SOC 2 Requirements for Startups | An Easy 4 Step Approach to Compliance

July 20, 2022

A SOC2 attestation can support client comfort and trust for a startup or small business. This tool can be a leg up in marketing efforts versus competitors, demonstrate the integrity and security of a product, and be a key leverage point in customer discussions.

Step One: Define Scope (This is both your value point and resource management factor!)

Understanding the scope of a SOC 2 is key for obtaining the value of a SOC2 attestation with the limited resources a startup has available. Typically, end customers are concerned about specific risks an organization poses to their business or data. Understanding these specifics will guide a startup to the scope of its SOC 2 report. What does your product or service do that will impact your end customers’ operations, data security, or service delivery? The answer to that question will focus your scope – and scope can be as narrow or broad as you desire. (Hint: start with a narrow and purposeful scope!)

In addition, which of the SOC2 Criteria do you want to include? The SOC2 Criteria include Security, Confidentiality, Availability, Privacy, and Processing Integrity. Security is required, but you can include or exclude the others based on the nature of your services or product.

Step Two: Readiness Assessment (Optional, but so useful!)

Once you know your scope, one of the best ways to begin the SOC 2 process is to perform a Readiness Assessment. This provides both a current state summary and a roadmap for actions. Completing a thorough review of the overall environment used to provide services to customers will also highlight risks or activities that have been outsourced to customers and to third-parties. This effort provides a risk assessment for the organization as well. Not only will this assist in defining the controls and processes a startup must have in place, it will highlight how to frame contracts to ensure that only the necessary risks are maintained by the startup.

Step Three: Identify Controls and Establish Policies & Procedures (Create the first building blocks!)

The next step in the Readiness process is to evaluate the controls currently in place and identify any control gaps that may exist relative to achieving the Criteria required for the SOC2 attestation. The controls expected to be in place are dependent on the scope and related risks identified in Steps One and Two. Once the controls have been determined, management will want to establish formal policies that can be shared with personnel and later with auditors during the SOC 2 examination.

In addition to determining control gaps, you will also want to identify any documentation gaps. For instance, if there is a control that states, “access is granted only after an approval from an authorized individual”, then the documented approval needs to be maintained for at least a few months longer than the time period covered by the report. (Most SOC 2 examinations cover a period of six or twelve months.)

One thing to remember when preparing for a SOC 2 is that the Criteria are not just technical areas like access control or incident response, but also governance areas like tone-at-the-top, risk assessments, vendor management, and communication methodology.

Step Four: Embed Expectations into Culture (Roles, Responsibilities, and People are critical to the process!)

As a key step in preparing for the SOC2 examination, management will want to confirm that all control and documentation gaps are remediated and that personnel understand the expectation and importance for following the controls. It is not possible for management to hover over personnel and monitor that they are following all the controls, so it is important to embed the expectations into the culture – everyone needs to know their role!

Consider a pre-audit internally, or with a partner, to confirm that documentation is in place as expected, and available for the examination process.

Looking Ahead: What will the SOC2 examination look like?

When it comes time for an audit, management should know that auditors will dig in deep to test the controls. Auditors are expected to determine whether personnel and systems are following the controls defined by management that are required to achieve the Criteria. This is done in two parts.

  1. The first is to perform “walkthroughs”. This is where the auditor will sit down with subject matter experts to discuss how things are done. For instance, the auditor will meet with the Application Development lead to discuss the process they go through to identify need for changes, evaluate change impacts, write code, perform testing, and complete migrations.
  2. The second step is for the auditor to obtain documented evidence the control is operating effectively. This could include screenshots of configurations, selecting samples of activity (e.g. – tickets for a sample of changes migrated to production), or observation of things like physical badges on server room doors. Sampling is based on the volume of activity so for a control area like change management that could mean upwards of 25 samples, but for a low volume area like new hires or terminations it could only be 1-3 samples.

Conclusion: Yes, a SOC2 can be a valuable tool, and is possible for even a small organization or start-up!

A SOC 2 examination can be seen as a daunting task for a startup to take on, but it doesn’t have to be if scope is defined, a quality readiness is performed on the front-end, and management embeds controls and documentation expectations into the culture. Creating a culture of risk awareness and operating based on the SOC criteria can also provide a solid baseline of operational consistency and efficiency for a small organization. For a startup or small business, a SOC2 can be a powerful tool from the very beginning.

Contact us today to build your SOC examination plan!