@atomkirk
Last active August 6, 2024 20:50
I got SOC 2 certified by myself

From April 10 to May 2, 2024, I did all the work myself to get SOC 2 Type I certified. I'm now halfway through the observation period to get Type II. The observation period is easy: you just have to babysit the controls. Getting to Type I is much harder. It took me somewhere around 100 hours.


SOC 2 is a security framework that, for many customers, eliminates the need to have you, as a vendor, fill out a lengthy security questionnaire. The SOC 2 controls and audits ask pretty much all the questions you'd get from a customer's security team. In fact, that is a great way to think about SOC 2: it's essentially a very thorough questionnaire you fill out once, an independent auditor forms an opinion of it in a report, and you share that report with all your customers.

There are two parts to SOC 2. First is the initial audit, where an auditor writes a Type I report giving their opinion of your current setup. Then there's a 3-month observation period where you have to prove to an auditor that you are following your own policies and maintaining compliance over an extended period, after which the auditor writes a Type II report. The vast majority of the work is getting to Type I; the observation period just requires an hour or so a week to keep up on things.

I highly recommend using a tool like Vanta, Drata, etc. I got a free trial of both, played with them for a few hours and then chose Vanta. Vanta gave us a great price, had much better integrations with Google Cloud Platform at the time, and their UI was more intuitive to me. Their support has been good too. I emailed them about a control that wasn't passing and some tier 2 or 3 support looked into it within a day or two and found that my Rippling account had duplicate employees. Vanta has been a godsend and I literally would have paid $7k+ out of my own pocket for it.

I had heard so many incorrect things about SOC 2, like that it REQUIRED devops and engineers to be separate roles and that engineers can never ever touch production. Or that code reviews are REQUIRED and you can't do pair-programming trunk-based development. The thing to keep in mind is that these controls are ambiguous on purpose (so that they can stay relevant over time), and whether you've implemented them correctly is 100% up to your customers. I'm not even sure an auditor will fail you; they will just call out a weak implementation in their report so that your customers can read their opinion and judge for themselves. You can also justify things to your auditor and they will include that in their report. As long as you are actually being secure and can justify it clearly in a way your customers will buy, you can do it however you want.

I mistakenly thought I could "fail" the 3 month observation period and start over. Nope, like I explained, a lack of compliance is noted in the report and you can justify or explain it. These reports are written for your customers.

With that said, there are 157 tests Vanta runs continuously to check commonly accepted implementations and help you prove you are complying in a standard way. Vanta will suggest a common way to comply with a control for a particular integration (like Google Cloud Platform or GitHub) and then provide a test to help you prove you are configured correctly over time. So you pick and choose where you just do it the standard way and save time (like turning on protected branches in GitHub), or, if pair-programming trunk-based development is your competitive advantage, you do the extra work to convince customers it complies with the "Change management procedures enforced" control.

From what I remember, the bulk of the work fell into 3 categories:

  • Configure Google Cloud with alerts, settings, etc.: I did all this with Terraform. If you want my Terraform config that sets all this up I'm happy to share. I suggested Vanta just provide it :)
  • Documents: Policies. So many policies. And meeting minutes, screenshots of tickets, etc. I generated a ton of policies with Claude as a starting point and then edited them to my liking. Many times Claude created a policy that included things that made me think "Oh yes, good idea, we should be doing that." We made a cheat sheet of all the stuff we committed to do in the policies so we can regularly review and make sure we are complying with our own policies. No one reads these except the most thorough customers, btw.
  • Vendor & people management: Filling out all the risk assessments, SOC 2 reports, etc. for each vendor was a pain. I have my employees install the lightweight Vanta agent, which I think is fantastic and simple. Vanta provides an onboarding experience for new people and has a great integration with Rippling.
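As an added illustration of what the "standard way" looks like when written down as infrastructure-as-code, here is a Terraform configuration covering two of the controls discussed above: a GitHub branch protection rule on main (the change-management control) and a GCP log-based metric plus alert policy that fires on any IAM policy change (the Google Cloud alerting work). This is an example written for this page, not the author's Terraform, which is not published here and may differ. The organisation, repository, project ID, CI status-check name and e-mail address are placeholders, and the provider version constraints are assumptions.

```hcl
# Added example, not the author's configuration. Organisation, repository,
# project, status-check name, e-mail address and provider versions below are
# assumptions for illustration; replace them with your own.
terraform {
  required_providers {
    github = { source = "integrations/github", version = "~> 6.0" }
    google = { source = "hashicorp/google", version = "~> 5.0" }
  }
}

provider "github" {
  owner = "example-org" # assumed GitHub organisation
}

provider "google" {
  project = "example-project" # assumed GCP project ID
}

# --- Change management: protected branch on GitHub -------------------------
# Every change to main must arrive via a pull request with at least one
# approving review and green CI, and repository admins cannot bypass the rule.
resource "github_branch_protection" "main" {
  repository_id  = "example-app" # assumed repository name
  pattern        = "main"
  enforce_admins = true

  required_pull_request_reviews {
    required_approving_review_count = 1
    dismiss_stale_reviews           = true # a new push invalidates old approvals
  }

  required_status_checks {
    strict   = true          # branch must be up to date with main before merge
    contexts = ["ci/test"]   # assumed status-check name reported by your CI
  }
}

# --- Monitoring: alert on IAM policy changes in GCP ------------------------
# SetIamPolicy calls land in the Admin Activity audit log, which Google Cloud
# records by default, so no extra log sink is needed. Count every such call.
resource "google_logging_metric" "iam_policy_changes" {
  name   = "iam-policy-changes"
  filter = "protoPayload.methodName=\"SetIamPolicy\" OR protoPayload.methodName:\"setIamPolicy\""

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

resource "google_monitoring_notification_channel" "security_email" {
  display_name = "Security alerts"
  type         = "email"
  labels = {
    email_address = "security@example.com" # assumed mailbox
  }
}

# Notify as soon as the count is non-zero in any 5-minute window.
resource "google_monitoring_alert_policy" "iam_policy_changes" {
  display_name = "IAM policy change"
  combiner     = "OR"

  conditions {
    display_name = "Any SetIamPolicy call"
    condition_threshold {
      filter          = "metric.type=\"logging.googleapis.com/user/${google_logging_metric.iam_policy_changes.name}\""
      comparison      = "COMPARISON_GT"
      threshold_value = 0
      duration        = "0s"
      aggregations {
        alignment_period   = "300s"
        per_series_aligner = "ALIGN_COUNT"
      }
    }
  }

  notification_channels = [google_monitoring_notification_channel.security_email.id]
}
```

The branch rule is a preventive control (unreviewed code physically cannot reach main), while the alert is a detective one (you find out after the IAM change has already happened), and that distinction is exactly the kind of thing an auditor will describe in the report for customers to weigh. If you keep the config in a repository that is itself protected by the same branch rule, `terraform plan` output on the pull request doubles as the evidence that the control is still in place during the observation period.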

All in all, I don't want to do this again. Not by myself anyway. It was a ton of tedious, repetitive, boring administrative work. If we had already had a strong set of policies in place, it would have been much easier, but we are a brand new startup, so I had to create them all. My advice is to use a SaaS that can hold your hand through it like Vanta did for me. Worth way more than we paid, TBH.
