There is a saying that the cobbler's kids have no shoes. Not in our case! We ate our own dog food and tackled a SOC 2 Type 1 using our Strike Graph platform and services. And getting our SOC 2 didn't suck!
Having endured a number of manual SOC 2 Type 1 audits in the past, using our own product in this effort was hands down the most efficient audit that any member of our internal team has participated in. Since we had the tools to quickly identify and assign relevant controls based on our unique risk profile, and to efficiently create our system description, we were able to kick off our journey smoothly with an appropriately sized set of controls. We knew exactly what we needed to document to demonstrate we had each SOC 2 Common Criteria covered. No busy work or Security Theater!
What We Learned:
- Executive and Process Owner Buy-in is KEY to Success. We found that a few processes needed to be matured and some supporting procedures needed to be created or memorialized. Buy-in from leadership was key, because the SOC 2 journey did introduce a bit of organizational change. We found ourselves confronted with some decisions: who was going to roll out the All Hands Security Training and when? Where should we formalize the patching procedures and is it time to set up SLAs? Could the new hire provisioning process be a bit more efficient?
- Take Credit for What you are Already Doing. That back up recovery process may be manual and a little clunky, but you have done it a few times so take credit! The flip side of this advice is don't try to create a slew of new processes when the wonky old ones are working. Tackle the fancy new monitoring tool or HR tracking tool when you hit a defined tipping point. Don't implement more software solutions just for the SOC 2.
- Find a Decent Project Manager. Select one individual to be the liaison between the auditor and the internal stakeholders. It helps if that person knows a bit about a SOC 2 audit, but it is not required. That person should have the operational prowess to delegate assignments appropriately, and to facilitate folks meeting their deadlines. These assignments generally look like polishing up a policy, documenting a disaster recovery process, or facilitating an all hands security training. This person should expect to make accommodations in their daily schedule and workload, and the organization should prepare accordingly. This blogger, for example, needed to skip a week of blog posts so that she could herd the Strike Graph cats.
- Chip Away Each Day. Our CTO was swamped with enhancements, new releases and meetings. She set a goal to work on at least three tasks a day, and because she planned ahead she was able to tackle her workload and still go on her three weekly bike rides.
- Lean on Your Experts. We were lucky to be able to utilize our Strike Graph Customer Success Managers to help us with templates and process guidance along the journey. Our Auditors were also excellent partners. They met with us weekly to check on our status or chat through some of our trickier processes. Each group of experts brought something unique to the table, from templates, to tweaking control wording to better capture our process, to refining our System Description. Our audit process was smooth sailing thanks to the foresight to plan ahead, the collective efforts of our entire team, and our carefully selected audit partners.