What's inside

We talk a lot about trust at Drata. It’s our ethos. There are few assets more precious, in life and in business. Jeff Weiner famously defined trust as “consistency over time.” But that begs the question, what if we don’t have a lot of time and still need to earn the trust of a prospective customer in terms of how our company secures their data?

We believe the best way to earn trust is first prove that you deserve it.

That proof today for companies storing customer data in the cloud comes in the form of a clean SOC 2 report. In fact, more and more companies will only do business with partners and vendors that are SOC 2 compliant, because it shows a commitment to data security that goes beyond just regulatory requirements.

Let Companies Know They Can Trust You With Their Data

A SOC 2 report allows your company to show that it’s operating in a secure manner so you can win and retain more business. The report is the result of an audit in which an independent auditor assesses your company’s security posture according to the SOC 2 standard.

Your security posture is made up of “controls.” A control is a policy, process, or procedure that is created to achieve a desired event or to avoid an unwanted event (example: a bicycle helmet is a control against damaging your head in the event of an accident).

The audit is where you prove that your company has specific controls in place and that they’ve been operating effectively during the audit period. Every audit is conducted in accordance with the AICPA audit guide and Attestation Standards Section 101 more commonly known as AT Section 101.

“Attestation” means “evidence or proof of something.” So in other words, to prove your security controls to an auditor, your company’s employees need to routinely collect and store evidence of these controls, which can span an entire organization; from infrastructure to human resources (background screenings of employees), and almost everywhere in between.

What Is the SOC 2 Standard?

SOC 2 stands for the second of three System and Organization Controls (SOC) audits and reports that are critical to information security. The SOC 2 compliance standard was developed by the American Institute of CPAs (AICPA), a member network of more than 425,000 CPAs around the world.

SOC 2 specifically assesses how your company manages customer data based on five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. There are two types of SOC 2 reports, each requiring a different level of assessment:

SOC 2 Type 1

Type 1 reports cover your company’s systems and controls, and whether the assessor believes you properly address all included Trust Service Criteria. The assessment for Type 1 reports is conducted at a single point in time.

SOC 2 Type 2

Type 2 reports also cover your company’s systems and controls, but also tracks the operational effectiveness of those systems and controls over a period of time. While Type 1 reports have their place and are still worthwhile, most companies place higher value in Type 2 reports, especially when making decisions about which vendors and partners to do business with.

Where Do We Start?

Standing up your company’s security program and marching towards SOC 2 audit-readiness can be a colossal task, regardless of your experience level. From policies, procedures, and best practices to testing and collecting evidence of each—the time and resources required stack up quickly—and it only grows more complex as your company grows in size (employees, assets, etc.).

Drata was built from the ground up to help take companies from day one through audit-ready and beyond. From initial policy creation, workflow management, employee onboarding to control monitoring and evidence collection—no stone was left unturned.

The mission is simple, help companies earn and keep the trust of their customers and prospects when it comes to securing their data.