The 10 minute SOC 2 crash course for early stage startups
How to become compliant in 4 steps
By Chris Roth
Based on my experience working with dozens of early stage startups and discussions in the OnDeck community, I’ve created this 10 minute crash course on SOC 2 designed to help founders figure out where to start. If you want a guide aimed at more mature companies that goes into a bit more technical depth, I recommend you check out the SOC 2 compliance guide from Vendr.
For startups, becoming certified with a well-known security framework like SOC 2 can dramatically increase your company’s ability to land high-value enterprise deals as a vendor. In fact, it serves as a powerful trust signal to enterprise customers.
But figuring out how to actually become compliant is unfortunately not so easy. A quick Google search on “SOC 2” yields a lot of results, but nearly all of them are written by SOC 2 auditing companies aiming to set up expensive consultations.
For larger and more complex situations, these consulting calls are probably the right first step - but for small startups, you may be able to get started faster and cheaper without hiring a consultant. This article is intended to cover the very basic, most common scenario for many startups but might not be right for your startup.
In my experience working with Thoughtful, I’ve heard founders say the same thing over and over again: SOC 2 is necessary for enterprise B2B, and the earlier in your company’s lifespan you start it, the easier it will be.
Before I continue, let me just make a few points:
- For startups, SOC 2 and similar frameworks are often more of a sales tool than they are a true security tool, though they will of course force you to do things in a proper and secure way as a positive side effect. It may be that you don’t actually need to do a SOC 2 certification and can just follow best practices if your customers don’t need a SOC 2 report.
- SOC 2 Type 2 is by far the most common security framework in the startup and enterprise B2B world and will probably have the most ROI for the time and money that it takes to become compliant - but every industry is different, so do your own research. There are other types of SOC reports like SOC 1 and SOC 3 and other frameworks like ISO 27001, which are also worthwhile to explore but out of the scope of this guide. Becoming SOC 2 compliant is likely to make it easier to become compliant in other frameworks as well.
If you do decide that SOC 2 is the right path, it’s helpful to have a brief background on it. It is a framework that originated from the American Institute of Public Accountants and audits are done by licensed CPAs (yes, CPAs - despite it being thought of as a technical / security framework). It covers 5 criteria (called “Trust Service Criteria”), but security is the only one *required* to pass an audit. However, it might make sense to meet some of the additional criteria depending on your particular industry and business model.
Within SOC 2, there are two types of reports you can get:
- Type 1 demonstrates that you are compliant at a point-in-time. Sometimes this can help if you need to immediately close a deal.
- Type 2 demonstrates that you are compliant over a period of time, generally > 3 months. Most enterprise customers will require a Type 2 report.
Now that we’ve covered the basics, you should know that SOC 2 will involve more than just your technical staff - implementing the required security practices and processes is a full-company endeavor that will require all management-level team members to be involved. If you’re the CTO / CIO and you’ve been assigned to “figure out SOC 2 compliance” - a common scenario - be prepared to educate your non-technical counterparts and get buy-in from everyone involved.
The Actual Steps You’ll Take
- Sign up for a compliance management platform like SecureFrame (I have no affiliation) to guide your company through the process. There are a number of platforms that will accomplish the same goal such as Vanta and Drata. After sifting through some Slack and Discord communities that I’m part of, I’ve come to the conclusion that these are all pretty much the same - the important part is that you have one.
- The compliance software will integrate with your systems and survey your team. In doing so, it will inform you of what process, infrastructure, and security changes you need to make. If you’re already following best practices, many of the changes that you’ll likely need to make are going to be creating standardized operating procedures (SOPs) for things like onboarding and offboarding new employees and contractors, having processes for dealing with issues like outages and data loss, and having logging and documentation in place to prove that you’re following these processes. This will be a whole team effort - definitely more than just engineering stuff here.
- Once you’ve made all of the needed changes and the compliance software confirms that you’re fully compliant, you will then hire an auditing firm which will do a formal audit. The compliance software of your choice will likely be able to refer you to an auditing agency, though it may be worth comparing prices outside of their recommendations. This generally takes 2-6 weeks for startups depending on the complexity of the company and infrastructure and how responsive and organized your team is. From my own back-channel research, I’ve seen quotes for anywhere from $7-34k for a startup audit. If you don’t need a Type 1 audit, you can probably save a little bit. The audit for getting a Type 2 certification will take 3-12 months because it is a time-based audit that checks that you are staying compliant over a period of time.
- Once you get the report, the platform will monitor that you stay compliant and give potential vendors a dashboard to access your reports and verify that you are compliant. You can also use the platform to follow this process and become compliant in other security frameworks like ISO 27001 as well.
How Long It’ll Take
How long it takes you to complete the process will be a function of how big your company is, how complicated your infrastructure is, and how many changes you need to make. Many early stage startups with teams of ~10 employees with fairly standard processes have said it took them 1-3 months. Once you become compliant, it will take a few weeks for the auditing agency to become available and then another 2-6 weeks to get audited. At this point you’ll either pass or you’ll be told what you need to change and start the auditing process over. Finally, 3-12 months later you’ll get audited again and get a Type 2 report.
How Much It’ll Cost
I’ve seen quotes as low as $7k (these are 2023 prices) if you can wait for the Type 2 report and don’t need a Type 1 report while waiting. On top of that, there’s the cost of the team’s time to make the changes, which will depend on your current team size and existing processes. Lastly, there’s the cost of the compliance software.
A Lower Cost Workaround
If SOC 2 is too costly or takes too long for your company’s needs, another possibility is that some companies might allow their vendors to complete a standard security questionnaire such as SIG or CAIQ. The catch is that such a questionnaire is likely to ask the same questions that a framework like SOC 2 covers, meaning that you’d basically end up doing the same work in terms of making changes and implementing processes anyway - so why not get the full SOC 2 report at that point?
At Thoughtful, we can help your startup with SOC 2 from a tactical, strategic, and planning perspective. We can help you find an auditor, set up a management system, and work with your company to become compliant. If you have a complex situation requiring more than a compliance management system and audit, we can also help you hire a CISO.