US and UK companies have tight rules for data security and privacy policies; the firms impose heavy fines and legal notices on SaaS vendors breaching any of them.
Overview of what SOC 2 is about.
Difference between SOC 2 Type 1 and SOC 2 Type 2, where they suggested SOC 1 Type 1 is not much use after we explained what business we are in and what the customers in these countries would prefer. (SOC 2 Type 1 is mostly only for financial accountability, whereas Type 2 is a more detailed and extensive audit certification.)
Had a conversation on what we should prefer and what the industry demands. Summary: go for SOC 2 Type 2, that's what will get us mostly covered. They would have suggested ISO 27001 if we had clients in India.
Short overview of action items: antivirus on laptops (with evidence of renewal and validation), disk encryption, auto-lock, no 3rd-party cracked software, DR plans, data handling, backup strategies, etc.
What a manual process looks like (without Sprinto): understanding SOC 2 from an audit perspective, getting a cybersecurity expert, understanding and fixing controls, drawing up policies, gap analysis at various stages, employees completing cybersecurity training, document preparation, audit by a 3rd-party certified auditor.
What the process looks like on Sprinto: templates for each stage and the standards that need to be fulfilled, checklists, automatic evidence collection, live scoring and suggestions for gaps, integration with cloud providers to monitor systems, makes you compliance-ready, automatic gap analysis and action items to be taken. Gap analysis -> on-platform document and evidence mapping -> fix gaps -> go for audit at a 100% score.
Audit: when you go with Sprinto, the audit takes place on the Sprinto platform itself. You personally don't face the auditor. Sprinto sends a representative on your behalf (Sprinto CSM); they ensure you get the certification.
The auditor evaluates the last 3-6 months of guidelines, evidence, and activity.