SOC 2 compliance. If you’re like me, you’d rather do just about anything else. It’s long, it’s nerve-wracking, a little terrifying, and quite frankly, it’s kind of confusing. Recently, we went through an audit period here at Lumos for our SOC 2 compliance certificate, and it was enlightening. As it turns out, there’s nothing to be afraid of.
Here are the three key things we learned during our SOC 2 compliance journey that can help you, right now.
You don't need a bunch of expensive tools
Managing your security doesn’t always mean running out to grab the newest, shiniest (and usually most expensive) toys off the shelf. Mitigating risk starts with smart, repeatable, enforceable procedures – and solid system design. With the right people, processes, and measured approach, you can prepare for the auditor without adding a steep learning curve on some new tool or piece of software. Use your existing investments before getting into something new, especially leading into an audit. For example, we used Notion:
Make sure your process has some meaning
This was the biggest lesson we learned, and something they don’t teach you in IT Security school. SOC 2 compliance is not about checking a bunch of boxes for the auditors. Since it’s more of a ‘choose your own adventure’, you shouldn’t simply pick a set of controls just to earn your certification. Instead, you should use the certification process as an opportunity to improve your company’s security and compliance policies and procedures. To quote Simon Sinek, start with ‘why’.
By looking at each of your processes through this kind of lens, you’ll be able to better understand WHY you’re implementing certain policies and procedures, HOW they align with your objectives, and WHERE you can improve. That will ultimately help you to design a process that makes sense for your company, your customers, and your goals – all while satisfying the SOC 2 certification criteria. It will be a win-win!
Ask around to understand what you're getting into
Rather than spending hours searching the web, talk to people who have gone through the SOC 2 certification process before. Or, find a partner, such as Vanta, Drata, or Secureframe. We used Vanta. They provided guidance, templates, frameworks, auditor information, and process overviews, saving us time and sanity.
Advisors, investors, and other experts in your network can provide valuable information about auditors, processes, and what customers want. In the unlikely scenario that you don’t know anyone, companies often make SOC 2 audits public, which can help you understand different auditors—and what they might expect.
In the end, we learned a lot and found ways to be more efficient and meaningful, particularly for our system access control and vendor management policies. We were able to use our management and automation tools for this part of the audit, and they enabled us to provide information to the auditor without the typical heavy (manual) lift.
When it comes to SOC 2 compliance, there are no one-size-fits-all answers or a guide that tells you exactly which criteria make sense for your business and help you build trust with your customers. So, your mileage may vary. Clearly, this is just a starting point for any organization, but these three basic tenets are enough to help take the fear, confusion, and stress out of your next SOC 2 audit. Because if you’re prepared, you’ve got nothing to worry about.
That being said, this is just the tip of the iceberg. I created a guide detailing our SOC 2 journey. If you’d like to take a deeper dive, download it now.