Overview: Getting Started with Your SOC2 as an Early Stage Startup

As our first Webinar of the year, Edward Gardner guided us through the SOC2 process for early-stage startups on January 9. Ed covered the process from scratch during this informative webinar and visualized each step. So, here is a quick recap of the hot topics we've discussed! 

Quick-Introduction

New England Safety Partners provides security consulting services to help clients prepare for processes like SOC2, ISO 27, and others. As the principal consultant at NESP, Ed walked through the SOC2 process for early-stage startups under the guidance of our co-founder, Serhat Can.

Here are the key takeaways from the webinar:

  • The right time to begin your SOC2 audit process

SOC2 is an attestation from a certified public accountant (“CPA”) that describes how you control your organization's behavior, so it's essential to have policies and procedures in place. Following this, a starting point is reached when people want to start working with a large bank, university, or healthcare system where vendors look at an artifact that demonstrates you are organized and systematic. It's all about checks and balances.

  • The benefits of starting with your SOC2 early

As soon as you start writing policies and procedures, selling them to your employees, especially engineers, will be much easier once you get into the auditing process. Thus, it is an advantage to start early as you need to engage people. When starting it, it is recommended to begin it six months in advance.

  • Timeline of the SOC2 audit process

As described above, documentation for the first step takes a few months to complete. Next, it takes two to three months to invite the Auditors in, and then they take a couple of weeks to do what they call the fieldwork, which involves interviews, sampling and reading your documentation. After that, it can take them up to two months to issue the report.

  • SOC2 type 1 and type 2 - How do they differ

SOC2 Type 1 is a point in time; it is an attestation that you have the system security, system availability, and some of the other trust principles. SOC2 Type 2 still evaluates the design and controls, but it also evaluates their efficacy. Type 2 audits the process from beginning to end, while Type 1 reads the documentation and says it's pretty good.

  • Why you should start with a Type 1

It is recommended to start with Type 1 since it gives everyone a taste of the bureaucracy. Tune up, then move on to Type 2 when you've got used to the process since you need to slow down to get fast.

  • Trust Services Principles 

In terms of Trust Services Principles, there are five categories to consider:

  1. Security 
  2. Availability
  3. Confidentiality
  4. Privacy
  5. Processing Integrity
  • Cost of the SOC2 audit process

The audit depends on the auditor but put aside upwards of fifty thousand dollars just for the audit. The consultant will spend three months doing the work; the consultancy might cost the same as the audit. You might have to dedicate some time to implementing things correctly. Depending on your assets, you may need to buy subscriptions for vulnerability scanning for Amazon, Google, and Microsoft.

  • Challenges you may face during your SOC2 process

Bureaucracy is the main driving force, so the challenges are positioning around this:

  • Getting engineers to slow down is a challenge, as well as getting technical staff to do so since they have to give up access and wait. 
  • Making sure everything is written down in other parts of the organization, such as finance and HR, is another critical challenge.
  • Tracking who can reach where to implement IAM policies in terms of segregation of duties is also important and not easy to manage.

Join our next Webinar to learn more from the experts!

Continue Reading