SOC2 Compliance Enterprise Playbook 2020
As early-stage enterprise technology investors, Work-Bench has worked with dozens of enterprise
startups navigating SOC 2 audits. Although “SOC 2 audit” has become a dreaded phrase for these
leaders, it’s an inevitable process you’ll be faced with at some point; we like to think of it as an
enterprise startup rite of passage.
Becoming SOC 2 compliant isn’t an easy feat. It takes significant time, effort, and resources to get that
first clean report. What’s more, it seems like the bulk of SOC 2 resources are meant for larger, more
traditional companies. So, what’s a startup to do?
This Enterprise Playbook collates the best practices within the SOC 2 industry to help enterprise
startup leaders stay ahead of their organization’s internal controls for information security and
privacy, and be able to remain competitive in the market.
If you’re an enterprise startup who’s been through the SOC 2 process and has feedback or a successful
game plan that you’ve rolled out, we would love to hear from you! Additionally, you can watch our
webinar recording on this topic here.
TABLE OF CONTENTS
4 What is SOC 2?
5 SOC 2 Scope & Trust Services Criteria
• Security
• Availability
• Confidentiality
• Privacy
• Processing Integrity
• SOC 2 Type 1 vs. Type 2
12 SOC 2 Timeline
15 SOC 2 Cost
16 SOC 2 Preparation
18 Recommended Resources
21 Once You Get the Report
22 Contact Information
WHAT IS SOC 2?
SOC 2 is an auditing standard maintained by the American Institute of Certified Public
Accountants (AICPA) to test an organization’s internal controls for information security and
privacy. It’s an objective, third-party system that tells customers that they can trust your startup to
handle their information with the utmost care.
Enterprise customers expect startups to go through the same sales procurement processes and meet the same
security, privacy, and compliance requirements as other vendors. In many cases, enterprise customers will ask you
to become SOC 2 compliant before working with them.
Savvy startups also use SOC 2 compliance as a competitive differentiator. Compliance doesn’t just tell enterprise
customers that you’re open for business. It’s a powerful brand and marketing message that signals to the world
that your startup is more established, credible, and attuned to customer needs.
SOC 2 SCOPE
To become SOC 2 compliant, your startup needs to undergo an audit and receive a clean report
testifying to the quality of your controls. Just what that audit tests depends on which criteria and
type you choose.
Trust Services Criteria (TSC)
A SOC 2 report tests against five Trust Services Criteria:
1. Security
2. Availability
3. Confidentiality
4. Privacy
5. Processing Integrity
PRO TIP: In our experience, most enterprise customers want to work with startups that are SOC 2
compliant in security and confidentiality. If you’re struggling to decide which criteria to tackle in
your first audit, security and confidentiality are good starting points. And add any criteria your
target customers are asking for.
#1: SECURITY
Also known as the “common criteria,” security is the foundational criteria that is required in every SOC 2
assessment.
That’s because the security criteria not only sets overarching security standards for your company, but it also
overlaps each of the other criteria, setting security controls for availability, confidentiality, privacy, and processing
integrity. You can’t complete a SOC 2 audit without the security criteria.
#2: AVAILABILITY
This criteria makes sure your systems are secure and available for customers to use when they expect to. This is
important for startups that promise customers access to their data and your services at key times.
For example, your team worked hard to get your platform’s uptime to 99.31 percent. By validating your uptime and
other availability considerations with this criteria, you’re further demonstrating your reliability to your customers.
#3: CONFIDENTIALITY
This criteria ensures the protection of confidential information. Did you agree to keep some of your customers’
information confidential? Then this criteria is for you.
In addition to the protections outlined in the security criteria, the confidentiality criteria provides guidance for
identifying, protecting, and destroying confidential information.
For example, your platform manages a customer’s documentation about their trade secrets and intellectual
property. For obvious reasons, they only want people within the company (and only some of them) to have access
to this sensitive information. The confidentiality criteria signals that you’re set up to protect that information and
secure access as desired. It also shows that you’re set up to appropriately destroy confidential information if, say,
the customer decides to stop using your platform.
#4: PRIVACY
This criteria focuses on the protection of personal information. Similar to confidentiality, the privacy
criteria tests whether you effectively protect your customers’ personal information. Confidentiality, on
the other hand, applies to any information you agreed to keep confidential. Given the rise of privacy
regulations such as GDPR and CCPA, many enterprises want assurances that their vendors protect
personal information.
PRO TIP: GDPR (EU), CCPA (California), and PIPEDA (Canada) are data protection and privacy
regulations. If you need to be compliant with one of these regulations, there is a lot of overlap with the
Privacy TSC. Start by working towards these regulatory frameworks, then work on the Privacy TSC.
