Our clients have worked through the daunting and challenging task of achieving compliance with global security standards like SOC 2 and ISO 27001.
The approaches we see across clients vary significantly. There are different ways to assign responsibilities, work through the requirements, manage the audit process, and integrate "compliance" as a function of the business - ideally all without creating operating burden and onerous activities that drain time from other business priorities.
Our clients have kindly shared their best tips and insights from their practical experience working through it.
livepro is a Customer Experience Knowledge Management system used by organisations as their single source of truth to deliver “answers” to customers, not long documents or PDFs. The SOC 2 report gave livepro (a smaller company) a level of security prestige within the market. It also helped tighten up the operations by providing clear guidelines on the best practices for managing a business. Their CEO, Brad Shaw, shared his tips for others undertaking similar projects:
Taking things in bite-sized chunks enables you to action things within the business as you go, rather than having a big bang approach. It allowed me to continue to run the business while also using the SOC 2 process to identify best practice management processes. Lots was achieved without the stress of deadlines.
- Brad Shaw, Founder & CEO, livepro
Vic.ai is the AI (artificial intelligence) platform for accounting firms and enterprise finance departments. The goal of their SOC 2 project was to pursue new business opportunities whilst also leveraging the report and its findings to improve their cyber posture. Project Manager, Paul Lubik, shares their insight from achieving SOC 2 Type 1 and SOC 2 Type 2:
What may appear as a daunting process is like any project. Identify the components and execute one by one. Test and validate, and move on to the next component. SOC 2 will change the thinking of the team, so make sure you get real buy-in from the management team if you want to succeed. It needs the commitment and drive to accept the findings and be willing to put the solutions into practice.
- Paul Lubik, Project Manager, Plan Build Run Solutions
FileInvite transforms the way information and documents are collected by enterprise – hassle free and on time. For FileInvite to grow as a company, they needed to know any gaps in the business and provide the confidence to get bigger enterprise customers onboard that trust FileInvite with their data. Catherine Fromont, Operations Manager, shares her top tip from the SOC 2 Type 1 and SOC 2 Type 2 projects:
Get a spreadsheet and break down all of the controls and assign owners; this makes it so much easier to know everyone's responsibilities!
- Catherine Fromont, Operations Manager, FileInvite
JAVLN's cloud-based insurance software provides solutions for insurance companies, underwriting agencies and brokerages, delivering a true end-to-end policy administration system. JAVLN required an assurance report to streamline their clients' due diligence process when evaluating JAVLN. Their Project Manager, Simon Gillson, shared his top tips for managing the SOC 2 Type 1 project:
- Just do it, regardless of your InfoSec maturity; the method is collaborative and you will learn a lot during the process.
- I found putting together a swimlane-based flow diagram really helpful to visually understand the dependency and relatedness of different policies, processes and documents and to communicate the final controls to the wider team.
- I also found the use of tools we were already using such as Freshdesk, Jira, Slack and G-suite were all able to be customised to support our controls, which aligned with the team's existing way of doing things. If we had simply created paper-based forms to gather evidence they would have been difficult to implement and perceived as a step backwards.
- Simon Gillson, Project Manager, JAVLN
Communic8 offers the latest innovation in digital engagement, providing organisations a better way to connect, inspire, analyse and align employees and customers. Communic8 services the communication needs of many of the world's largest enterprise organisations. With that level of service, clients expect that their data is securely managed and require the assurance accordingly. Communic8's CEO, Bryon Westmoreland, shares their insights from achieving both SOC 2 Type 1 and SOC 2 Type 2 in a 9-month period!
- Set expectations and the correct mindset with your team from the very beginning. Make your team aware that this process adds value to the organisation, and ultimately, will make their job easier (and help them sleep at night).
- Delegate tasks to people within your organisation who are most knowledgeable or responsible for the particular control and set reasonable expectations and offer support.
- Google Drive can quickly become the wild west of documentation. Develop an information management strategy and stick to it. Establish procedures around the retention and clean-up of documents, versioning, and file and folder nomenclature.
- We found that simple, shared calendar entries were most helpful in linking to documentation or resources that were being reviewed or executed and invited the individuals that were needed for the review.
- Bryon Westmoreland, CEO, Communic8 Group
Humanforce uses AI-powered technology for workforce engagement with easy onboarding, auto-rostering, smart time capture and more. Humanforce achieved both SOC 2 Type 1 and SOC 2 Type 2 in a 7-month period in order to appease their large business customers and support their enterprise sales. Jason Fischer, CTO, shared his top tips for others starting out with SOC 2.
Things to remember when planning to kick off SOC 2:
- Don’t create new processes and policies, define and document what you do today. That’s probably 80% of what you need.
- Start documenting all actions. This can be simple meeting minutes.
- Ensure the person running the evidence gathering has all the business touch points they need and that everyone in the business knows to assist.
- Security and privacy are everyone's responsibility, not just one person's or team's.
- Working with AssuranceLab who can guide you through what good looks like really helped us when we had questions or were unsure about something.
- Jason Fischer, CTO, Humanforce
There are some gems of practical insight in the feedback of these five clients. While they each talk about it as if it were easy by following the methods they applied, the reality was it took time and effort to reach that point. On most projects, there's a slow start and a few headaches before the team really understands the process and how to work through it. Our team at AssuranceLab is always on call to support that process, but it's important for each team to find what works best for them. We hope these practical insights will help you find yours!