Once common only for large enterprises, security certifications now benefit companies of all sizes. Today, companies from small 5-person startups to Fortune 500 companies must show their customers how they’re protecting customer data and themselves from potential threats. The most common way software companies highlight their security practices to prospects is with a SOC 2 report.
SOC 2 is one of the Service Organization Control (SOC) frameworks developed by the American Institute of CPAs (AICPA). Certified accounting firms use this framework to audit, assess and attest to a company’s compliance and security practices.
What does a SOC 2 Report Entail?
A SOC 2 report consists of two categories of information that auditors consider:
- Organizational — examples include conducting performance reviews, maintaining an org chart and providing employee security awareness training
- Technical — examples include vulnerability scans on your servers, encrypting your S3 buckets and backing up your databases
There are two types of SOC 2 reports used to evaluate organizations:
- SOC 2 Type I assesses your controls at a single point in time
- SOC 2 Type II assesses your controls for a period of time, typically between 3-12 months
Most companies start with a SOC 2 Type I and then transition to a SOC 2 Type II, which needs to be renewed every year.
When preparing for a SOC 2 report, your auditor will provide you with a list of controls (consider these rules for your company) that you have to comply with, and you need to provide evidence that you’ve actually implemented these controls to meet SOC 2 requirements.
Unfortunately, this checklist of controls can go into hundreds of items and the requirements aren’t always very clear. Collecting all of this evidence across your entire tech stack can take hundreds of hours of your team’s time to track down the information and document it as evidence. However, more and more companies are beginning to use compliance software to automate the manual process of evidence collection through integrations.
How do I go about getting a SOC 2 Report?
The idea of an audit can seem scary and confusing, but the process doesn’t need to be that complicated. To prepare for a SOC 2 audit, you’ll want to allocate:
- Budget — between $10-40k for audit costs depending on the complexity of your business and the auditor you work with, as well as another $3-30k for a penetration test
- Time — between 3-4 months, with 10+ hours a week from a few core team members in your engineering or IT department, but Secureframe can bring this time down to a few weeks
Once you’ve allocated budget and time, the first step is finding an auditor. There are thousands out there that you can work with or, with Secureframe, we’ll connect you with our vetted auditor network and ease the burden of time and effort right from the start.
Once an auditor is assigned, together you’ll establish appropriate policies and controls for your company to meet SOC 2 requirements. Then, you’ll apply these controls and collect evidence that these controls are properly in place. The process of reconfiguring your software, implementing new security policies and processes, and encrypting your company devices and servers can take months.
After you’ve collected all of your evidence, you will begin the audit assessment period, which can range from 3-12 months depending on how long you want to assess your environment.
How can Secureframe and Jamf streamline your compliance checks?
Using Jamf supports your efforts to establish a more secure company. SOC 2 requires companies to have policies and processes in place for:
- Access control and termination
- Password management
- Inventory management
- Anti-malware technology
- Device encryption
Jamf can support all of these controls — auto-installing antivirus software, continuously updating software across devices, encrypting devices at scale and removing device access from terminated employees. With the Jamf integration, Secureframe can automatically collect documentation that demonstrates device security and compliance as well as satisfy the auditor’s requirements.
Secureframe has over 40 integrations across cloud services (e.g. AWS, Azure), HR tools (e.g. Gusto, Zenefits), developer tools (e.g. GitHub, GitLab), and more. We continuously — and automatically — collect audit evidence, run security awareness training, manage vendors, monitor infrastructure and more. Through our software and integrations, we help companies get SOC 2 compliant within weeks rather than months, and help companies save around 50% on audit costs.
If you find yourself manually deploying Apple devices and scrambling your way through the SOC 2 compliance process, consider Jamf and Secureframe for a secure and auditable Apple enterprise.