
What is SOC2 compliance?
System and Organization Controls 2 (SOC 2) is an attestation standard maintained by the AICPA, used by technology service and SaaS companies that collect and store customer data in the cloud. An independent auditor examines whether a company’s organizational security controls and practices effectively safeguard the privacy and security of client data. SOC 2 is often the first compliance standard that SaaS companies pursue and has become the de facto standard for customers assessing the security of their SaaS suppliers.
Who needs to be SOC2 compliant?
As a service provider, your clients rely on you to protect their valuable data. Increasingly, businesses choose to work with providers who can prove their ability to handle data securely. Being SOC2 compliant unlocks your business potential and gives reassurance to your clients and prospects.

SOC2 Type I
A Type I report attests to the design of an organization’s controls at a single point in time.
SOC2 Type II
A Type II report attests to both the design and the operating effectiveness of those controls over a defined review period.
SOC2 Trust Principles
Security | Availability | Processing Integrity | Confidentiality | Privacy |
---|---|---|---|---|
Information and systems are protected against unauthorized access, disclosure, and damage that could affect the entity’s ability to meet its objectives. | Information and systems are available for operation and use to meet the entity’s objectives. | System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives. | Information designated as confidential is protected to meet the entity’s objectives. | Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives. |
What are the Common Criteria?
- CC1 – Control Environment
- CC2 – Communication and Information
- CC3 – Risk Assessment
- CC4 – Monitoring Activities
- CC5 – Control Activities
- CC6 – Logical and Physical Access Controls
- CC7 – System Operations
- CC8 – Change Management
- CC9 – Risk Mitigation
Why SOC2?
- Broadly accepted
- Provides a competitive edge
- Improves information security practices
- Ensures sensitive information is protected
- Protects the organization from the negative effects of breaches
- Graduated approach (a Type I report first, then Type II)
“Kobalt.io gives us peace of mind as our trusted advisor. They are responsive and provide advice quickly when needed.”
– Hieg Khatcherian, Chief Information Security Officer, Thrive Health
Achieving SOC2 with Kobalt.io
Kobalt.io is a certified service partner of Vanta. Kobalt.io and Vanta work together to provide our clients with value beyond compliance. With Kobalt.io’s cybersecurity, compliance and data privacy expertise, combined with Vanta’s best-in-class technology, you can quickly achieve your security compliance goals at lower cost, proving trust and driving growth.
Typical SOC2 Process
- Preparation for audit: typically 3-12 months, depending on maturity and the pace needed
- Type I audit: typically runs for about a month and produces the first report, a “point in time” attestation of control design
- Type II audit: the first Type II audit typically runs 6-12 months after completion of the Type I
- Annual audits: once the initial audit is complete, further audits run every 12-18 months to demonstrate continued compliance
Kobalt.io SOC2 Quickstart Package
If you have recently acquired a Vanta license to automate compliance and security across your organization, we are excited to offer our Quickstart package to further accelerate your compliance journey. If you don’t have a license, we are happy to help get you one so that you can fast track your compliance journey.
- SOC2 Quickstart Package: USD $2,500
- Vanta license: starting at USD $7,500 annually, based on company size

Compliance Made Easy
We are a team of Vanta-trained security experts who will work closely with you to address your needs where time and resources are limited. Our Quickstart package includes:
- Policy creation
- Adapting Vanta policies to the specifics of your business
- Maximizing the automation and integration capabilities of the Vanta platform
- Leveraging the System Description Generator to build the System Description, a core scoping requirement for SOC2, and uploading the completed evidence into Vanta
- Reviewing, organizing, and assigning ownership for you on key technical tests related to items such as change management and version control
- Working with your key technical staff members in technical delivery meetings
- Providing a checklist of work completed at the end of engagement
Kobalt.io’s team can also provide other services, such as risk assessments, third-party vendor reviews, penetration tests, and fully managed compliance programs. Chat with us to learn more.
Kickstart your SOC2 journey
- Complete the order form below
- Sign the agreement
- Grant Vanta access to Kobalt.io
Frequently asked questions
When going through a SOC2 audit, it is important that your teams are prepared, to avoid delays in the assessment and additional assessment costs. To achieve SOC2 compliance, take the following steps to prepare for a SOC2 audit:
- Implement all applicable administrative policies and internal controls
- Perform a SOC2 readiness assessment
- Collect all policies, security documentation, and agreements with vendors and contractors
To stay SOC2 compliant, organizations should complete their next SOC2 audit before the current report’s coverage period lapses. Typically, organizations go through a SOC2 audit annually to keep their SOC 2 Type II report current.
This means that organizations must keep all SOC2 internal controls in place between audits in order to pass future ones. Ensure that administrative policies remain current and that security controls stay in place and are applied to newly created infrastructure and resources.