In an era where data security is paramount for everyone, we know our customers need more than just our promise to keep their data safe and secure.
Data privacy regulations such as GDPR and CCPA require organizations to have technical and organizational measures in place to ensure the confidentiality, integrity, and availability of personal data.
So what better way to show our customers just how secure their data is than achieving a successful SOC 2 Type 2 audit with no control exceptions!
If you run a SaaS company, it will not be long before a customer asks you to fill out a ‘security vetting questionnaire’.
We’ve filled out hundreds of them. It’s the beginning of a security journey for many companies, who want to offer their customers not just words, but a demonstration of security compliance by a prospective supplier.
Although we knew we could pretty much tick every box, questionnaires are not a scalable approach: as everyone knows, every questionnaire is just a little different.
So in 2021, we started our journey to offer more to our customers by having our security measures externally certified against ISO 27001.
An ISO 27001 certification says we have met the requirements of an international standard that defines the requirements of an Information Security Management System (ISMS). We are proud of the documentation, risk assessment, and audit work we could already demonstrate, which are all required by the standard.
But ISO27k is a point-in-time audit - it reviews, then goes away. So for us, it didn’t prove we actually do what we say we do over time.
Enter SOC 2 - for many of our customers, this is the report they need to give them the assurance that, over a 3-6 month audit period, we stick to what we say we do.
Our ISO 27001 audit highlighted the importance of having a dedicated person within the business to manage and maintain our security and regulatory compliance.
Hence in 2021, I was hired as YouCanBookMe’s Compliance Manager, ready to kick-start our SOC 2 journey.
I report to our CEO and COO and was hired to make sure we do what we say we do.
My role in YouCanBookMe is to make an informed assessment on business decisions and ensure we follow the constantly evolving laws and regulations we must adhere to, like GDPR and CCPA. It’s my job to be objective when a decision could be a risk to the business or our customers, communicating this to those involved.
It has been a joke that I can sit and listen to a new idea, say no, mic-drop, and leave the room without needing to explain any further - I don't, but definitely could!
With a proven background in Compliance within a SaaS environment, I have implemented improvements to our existing processes and documentation, maintained our ISO 27001 certification for another year through our surveillance audit, and taken on our next goal - a SOC 2 Type 2 audit.
The Service Organization Control, better known as SOC 2, is a set of criteria for service providers managing customer data. This set of criteria is developed by the American Institute of Certified Public Accountants (AICPA).
The SOC 2 framework is based on five Trust Services Criteria (TSCs): Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each principle has a subset of controls, with Security having the largest set of associated controls.
There are two types of SOC 2 reports: a SOC 2 Type 1 and a SOC 2 Type 2.
A Type 1 report comes from an audit similar to an ISO 27001 audit: it provides assurance that an organization has suitably designed controls at a point in time.
A Type 2 audit has the same criteria to meet as a Type 1, but it covers a period of time, testing both the design and the operating effectiveness of the organization's key internal controls throughout that period.
At the end of a SOC 2 Type 2 audit, the auditor issues an opinion based on the description the organization has provided versus the actual operating effectiveness of the controls.
A lot of screenshots!
My biggest takeaway from the SOC 2 audit would be screenshots, so many screenshots!
A SOC 2 Type 2 audit isn’t about ticking all the required compliance checkboxes; it’s about showing, over a period of time, that your organization has well-defined policies, procedures, and practices, and that these can be seen in action.
An audit trail is key; we have a lot of automated logging of our processes, which made providing screenshot evidence for our audit so much easier.
Take Access Control as an example, specifically how we implement and manage an employee's access to our business systems.
During our audit, the auditor reviewed a number of our policies which cover access control along with the associated procedures.
They asked to see examples that
This area alone required a review of numerous procedures, a walk-through of the start-to-finish process of how we request access, and of course screenshots of each of the above points for not just one employee, but five!
A SOC 2 audit isn’t only about how secure our service is; it’s about how secure the whole business is.
From HR to Support, Finance to Engineering, a SOC 2 audit reviews how the business runs in relation to our defined policies and procedures.
While I project-managed our SOC 2 journey, it was and continues to be a team effort. We wouldn’t have achieved the report we have without the dedication and input from everyone at YouCanBookMe.
Yes!
At the end of our SOC 2 Type 2 audit, our auditor commented on how well organized, structured, and culturally apparent our data security controls are throughout the business.
That wasn’t a surprise to us though, it is one of our company values - Commitment to excellence!
We live and breathe security (or indeed, we live and breathe securely). That is why we received an amazing SOC 2 Type 2 report with no control exceptions.
Our SOC 2 Type 2 report has provided us with insights into our security posture, internal controls, governance, and regulatory oversight, which we are using to further mitigate risks, improve our service and systems, and improve compliance readiness.
We are confident we maintain the highest level of security for our customers, but we are always looking for ways to make improvements.
Everyone at YouCanBookMe knows and follows our Company Values, and our continuous improvements to data security put them into practice.
We want to continue building trust with our customers and end users about the secure nature and operation of our service.
We can provide you with a copy of our SOC 2 Type 2 auditor’s report under NDA. Please reach out via email at compliance@youcanbook.me