Most startups only consider SOC 2 certification after a request from a new or potential new client. At that point there’s a decision to make: Will the time and money spent on attaining SOC 2 certification be worth the revenue it creates in new business?
Having worked as a CISO across multiple industries, I’ve managed SOC 2 compliance for a variety of businesses. I wrote this guide to help startups understand when it’s the right time to undergo SOC 2 certification, the costs associated with it, the process that is typically followed, and the benefits you’re likely to attain.
My goal is that if you’re weighing SOC 2 for your own startup, this guide will help you to know whether now is the right time, and if so, how you can go about SOC 2 certification in the least costly, most efficient manner.
- Quick Overview of SOC 2
- Why Would a Startup Consider SOC 2?
- Which Startups Would Benefit From a SOC 2?
- When Should Startups Apply for SOC 2?
- The Process for Startups to Get SOC 2
- How Much Will a SOC 2 Cost a Startup?
- How Can Startups Accelerate SOC 2 Attestation?
Quick Overview of SOC 2
Compared with other security compliance frameworks (such as ISO27001 or HITRUST), the first big difference is that SOC 2 is not a certification. The other frameworks have dedicated certification bodies that allow consultancies to certify against the standard; SOC 2 only allows accredited accounting firms to perform an audit, make observations, and attest to the efficacy of the organization's security controls.
SOC 2 also differs from ISO27001 in that it has two different levels, or observation periods, for attestation.
A SOC 2 Type I is a single point-in-time audit of controls, and a SOC 2 Type II is an audit over a period of time (usually no less than 6 months and as long as 12 months). The Type I report is meant to show that the controls are in place at a single point in time, while the Type II attempts to show that the controls are not only implemented but performing consistently over the observation period.
Most organizations requesting a SOC 2 will not accept a Type I, so an organization looking for attestation against SOC 2 should take that into account.
Beyond the differences in audit outcome and the two SOC 2 types, the structure of the requirements also differs. ISO27001, for example, is broken into clauses (program management requirements) and a statement of applicability, which lists the controls the organization will implement within its security program.
By contrast, SOC 2 is broken down into Trust Services Criteria (TSC), with Security being the only one required. There are 4 additional trust services criteria that, while not required, an organization can choose to add to its attestation: Availability, Processing Integrity, Confidentiality, and Privacy.
Why Would a Startup Consider SOC 2?
Revenue is what every startup is chasing, and part of this mission is to remove any blocker to revenue growth. This is one of the main reasons to pursue SOC 2. The reality is that no certification or security framework is going to alleviate all blockers or friction in building trust with prospective clients, but having something, almost anything, certainly helps.
A SOC 2 will make conversations easier when prospective clients' security teams get involved, and may eliminate customer requests to audit you, making ongoing customer management easier.
Would you rather have 10 customers auditing you on a yearly basis with differing security control requirements, or work towards a SOC 2 so you can demonstrate the efficacy of your security program with no further audits?
SOC 2 has become close to table stakes for vendors selling to organizations operating in the US.
In some cases, ISO27001 will suffice for an organization in North America, but in general, ISO27001 is more recognized and more often required outside the US. SOC 2 has gained popularity in Europe over the last 5 years because of the number of US-based companies operating in that market, but it is not as commonly requested outside of these two large markets.
Another reason to consider a SOC 2 for your security program is that it provides direction and coverage for your security measures. It allows your organization to establish a set of expectations and requirements to operate within, which makes any future security frameworks or requirements easier to attain and manage. Building the security program on one framework makes it easier to adapt and map to additional frameworks as needed, and allows the program to mature rapidly.
Which Startups Would Benefit From a SOC 2?
The reality is that SOC 2 attestation may not be very relevant for a business-to-consumer company. Most consumers are not going to ask for a SOC 2 attestation before doing business with a company. However, it can still help establish a strong set of controls and requirements that assist with meeting the many varying customer data privacy requirements that exist. It will not satisfy those regulations or demonstrate compliance with them, but it will establish a foundation that helps with meeting their requirements.
For any SaaS-based company and, more importantly, any business-to-business company, a SOC 2 attestation or an equivalent certification is a base requirement.
Further, there are industries that will have more stringent requirements for a partner to have an attestation or certification. Some of these industries include banking or finance, insurance, investments, and working with any large Fortune 100 company.
Why do these industries and larger companies expect it? SOC 2 is a little different from other frameworks that only provide a certificate. Since it is an attestation of compliance, the report itself provides high-level information on how each control is designed and operated, and whether any exceptions or operational issues with the security controls were observed.
This is extremely useful for prospective clients' security teams, who can better understand your internal security program without conducting their own audit.
When Should Startups Apply for SOC 2?
The reality is that security measures are expected to be baked into a company from the start. However, this is not always feasible, as there may not be enough operational budget or personnel to take on the additional tasks.
In any case, the realistic expectation is that founders start thinking about security and security frameworks from the beginning. This can be done by using compliance frameworks to guide how systems are built and operated, without yet attaining certification or attestation. The reason this is recommended is that it is easier to build it right the first time than to rebuild it to meet the requirements later.
If even this is not possible, then a startup should start working towards a security framework once the first one or two clients have been signed. As more clients are signed and the company continues to grow, a level of security maturity will be expected, regardless of the company's age.
With additional revenue, customer data, and customer information, a company will become a larger and larger target, which means the security of the systems, people, and data needs to improve to prevent a breach. As a young company, any data or security breach could end any chance of success.
Knowing that security should be considered early, the next question is when to go after a SOC 2 attestation. This depends on the Trust Services Criteria (TSC) that the company wants included in its attestation.
