
SOC2-Compliance for Non-Security People

Open-CISO


SOC2 is a security compliance framework that governs a set of policies and controls for keeping company and customer data safe. Formally it is an attestation report issued by an independent CPA firm against the AICPA's Trust Services Criteria rather than a certificate, but because of its rigor and vendor-neutral approach it has become an essential credential for doing business, and people speak of "getting SOC2 certified" all the same. The audit alone can be expensive, and remediating the gaps it surfaces can cost even more.

What follows are the fundamentals, written to help non-security personnel understand and navigate the world of SOC2 compliance. So, without further ado, let's start with the most basic question: what is SOC2?

Part 1. Understanding SOC2: The Meat and Potatoes

At its core, SOC2 is organized around five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is the one every SOC2 report must cover; the other four are added to the scope only when they apply to your service. Translated into everyday language, these mean that your services:

  1. Are not exposed to simple, well-known attacks because you follow current best practices (security)
  2. Are consistently available for users to access (availability)
  3. Work as intended and with high quality (processing integrity)
  4. Have measures in place to protect secrets and other sensitive data (confidentiality), and finally
  5. Protect PII and user data from being accessed by other parties (privacy)

Your security or compliance engineers can break these general principles down further into actionable deliverables (so can third-party consultants, but we'll talk about them in a moment). With that overview, if you're anything like me, you're already much less intimidated by the menace of SOC2. So let's keep going; soon you may not see it as a menace at all.

There's a good chance your business already has processes and policies in place that serve the goals listed above. SOC2 doesn't aim to replace your current processes; it checks that your policies aren't deficient compared to current best practices in the industry, and that you can produce evidence that the controls actually operate. Attaining SOC2 compliance means analyzing your organization for processes that could be better from a security point of view and bringing them up to speed. The criteria themselves describe outcomes, not specific tools, so how you meet them is up to you. In other words, SOC2 helps you do something you probably already care about and are almost certainly doing on some level.

So why not adopt industry best practices?

Part 2. Implementing SOC2: The Nitty Gritty

Before you even begin your company's journey towards becoming certified for SOC2 compliance, there are three pretty big questions you'll want to ask yourself and your team.

First, does becoming SOC2 compliant even matter for your business needs? Despite its explosion in popularity over recent years, SOC2 is just a report, not a cult. Our goal is to guide you and help you understand SOC2, not to proselytize. There are companies for whom SOC2 doesn't make the most business sense. It exists so that a service organization can show its business customers that its controls are sound, so small, consumer-facing startups are unlikely to benefit as much from it. Unless your company has already grown to medium or large size, or you're selling to other companies and they insist that you be audited and attain SOC2 compliance, you can probably skip it for now.

After all, you can still follow the principles of SOC2 and pursue security strategies better suited to smaller organizations, like bug bounties. OWASP's guides are free and great for startups. But assuming you've decided to stick around and learn more about this whole SOC2 trend, we can move on to the next important consideration for folks on the business (or just the non-technical) side of the spectrum.

Second, do you want to rely on in-house security and compliance engineering talent, or outsource the preparation to a third party? Note that the audit itself must always be performed by an independent CPA firm; the real question is who gets you ready for it. Unless your enterprise is large (at least 1,000 people or so), a third-party readiness firm is almost certainly a necessity. Your internal engineering team might have no problem competently implementing the remediation items, but reliably interpreting the criteria is an act of divination best left to the masters. In the end, you're likely to spend more money if your first audit comes back with a long list of exceptions and you have to remediate and re-audit. For small startups, it can feel tempting to read the criteria and do your best, but if you want to save money, your best bet is to fork over a modest amount of cash from the get-go and contract reputable help.

If a dedicated internal compliance team (SOC2 and other frameworks included) is justified, it is essential to pair two roles: compliance engineers, who translate the criteria into actionable tasks, and security engineers, who implement the technical and process controls that achieve the desired security posture. The compliance-plus-security combination of interpreter and doer is a magic recipe for success in internal compliance, and not just for SOC2 but for almost any security-related compliance standard.

Third, how will you choose an auditor, and how much should it cost? The price question at least has a reasonably objective answer based on market research. It should cost anywhere between 20,000 USD and 50,000 USD, depending on the size and complexity of your organization, the number of criteria in scope, and whether you want a Type I report (controls at a point in time) or a Type II report (controls operating over a period, typically six to twelve months). But that's not the total price, because it is also costly and time-consuming to remediate the gaps these audits surface. Consultants can help with this, but that can easily consume another 10,000 USD, if not more.

As for choosing a specific auditor, that's a bit hairier. Technically speaking, any licensed CPA firm can perform a SOC 2 audit, since the report is governed by the AICPA. In practice, you will probably want to go with a firm that has significant experience in this specific work, or with a compliance-automation platform that collects your evidence and arranges the audit through partner CPA firms. Laika has the best prices among the big names, while Vanta is hailed as the most in-depth option on the market, offering perhaps more bang for your buck. In the end, it's primarily a trade-off between price and quality, and which direction you lean will depend on the specific priorities that motivated you to look into SOC2 compliance in the first place.

Part 3. Wrapping up

SOC2 compliance is often time-consuming and expensive, but these traits aren't intrinsic to becoming compliant. For businesses that have mastered the tricks of maintaining compliance, it's a routine part of ongoing policy enforcement and evidence collection rather than an annual fire drill. We hope this guide gives you a solid start towards reaching that position. SOC2 isn't an end in itself; it's a ladder that will elevate you to better business relationships with a broader array of clients willing to do business with your newly compliant company. Security compliance standards, like everything, are only hard until you understand them. We hope you feel a little closer to understanding and less confused than when you woke up today.
