About 8 months ago, we announced Sigstr’s SOC 2 Type I with a commitment to continue moving our security program forward. We are very excited to announce Sigstr’s SOC 2 Type II certification! Sigstr went through a rigorous third party audit to receive this prestigious status among SaaS organizations.
What is a SOC 2 Report?
SOC stands for System & Organization Controls and the standards are set forth by the AICPA. The AICPA developed SOC 2 as comprehensive evaluation of a company’s controls, processes and policies when it comes to Information Security, privacy, confidentiality, risk management, change management, and more.
There are varying levels of SOC 2 audits, based on the Trust Service Principles you are audited against. The 5 Trust Service Principles are:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Just like Sigstr’s Type I audit, our SOC 2 Type II was also against all 5 Trust Service Principles. Most organizations choose to be audited against 1 or 2 Principles, but Sigstr made the choice to be audited against all of them. With new InfoSec and privacy laws coming into effect (like GDPR and CCPA), these audits are becoming more and more crucial.
The difference between a SOC 2 Type I and Type II is that a Type I is a snapshot of the controls and measures in place at a given time. A Type II audit is proving that those controls are effectively in place over a minimum duration of 6 months, showing ongoing adherence. Evidence that controls have been running effectively are reviewed over the audit period, which is why a SOC 2 Type II is typically the more desired audit report.
What did we learn?
Several people have asked us what the audit process is like and what things we can share about our experience. These are our 3 main takeaways from our Type I and Type II audits.
There is a LOT of preparation
Before going into a SOC 2 audit, you should research what it entails and measure your company’s preparedness. There are dozens of controls and policies that need to be in place prior to starting the audit, and it would be daunting to try to write and implement them during an audit. Many audit firms offer a “gap analysis” for such a thing, but that will cost time and money. It may be worthwhile if you have no experience in audits or don’t have the time to do the many hours of research yourself. An easy place to start is to document the processes and controls you currently have in place.
It takes longer than you think
It is easy to underestimate the time the audit will take end to end. Audit timelines will vary based on your company size and scope of the engagement, but know that it is a full time job for a few people for approximately 3 months. Your security team should allocate their time appropriately, since the majority of the work will be on them.
Set yourself up for success
When going through the process of creating controls and policies to govern your InfoSec program, it can be very tempting to embellish and add aspirational controls. This can come around to bite you, because controls that you put into policies will be audited. Whatever you put into a policy, you will be asked to furnish evidence of that during your Type I and Type II audit. If you fail to do so, it will show up as an exception on your report. One InfoSec representative told us a simple phrase that is easy to remember: “Do what you say and say what you do”.
We aren’t stopping here…
An important part of SOC 2 compliance is ongoing adherence and improvements made to security systems and processes. The standards for SOC shift as the tech ecosystem changes, and ongoing improvements to controls are needed in order to stay up to date. Sigstr plans on annual SOC 2 Type II audits as a mission for customers to have confidence that their data is safe with us.
If you ever have questions for Sigstr’s Security Team, you can reach out to us directly at [email protected].
