Today, security can no longer be an afterthought when building a company. With the increased rise in hackings and data breaches, more and more companies have become sensitive to how their vendors are protecting customer data and themselves from potential security threats and vulnerabilities.
Now, companies as small as 5-person startups are required to highlight their security posture to potential enterprise prospects if they want to close a deal. The most common way for B2B software companies to build trust with their prospects is through getting a SOC 2 report.
What is a SOC 2 report?
A SOC 2 report attests to the processes and controls (essentially rules for your company) an organization has put into place to safely manage data in order to protect customer interests and data.
SOC 2 is one of the Service Organization Control (SOC) Frameworks developed by the American Institute of CPAs (AICPA). Certified accounting firms use this framework to audit, assess, and attest to a company’s compliance and security practices against the Trust Service Criteria (TSC): security, availability, confidentiality, processing integrity, and privacy.
What does a SOC 2 report entail?
SOC 2 is essentially a long checklist of hundreds of items that a company needs to comply with to pass a SOC 2 audit. There are two types of information you'll find in a SOC 2 report:
- Organizational - Examples include do you have an org chart, job descriptions for every role, and annual performance reviews
- Technical - Examples include are you encrypting your employee devices and do you have version control set up in your organization
Your auditor will provide you the checklist of controls required to pass a SOC 2 audit, and it is your responsibility to provide evidence that you've actually implemented these controls.
Collecting all of this evidence though can be very time consuming. Often, it can take hundreds of hours to track down and document all the evidence. Plus, it's not always exactly clear what you have to do to comply.
To help save time and reduce confusion, more and more companies are looking to compliance automation software to streamline the manual process of evidence collection through integrations.
What are the types of SOC 2 reports?
There are two types of SOC 2 reports an organization can get:
- SOC 2 Type I - This report assesses your controls for a point in time
- SOC 2 Type II - This report assesses your controls for a period of time, typically between 3-12 months.
Customers typically prefer a SOC 2 Type II as it provides a more robust review of a company's security practices. Companies that are just starting out with SOC 2 typically get a SOC 2 Type I first, followed by a SOC 2 Type II, which needs to be renewed every year.
What are the steps to getting a SOC 2 Report?
To prepare for a SOC 2 audit, you'll want to first allocate:
- Budget: Between $10-40k for audit costs depending on the complexity of your business and the auditor you work with, as well as another $3-30k for a penetration test
- Time: Between 4-6 months and 10+ hours a week from a few core team members from your engineering or IT department (Secureframe can bring this time down to a few weeks)
Typically, if your company doesn't have an internal security team, the first step is to hire an information security consultant who will help develop policies and processes for your company to follow. This can take around 2-3 months.
Then, you find an auditor. There are many options out there but Secureframe can connect you with our vetted auditor partners and make the selection process easier.
Once you've selected an auditor, you'll work with them to establish appropriate policies and controls for your company in order to meet SOC 2 requirements, start implementing these controls, and collect evidence that these controls are in place. Setting up new software, reconfiguring existing tools, and implementing new security policies and processes can take several months.
Finally, after you've implemented your controls and collected all of your evidence, you'll start the audit assessment window if you're collecting a SOC 2 Type II report, which can range from 3-12 months. After the assessment window, you'll receive your report if you pass the audit.
Why should B2B founders consider getting a SOC 2 report?
1. Speed up the sales cycle by eliminating security and compliance as a sales objection
It's easier to sell upmarket as having a SOC 2 report helps to build trust with larger companies. Even just showing a company you're in the process of getting a SOC 2 helps to move along enterprise sales discussions.
2. Build new and existing customer confidence, satisfy their SOC 2 requests, and edge out competitors
Having a third-party opinion that your security controls are in place and effective differentiates you against your competition who are not SOC 2 compliant and helps to retain customers in the long run. It also assures legal and risk departments at your prospects' that your service is secure.
3. Build a strong security and compliance culture
Going through the SOC 2 audit process helps bring security into a company's daily operations. It also improves company-wide security awareness with defined responsibilities and practices.
How Secureframe can help you save hundreds of hours and 50% on your audit costs when getting SOC 2
Secureframe helps hundreds of companies get enterprise-ready by streamlining SOC 2. Secureframe allows companies to get compliant within weeks, rather than months and monitors 40+ services, including AWS, GCP, and Azure. We continuously collect audit evidence, run security awareness training, manage vendors, monitor infrastructure, and more, all automatically.