Happy Cybersecurity Awareness Month! Webapp.io became SOC2 Type 2 certified in 2021. We’re seeing more companies starting their SOC2 journey, we wanted to share our experience as a resource for other startup founders. Read on to learn more about why we chose SOC2 Type 2 vs. other standards, and the vendors we selected to ensure a smooth audit process.

What is SOC2?

SOC compliance is a type of certification founded by the American Institute of Chartered Accountants (AICPA) in the 1970s. It indicates that a service organization has passed a third-party audit demonstrating that it has certain controls in place. There are three levels of SOC - SOC 1, SOC 2, and SOC3. SOC2 is audited based on Statement on Auditing Standards (SAS) 1 and there is a series of items that are monitored by a trusted third-party auditor.

Why compliance is important to us

Despite the long history of SOC compliance, it hadn’t become a popular audit form until recent years. We learned about SOC2 compliance through one of our team members with a background in cybersecurity and then again through our peers in the SaaS industry. We felt that it was important to look into early on, as developer trust is something we value deeply.

We spoke to CTOs that were a couple of years into building their companies and many of them recommended SOC2. But after speaking to several CTOs from the early 2000s - 2010s (some with public companies), it was surprising to us that many of them hadn’t heard of compliance certifications. The interesting insight is that many of them did not need to go through these audits in the early days of company building even if their companies handled extremely sensitive data.

We wondered why compliance was becoming so popular and here’s our take - in the past, it required a very skilled developer to create a web application due to a lack of infrastructure. AWS for example only existed starting in 2006. It was easier to pick software vendors because it was impressive that they created it with such constraints and likely was one of the few products that solved a gap in the market. Over time, more developer infrastructure, was created and with the advent of resources like no-code tools, pretty much anyone could create a piece of software with little to no experience. Today businesses and the people who run them are choosing between hundreds of vendors. It makes sense that there are some basic checklists in place to evaluate tools. This created a need for industry standards so that vendors can prove to both current and future customers that they have educated their team on security measures.

Why we chose SOC2 Type 2

SOC2 made the most sense for us as a developer SaaS. There are two versions of SOC 2 - Type 1 and Type 2. Type 1 reports only evaluate an organization’s controls at a single point in time. Auditors have recommended startups in getting a Type 1 as almost a “trial run” for their Type 2 report. The Type 2 report usually evaluates a longer period (3-12+ months) and requires more resources.

Steps to get SOC2 Type 2

Step 1: research SOC and other standards in your specific industry

If you’re considering SOC compliance for your company, take the time to educate yourself through the official AICPA website first. We’d also recommend taking the time to understand SOC vs. other certifications such as ISO 27001, PCI, GDPR, and HIPAA. Depending on your industry such as finance and health those might be more important to obtain first or in addition to your SOC audit.

Step 2: Find an AICPA-approved auditor and monitoring tool

After researching and if you’re considering beginning a SOC2 audit, it's time to choose an auditor that is AICPA trained. A monitoring tool like Vanta, Secureframe, or Tugboat is optional f you want to save money on the audit, but their monitoring helps speed up the preparation process of gathering evidence.

Step 3: Pick your trust services criteria

There are 5 trust services criteria to consider. You don’t need to be audited on all 5, but your auditor will need to know which ones you want to be evaluated on.

Step 4: Ask your auditor to conduct a readiness assessment

Usually, auditors will include this as a mock trial of your SOC 2 report so you should ask if it’s included in the fee. This is an optional step and you can also conduct this yourself.

Step 5: Set up vendors, start the audit and complete the security questionnaire

Your auditor will let you know the audit has started, a timeframe you set together depending on the audit type. They will ask you to complete a security questionnaire that will be included as part of your SOC report which asks questions about vendors and internal processes. Mandatory steps can include having a password manager, employee security training, employee background checks, setting up a CI/CD tool, and getting a third-party penetration test.

The main vendors we chose were Vanta for monitoring, Johanson Group for auditing which came recommended by a fellow YC founder, and pen testing from Practical Assurance.

Conclusion

SOC2 is now an industry standard for SaaS companies like ours, especially in the developer world. Since it is a vigorous process, make sure you know why you're getting certifications for your company and which ones are important for your product focus. We hope our experience provides a bit of insight into our compliance journey.