Back in May 2020, Cobalt achieved SOC 2 Type 1 compliance, and it is excited to say it is now SOC 2 Type 2 compliant as well. Drata helps companies like Cobalt achieve and maintain SOC 2 and ISO 27001 compliance. This article delves into the differences between SOC 2 Type 1 and Type 2, how to obtain a Type 2 report, and how a compliance automation platform like Drata can help you reach these goals.
Why become SOC 2 Type 2 compliant?
With security top-of-mind for most companies, achieving SOC 2 compliance offers tangible proof that the security controls your organization has put in place meet industry standards. When customers ask you to confirm your security posture, providing a clean SOC 2 attestation report gives them independent assurance that you are processing and storing their data securely.
Companies may have different reasons for pursuing SOC 2. A few common drivers include:
- Contracts: Particularly around cloud services, customers are increasingly requesting vendor SOC 2 reports for review.
- Third-party Vendor Questionnaires or Customer Requests: Prospects and customers need to assess the security risk of every new service provider. If a provider does not have a SOC 2 or equivalent attestation, the provider is instead required to answer questionnaires about its security controls. Standard security questionnaires like the CAIQ can run to just under 300 questions.
- Marketing and Business Strategy: For young or growing companies, a SOC 2 report can be used as a competitive differentiator showing the market that a baseline level of security and process maturity has been achieved.
Difference between SOC 2 Type 1 and Type 2
- SOC 2 Type 1 - This report attests to the design of your organization’s security controls at a single point in time.
- SOC 2 Type 2 - This report attests to both the design and the operating effectiveness of your organization’s security controls over a period of time, typically 6 months to a year.
Why it is important to use a platform that automates compliance
Drata alleviates the burden of manually overseeing and maintaining compliance. Its highly automated platform continuously monitors your organization’s security controls, while automatically collecting control evidence, and streamlining security training, vendor management, and reporting to provide visibility into your entire security posture.
- Continuous Control Monitoring - Real-time monitoring and assurance of your security controls, with alerts that notify you when your security is at risk or a control gap appears.
- Automated Evidence Collection - Significantly reduces the time traditionally spent on manual compliance tracking in spreadsheets, screenshots, and similar artifacts.
- Policy Templates - Auditor-approved security policies, kept current with industry standards, to kickstart your security program.
- Dedicated Support - A team of experts ready to support you every step of the way, whether you are new to compliance or already familiar with it.
Why pentesting is a requirement
Process Controls demonstrate the steps a company is taking to control risk, including the documentation and proof the company is following these steps. For example, one way to mitigate risk is to implement and maintain a vulnerability management program. One area of your vulnerability management program is your pentest program.
Because of the ever-evolving security landscape and the continual rise in threats, it is recommended that you establish a regular pentesting cadence so that your applications are continuously evaluated. Your schedule and process should be documented and followed consistently. A vulnerability management program also requires that the vulnerabilities found are tracked and remediated.
While continuous evaluation sounds like an intensive and highly manual process, compliance and pentesting tools can be integrated to take much of that work off your security team. One such example is the combination of Cobalt’s Pentest as a Service platform and Drata’s security and compliance automation platform; together, they can automate large portions of your compliance roadmap.
Hear how the Founder and CEO of Jarvis Analytics and his team achieved this in the on-demand webinar recording “Building a Security & Compliance Roadmap: The Why & How for Health Tech Companies”.