#5: PROCESSING INTEGRITY
This criteria makes sure you provide the agreed-upon services as promised in an accurate, authorized, and timely
manner.
For example, the processing integrity criteria demonstrates to customers that your data, processes, and system
work as intended, so they don’t have to worry about inaccuracies, delays, errors and whether only authorized
people can use your product.
SOC 2 Type 1 vs. Type 2
The next decision founders need to make is whether they want a Type 1 or Type 2 SOC 2 audit. The
key difference between Type 1 and Type 2 is design versus operating effectiveness.
SOC 2 Type 1
A SOC 2 Type 1 audit tests the design of your compliance program. It assesses your compliance at one
point in time. This involves checking to see that you’ve identified and documented the controls you
have in place, and provided sufficient evidence that your controls are functional at that point in time.
SOC 2 Type 2
A SOC 2 Type 2, on the other hand, tests not only your compliance program but whether you follow it
by executing on the controls over time.
PRO TIP: Like the TSCs, listen to what your enterprise customers are asking for. We often work with
startups to get their Type 1, which is enough for many enterprise customers, and then roll into the
Type 2. A Type 1 is a good place to start and often sufficient to unblock deals. But for some, it may
make sense to go straight to the Type 2 if that is what your customers are asking for.
For more info about SOC 1, check out A Founder’s Guide to Deciphering Which Compliance Type is Right for Your Startup.
SOC 2 TIMELINE
How Long Does SOC 2 Compliance Take?
The deciding factor of your compliance timeline is the complexity of your product and company, including:
• How many employees work for your startup?
• How many systems do you run?
PRO TIP: There are 3 key elements to shorten the runway to audit. One, know your assets, both
physical (e.g. devices) and virtual (e.g. servers). Two, understand what data lives where, its
criticality, and how it will be handled. Three, establish key roles for your team, then assign data and
system access based on need.
Best-Case Scenario
In a best-case scenario, a SOC 2 audit for a startup can take as little as 4-6 weeks to draft. However, startups
usually spend much more time preparing for the audit. This preparation stage includes learning about and
selecting compliance frameworks, gathering documentation and policies, undergoing a readiness assessment
(pre-assessment), and vetting auditors.
The exact time depends on the scope of your audit. Testing multiple Trust Services Criteria rather than only the
required security criteria will mean gathering more evidence. Likewise, you’ll have to wait longer for your report for
a Type 2 audit, which tests your controls over a 6- or 12-month period, than a point-in-time Type 1 audit.
[SOC 2 timeline graphic: phases of 1-2 weeks, 2-6 weeks, 6-12 months, and 6-8 weeks, followed by a repeat audit every 12 months]
While there’s no obligation to pursue compliance to begin with, much less every year, you run the risk of upsetting customers and
blocking sales, particularly bigger enterprise deals, by operating on a stale SOC 2 report.
SOC 2 COST
As an example, for a Series A startup based in the U.S. with 25 employees going after two TSC’s (Security &
Confidentiality), for the audit alone, you can expect to pay around:
• $10,000 to $30,000 for a SOC 2 Type 1 audit
• $30,000+ for a SOC 2 Type 2 audit
Say you learn from your readiness assessment (more on that later) that you have gaps in your controls. You then
need to follow up with a remediation process to close those gaps before the actual audit. Depending on the size of
the tasks, this alone can take several months.
How to Select Your Auditor
Only a CPA firm can conduct your SOC 2 audit. However, that doesn’t mean that every CPA firm is a
good fit for your startup’s SOC 2 audit.
• Certain auditors are more startup-friendly than others. Find a CPA that understands the specific
needs of tech-focused startups over more traditional companies, like a credit union or manufacturing
plant. For example, you’ll want to work with an auditor who generally understands the impact cloud-
based information storage, co-working spaces, and other unique considerations have on
compliance. It’s ok if your auditor does not have enterprise tech expertise, but it will likely slow down
the audit process.
• If you’re unsure where to begin, try asking your investors and other network connections for
recommendations.
• Don’t expect a lot of hand-holding throughout the SOC 2 auditing process. While auditors are
experienced with first-timers and may provide startup customers with some general guidance (like a
SOC 2 template or an overview of the process), they have their objectivity to uphold. As they’re the
ones assessing your controls, it would be inappropriate to act in any way that could signal a vested
interest in the results of your report. And so you shouldn’t expect them to go out of their way to
guide you to a clean SOC 2 report.
• Keep in mind the importance of sticking with one vendor throughout the compliance process
regardless of the type of compliance you choose.
