When do you start?

  • 23 September 2022
  • 4 replies


Hey, thanks for creating a home for this. I have a background in IT and am helping a start-up, but am curious about GRC. At what point does it make sense to go after SOC 2 Type 1?


Best answer by cybermotiv 23 January 2023, 03:50



That is a great question, and usually a good way to kickstart the compliance journey. We’ve found that most startups are asked for a SOC report as part of an open opportunity, or occasionally a vendor security review with partners if you are integrating with them. This piece by @Troy_Fine does a pretty good job of explaining the value/why behind it:



Not sure about the official starting point but for us we started the SOC 2 Type 1 and 2 process when an incoming customer asked us for the reports.


I don’t know if I’ll offer any more concrete evidence than what Troy says in the video, as he gave great advice. I would say you will definitely hear feedback from your sales team regarding what they hear from prospects in the field during the sales process; who your competitors are and whether they have their certifications, if you are competing against them frequently for deals; and then what types of questionnaires/questions you are getting during the sales process, or even from existing clients who are maintaining their own security programs if you are B2B. I recommend starting any cert process as early as you can if you feel it might be a need for your company; it’s much easier to get consensus on policies/procedures etc. or to roll out certain tools when you are a smaller group, or earlier in your development processes while you are getting things set up, versus waiting until later!


It's always a good idea for businesses to be proactive about cybersecurity, and one way to do this is by pursuing SOC 2 Type I certification. This certification is an independent assessment that confirms a company has implemented effective controls to protect customer data and maintain the confidentiality, integrity, and availability of systems and data. This certification is becoming increasingly important as more companies rely on cloud and API technologies, and it may be requested by potential customers or partners as a way to ensure that your business is secure.

By taking the initiative and seeking SOC 2 Type I certification proactively, you are demonstrating a commitment to security and providing assurance to your stakeholders that you have taken the necessary steps to protect their data. Additionally, by establishing a baseline of security controls, it can assist in identifying and mitigating potential risks as the company continues to grow. In short, being proactive by pursuing SOC 2 Type I certification can help to establish trust with customers, partners, and other stakeholders, and can also serve as a valuable tool for ongoing risk management.