SOC 2 certification: challenges and opportunities

Today, I wanted to share some thoughts about Platform.sh Service Organization Control (SOC) 2 Security and Availability certification (2017 TSC). We’ve completed a SOC 2 Type 1 audit, and the Type 2 audit is now underway. If you aren’t familiar with the SOC 2 terminology, the Type 1 audit is a point-in-time audit; in contrast, Type 2 audits are monthly, verifying that an organization maintains compliance.

The challenges

Undergoing an SOC 2 audit has its challenges. The most significant for us? Employee and financial investments.

• Employee investment. We’re a fast-moving scale-up that runs as lean as possible. Interrupting our normal cadence (for weeks on end) to undergo the audit—and to close the few gaps we had—consumed a lot of staff time. The process put a tangible strain on the organization as they responded to audit requests and modified current documentation and procedures. Thankfully, no serious gaps were uncovered, and we were able to complete our audit six months ahead of schedule.
• Financial investment. SOC 2 audits aren’t inexpensive. At the low end, the investment can be staggering: tens of thousands of dollars. Other cost factors include additional services, such as third-party scanning and pen testing, and employee background checks. Some customer requests may need to be put on the back burner as the team focuses on the audit.

The opportunities

There must be tangible benefits to SOC 2 for SMBs to justify the expenses. We certainly think so. For Platform.sh, the most important benefits were:

• Third-party audits. Being audited by a third party validates that we adhere to a standard; it’s a verified, impartial result. To our team, this validation confirms we’re on the correct course. For our customers, it provides a sense of security stemming from demonstrated competence.
• Satisfying contractual requirements. SOC 2 is a business requirement for many of our prospective and current customers. To meet their needs and preserve and nurture those critical relationships, SOC 2 certification was a must-do. And it helps us validate GDPR compliance activities.
• Risk mitigation for security events. Every company has security events, and Platform.sh is no different. The SOC 2 audit forced full disclosure of our processes, incident logs, internal and customer communications, impacts on availability, software update processes, and more. Having a holistic review by an audit firm told us that we were doing things in a good manner. The review also gave us reassurance that we were correctly mitigating security risk exposures.
• Reviewing vendor-management practices. SOC 2 and ongoing GDPR compliance mandate that we have a policy and process to periodically review vendor security. Putting a regularly scheduled health check on our vendor-management practices enables us to meet these requirements.

For Platform.sh, undergoing SOC 2 was a highly relevant, worthwhile investment. The process confirmed our policies and practices measure up to today’s security standards. And we’re happy with the results. We trust our customers will be equally satisfied.