Our Path to SOC 2 Certification
In early 2018, WorkRails started to receive inquiries from several of its clients and prospects on whether or not our business was SOC 2 certified. These companies represented significant business opportunities for our services automation platform and were actively seeking comprehensive data privacy and security compliance documentation before they would agree to do business with us. Although we were a smaller organization, we recognized the need to obtain this certification to demonstrate compliance with high-level, industry-standard criteria.
The timing of these requests was excellent, and we embraced the discipline SOC 2 certification imposes. Not only did it help us validate a high level of organization, documentation, processes & procedures that would ultimately make us a better company, it also made us an attractive partner to our clients.
SOC 2 Audit – Type 1
The first audit for SOC 2 Type 1 began in late 2018. There is no question that going through this process is resource intensive and requires the active participation of many key members of our team. It is time consuming, but time well spent. Several of our team members have been part of larger organizations and already possessed the knowledge and discipline to develop the processes and documents needed to respond to the 200+ questions in the first audit. In order to achieve compliance, your organization must be well organized and stay vigilant about documenting literally everything that you do: recruiting, hiring, training, development, security, internal controls, and risk assessments, to name just some of the areas to focus on. In addition, you need to demonstrate adherence to your policies and procedures as well as communicate regularly with all of your stakeholders – employees, contractors, vendors and clients.
The good news for WorkRails is that we focused on our core competencies and leveraged partners such as AWS to give us both a strong disaster recovery / business continuity plan and SOC 2 compliance to support our business. Although the first audit took more time and effort than originally anticipated, we created a strong foundation and a comprehensive list of “to-dos” to properly prepare for the following year’s Type 2 audit.
The First Audit Post-Mortem
After completing the first audit in March 2019, we immediately began to assess all aspects of our organization to prepare for the Type 2 audit. This is critical to ensuring future audits go smoothly. Although no significant gaps were identified in our first report, we recognized the need to be more diligent in some areas of the company and to do a better job with documentation and with keeping detailed minutes of the meetings we held regularly at the executive, financial, product development and sales levels. We utilize both G Suite and the Atlassian (Jira/Confluence) platforms to track and record all activities of our business. We also leverage several tools in our development & production environments to track activity, such as LogDNA, Security Scorecard, intrusion detection services and others. All of these tools provide us better organization and visibility, enabling us to demonstrate compliance to the auditors.
The Second SOC 2 Audit – Type 2
The second audit represents a validation of all of our previously established policies and procedures and of the maintenance of that discipline. It is also a “renewal,” much like the annual audit of your financials. There are not as many questions in the Type 2 review, and most are related to your original audit, just with updated responses. There are some new questions as well. The second time through this process was easier because we had the prior year’s responses to look back on for reference. We also did a lot of preparation and review of our policies throughout the year, so it was less intensive at audit time. Last but not least, we received the questions as early as possible so we could begin planning and dividing tasks well ahead of the deadlines. The result is that we completed our Type 2 audit on schedule and with a reasonable level of daily involvement to produce a satisfactory result.
Obtaining our SOC 2 Type 1 & 2 certifications has yielded positive benefits for both our internal organization and our clients. At first glance, it looks like a very daunting task for a startup. But in retrospect, the exercise instills a high level of discipline in your company and great credibility with the people you work with – prospective team members, customers, vendors & investors.
Written by Robert Hausman, Director of Finance & Operations