickly, it’s complicated for some to keep up and establish the trust needed with their clients, buyers, and prospects. We are Aidentified, a SaaS and data services startup with just over 20 employees and 500 clients, and we’re here to tell you that security certification for data protection compliance is possible, and in fact, very attainable for small businesses focused on data services.
In this article, we will dive into the basics of the SOC 2 certification, why completing the certification is important for businesses, and offer tips based on our experience with SOC 2 to help you get started.
What is SOC 2?
SOC 2, formally known as Service Organization Controls 2, was developed by the American Institute of CPAs (AICPA) to ensure organizations have proper controls in place to protect the security and privacy of information. The security measures established by SOC 2 controls not only provide for customer data protection, but also employee data. In order to obtain this certification, an audit is performed to assess, classify and certify that all data sets and systems are secure within a company.
Types of SOC 2 certifications
There are two types of SOC 2 certifications that your company can achieve: SOC 2 Type 1 and SOC 2 Type 2. The major difference between Type 1 and Type 2 is as follows:
- Type 1: Assesses the design of your company’s security controls and processes at a specific moment in time.
- Type 2: Tests the effectiveness of those controls and processes by evaluating them over a longer period (sometimes a 6-month period, but more often a 12-month period).
We decided to start with Type 1: it is important to get the design of your security controls right, with all the necessary elements and reporting in place, before going for SOC 2 Type 2 certification.
SOC 2 Certification – what does having a SOC 2 certification mean?
To achieve a SOC 2 certification, you must hire an authorized SOC 2 auditor who can evaluate your security measures and certify that your company meets all of the standards. Speaking of standards, there are 5 categories guiding SOC 2 compliance, which are known as the Trust Service Criteria: security, privacy, availability, processing integrity, and confidentiality.
Generally, companies do not immediately seek certification against all of these trust criteria. The most common SOC 2 principles that are audited against are security, availability and confidentiality. The criteria for these three trust principles include:
- Security: According to the AICPA, the security principle refers to the protection of information and systems against unauthorized access and unauthorized disclosure of information. IT security infrastructures, like network firewalls and access control, are some of the ways organizations can protect against unauthorized access.
- Availability: This describes how an organization’s information and systems are maintained. Oftentimes this involves organizations implementing monitoring controls to ensure the security, availability, and performance of its product.
- Confidentiality: This refers to the organization’s ability to keep certain information confidential and available only to a specific set of people within the organization. This type of data might include personnel information, pricing lists, intellectual property, and contractual agreements.
Why should your small company get its SOC 2 Security Certification?
First, let’s answer why getting your SOC 2 is important, even as a small, growing company.
- Industry standard: It’s becoming industry standard for data and technology companies to have a security certification such as SOC 2.
- Customers require: It may be the only way you can partner with certain customers.
- Increased legitimacy: It will increase your legitimacy as a small startup company.
- Full data audit and evaluation: It forces you to review and assess your organization’s data assets, data classification and data management. This will allow you to ensure that you treat confidential data, such as consumer PII (personally identifiable information) and customer data, with the appropriate security controls.
- Due diligence and RFPs (Requests for Proposal): It will help you respond to vendor due diligence questionnaires more quickly and with more substantive information on your documented security policies and procedures.
Our road to SOC 2 certification
Since we launched our product in late 2019, we have worked hard to implement the right data privacy and security practices to handle and protect our customer data and the data in our internal systems. By mid-2020, we recognized our growth and goals, and knew that for all of the 5 reasons above, we needed to look at affirming our commitment to data security in a more pronounced way.
In late 2020, we hired Juliana Spofford, formerly Chief Privacy Officer at Dun & Bradstreet, to help ensure that we were doing the right thing from a compliance perspective and to put our security protocols into overdrive. In February of 2021, after only a few years of operating Aidentified, we knew it was time to embark on our quest for our SOC 2 Type 1 certification, and by the end of the month we had signed an agreement with a SOC 2 readiness company/platform provider, Vanta. We were off to the races!
3 Tips to Starting Your SOC 2 Certification
Here are the 3 tips we found most important in preparing and setting up for a successful completion of our SOC 2 certification:
1. Get an IT Provider in place
IT providers are critical in enabling you to secure your company systems and apps, encrypt your company devices, and manage your on- and off-boarding of employees. As a small company, we found it made the most sense to outsource our IT services. IT providers often offer a 50% reduction in IT spend and standardized security across devices, apps, and networks, whether you’re on-site or remote. For companies up to about 100 employees in size, it may be a more cost-effective solution to manage your IT with an IT provider. There are many to choose from, but after much research and vetting, we chose to partner with Electric AI.
2. Choose your SOC 2 Core Team
At the time, our company consisted of 20 people, so here’s who we named to our internal SOC 2 squad:
- Our Chief Technology Officer
- A DevOps Engineer
- Our Chief Privacy Officer/General Counsel
- A consultant Compliance Engineer
- Our internal IT liaison with Electric, our IT provider
Additionally, we recommend starting to think about choosing an auditor as early in the process as possible. Auditors are valuable advisors and can help answer questions as you start preparing for the SOC 2 audit. We worked with GeelsNorton, a fantastic partner with expertise in small SaaS businesses.
3. Choose a cloud-based SOC 2 compliance management platform
There are many SOC 2 compliance readiness platforms, including Vanta, Drata, Secureframe and more. This was a critical aspect of organizing our compliance quest. Once we officially partnered with Vanta, they provided us with a secure platform that helped keep our team on task, organized our to-do’s, reminded us of items that needed to be accomplished, synced with our cloud systems for critical vendors, and ran vulnerability checks against vendor platforms. Being a small company, we couldn’t have done this without them!
Aligning your resources against these three tips will set your team up for the upcoming months where you’ll be doing internal auditing, reviewing, policy writing, and refining the pieces to your puzzle to achieve better internal data protection and, eventually, your SOC 2 security certification.