What’s Really Needed for SOC 2?
If you’re reading this post, it’s pretty likely that somebody at your company–maybe you!–decided that it might be smart to get a SOC 2 assessment done. Maybe one of your potential customers says it’s a requirement for them. Welcome to the wonderful world of security compliance!
You probably have some questions about what it really takes.
What is SOC 2, actually?
SOC stands for System and Organization Controls, and it’s defined by the Association of International Certified Professional Accountants (AICPA). The goal of a SOC 2 report is to provide “information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” (There are also SOC 1 and SOC 3 reports, but SOC 2 is the most common.)
It's essentially a document that says:
The SOC 2 report itself is produced by a licensed auditor, and they’ll ask for a lot of documents, ask a lot of questions, and ask you to provide evidence that your processes and controls are working as designed. In the end, a SOC 2 report doesn’t have a pass or fail determination, but if there are any notable gaps (called “exceptions”) those will be captured in the attestation report.
There are Type I and Type II reports. You might have read somewhere that Type I focuses on the design of the controls, while Type II focuses on the effectiveness. What this really means is that Type I is just about what you say you do. In my mind, that’s not even an audit, it’s just a review of your policies and procedures. Type II is where the auditor will look for proof that you’re actually doing what you say you do, and that's the one your customers are going to want.
It’s worth noting that SOC 2 isn’t a list of specific things you have to do. It’s more like a list of high level goals, and it’s up to you to say how you address those goals (policies and procedures), and then you’re asked to show that you follow your own processes.
Who’s the audience for the report?
Your customers and prospects are the ones who are going to ask for it. Many companies–and effectively all larger, mature companies–have a process for vetting new software vendors, and SOC 2 reports are a very common way to show adherence to key practices. They’ll be read (ok, maybe skimmed) by whoever does security review for your target customer. It might be the compliance team, the security team, or a third party handling review.
Guess what? A process for vetting vendors is one of the things you’ll be asked about as part of your SOC 2 assessment. And that process usually involves asking for a SOC 2 report, if not requiring one.
What do you need for SOC 2?
An auditor
You’ll need to sign up with an auditing firm that does SOC 2 reports. That could be one of the Big Four firms, though more likely you’ll want to go with a smaller, more affordable firm, especially to start. These are the people who will ask all the questions, gather information and evidence, and write the report. There’s typically an initial review period, then the official audit window, and then the report finalization and delivery.
A platform
You can make it through an audit just with a lot of screenshots and spreadsheets, but there’s a reason that compliance platforms like Vanta, Drata, and Secureframe (among others) have become popular. They provide structured management of evidence and tasks, and their integrations with third party systems like cloud providers, code repositories, and other SaaS tools mean that a fair amount of the data can be brought in automatically.
These platforms also now typically include tools to make some of the operational work easier, like vendor reviews, access reviews, and even hardware inventory tooling for company laptops and workstations.
These platforms help structure the work, and automate some of it, but at the end of the day there’s still a lot of work to do.
Audit-ready policies
Policy drafting is often a major part of the first phase of SOC 2 prep work. Your auditors will want you to address a wide range of topics, including things like vulnerability management, asset management, incident response, password and secret management, business continuity and disaster recovery, HR policy, and others. These don’t have to be long, but they have to be clear and reasonable.
These should also be written such that you’re comfortable sharing them with customers and prospective customers. Some of them will ask to see your policies as part of the procurement process. Some may even require you to have them as part of the contract language.
Audit-ready operations
This is where most of the real work is, and it’s why it’s worth being very thoughtful and deliberate when you’re writing policies.
Like I said before: the SOC 2 assessment is largely checking to see if you do what you say you do. Which means anything you say you do, you have to actually do.
If you copy and paste policies from some template or some other company’s documents, you are still bound to do all the things they say. And even if you are writing your own, you should only be adding controls that you’re prepared to back up with action every time.
Or, put differently:
You will need to do things like getting an outside assessment of security, like an annual penetration test.
You’ll need good practices around backups, system monitoring, encryption, access control, code review, customer data segmentation, and remote access.
You'll need to have an incident response plan, and you'll need to use tabletop exercises or similar methods for testing the process and operational knowledge.
You’ll need to track assets: laptops, data stores, code repositories, cloud compute resources, etc.
You’ll need to track and vet third party vendors.
What’s it cost?
That depends–are we measuring time, money, or both? You can search around to get a sense of pricing for auditors, compliance platforms, and pen testing services. All together, for a small company, those will probably run in the low tens of thousands of dollars.
That’s not nothing, but there are three other areas that can add up to even bigger potential costs.
The cost of your time and focus
If you’re a small company, you probably don’t have a full time compliance or security person to put on this project. Maybe you have a founder work on it, or maybe one of your engineers. That’s a huge distraction, and it’s stressful and time consuming for someone without the domain expertise to take on a high risk project like SOC 2.
The cost of new operational overhead
Anything you promise in your policies now has to actually happen. It needs to happen reliably and consistently. For that to happen, you need somebody in charge of the process, and you need time from people across your company to actually do the work. Some of this is necessary to get good practices in place, but it’s also possible to accidentally take on unneeded responsibility, and it’s definitely possible to sink a bunch of time into suboptimal processes and tools.
The cost of new SaaS vendors
Depending on the choices you make, you may need or want to invest in new tools for things like asset management, access requests and reviews, vulnerability assessment and remediation, or other areas. If you can, it’s worth carving out some budget to keep the operational burden of these new responsibilities at a manageable level.
How Monorail can help
The SOC 2 process can be really stressful, especially the first time. I advise companies and help them manage the whole process, including compliance platform setup, policy drafting, SaaS tool evaluation and setup, running tabletop preparedness exercises, and more. For some tools and platforms, I can offer preferred pricing, too.
I also have an initial self-assessment questionnaire that’s designed to give a sense of what gaps there might be between your current practices and what you’ll want in place for SOC 2. If you choose to fill it out and send it to me, I can provide an initial review for you free of charge, and then we can see if it makes sense for us to work together going forward.
I help companies do this with low stress, reasonable time investment, and great outcomes.
Here’s how I put it:
Stop worrying. Don’t waste your time. Do things that make sense. Get real work done. Get great tools with excellent pricing.
Why trust Monorail?
Monorail Technology is run by Jesse Kriss, a pioneer in user-focused security who was the first security hire at Watershed, where he built out the security, compliance, and IT programs and toolsets from scratch, carried them through multiple successful audits, and ensured that multiple Fortune 500 companies had high confidence in Watershed's security practices.
Prior to Watershed, he spent 6.5 years on the security team at Netflix, widely known to be among the best in the business.
Beyond Watershed and Netflix, Jesse has experience working at companies from 3 to 300,000 people, including PricewaterhouseCoopers, IBM Research, the Obama 2012 Tech Team, and NASA/JPL.
Monorail provides hands-on SOC 2 help for startups going through it for the first time. De-stress your compliance experience and get hands-on help.