After dreading it for ages, we embarked on our SOC 2 compliance journey a few weeks ago. In this blog series we want to take you through the work we’re doing as a small SaaS company to achieve certification.
You can find lots of Google results for SOC 2 compliance that explain the differences between Type 1 and Type 2, but we really struggled to understand the actual work we’d have to do. Our hope is that these posts might answer that same question for you.
We partnered with Laika for our SOC 2, and they gave us 10 draft policies we’d need to adopt. In this series, we’ll take these policies one at a time, illuminate what they say, and detail our actions to get compliant. For more background on the details of the SOC 2 process, you can watch our SOC 2 webinar video here.
Here’s the full list of policies we had to implement for our SOC 2 compliance.
- Information Security Policy
- Business Continuity and Disaster Recovery Plan
- Compliance and Risk Management Policy
- Configuration and Change Management Policy
- Data Protection and Handling Policy
- Employee Handbook
- Hiring Policy
- Incident Response Policy
- Privacy Notice Policy
- Supplier Risk Management Policy
The key point to understand is that certification is about verifying that what you said you’d be doing in your policies is what you’re actually doing. You get to customize your policies to match the way you want to work, as long as they achieve the objectives of SOC 2. Keep that in mind as you read these posts and consider your own SOC 2 journey. It’s all about right-sizing your process.