It finally happened - you’re out there, building your company, trying to close deals, and a big enterprise customer (or maybe someone in a regulated space) sent you a security questionnaire.

“Hey, do you have a SOC 2 report?”

If you stop reading right now, let this be the one thing you take away from the article. What your potential customer is really trying to tell you is this:

“Hey, we care about being secure & we don’t want you to compromise our security. Can you prove to us that you are secure?”

This is the #1 mistake that we constantly see startups make when it comes to the SOC 2 process. They think that it’s like ISO 27001 with a set list of controls, or HIPAA where you are either following the law or not - but a SOC 2 report isn’t a binary value of “you have it or you don’t.”

A SOC 2 report is a report of your system and organization’s security controls audited by a 3rd party for accuracy.

Key concepts here:

1. It’s audited for accuracy, not for value.

2. It outlines & describes your security controls.

3. It is going to be evaluated by a CISO or IT manager, etc.

Technically, you can put whatever you want into your SOC 2 report. You can describe your controls as “we leave the door open, the windows unlocked, and there’s a huge hole in our ceiling” … and as long as you describe your controls accurately and provide evidence that they are as you say, you can go get a valid audited SOC 2 report by a CPA.

It’s like having audited financial statements. They can be accurate, but they might describe a company that’s about to die.

What you want to achieve at the end of the SOC 2 process (which is going to cost tens of thousands of dollars, and take a minimum of 4 months), is to have a SOC 2 report that attests to the fact your company is extremely secure.

This is the absolute core thing that Oneleet solves - we help companies build real-world security. We create the security program, do the penetration testing, provide a suite of tools that identify vulnerabilities and reduce your likelihood of being compromised.

Then, we automate and guide you through the relevant compliance frameworks (SOC 2, ISO 27001, GDPR, etc), holding your hand along the way, answering your questions, keeping you accountable, integrating and monitoring your entire stack.

This way you don’t just end up with a “SOC 2 report” that simply attests to a system of security theater, but you obtain an audited report that attests to an “actually secure” organization. A SOC 2 report that is going to help you breeze through security reviews & enable you to sell into other organizations that care about security.

When do you need a SOC 2 report?

The first thing we try to do when working with new clients, is to make sure they actually need a SOC 2 report. The SOC 2 process is painful. We make it less painful (and hopefully even fun!), but it’s still going to cost tens of thousands of dollars and take 4-6 months to complete a type 2 audit.

Signs you need a SOC 2 report:

1. Your customers start asking for a SOC 2 report.

2. NOT having a SOC 2 report is preventing you from closing important deals or building partnerships.

3. You can’t go 0-1 on selling to your ICP without a SOC 2 report.

Signs you DON’T need a SOC 2 report (at least not yet):

1. You’re a pre revenue startup that wants to do enterprise deals one day.

2. You think your customers will want it, but you’re not sure yet.

3. You’re bootstrapping, under $50k MRR, & a small percentage of customers are asking for a SOC 2 report.

Basically - you want to make sure that you have truly vetted the need first for going through the SOC 2 process & dedicating the time + money required, and that you’re in a place where you can afford it.

What is the difference between a SOC 2 type 1, and SOC 2 type 2 report?

A SOC 2 type 1 report, is a report where the auditor looks at your controls as you have described them, compares it to the evidence you have submitted, and then evaluates if it is accurate within that specific point in time.

Because the SOC 2 type 1 report only looks at a specific point of time, these are usually much quicker to obtain than a type 2 report - although the costs will remain very similar.

Oneleet recommends clients to get a SOC 2 type 1 report only if it will immediately unlock business that would not be possible to obtain without one.

Often there are other ways to close deals without needing the type 1 report:

1. Beginning the full SOC 2 type 2 process, and obtaining a Letter of Engagement.

2. Completing a Penetration Test to prove security.

3. Simply describing your current security controls in an authoritative way.

It’s actually fairly rare to exist within the window of “other options aren’t good enough” but “a SOC 2 type 1 report will close the deal”.

In contrast with a type 1 “point in time” audit, a SOC 2 type 2 report looks at everything that a type 1 does, but it includes a minimum 3 month monitoring window.

If a type 1 report asks “is the door locked at this point in time” a type 2 report asks “did it stay locked for 3 months”.

Because of this, 99% of the time when a potential user asks for your SOC 2 report they are almost always asking for a SOC 2 type 2 report. This is considered the gold standard for SOC 2 within the security and compliance industry. It will unlock the most business for your organization.

It also costs basically the same as the type 1 report, it just involves the additional 3 month monitoring window. This is why we almost always recommend going for the type 2 report.

If you DO need both a SOC 2 type 1, and a type 2 report, the only additional cost is for having two audits preformed.

What is the SOC 2 process?

All together, it will take most organizations anywhere from 20 - 60 hours of implementation work to be “audit ready” and then an additional 3 months for the monitoring window. On average we see most companies go from beginning to end within 4-6 months.

This is the basic outline of the SOC 2 process with Oneleet (using another vendor will add steps as you have to hack together vendors for penetration testing, CISO services, and auditing).

[Step 1 - Start ] Kick off the engagement! Time to get started. 🔥

[Step 2 - Scoping] Meet with your Security Program Engineer. These scoping calls generally take about an hour where we learn about your organization. We’ll go over your stack, current policies and procedures, and learn about the humans within your organization.

[Step 3 - Security Program] We put together your custom security program!

