
SOC2 Type II is a wrap

Björn Schwenzer



What, another post on SOC2? Wasn’t there one just a few weeks ago, and what’s the big deal?

If these are your thoughts, it means you’re actually reading our blog posts on security (which is good!), that your memory is better than mine on an average day, and that you will like the news: we’re SOC2 Type II certified now!

Unfortunately for me and many other CISOs and information security maniacs around the world, this is not something companies throw big parties for, honoring all the hard work, sweat and blood that went into passing an official audit. Yes, if you do security, you need to be happy with dwelling in the shadows of the true development rockstars - unless there is a security problem, of course, which comes with a lot of attention of the unwanted kind.

A small step for an auditor, a big leap for WunderGraph

But that’s the whole point of SOC2 and security frameworks, isn’t it? Making sure things don’t go south, that everybody (customer and colleague alike) stays safe, and that us security people can stay in the background, happily snuggling up to our policies and procedures.

For a start-up like us, getting certified against a major framework like SOC2 is a big milestone, and we made sure we got there fast. Running a tight ship when it comes to security is one thing - being able to prove it is another. This is why we hit the afterburner after completing the initial SOC2 Type I run: we collected evidence over a little more than three months (a Type II report covers an observation period, not just a point in time) and then had the auditors scrutinize everything we had established before, to make sure we actually ate our own dogfood and followed the policies and procedures we had adopted.

Needless to say, this was a team effort. It's not enough to postulate secure processes; what really counts is that everybody in the organization understands why we submit to a strict security regime and helps each other find and eliminate weaknesses. In a way, getting certified also makes your team stronger, because understanding of information security across the whole company deepens and ownership grows.

This is the security you’re looking for

For SOC2 Type I, we deliberately started out with what we thought was the simplest (and fastest) approach: just selecting "Security" as the key Trust Services Criteria ("TSC"). Security is the one TSC every SOC2 report must cover, so it is the natural starting point. However, and this is also a recommendation I'd like to share, we already built the entire foundation on which "Security" is able to stand: the Information Security Management System ("ISMS"). This helped us tremendously when we decided to include four out of the five TSCs for our SOC2 Type II run:

  • Security
  • Availability
  • Confidentiality
  • Privacy

Based on the feedback we received from our customers, the Security TSC is good, but it’s really just the absolute minimum. If you want to move fast to get to Type I and leave a mark, that’s ok, but going forward, doing a SOC2 Type II on Security alone isn’t something I’d recommend.

Why it matters for our customers

Now that we have official proof that we're covering all relevant TSCs, our customers have one supplier fewer to worry about. In my pre-start-up days as a CISO in a larger company, we operated under a tight compliance regime which also included information security. Working with vendors that weren't certified against a standard framework such as SOC2 or ISO 27001 always meant extra work for us: additional reviews, questionnaires and exception reports for our cyber insurance. And even if everything looked ok from the outside, looking under the hood of a vendor is very tricky, so there was always a feeling of uneasiness on a corporate level and a clear preference to work with certified vendors, given the choice.

Users of WunderGraph Cosmo now have the peace of mind that an official audit has confirmed a security framework is in place, one that clicks into place with a customer's own compliance requirements. This means more time to spend on important stuff, not on vendor security management.

Darth Vanta

If you remember my first post from March of this year, you’ll recall that I mentioned that we intended to use a compliance platform to simplify evidence collection and ensure we meet internal security SLA requirements. We opted for Vanta, which has its light and dark sides.

On the light side, Vanta is great at providing structure that helps you not miss important deadlines (and there are a lot of deadlines to miss) or potential vulnerabilities that require analysis and mitigation. Also, auditors prefer doing audits on the basis of such a platform because it simplifies their access to evidence (in many cases resulting in a discounted audit fee), and it means you don't have to collect and process that evidence manually. This is really helpful and justifies the expense and effort involved, which leads us to the shadowy side of things.

Make no mistake: once the dark side has you, it won't let go, and Vanta is extremely sticky as well. It also isn't cheap for what it does, especially if you're adding more frameworks like ISO 27001 later. What's more, the platform may look pretty on the UI side, but the technical implementation has its quirks and ugly sides, too. Integrations don't always work, and the policy editor is not exactly a piece of art, which is why we keep and edit our policies locally and treat Vanta as the system of record for evidence rather than for policy text. Besides that, Vanta still feature-limits you in some areas.

To SOC2 and beyond

So, what’s next? Can we now also sit back, relax, enjoy peace of mind and have some milk and cookies? If you are following WunderGraph, you already know that this isn’t us. :)

Our next objective on the security roadmap is ISO 27001. Thanks to the ISMS already being in place and containing all necessary policies, we will keep moving fast. After a little bit of housekeeping, you shouldn’t be surprised to read about security certifications again soon!