Key Takeaways from Our Journey to SOC2 Attestation

April 19, 2024

At ProfitOptics, we deeply value the trust our clients place in us. Ensuring the security and confidentiality of their data is a priority for our product and engineering teams. 

To stay true to our commitment to security, we wanted to align ourselves with rigorous security frameworks. Our clear goal was not just to meet but exceed those standards. 

About a year ago, we set on a journey to obtain SOC2 Type II attestation as proof of our security commitments. Today, we proudly announce that our efforts have come to fruition.

What is SOC2? 

SOC2 (Service Organization Control 2) is a crucial framework for cybersecurity and data protection developed by the American Institute of CPAs (AICPA) for service providers storing customer data in the cloud. SOC2 certifies that your data security, availability, and integrity meet important industry standards.

AICPA provides two types of SOC2 reports, and the differences lie in the scope and duration of the audits.

  • A SOC2 Type I report is essentially a snapshot: it provides assurance that a service organization's systems and the design of its controls meet the relevant requirements as of a specific date.
  • A SOC2 Type II report goes a step further by evaluating the operational effectiveness of those controls over a defined period, typically a few months. This gives stakeholders a higher degree of confidence in the organization's ongoing commitment to security and compliance standards.

While both reports validate the effectiveness of a service organization's controls, the Type II report provides a more in-depth and longitudinal analysis of their implementation and efficiency. That is what we were looking for at ProfitOptics.

The Process

We started by thoroughly reviewing our existing policies. We identified gaps between them and SOC2 requirements, which led to creating a new set of security policies. Although the overlap was already quite large, this fresh start helped us build a more solid foundation.

After aligning our policies with SOC2 criteria, we deployed Vanta’s monitoring software. By integrating Vanta across all our services, we automated significant portions of the compliance workflow. This not only streamlined our preparation for the SOC2 Type I audit but also provides continuous compliance monitoring, ensuring that we remain aligned with SOC2 requirements.

With the groundwork laid and Vanta in place, we then stepped into the SOC2 Type I audit. This stage was about verification, as auditors assessed whether our systems and controls met the relevant trust principles at a specific point in time. Successfully completing a Type I audit was a significant milestone, indicating that our cybersecurity framework was on the right track.

Our next step was initiating the SOC2 Type II observation window. Over a three-month period, we had to demonstrate our controls’ operational effectiveness. At the end of the observation period, we worked with our auditors, the Johanson Group, to collect evidence. Their role was to independently verify that our controls were not only appropriately designed but also consistently applied and monitored over the audit period.

The process took about a year, and the outcome is not only the SOC2 Type II attestation but also a set of controls and tools that will continuously monitor our security posture.

Key Takeaways

Here are the key takeaways from our year-long quest for SOC2 Type II attestation:

More Than Just Checking Boxes: We believe security is more than just meeting requirements. We use SOC2 as a foundation and add custom controls for our needs, ensuring the safety of our clients’ data.

People-Powered Security: Fancy tools are great, but true security relies on everyone at ProfitOptics being security-conscious, from the CEO to the interns. We foster a culture in which everyone plays a part, and that makes us stronger.

The Right Partners Make a Difference: Partners like Vanta were invaluable. They guided us through the complexities of SOC2 and helped us stay on track.

Investment for the Future: Achieving SOC2 takes time and resources. Development may slow down as we implement rigorous security measures, but it's an important investment for the future. 

Striking the Balance: We understand the trade-off between security and development speed. Through careful planning and management, we find the sweet spot, ensuring robust security with minimum sacrifices in efficiency.

This journey wasn't just about getting a certificate; it was about building a strong security foundation. We’re committed to continuous improvement.
