Posted by Thibault Mortier ● 3/22/18 5:35 PM
SOC 2 Audit: How to get Certified While at WeWork
The SOC 2 audit is one of the things that keeps security and compliance officers up at night. In the era of data breaches, security has never been so important for businesses. Customers, whether they’re individual people or businesses, want to know that their data is secure when they start working with you.
It’s not easy to get your certification under any circumstance. If you want an extra challenge, try to certify your office when it’s located in a coworking space. Sounds impossible, right? Good news, it isn’t. We did it (with the help of our friends at WeWork). Now, we’re going to show you how you can do it too.
Before we dive in, let’s take a step back. What is SOC 2 and why does it even matter?
A Quick Introduction to SOC 2
SOC (short for “Service Organization Control”) 2 is a security certification that was created for companies that store customer data in the cloud. So, that means that it covers pretty much every SaaS company out there. Created by the American Institute of CPAs (AICPA) back in 2011, it sets out compliance standards that ensure that companies that store sensitive data in the cloud minimize any risk of that data falling into the wrong hands.
Officially, SOC 2 is a technical audit. The reality is that it’s much more than that. To get your certification, your company needs to create and adhere to tough security procedures that cover everything from confidentiality to security. To sum things up, this audit makes sure that your company’s IT security policies are in line with the best practices in cloud data management.
What does it take to get certified?
Now that we’re familiar with the certification, you probably want to know “How do I get it?” There’s a lot of technical jargon out there around what you need to do. So, we’ll put it in plain English to make it easier. There are essentially four main aspects of the certification:
1. Strong data security policies
Practically speaking, that means ensuring that all passwords are strong (“password123” isn’t going to fly), implementing two-step authentication, and putting strict policies on removable media, like USB drives, into place.
2. Training staff
Policies are useless if no one actually follows them. That’s why you’ll need to train and verify that your staff adheres to all the security rules. A good way to make sure that this happens is by organizing training sessions where you help everyone set up all the necessary tools (like two-step verification).
3. Office security
On top of strong digital security, you’ll also need to make sure that your physical office is secure. What good is data security if someone can just walk in and take your laptop? Access control is a key part of this. To pass the audit, you need to ensure that you log the identities of everyone who enters and exits the building alongside the times that they came and left.
So, you’ve created a strong data security policy, trained your staff, and have got your building’s access control set up. Now, you need to prove it. That’s why you’ll have to document everything that you do related to security so you can prove to the auditors that you are really applying your policies. You need to log internal policy updates, security incident and vulnerability reports, and modifications to access rights. Of course, using AODocs made this easy for us (and it can for you too).
Passing the Audit at WeWork
Last year, we moved our corporate headquarters in San Francisco to WeWork. We’re big fans of WeWork’s flexible offices. It’s kind of like the equivalent of putting your office space in the cloud. Given our love for the cloud, it’s a match made in heaven. However, basing your HQ in a shared office space also presents some challenges when it comes to SOC 2. Security is extremely important to us. So, not passing the SOC audit wasn’t an option. However, working in a shared space is obviously a bit different than having your own office building. Since this was the first time that we had the audit while at WeWork, we were a little nervous.
Luckily, all that worrying was for nothing. The WeWork staff were great. They worked with us to make sure that the building’s access controls were compliant and provided the auditors with everything that they needed to approve our certification. All we needed to do was ask.
Coworking can be Secure
If you’re based in a WeWork office space or another coworking space and are looking to get your certification, don’t sweat it. It can be done. Read the guidelines, create your internal policies and documentation processes, then work with your coworking space to set up the proper building security protocols. If you’re having trouble convincing them, round up the other SaaS companies in your shared office and go together to ask for improved building security. You know what they say, there’s strength in numbers.
Getting your SOC 2 certification isn’t easy. Yes, being based in a shared office space makes things a bit more complicated. However, it doesn’t mean that it’s impossible. If your coworking space is anything like WeWork, they’ll be happy to give you a hand and you’ll have your certification in no time.