Secureframe Office Hours Recap: Scott Savarie of Current Shares His Experience Getting SOC 2 Compliant
If you’re preparing for your first SOC 2 report, you probably wish you could ask someone what it’s really like to go through an audit. What do they wish they knew beforehand? What would they do differently? What tips and tricks did they discover along the way?
For our latest session of Secureframe Office Hours | Ask an Expert, Secureframe compliance manager Rob Gutierrez was joined by Scott Savarie of Current to share first-hand insights into getting SOC 2 compliant. Current is a work-in-progress visibility platform for product, design, and engineering teams to communicate and collaborate in real-time. Teams can share design files, cross-post to Slack for timely feedback, and keep stakeholders in the loop with weekly digests on project progress.
During the 30-minute live Q&A, Scott shared his experience going through a SOC 2 audit, from creating a policy library and configuring controls to working with the auditor for their Type I report. He and Rob answered a range of questions on the practical aspects of SOC 2 compliance, from how many hours it takes to prepare for an audit to deciding whether contractors are in-scope. Check out the recap of their answers below.
What prompted Current to pursue a SOC 2 report?
Scott: We started getting some early traction for the product, but during onboarding and sales calls we would inevitably hit a wall with the vendor security team. We came to a point where we could either continue building out our product roadmap and focus on new features, or spend some of that time tightening up operations and pursuing SOC 2.
We chose to complete a SOC 2 Type I report and are currently in our audit window for our Type II report. Once we were in progress and showing our intent to get compliant, that opened up opportunities to do internal pilots and testing. Once we got our Type I report we were able to proceed with SLAs.
What other compliance automation vendors did Current consider?
Scott: We spoke with a few vendors in the space, but the calls were very sales-y. That was a bit off-putting for us. Our calls with Secureframe weren’t like that — we always had a good vibe with the people from Secureframe where we felt like they would be a real partner for us as we built out our security program.
Where do you see small companies spending excessive time on their SOC 2 efforts that could better be spent elsewhere?
Scott: In our example, we didn’t necessarily want to take six weeks to shift focus away from the product roadmap to work on infrastructure changes and putting processes in place and do security training and everything. But the tradeoff was that without it, we were never going to get feedback on the product.
With B2B software you really have to have a SOC 2 report just to get your foot in the door. Without it, people aren’t even going to be able to use your product.
Can you give some examples of how you used Secureframe to streamline the compliance process?
Scott: Secureframe was very helpful with our infrastructure monitoring. We use AWS for all of our infrastructure and backend, and with Secureframe’s integrations, we were able to monitor everything 24/7 and see if certain tests were passing or failing. That’s already super helpful.
In addition, having a library of policy templates and a place to implement them internally was very helpful. I can’t even imagine doing that without Secureframe to be completely honest.
Not all of our employees are in-scope; there’s a subset of us working on Current, and we’re able to configure that inside Secureframe. It makes it easy to monitor things like whether the people who are in-scope for our SOC 2 have set up the proper settings on their devices. The Secureframe Agent lets you verify that those people have the right password policies and are using encrypted hard drives — all of those endpoint requirements are in place.
What is the typical level of effort required for a software startup company to achieve a SOC 2 Type I?
Scott: It took us about a month to get ready for the audit. We just bit the bullet and went all in on it.
The policies were the most time-consuming for me. First you have to read them all, which takes time, and then implement them throughout the company as well.
You might have a yearly security review meeting, which isn’t necessarily difficult to do, but you need to have a page in Notion where you keep notes, set a recurring meeting invite, and then upload that evidence into Secureframe. You have to follow a series of steps like that for a lot of the policies and controls.
The other time-consuming part is chasing down people to complete security training and making sure they have the right endpoint settings.
Are there any other costs associated with the compliance process, or was the investment purely time spent?
Scott: We did have a few other costs. We had to do a penetration test, and will have to do that again in a year, which is a couple thousand dollars. There were some minimal costs around employee background checks. Then there is the cost of the actual audit as well, of course. Secureframe has relationships with some top accounting firms that you can meet with and choose from.
What is Current’s experience with completing a readiness assessment before the audit?
Scott: We did a pre-audit with Rob and our CSM Jared where we reviewed our overall security posture and made sure we were fully prepared before we started the audit with the CPA.
Rob: Every customer gets a customer support manager and a compliance manager to support them throughout their journey. Part of that is a readiness call before the audit to review the customer’s instance and discuss what to expect from the audit itself.
In Scott’s case, where he’s doing a Type I followed immediately by a Type II, we talked through some of those differences and what to expect.
My biggest goal on these calls is always to make sure that the customer is fully prepared for their audit and more importantly feel comfortable and confident that they’re going to get their report.
What best practices can you share for SOC 2 Type II audit prep?
Scott: I felt like I was in pretty good shape with the Secureframe team. We had just completed our Type I audit and started Type II right away so it felt like we had done all of the prep in advance.
Maybe one thing to note is with the pen test and Type I audit, it’s not as rigid as I expected. There are conversations that can be had. For example, our pen tester found a few issues, we were able to address those issues, and then they redid the test before issuing a glowing penetration test result. Same thing with the Type I audit. There were a few things where the auditor was unclear or needed an extra piece of evidence and we were able to provide that. You don’t need to stress out so much in advance that you have all of your ducks in a row because you get the opportunity to course correct. Gaps can be remediated throughout the process and we had the guidance we needed from Secureframe to do that successfully.
How many hours did it take the team at Current to prepare for a SOC 2 Type I?
Scott: We went all-in for a month. Once 90% of the prep work was done there were a couple of things that we had to wait on, so we were able to get back to working on features. Things like waiting for a background check result to come in, or maybe you’ve made some changes to AWS but the tests take a little while to validate that it’s all configured properly.
You can decide to do it a few different ways. You can allocate a task force, or spend a portion of your time over a longer period. But we decided to make it our #1 focus and get it done as fast as possible.
Stay tuned for the next Secureframe Expert Insights Webinar
We host Secureframe webinars regularly to address the biggest security, privacy, and compliance pain points that we hear from prospects, customers, and our in-house compliance experts. Find upcoming webinars as well as on-demand recordings of past ones in our compliance resources library.