In November 2022, we released our SOC 2 Type I report to demonstrate our commitment to securing our clients sensitive information assets.
Achieving SOC 2 Type I was a 6 month project for us. We could have done it quicker, but we saw it as a good opportunity to lay all the right foundations. It was ongoing in parallel with the implementation of our new platform, Pillar, which the SOC 2 report scope was centred on. Along the way we used partners:
- Citadel-One to help us implement high-compliant AWS infrastructure;
- Drata for continuous monitoring of our compliance and to centralise audit documentation; and
- MJD Advisors as our CPA firm to complete the audit.
We're now in a live SOC 2 Type II audit period that we'll complete over 6 months through to April 2023 when we plan to issue the Type II report.
Why we did SOC 2 and what it means
SOC 2 is a global standard issued by the American Institute of Certified Pubic Accountants (AICPA). It covers a comprehensive set of criteria across a companies operations that embeds effective information security principles. This includes from how the company is managed, to how candidates are hired, onboarded and developed as employees, the processes for effectively communicating with third-parties, managing risk and internal controls in a formal way, and through to the more technical and systematic controls around the infrastructure, systems and sensitive data. Most security breaches have a human element involved, so this broad operational focus and covering the people element of how the company is managed, is really important.
For us, it was important to demonstrate our commitment to information security to our clients. We handle sensitive documentation as part of our audits, and that are uploaded into our platform, Pillar. The flexible criteria-based approach to SOC 2 allows us to customise our controls, to include both our controls over our software platform as well as our people and audit firm related control activities that protect sensitive data during the services we provide to clients.
Our Journey to SOC 2
We started planning for compliance a few months into building our product. We knew it would be important, and that getting ahead of it would save a lot of pain down the road.
We officially “started” in April 2022, with a workshop to map out our compliance options. Our leadership team each presented a case for which standard(s) we thought were best. We kept our options open, and did a readiness assessment to SOC 2, ISO 27001, CSA STAR, and ESG combined (since we’re a B-Corp and plan to issue ESG Reports as well). There’s a surprising amount of overlap between those, including ESG!
We used our readiness assessment software for this. It’s free for anyone to use. It mapped out our controls and gaps to provide a clear path to achieve each standard and with the detailed scoping, criteria mapping, and audit evidence requirements to support compliance with each standard.
This was prior to engaging Drata, so we set up a project board in Trello, and imported cards for each of the outputs from our readiness assessment; including whether they were control gaps or implemented. We assigned owners to each card so we had a view of who was looking after each part.
We got a quote from MJD Advisors. Of course usually we would get a couple of quotes, but being an audit firm ourselves we were happy with their proposal and knew the going rates. We agreed that was the way forward. We spent a bit of time in understanding their approach to ensure we were factoring that into our plans and knew what to expect for the audit.
Then we parked our compliance to put our full focus back onto product and business building. In our business planning we earmarked compliance for Q3/Q4 to coincide with the full launch of our platform, Pillar.
The value of those first steps was that knew what was involved. We had a plan together that we could communicate to customers. We had a rough view of the time required from each person for capacity planing. We also found thereafter, the control gap items would come up organically and we could then kill two birds with one stone. For example, we knew we needed to define our security objectives, so when we did our business planning we included that as part of the overall company objective setting. There were plenty of other examples - it’s definitely worth mapping out your compliance early to have awareness of what’s coming down the line.
In early June we started using Citadel-One for our infrastructure implementation. We had a clear view of the security and compliance requirements from the readiness assessment, and knew what we needed from a product and engineering perspective. So that implementation was able to address both goals easily.
In July, we focused back on compliance as a priority. We had addressed a dozen or so control gaps organically as they came up since April like an org chart, Board meetings, and onboarding and off boarding checklists. But otherwise, we hadn’t put any direct effort into it.
We started using the Drata platform in July and our compliance implementation took about 6 weeks from there. Almost every day, I would log in to Drata and ClickUp, and make progress implementing and documenting our systems, processes and policies.
The timeline for compliance might be the most common question for those initially exploring it. You’ll hear wildly different answers. Software companies have a value prop built around speeding it up. Audit firms want to win your business by showing a quick and easy path, but also need to be careful about expectations since they then need to deliver on them. And there’s a bunch of horror stories out there about companies that took many months, even years. Some that are still in progress for large companies yet to achieve SOC 2.
The most important thing to note, is the timeline is up to you. Theoretically, you could achieve compliance in a few days - if you focused on the key requirements, and didn’t sleep. The audit may be more variable based on the firm you choose, but again it could be done in a few days if everything lined up effectively. The reason you never hear of anyone achieving Soc 2 in days, is because of the practicalities of it. That is:
- It’s not your top business priority
- It usually involves multiple team members
- If you do the minimum to tick a box, it usually means more work and headaches later
- There’s a knowledge gap and learning curve involved
- Compliance is not one-size-fits all, it varies for each company
- You can’t automate it all
- Auditors need to retain independence so they can’t do it for you and sign it off.
We had completed most of our requirements but parked SOC 2 with a few bigger ticket items remaining. With the launch of our platform, it sidelined our attention away from compliance. We regularly see this with our own audit clients, when funding rounds, new feature releases, and other opportunities come up that often take priority over compliance.
When we got back to it in November with our penetration testing scheduled and our infrastructure controls completed, the wrap up was pretty quick. Our report was issued 10th November 2022. Even after issuing hundreds of SOC 2 reports ourselves, it’s hard to explain the excitement we felt in achieving our own SOC 2. Regardless of how you approach it, there’s a lot of hard work involved. Achieving SOC 2 reflects a strong baseline of information security and operating practices that scale.