In November 2023, we achieved SOC 2 Type 2, demonstrating our commitment to best practice information security and privacy.
To achieve this milestone, we worked closely with:
- AssuranceLab, information security auditors
- Drata for continuous monitoring of our compliance and centralised storage of policies and controls
- PolarSeven to manage and support our AWS infrastructure
Why we did SOC 2 and what it means
Service Organisation Control 2 (SOC 2) is an internationally recognised standard with a framework and criteria to manage and report on modern technology risk and control practices. I think of it as a guide to ensuring information security is embedded in the day-to-day operations of a business.
It covers everything from hiring and onboarding employees to selecting vendors, storing and deleting data, access control, maintaining cyber insurance, and planning for what to do in an incident such as a breach. It also covers the technical side of things, like safeguarding infrastructure, systems, and sensitive data. Since many security breaches involve human error, this holistic approach to operations and people management is critical.
For us, embracing SOC 2 was crucial in reinforcing our commitment to information security. It helps us protect sensitive data while providing our services to customers, ensuring we maintain the highest information security standards.
Our information security journey began back in 2018. We started hearing talk about information security and frameworks such as ISO 27001. And for the first time, a few enterprise customers asked us about our information security approach.
We researched and decided to find out where we stood at the time against these frameworks. We engaged a consultant to complete a gap analysis against ISO 27001. It's fair to say there were plenty of gaps!
I remember feeling overwhelmed at this point. We were a team of six with minimal experience in frameworks such as ISO 27001. We agreed that we wanted to improve our information security posture and invest time and effort into making it happen. Little did we know we'd still be at it five years later!
We pasted the ISO 27001 controls into an Asana board and worked through them individually. There were over 200 controls grouped by policies such as Human Resource Security, Asset Management, Access Control, Vendor Management, Information Security Incident Management, etc. Once we understood each control, we had to map it back to the relevant policy and then write that policy. There were approximately 15 policies at the time, or 200+ pages in total!
This was a significant amount of work, and we were a young startup already being pulled in many different directions. It took us over 12 months to grind our way to a comfortable position. However, the ISO 27001 framework felt ill-suited to our business and customer offering. It seemed designed for large enterprises, not small startups.
Security was becoming more of a focus in pre-sales for our enterprise customers and was time-consuming for us since they'd ask for slightly different things each time. We thought getting certified in a framework would help everyone involved. However, we weren't sold on ISO 27001.
SOC 2 Type 1
We persisted with ISO 27001 adherence until late 2021 when Darrell @ PolarSeven introduced me to Paul @ AssuranceLab. AssuranceLab was a young auditing business, simplifying a complex area filled with jargon. Paul was a welcome light in the dark, explaining the different frameworks available to us at the time in lay terms. After these discussions and completing AssuranceLab's free readiness assessment, we decided SOC 2 was the right framework for us.
In October 2021, we engaged AssuranceLab to undertake a SOC 2 Type 1 report. AssuranceLab created a Trello board listing all the controls for us to provide evidence against. Paul @ AssuranceLab recommended we chat with Vanta, a compliance platform that supports the audit process and can save everyone time.
We decided to engage Vanta and moved our controls and policies over. We also integrated Vanta with key platforms for automated infrastructure monitoring, employee authentication and employee hardware.
Over the next 12 months, we worked with AssuranceLab and PolarSeven to make the required changes to meet SOC 2 Type 1. Even though we'd already done much of the work with ISO 27001, more was needed to meet the SOC 2 controls. PolarSeven was a welcome help with their AWS and infrastructure expertise.
In October 2022, we celebrated achieving our SOC 2 Type 1! It was the culmination of four years of hard work, tears (just me?) and persistence. However, we weren't done yet! Achieving SOC 2 Type 2 was always the end goal, and it was next.
Type 1 vs Type 2
You'll notice I've referred to SOC 2 Type 1 and SOC 2 Type 2 in this post. What's the difference?
- Type 1 is a point-in-time audit against the SOC 2 trust criteria
- Type 2 is an audit over a period of time, usually 12 months, against the SOC 2 trust criteria
So, Type 1 confirms you have the right processes and controls. And Type 2 demonstrates you use them as you say you do.
SOC 2 Type 2
In early 2023, we began preparing for SOC 2 Type 2. Type 2 requires evidence for controls over and above Type 1, so we spent time adding detail to our existing processes. We also switched compliance platforms from Vanta to Drata. That changeover required some effort to import all our controls and policies and re-integrate platforms for the automated monitoring.
In September 2023, our Type 2 audit started and culminated in SOC 2 Type 2 compliance in November. 🎉
It's a process.
It took five years in elapsed time for us to achieve our SOC 2 Type 2. It's a significant investment of time and effort for any business, especially for a small business with everyone already running at capacity. Those most involved at Yarno were Paul, our CTO; Steph, our Product Manager; and Lachy (me), Managing Director.
The business landscape has changed.
In 2018, I felt adhering to an information security framework was onerous and overkill for a business of our size. Now, in 2023, I see it as imperative. Yes, many of the controls are designed for much larger businesses, yet ultimately, it's a commitment to implementing best practice approaches and processes to keep customer and business data safe.
The security landscape has changed significantly in the past five years. Data breaches have become an unwelcome regular feature of the news. Cyber criminals frequently target Australia because it has the world's highest median wealth per adult. 83% of organisations in APAC have been breached by ransomware at least once in the past five years. (source) And the real figure is higher still, since most organisations (private and public) breached by ransomware don't publicly disclose the attacks. (source)
When we started our information security journey five years ago, finding information and help on standards and best practices was hard. Not so now! Companies like AssuranceLab and PolarSeven are guiding customers through the audit process. And platforms like Drata help by providing a real-time dashboard on adherence to controls and policies.
Security awareness training.
Lastly, it wouldn't be a Yarno post if I didn't mention training. Both ISO 27001 and SOC 2 require evidence of annual security training. Yet there's a significant opportunity for organisations to train more regularly than this. So we recently launched CyberBite, a cyber security awareness training platform. CyberBite aims to reduce human error through fun and engaging team-based learning. Check it out!