[Step 4 - Implementation] Implementation of the security program, generally speaking this will take between 20 - 40 hours worth of work. Most clients complete this within 4-6 weeks but it IS possible to rush through this with dedicated focus & urgency. Our team is here to answer questions, provide support, and assist with accountability - we’ll hold your hand as much as possible.

A question we often hear at this stage is “can’t you do this for me?” the honest answer is that even if we were sitting next to you in your office, there are large pieces of your security program that an outside party can’t take responsibility for.

There are elements of structural decisions on your tech stack, trade offs between security and speed that need to be made, and enforcement of policies that can be hard to build buy-in from the POV of an outside party.

Most importantly though - a KEY element of a strong security program, is buy in and ownership at the leadership level. For ISO 27001 (the European standard for Information Security Management Systems) this is an absolutely required control. For SOC 2, it IS more customizable, but this is an example of a “we have a hole in our ceiling” that you don’t want to show up in your report.

[Step 5 - Penetration Test] After the security program has been implemented we move on to the penetration test! This is a key element of real-world security programs & a very common reason why SOC 2 reports are rejected is if they are missing a pen test.

[Step 6 - Audit Begins] We now begin the auditing process! If it’s a type 1 report this will usually be finished within a week or two. For a type 2 report it marks the kickoff of the monitoring window.

[Step 7 - Monitoring Window] We now enter the monitoring window for SOC 2 type 2 reports. This usually takes 3 months for organizations new to SOC 2, for larger organizations this will often be extended to show an improved & more mature security stance.

[Step 8 - Completion] At the end of the 3 month monitoring window you will receive a SOC 2 type 2 report, and you’re off to the races to pass your security reviews!

Does a SOC 2 report ever expire?

Now that you have that fresh SOC 2 type 2 report in your hands, you might start asking yourself “does a SOC 2 report ever expire, do I need to do this again?”

The answer is no … but also kind of yes.

Technically - a SOC 2 report (either type) never expires … BUT, it is just an audited report of your security controls. If you have a SOC 2 report that is 2 years old, and it hasn’t been updated, what that is screaming to a CISO or IT manager is that:

1. This company hasn’t updated their security controls in over a year.

2. Have they not built anything new in the last year that needs to be included in the report?

3. There are constantly new vulnerabilities being identified and exploited, have these been incorporated into the current security controls?

The industry expectation is that organizations update their SOC 2 report each year. This involves updating your security program, getting an additional penetration test, and completing a new SOC 2 audit.

So technically the report doesn’t “expire” but you will start failing security reviews with an outdated report. It’s a major red flag and one of the most basic things that are checked during security reviews.

Example: What does a SOC 2 type 2 report look like?

While no two SOC 2 type 2 reports look exactly the same (they are extremely customizable) controls are generally grouped around the 5 Trust Service Principles.

These 5 Trust Service Principles include:

1. Security: The system is protected against unauthorized access (both physical and logical).

2. Availability: The system is available for operation and use as committed or agreed.

3. Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.

4. Confidentiality: Information designated as confidential is protected as committed or agreed.

5. Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice, as well as with criteria set forth in generally accepted privacy principles issued by the AICPA.

How to best leverage your SOC 2 report to drive sales & revenue

If the users you are trying to sell into care about security, then security can become an extremely important value proposition within both your marketing AND sales processes. The basic playbook looks something like this.

Marketing + SOC 2

• Implement “security messaging” on your website. Rippling does an incredible job here building out a dedicated landing page to share with users that care about security.

• Implement a Trust Page (included with all Oneleet SOC 2 packages) to describe your certifications, frameworks, and controls. Here is an example from one of our clients Perl Street.

• Incorporate Security + Compliance frameworks into your remarketing ads. This can be wildly effective especially with strong targeting towards visits who hit enterprise pages or your trust pages themselves.

• Build it into nurture campaigns for ICP’s who care about security. You can use a tool like Koala or Clearbit to identify if the customer is likely to care about security and then to pull that into Hubspot, Salesforce, or another CRM.

Sales + SOC 2

• It sounds basic, but actively train your sales team on how security reviews play into your sales cycles. Teach them to identify what kind of users are going to care about security, and to identify any security-focused stakeholders in your sales process.

• Give your sales reps collateral, messaging, and playbooks for objection handling - make it as easy as possible for them to reply to any clients that care about security.

• Leverage Oneleet as your security team to help with especially tricky security reviews! Our team is here to help you deal with CISO’s and to best respond to security questionnaires. We can even hop on calls to help you close deals (fair use policy in play here).

Getting a SOC 2 report with Oneleet

Oneleet began as a platform for penetration testing, often servicing companies attempting to get a SOC 2 report. We never expected to get into the compliance space, but by doing the penetration testing it opened our eyes to just how broken compliance is.

CPA’s with no technical backgrounds doing an audit on IT systems, security-theater vendors stuffing pointless controls into compliance programs, greedy sales reps taking advantage of pre-seed startups, selling them dreams of enterprise sales, and then locking them into multi-year contracts.

Oneleet is on a mission to fix compliance.

We are the industry's only security-first, all-in-one platform for both security + compliance.

When you work with us you will get a team of security professionals who will help you create stage-appropriate security controls that build real world security, and then we’ll help smoothly guide you through any relevant compliance programs.

We will never sell you on something you don’t need & we’ll do everything in our power to make your Oneleet package as valuable as possible (never charging for simple features like a Trust Page just to increase our “average dollar per customer” as soon as your contract expires).

If you’re ready to get started just schedule a demo, we’d love to chat with you about security & SOC 2 attestation. 🦾