After kicking the can down the road for as long as we could stand, we decided that Arpio should pursue SOC 2 compliance in 2021. And while there are plenty of Google results that explain the basic differences between SOC 2 Type 1 and Type 2, we really struggled to understand the actual work this journey would entail.
This blog series intends to capture the work required of us (an early growth stage SaaS company) to achieve SOC 2 certification. Our hope is that these posts might give you the insight we failed to find online.
Once we committed to this journey, we partnered with Laika, who provided the 10 policies we’d need to customize and adopt. We’re looking at these policies 1-by-1 in this series, and this post is about the 3rd policy: compliance and risk management.
The compliance and risk management policy is all about ensuring that we’re taking compliance seriously. It identifies a risk & compliance officer (our CEO) who monitors the company’s adherence to its compliance obligations. It stipulates that senior employees will be held accountable for supporting the compliance mission. It mandates compliance training for all employees. It establishes the feedback mechanisms by which employees can report breaches of compliance without fear of penalty.
This was 100% new to us. Thankfully, in addition to the policy itself (which we tweaked), Laika provides us with the training modules and the documentation processes to capture and measure compliance.
Additionally, as a company we have adopted a quarterly compliance day activity where we convene our entire team to review our compliance and complete periodic activities like BCDR testing and system access review. Through this process, everybody is frequently reminded of the importance of compliance, and we have an opportunity to identify any non-compliance and remediate it. We have a standard agenda for this compliance day activity that ensures all of our practices are being reviewed and followed. We held our first compliance day a couple of weeks back, and I dare say we enjoyed it. Tackling compliance together as a team activity was kind of a bonding event.
As we stated at the outset of this series, “The key point to understand is that certification is about verifying that what you said you’d be doing in your policies is what you’re actually doing. You get to customize your policies to match the way you want to work, as long as it achieves the objectives of SOC 2. Keep that in mind as you’re reading these posts, and considering your own SOC 2 journey. It’s all about right-sizing your process.”