Maintaining SOC 2 Compliance for Tech Companies

Many companies, especially start-ups, need to maintain a SOC2 certification but would rather not hire a full-time CISO. So who is going to make sure that you will pass your next SOC2 audit? . Outsourcing your Information Security program is a great way to support sales with the SOC2 certification without breaking the budget by staffing a large team.

What is SOC2?

Why get a SOC2?

A SOC2 report lets you get audited once; after that, you just provide the SOC2 report to the customers or prospects to allay any concerns and satisfy their internal auditors.

How do you get a SOC2 report?

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

Based on that choice, there will be a set of trust services criteria that you need to achieve. These are not the controls that you need to comply with; these are the criteria that your controls need to meet.

So now you write your controls. At this stage, you should always consult with the CPA who is going to perform your audit to agree that your chosen control set is going to satisfy the necessary control criteria when they audit. If you have not chosen a CPA yet to perform your audit, we can refer you to some that our customers have used and recommend for SOC2 assessments.

Type 1 report

To be honest, this is going to be of little comfort for any customer or prospect as it only really describes your plan to be trustworthy and not your achievement of that goal.

Type 2 report

So what does that mean? Well, if you have a control that states that you are going to do background checks on every new employee before hiring, then the auditor will pick a number of new hires, check their hire dates, and ask to see proof of the background check being done first. If you have a control that requires annual penetration testing, then the auditor will want to see the penetration test report and confirm the date of the report.


1. Implement the controls so that compliance is the path of least resistance

2. Automate wherever possible

3. Compliant behavior should leave its own audit trail

4. Monitor every control


Yaron Chelouche — אבטחת מידע :ירון שלוש CISO



Recent Posts