Security and compliance qualifications, like SOC 2 and ISO 27001, demonstrate that you apply good practices in your business.
They're often classified as "security" and thought of as the technical security of your systems. However, they're actually broader, with a focus on organisational practices that support your security AND other objectives. That includes availability (system resilience), confidentiality of data, privacy for your users, integrity of the system's processing objectives, scalable process design, and operational readiness to support large business customers.
What are the five reasons startups go for security and compliance certifications?
There are five reasons we see our clients pursue these certifications, listed in the order of prevalence we see them.
1. Enterprise sales: Large businesses looking to use your software consider your product AND your capabilities as an organisation. These qualifications play an important role in demonstrating that your business is "enterprise ready", providing a reliable service and keeping their data secure.
2. Tick-the-box for compliance mandates: Following enterprise sales, these qualifications often become mandates. Or they can be used to demonstrate compliance with regulations (e.g. GDPR), to satisfy regulator requirements, or to participate in certain schemes (e.g. the Consumer Data Right's data sharing economy).
3. Reduce due diligence: A major pain point for software companies is the relentless due diligence that goes with serving enterprise customers. Hundreds, even thousands, of "security questions" and vendor audits are common. Standards like SOC 2 and ISO 27001 are designed to provide a single independent audit process that satisfies broad end-user requirements.
4. Improve operations: Standards are a means for improving your business operations. They're based on "good" or "best" industry practices. Auditors have a lot of experience seeing these applied in different environments and can guide you on applying them in your context.
5. Satisfy other stakeholders: Last but not least is a myriad of other stakeholders who are satisfied for reasons similar to those above. Investors, regulators, partners, Boards, the management team and even employees benefit from implementing and validating your alignment to standards. It provides peace of mind that you are secure and compliant, and provides clarity on what your key operational practices are.
Which standard is best for these goals?
Each standard has different requirements, nuances in how they are applied, and perceptions in the market. This impacts which may be best for your business and how they help you achieve the goals above. Our CXO Guide to Security and Compliance has a table of various standards and their applicability. We'll compare the most common two standards below.
SOC 2 vs. ISO 27001
If your goal is enterprise sales or ticking the box on a mandate, then it's important to consider the preferred standard(s) of your customers. In general, more regulated industries (Finance, Healthcare) prefer the SOC standards. Less regulated customers generally prefer the ISO family of standards. SOC 2 is more prevalent in the US, ISO 27001 in Europe.
For reducing due diligence, the best standard is often linked to the last point. However, it's also important to consider that ISO 27001 provides a certificate only. SOC 2 reporting includes a system description covering the controls specific to your organisation, your system scope, third-party responsibilities (e.g. the AWS shared responsibility model), and your end users' responsibilities when using your system. This reporting approach in SOC 2 helps answer more "questions" for the due diligence process. It helps your customers' vendor risk teams understand what's relevant, the associated risks of using your services, and how those risks are addressed in your specific practices.
When it comes to improving your operational practices, it is up to your organisation to pick the approach that "fits" best. The SOC 2 criteria-based approach is more flexible and focused on how the criteria are practically met in your specific context. Tech companies often see this as a better way to align their operating practices to the culture, size, scale and unique nature of their company. ISO 27001 is a more prescriptive approach aligned to a higher standard of practice, which puts more focus on policies and procedures. While some businesses feel this is more rigid and restrictive on their business, it can be advantageous and in some ways easier to follow a cross-industry, "best-practice" methodology.
Satisfying other stakeholders will depend on the specifics of what they are looking for assurance over. Regulators that require an "independent audit" of your technology generally steer towards SOC 2. Partners generally prefer the standard they have adopted themselves or that their customers care more about. Employees' and management's preference is based on which they feel "fits" best.
Whichever standard you choose initially, it's very common for tech companies in particular to do both. The good news is that there's a lot of overlap. Customers are generally accepting if you have one of these, even if it's not their preferred one. If they do require their preferred standard, they generally accept what you have in the immediate term and agree on a period within which to achieve the other.