You’re an emerging technology service provider and understand that SOC2 compliance is a critical step in bringing your solution to market. It’s an important selection criterion for prospective enterprise customers. It helps them manage their risk without spending time validating your security profile. It will also help you manage your risks and assist you in meeting other regulations like HIPAA, ISO and GDPR in the future.
SOC2 compliance is more than writing policies and checking off boxes on a form. You’ll need specific IT/security systems and processes to be in place before an auditor arrives. You can read a lot about it and still not know exactly what to do. KalioTek’s team understands the goals of SOC2 and how to implement systems to get there quickly, while establishing a solid foundation for your company’s growth. We’re tuned to the needs of companies like yours.
Learn more about the key systems and processes by downloading a brief white paper on our recommended IT foundation.
Service organizations generally take a two-phase path to achieving SOC2 compliance. Both require audits by AICPA-accredited auditors. Below are brief descriptions of each phase and how KalioTek can help to prepare for compliance and maintain it over time.
A Type 1 certification is an audit of your compliance at a moment in time, your first milestone. In this phase you’ll establish the required systems, policies, and processes. Systems typically needed for compliance include: compliance tracking, security awareness training, endpoint security, endpoint management, an IT request portal, ticketing, onboarding and offboarding automation, password management, IT asset tracking and IT vendor management.
Your auditor will have many detailed IT questions. KalioTek will work with the auditor to provide all the necessary information and adjust systems and processes as required. We’ll review the audit report from an IT perspective. To prove you are compliant over time, which is your customers’ primary interest, you’ll need to go on to Type 2.
Your first Type 2 certification typically takes place a few months after you achieve Type 1, then annually. In this audit you are required to provide evidence that the policies and processes you established are being followed, and that you’ve updated them to address any changes in the business. The auditor will ask to see specific records demonstrating your compliance, such as a record of how a randomly selected new employee’s IT was set up, how a terminated employee’s access was disabled, or evidence of successful backups and vulnerability tests. Records must also be kept of the production change control process and any security incidents.
KalioTek supports your ongoing compliance by managing the IT-related systems and processes for you, while updating them continuously to reflect your evolving business. We’ll then assist you in preparing for audits, answering any IT-related questions, providing technical evidence, and making any modifications as required.