PRO TIP: The “Big 4” firms will be more expensive, but that doesn’t necessarily mean a more
comprehensive or ‘better’ audit. There is a price premium there, and most startups don’t need all the
resources a massive firm provides to get through the SOC 2 process successfully. Look for a
mid-level firm that has a good reputation. Ask if they have worked with tech-forward, VC-backed
companies. Ask if they are comfortable with doing most of the attestation remotely. There are plenty
of great firms out there for startups that don’t come at too high of a cost.
RECOMMENDED RESOURCES
Who Should Be on Your Internal SOC 2 Team?
Your auditor can’t do all the work for you. You’ll need to rely on your team to gather the
documentation and evidence your auditor requires.
As compliance doesn’t start and end in engineering, you will need involvement from all aspects of
your startup, including sales, operations, HR and legal (if you have these departments already built
out). This not only allows you to leverage your startup’s varied expertise, but it also helps cultivate a
culture of compliance and ownership within teams for their controls.
You’ll Also Need:
• A team lead to delegate and drive progress.
• A tech lead to act as a liaison between the auditor and the rest of the team for more technical
matters.
• Someone who is comfortable documenting a lot of your company’s processes. This person doesn’t
need to be a writer, but they should expect to do a lot of writing.
PRO TIP: Most early stage startups will not have a dedicated risk and compliance team member;
that’s ok. Assign a lean team (2-3 people) to the project, including one highly technical person (can
be the CTO depending on your team’s size) and an ops-focused person.
How Do You Know If Your Startup Will Pass the SOC 2 Audit?
We recommend doing a gap analysis or a readiness assessment before your audit. These can help
you close any lingering gaps in your compliance. Used interchangeably, a gap analysis or readiness
assessment alerts you to anything that might cause you to receive less-than-favorable results in your
report. It gives you an opportunity to right these missteps before the official assessment.
FOR EXAMPLE… Let’s say you forgo a readiness assessment and skip straight to the audit, only to
realize that to comply with SOC 2 criteria, you need a risk assessment performed.
• If you fail to perform these assessments properly, you may fail to notice there is a control missing,
such as a change management procedure, that could potentially impact the security of your
application. This could cause you significant delays, as you will need to remediate the issue, write
the policy and procedure, and then implement it.
• Readiness and risk assessments bring these potential blocks and issues to your attention sooner,
before the audit. If you wait until the auditor points out issues, it could take months to close some
of the gaps identified, and will only amplify the disruption to your team’s day-to-day priorities
in running your business.
LAIKA PRO TIP: A SOC 2 is not pass or fail, per se, but the more prepared you are, the less headache
there will be and the sooner you will make it through the audit. Proper audit prep helps to minimize
the loops required to remediate issues identified by the auditor; this is where extensive delays occur.
Gap assessments on the front end can help project manage what needs to be done to implement
SOC 2 controls. Then a risk assessment, after implementing all controls, policies, and procedures,
can minimize any loops needed during the audit process in order to “pass.”
ONCE YOU GET THE REPORT
Finally! You spent the time scoping, preparing, and delivering countless documents to your auditor. Now all your hard
work is about to pay off. Here’s what to expect.
Written by your auditor, your report serves mainly as auditor-to-auditor communication. It’s meant to be read,
understood, and evaluated by other compliance or information security professionals.
For example, enterprise customers that require startups to meet SOC 2 compliance before working with them will
request a copy of your report, so their procurement or compliance team can review it.
Unless driven by detailed procurement processes, most people won’t want to sift
through your audit report to know your startup is safe to work with. Instead, you
can show off your startup’s commitment to compliance by adding the appropriate
AICPA-approved logos and other certification seals to your website. To see this in
action, check out Slack’s dedicated security page.
ABOUT LAIKA
Laika helps growing companies implement and manage compliance, obtain security certifications,
and build trust with enterprise customers. Through a modern compliance platform coupled with
dedicated experts, Laika minimizes the time, cost, and headaches for early stage companies to
implement scalable, audit-ready compliance programs.
Laika streamlines audit prep and management for SOC 2, as well as other security certifications and
regulatory frameworks. Through an expert-in-the-loop model, Laika performs gap and risk
assessments, provides implementation guidance, and automates document and evidence collection
to ensure a smooth audit process.
Check out Laika’s comprehensive compliance solution to streamline your SOC 2 process.
ABOUT WORK-BENCH
Work-Bench is an enterprise-focused venture capital firm based in New York City. Work-Bench was
founded in 2013 with a unique, thesis-driven approach that flips traditional enterprise venture capital
upside down by first validating Fortune 500 IT pain points through our extensive corporate network
and then investing in the most promising companies addressing these challenges.
Sign up for the Work-Bench Enterprise Weekly Newsletter, to stay up-to-date on all things enterprise
tech with 18K+ subscribers.