# What is SOC 2 & Why is it important?
SOC 2 or Service Organization Controls 2 is a framework that is governed by the American Institute of Certified Public Accountants (AICPA). With a SOC 2 audit, an independent service auditor will review an organization’s policies, procedures, and evidence to determine if their controls are designed and operating effectively. A SOC 2 report communicates a company’s commitment to data security and protection of customer information.
# Improving your security posture
SOC 2 compliance exemplifies an organization’s commitment to their customer’s trust and is a major milestone towards improving their overall security posture. With increasing cybersecurity threats and data breaches, it is paramount that organizations prioritize information security and the protection of their systems and data. By undergoing a SOC 2 audit, our controls and processes were validated by a third-party who attests to the functioning of the controls relevant to our application.
# Why we pursued SOC 2 Type II
SOC 2 compliance is an integral step in proving to customers, stakeholders, and interested parties that our organization values their trust and has effectively implemented security controls.
We decided to pursue SOC 2 Type II compliance at the very early stages of building our company Artie. As a data processing company, we knew it was extremely important to protect our data, our customer’s data, and mitigate potential security risks early and on an ongoing basis. With achieving SOC 2 Type II compliance and our plans to renew SOC 2 annually, we are showing our commitment to and maintaining the trust of our customers.
# Artie's journey to SOC 2 Type II compliance
# Compliance Partners
Vanta
We partnered with Vanta, the leader in the Trust Management space, to help us automate the collection of our audit evidence. Vanta provides us with the strongest security foundation to protect our customer data.
Advantage Partners
Our audit firm, Advantage Partners, was extremely helpful in creating a seamless audit experience. With their guidance and support, we were able to achieve SOC 2 compliance in a swift, efficient manner.
# Process
While SOC 2 can be a big undertaking, our compliance partners streamlined the process. We leveraged Vanta to integrate our key systems and guide us in implementing policies and procedures to quickly become audit ready. Vanta gave us the direction we needed to pursue our compliance journey.
Advantage Partners then confirmed our audit readiness and we kicked off our Type II audit. For the audit, Advantage evaluated the controls we have in place and opined on their state. Shortly after our audit window ended, Advantage Partners drafted and issued our report.
# Timeline
One key takeaway is understanding that improving our security posture and achieving compliance is a monumental task. This can be made easier with the right compliance partners but it will take dedicated focus and time from your organization. The readiness period can take the most time but we were able to make compliance a priority to get audit ready in a matter of weeks versus months.
We also found it important to review the audit timeline with Advantage Partners, set an ideal audit date, and then work backwards to be ready in time. However, now that controls are implemented and security is a priority for our team, subsequent SOC 2 audits will be even more seamless.
# Lessons we learned
# Start the process earlier rather than later
My co-founder experienced the SOC 2 process at a much larger organization, and it was an extremely heavy lift that took multiple years. In comparison, getting SOC 2 compliant at Artie was much more streamlined.
It is easier to implement policies and build secure procedures and infrastructure as a smaller organization. More importantly, starting the process early means we can incorporate security controls into product development, instead of retrofitting controls into a more elaborate system later on. This way, we’re able to craft controls that allow us to balance product development velocity with product security.
# Improving security and achieving compliance help unblock deals
Vendor security reviews are highly requested in sales cycles, especially in the context of larger deals. Having SOC 2 in place, or even just being in the process of obtaining SOC 2, can help unblock deals and accelerate the sales cycle. It’s also a great way to show prospects and customers your company’s commitment to security and compliance, and that you’re maturing as a business.
# Finding the right partners is a game changer
While implementing policies and getting SOC 2 ready is relatively easier at the earlier stages of a company’s lifecycle, it is still quite a monumental task. Finding the right tool (we used Vanta) and the right audit firm to partner with (we used Advantage Partners) was a game changer. They really made the whole experience so seamless and we emerged from the other side with no complaints and the best outcome! I could not imagine going through the process alone.