If it is simply the Security TSC, an organization can attain the attestation much more quickly than if additional TSC are added to the audit. Some of the common items that will need to be in place are:
- Security program management, reporting, and improvement tracking
- Risk management program
- Inventory management process or procedure, including tracking and identification of assets
- Access management process or procedure that includes onboarding, offboarding, and auditing of access rights
- Physical security of office space, data center, or secure areas
- Network and application security and operational procedures
- Security operations and monitoring to detect potential security events, triage them, and respond
- Vulnerability and patch management process or procedure
- Disaster Recovery and Business Continuity Plan
- Change management for software, infrastructure, and network
The Process for Startups to Get SOC 2
When it comes to attaining an attestation of compliance against SOC 2, there are several decisions that must be made upfront before jumping into the process. Once the foundation has been laid, the road to SOC 2 and a strong security posture is much easier. The following are some steps and decision points along the way in building and deploying internal controls.
- Decision #1: Which trust services criteria are applicable, needed, or required for your company?
- Decision #2: Is a Type I sufficient, or will a Type II be required for SOC 2 compliance? TIP: If you are attaining a Type I, is it simply to show that the security controls are in place until you have built up enough evidence to attain a Type II?
- Decision #3: What will be the evidence period for the Type II: 6 months, 12 months, or longer?
- Gap Analysis: It is recommended to perform a thorough gap assessment against the controls in scope to determine where the company needs to invest to meet the requirements.
- Implementation: Contract for assistance or engage internal resources to review existing policy and legal documents and determine which documents need to be developed or modified to meet SOC 2 compliance.
- Implementation: Work through the TSC to determine the scope of the audit, the security control design, and the business operations needed to meet the requirements.
- Implementation: License, purchase, or contract for additional tools, services, or consultants to build, deploy, and operationalize security controls, processes, and procedures.
- Readiness Assessment: While it is not required for SOC 2 compliance, it is highly recommended that your company conduct a readiness assessment prior to the audit to make sure that no major gaps or deficiencies will be identified during the attestation audit.
- Remediation: Once the readiness assessment has evaluated the company's controls and produced a report, it is time to work on remediation to prepare for the actual audit.
- Select Auditing Firm: Determine the appropriate or preferred SOC 2 compliance auditor to conduct the SOC 2 audit.
- External Audit: Conduct the audit with the external audit firm. This will involve providing documentation and interviews to define the business operations, security controls, security criteria, and service level agreements.
- Post Audit: Once the audit is completed and the attestation is documented, the organization moves to continuous monitoring of security controls to prepare for the next audit.
How Much Will a SOC 2 Cost a Startup?
When it comes to attestation costs, there are three main buckets from which a company will incur costs: control implementation, consultancy services, and the audit itself.
Odds are the largest bucket will be control implementation, as a company working towards its first certification or attestation will have quite a few gaps in security controls and capabilities, which in turn leads to additional costs in consultancy services. For a more in-depth review of the cost factors associated with SOC 2 attestation, we have broken down the factors of SOC 2 in the following article.
For this article, the focus will be on the attestation itself. When it comes to audit costs, the two main drivers are the number of employees in scope for SOC 2 and the Trust Services Criteria in scope. The more employees an organization has, the more evidence needs to be audited, which requires more time from the auditing firm. For most organizations, depending on size and the TSC in scope, a Type II attestation can be attained for somewhere between $20,000 and $100,000.
How Can Startups Accelerate SOC 2 Attestation?
There are not really any proven ways to accelerate the attestation process without strong buy-in from leadership. A security team, or security leader, cannot force compliance with the framework without the whole business participating, as the controls reach outside of a single team. With that in mind, the following are some ways an organization can attain an attestation more quickly.
There are several vendors in the space that offer automated tools to assist with gathering and cataloging evidence and providing guidance for control implementation against security frameworks. In many cases, these tools claim that they can shorten the time to attain attestation from months to weeks, which seems pretty aggressive. There is no doubt that a tool that integrates through APIs with your core tools, services, and infrastructure can help manage and collect the evidence needed for attestation. The trade-off for the additional cost of this SaaS subscription is, often, a more streamlined and lower-cost attestation.
There are many MSPs that can help with standing up the core controls or competencies needed to meet SOC 2. In fact, some companies are designed to take responsibility for whole sets of controls to make the process faster, easier, and more efficient.
Engage SOC 2 Consultants
When in doubt, throw money at the problem. While not every organization can spend large amounts on consultants to fully stand up its program, every little bit helps speed up the process. Even if your company can only afford 2 weeks of help, this will significantly improve your ability to properly design and implement the controls needed. Experienced consultants commonly bring a strong set of tools, document templates, and recommendations to assist with attaining the attestation.
If the entire company does not need the attestation, don't attain it for the full organization. Scoping the audit to the right set of applications, business units, or infrastructure can significantly speed up the process. This allows your company to attain the attestation for the required business or application unit until the whole company can be compliant.
Weighing The Costs & Benefits of SOC 2 for Startups
It can be difficult to determine whether there will be ROI on attaining a SOC 2 attestation. One of the best ways is to evaluate how many customers or external entities are asking for a SOC 2. Add in any external entity that would be willing to drop its audit rights in exchange for a SOC 2, and this helps establish the potential ROI for the business. For example, if you have 4 customers with audit rights and you spend 1 week each year conducting an audit with each of them, how much could the business save by relying on a SOC 2 report instead?
Beyond customers requiring or asking for audits or security certifications, the reality is that a SOC 2 can be hard to justify. After all, the attestation was built for the purpose of helping organizations better understand the security posture of their vendors, partners, and customers.