
Security theater: not another policy!

It’s such a common theme. You need to establish a cyber security program so that you can get your SOC 2 report, and the first thing an "expert" recommends is writing policies. A quick search of the web reveals hundreds of types of policies, thousands of templates and a ton of pseudo-legal jargon. Where do you even start? Is all of this necessary? Is it really required for an audit? How does it help you earn money? Every one of our customers had written at least one policy that was irrelevant to their organization before joining Strike Graph.

Determine which policies are relevant.

Strike Graph helps eliminate security theater by cutting low-value activities, and unnecessary policies are a prime example. We find that only a few policies are common to every security program when it is first formalized; the rest come as the program matures or as an outcome of a comprehensive security risk assessment. Go ahead and create a Physical/Logical Access Control Policy, a Change Management Policy and an overarching Information Security Policy. These three are essential to your program, and customers will often ask to see them as part of their vendor management program. Remove the guesswork: the results of the risk assessment will set your roadmap for the additional policies or procedures that are truly relevant to your organization.

System description — always relevant

With Strike Graph you can also create a document that is relevant to a wider audience than any policy and is especially useful for startups at the seed stage. This document can help win deals before your audit, impress investors, and is required to pass the audit when you're ready. A win-win-win!

System Description to win deals!

The System Description is prepared by management and is a required element of a SOC 2 report. According to the AICPA, the System Description in a SOC 2 report is designed to enable customers, partners, and other intended users to understand the service organization’s system. In other words, this document needs to clearly and accurately describe the service your customers will be using, and it also provides a narrative of your organizational maturity and of the security activities related to your organization and to your product or service. In practice that means describing the system’s boundaries and components (infrastructure, software, people, procedures and data), the service commitments you make to customers, and the controls that support them.

The System Description is ultimately meant to create trust with your customers as part of a SOC 2 report, but some organizations find that a version of it is useful for gaining customer trust before the report is issued. Sharing a preliminary draft with potential customers ahead of your SOC 2 report can help them understand that your company is analyzing security carefully and developing the habits that will keep their business and data safe.

Tackle it early!

The System Description is a critical part of a SOC 2 report, and writing it early pays off. Having this document written before wading into an audit helps the SOC 2 auditor understand the scope of the engagement: it defines the boundaries of the system and outlines exactly which controls you want assessed, which limits the "gotchas" during the audit. Consultants typically charge as much as $15k to $20k to help draft a System Description for your SOC 2.

The Strike Graph approach

The Strike Graph approach eliminates the need for consultants while ensuring you meet the requirements. Our customers are publishing a System Description to close deals before they have passed an audit. With Strike Graph you create trust with customers early.

Are you ready to build trust through cybersecurity?