Pragmatism in the real world

Successful SOC 2 Type II compliance

A very big part of my work at Covie for the last year has been putting in place the processes required to achieve SOC 2 Type II compliance. This standard by the AICPA is all about an organisation’s security, availability, processing integrity, privacy and confidentiality controls and processes. It’s a comprehensive set of requirements covering our product’s and organisation’s security.

Essentially, it shows that the company’s processes and systems are designed to keep the data it holds secure.

This stuff is important.

There are two types of SOC 2 audits, imaginatively named Type I and Type II – yes you can tell that this came from a committee! The list of requirements is long and as detailed as you can imagine from a standards body.

A Type I audit is a snapshot in time. It confirms that we have put in place the processes and practices required to keep our customers’ data secure. This covers all sorts of things from how we’ve implemented security in AWS, access controls for our people, storage, vulnerability scanning, remediation and so on.

The Type II audit is an assessment over time. This is when we put our money where our mouth is and prove that we do what we say we do. As you can imagine, this takes much longer as we need to gather data over months that show that our processes take place.

This week we received our completed SOC 2 Type II report from Insight Assurance, our auditors, in which they stated that in their opinion our controls have been suitably designed to provide reasonable assurance that our service commitments and system requirements meet the SOC 2 criteria and that they operated effectively throughout the assessment period.

In other words, we do do what we say we do and what we do meets the SOC 2 requirements.

I’m incredibly proud of the work that I put into this process. It required going into a lot of detail about exactly what processes are suitable for a small start-up to ensure that they achieve the requirements while also not being overly burdensome on a day-to-day basis. Writing these processes took a lot of time mainly as they had to be fit for purpose for our company, where we are today.

We achieved this with the help of Vanta to automate as much as we could, along with using processes that leveraged the issue tracker and documentation systems that we were already using. It was very important to both Ian and myself that security and privacy were integral to what we did and not siloed in another place where we’d forget about it until audit time.

I believe we achieved this and have confidence that we hold our customers’ data as safely as we can.