“Are you SOC 2 certified?”
These few words strike fear in the hearts of so many startups. Even larger companies without their SOC 2 can go into panic mode when they get asked the question.
Having a SOC 2 report is a must-have for companies that serve enterprise customers. (Strictly speaking, SOC 2 is an attestation report issued by a CPA firm rather than a certification, but the industry, and this page, use the terms interchangeably.) It’s also a huge effort that takes many months (and sometimes years!) of hard work and can be intimidating to companies of all sizes.
Why is something so common such a scary undertaking?
Smaller companies with a few dozen or even a few hundred employees often don’t have the in-house expertise or the resources to devote to all the tasks required for an annual SOC 2 certification.
Most haven’t gone through a SOC 2 certification before, so the entire process is new for them. They also don’t have the luxury of time to manually do all of the tedious and challenging work required to satisfy SOC 2 requirements. That time is instead typically focused on making improvements to their products and shipping new features to their customers.
Companies with a larger headcount that are getting their SOC 2 for the first time face massive issues as well, such as needing to revamp processes they’ve been using for years. It’s also challenging to get employees to change their behavior when they’ve gotten used to a totally different process. It’s a lot more than going through a simple SOC 2 compliance checklist. The earlier a company adopts SOC 2 controls, the easier it is to grow and scale the business while staying compliant.
SOC 2 software helps make the entire process of getting a SOC 2 certification easier.
It automates a lot of the tasks that would otherwise take a tremendous amount of time to monitor, remediate, and report on.
Plus, the software provides auditors with a place to go to see relevant information about a company and evidence of compliance, in preparation for the audit.
In our experience to date, these tools seem to work best for smaller companies with a few dozen or a few hundred employees max. They’ve still got some work to do before they can service companies with thousands and tens of thousands of employees.
Vanta was the first company to provide SOC 2 compliance software back in 2017. They’ve got a head start on the rest of the tools in this space, so the feature set is more robust.
With Vanta, companies can have a single place that automates monitoring of systems and evidence gathering for SOC 2.
Vanta connects to services like AWS, Google Cloud, Okta, Google Workspaces, Office 365, GitHub, GitLab, Asana, in order to monitor a company’s compliance with SOC 2 and alert users about any issues.
Vanta also helps with onboarding and offboarding of employees, has a desktop agent to monitor compliance of things like antivirus and encryption, and helps with annual security training and policy acceptance.
They also offer SOC 2 policy templates, which gives companies a good base of initial processes to then modify based on their business needs. Instead of taking weeks to write policies from scratch, companies get a head start with Vanta.
Here are a few of the things Vanta does well:
- Inventory management – Vanta pulls in inventory from AWS automatically and then alerts customers if it’s not meeting certain compliance checkpoints. It completely handles the asset management registry.
- Automation around onboarding – Vanta presents new users with the policies they need to read, recording their reading of the policies, all in the app. No need to manage this stuff manually.
- Tracking of policy acceptance outside of onboarding – when there’s a new policy or update to an existing one, Vanta will go through the loop again to get all staff to acknowledge.
- Acknowledging/commenting on/dismissing alerts – Vanta lets companies dismiss an alert with a note explaining why the check doesn’t apply to them, so the exception and its justification are recorded for the auditor.
- Endpoint agent – the agent makes it so that companies don’t need to manually chase employees to make sure they have their firewall, encryption and antivirus on.
- SLA tracking – Vanta tracks SLAs of security incidents in GitHub and alerts on violations. It allows users to specify a custom internal SLA to which they can hold their teams accountable.
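The inventory, alerting, dismissal-with-note and SLA items above all describe the same underlying mechanism: pull a snapshot of assets from a read-only integration, evaluate each asset against a control, and raise an alert for every failure. The following is an added example of that mechanism written for this page, not Vanta’s code or its API. The inventory snapshot, the field names and the incident dates are constructed to resemble what a cloud integration returns; they are assumptions, not the AWS or GitHub API schemas.

```python
"""Added example: the shape of the automated checks a SOC 2 monitoring tool
runs.  Not Vanta's code; inventory and field names are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory snapshot, as a read-only cloud integration might pull it.
INVENTORY = {
    "ebs_volumes": [
        {"id": "vol-0a1", "encrypted": True},
        {"id": "vol-0b2", "encrypted": False},
    ],
    "s3_buckets": [
        {"name": "prod-logs", "block_public_access": True},
        {"name": "marketing-site", "block_public_access": False},
    ],
    "iam_users": [
        {"name": "alice", "mfa_enabled": True, "console_access": True},
        {"name": "ci-bot", "mfa_enabled": False, "console_access": False},
        {"name": "bob", "mfa_enabled": False, "console_access": True},
    ],
    # Security incidents tracked as issues (e.g. in GitHub); dates constructed.
    "incidents": [
        {"id": 41, "opened": date(2021, 5, 1), "closed": date(2021, 5, 3)},
        {"id": 42, "opened": date(2021, 5, 2), "closed": None},
    ],
}
SNAPSHOT_DATE = date(2021, 5, 20)  # "today" for the constructed snapshot


@dataclass
class Alert:
    control: str          # name of the failing check
    resource: str         # the resource that failed it
    dismissed: bool = False
    note: str = ""        # justification recorded when an alert is dismissed


def check_ebs_encryption(inv):
    return [Alert("ebs-encrypted", v["id"])
            for v in inv["ebs_volumes"] if not v["encrypted"]]


def check_s3_public(inv):
    return [Alert("s3-block-public-access", b["name"])
            for b in inv["s3_buckets"] if not b["block_public_access"]]


def check_iam_mfa(inv):
    # Only users who can log in to the console need MFA; service users
    # without console access are out of scope for this check.
    return [Alert("iam-console-mfa", u["name"]) for u in inv["iam_users"]
            if u["console_access"] and not u["mfa_enabled"]]


def check_incident_sla(inv, today, sla_days):
    # An incident breaches the SLA if it stayed open longer than sla_days,
    # counting to today for incidents that are still open.
    alerts = []
    for inc in inv["incidents"]:
        end = inc["closed"] or today
        if (end - inc["opened"]).days > sla_days:
            alerts.append(Alert("incident-sla", f"incident-{inc['id']}"))
    return alerts


def run_checks(inv, today, sla_days=7):
    alerts = []
    for check in (check_ebs_encryption, check_s3_public, check_iam_mfa):
        alerts.extend(check(inv))
    alerts.extend(check_incident_sla(inv, today, sla_days))
    return alerts


def dismiss(alerts, control, resource, note):
    """Dismiss one alert with a recorded reason.  An empty note is refused so
    the auditor can always see why the exception was granted."""
    if not note.strip():
        raise ValueError("a dismissal needs a justification")
    for a in alerts:
        if a.control == control and a.resource == resource:
            a.dismissed = True
            a.note = note
            return a
    raise KeyError(f"no alert for {control}/{resource}")


def open_alerts(alerts):
    return [a for a in alerts if not a.dismissed]


if __name__ == "__main__":
    found = run_checks(INVENTORY, SNAPSHOT_DATE)
    dismiss(found, "s3-block-public-access", "marketing-site",
            "public static website, holds no customer data")
    for a in open_alerts(found):
        print(f"{a.control}: {a.resource}")
```

Real tools run this loop continuously against live integrations and attach the snapshot as evidence; the point of the example is the separation between the inventory pull, the per-control check, and the dismissal record, which is what you should look for when you compare vendors.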
Here are a few of the things Vanta doesn’t do as well:
- Doesn’t cover everything – there are a lot of things for which companies can only partially rely on Vanta. For example, companies need to track some onboarding tasks manually or they risk breaching SLAs. Other SOC 2 vendors have this same gap.
- Risk register – the risk register features pre-canned risks that aren’t one size fits all for all businesses. Companies might not want to use the Vanta register if they are looking to truly understand all the risks to their business and then determine how to remediate going forward.
- Completed tasks – seeing completed tasks can be difficult to decipher and inflexible. Seeing what data populates that check and being able to add comments or link to additional evidence would be helpful.
- Vendor lock-in – company processes end up being built around Vanta, like the risk assessment process and the vendor list, so it will heavily influence how companies design their processes. As a company scales and needs to use a different process, there will be some amount of extra work to move away from Vanta.
Vanta pricing starts at $15k for companies with 1-20 employees, but based on comments from their CEO and Sales team, it’s negotiable.
Secureframe is a relatively new player in the compliance software space, launching in 2020.
Their main marketing message is that it takes weeks to get SOC 2 compliant, rather than months. We looked at reviews of Secureframe and a few companies did say they were able to get audit-ready (but not holding a report) really quickly with Secureframe. No matter which tool you use, a SOC 2 Type 2 report covers an observation window, typically 3-12 months, during which the controls must be operating and the auditor examines evidence from that period, so the report itself cannot arrive in weeks.
Secureframe integrates with over 40 services like AWS, GCP and Azure to automate SOC 2 compliance tasks. Like other services, they help companies collect evidence for their audits and continuously monitor their infrastructure. They claim to have more automations and integrations than any other SOC 2 compliance platform, a claim that is hard to square with Drata’s website listing 45 integrations.
Secureframe won a Privacy focused Product Hunt Golden Kitty in 2020, which means it’s a crowd favorite new compliance tool amongst startups.
Their feature-set largely maps to the other compliance tools, like onboarding, monitoring, keeping track of people and vendors, but with more integrations.
Here’s their eight-step SOC 2 compliance framework for companies working with Secureframe:
- Meet and work with a dedicated account manager
- Scan and secure the cloud infrastructure
- Create compliance policies
- Onboard employees
- Manage vendor risk
- A SOC 2 readiness assessment from Secureframe
- SOC 2 audit
- Continuous SOC 2 compliance
The one major difference between Secureframe and other tools, beyond the number of integrations, seems to be its superior customer service.
What do customers like about Secureframe?
- Customer service – A lot of users talk about the customer service and support team, saying they are responsive, friendly and offer helpful coaching.
- Guidance – Like with other vendors, the software guides them through the entire workflow and keeps track of what they need to work on. You don’t have to be a SOC 2 or compliance expert to get your SOC 2 with Secureframe.
- Overview – Customers get an overview of all their processes, employees and vendors all in one tool.
- Onboarding – Onboarding gets taken care of, including security training and policy acceptance.
What do customers not like about Secureframe?
- Support required – Some users complain about needing to rely on customer support to do certain things, like deleting old vendors.
- Technical issues – A few people on review sites have mentioned bugs and technical hiccups, but mentioned that they were resolved.
- Lack of feature parity – The newer platform means there are fewer features, but the team is adding more rapidly.
- No desktop agent – They don’t have a desktop agent, like Vanta does. But some companies prefer that because they can get similar information with integrations.
Their pricing starts at $12k for companies with under 50 employees, or $20/user/month for larger teams. These prices include ISO 27001 too.
Overall Secureframe is a solid choice in the category.
Drata, like the other tools in this category, helps companies drastically reduce the amount of time and effort it takes to become SOC 2 compliant. It’s also a new tool, and was founded in 2020.
Drata has over 45 integrations to tools like AWS, Rippling, Google Workspace, ADP, Okta, and more.
The product provides a single place to see all of a company’s people, assets and devices, and vendors. They also provide automated monitoring of SOC 2 compliance, as well as employee onboarding and offboarding.
Drata also provides its customers with over 20 editable security policies that are auditor-approved.
What do customers like about Drata?
- Policies – People rave about the policies, which are labelled with each of the SOC 2 controls that they align with. The tool makes it easy to make edits, and assign policy owners.
- Integrations – The 45 integrations help companies monitor their compliance and prevent larger issues from happening.
- A true partner – Customers describe Drata as being incredibly helpful when it comes to support. This includes multiple people from Drata (executives, compliance experts, engineers) speaking with customers. They are responsive and quick at providing guidance.
- Ease of use – The platform is described as intuitive and easy to use, making the journey to SOC 2 compliance easier and faster for companies.
- Security focused – of all the SOC 2 compliance software vendors, Drata seems to be the most security conscious. They’ve hired a CISO and say that they are the only single-tenant architected system in the category, meaning each customer’s data is separated and doesn’t get commingled with data from other customers. That is the vendor’s description of its own architecture; ask for their SOC 2 report and architecture documentation to confirm what “single-tenant” covers in practice.
What do customers not like about Drata?
- Lack of features – Like most companies in this space, Drata is just starting out and therefore isn’t as feature rich as mature companies.
- Policy acceptance – the default screen isn’t the easiest when it comes to having employees review policies. It requires a bit of zooming and finagling to be able to see the policies well.
- Security awareness training – the training that all employees need to complete annually could have a bit more content and be more robust.
- Integrations for non-standard tools – There is no automated compliance for non-standard tools. In those cases, customers need to upload evidence but it won’t be automated. This is an infrequent issue for customers, though.
For a company with 1-25 employees getting their SOC 2, Drata costs $7,500 annually. This doesn’t include a few features though, like being able to invite your auditors into the tool, unlimited policies, the risk assessment and embedded security training.
For $15,000 annually, companies with up to 80 employees can get SOC 2 and another framework like ISO 27001, plus invite their auditors and more. Drata also lists an enterprise plan on its pricing page.
There are a few other up-and-coming tools in this space that we’re watching. The category is exploding with competition and new products seem to be popping up constantly.
Very Good Security (VGS) launched their SOC 2 product called Control in 2021, covering SOC 2, ISO 27001, PCI, and more. They have a free plan that anyone can sign up for. The product is still in early stages and we’ll be keeping an eye out for more from VGS.
Sprinto provides SOC 2 exclusively for cloud-hosted companies.
Tugboat Logic is another vendor in the space to watch. They cover SOC 2, ISO 27001, PCI DSS and HIPAA.
Another recent product in the space is Laika, which helps with SOC, ISO, PCI DSS as well as a number of privacy frameworks.
Shujinko offers free SOC 2 automation and covers a number of frameworks including FedRAMP, which we didn’t see any other tool covering.
How to Pick Your SOC 2 Product
Since this is a new category, you’ll need to roll up your sleeves and really get to know the vendors. Here’s how to pick your SOC 2 product.
Step 1 – Evaluate Integrations
Take a look at the websites of each of the SOC 2 tools that you’re considering, and check out their integration pages.
The category is in a race to add more and more integrations, with some vendors like Secureframe and Drata having more than others.
Make sure the tools you’re considering have integrations with the tools you use. Otherwise, you’ll need to do part of the work manually and you won’t be getting the time savings you were looking for in the first place by using a SOC 2 tool. Also check what each integration asks for: the platform ends up holding credentials for your cloud accounts, identity provider and HR system, so those should be read-only and scoped as narrowly as the vendor allows.
Step 2 – Get a Demo
Most of these tools do not have free plans, so if you want to see how the full product works, you’ll need to get a demo from the vendor.
We suggest doing a demo with each of the vendors to really dig in and see which UI and set of processes you prefer. Make sure to have the people from your team who are going to be working in the tool each day on the demo call.
You’ll also get a sense of their customer support, and if you’re happy with the type of guidance you’ll get from the vendor.
Step 3 – Compare Pricing
Since this category is still in its infancy, the vendors seem to be willing to negotiate. Make sure to get a quote for your team size, and see if you can knock it down a bit too, especially if you’ve gotten a better quote from a different vendor.
This will help you have a good sense of the exact cost for your size company.
Step 4 – Determine Other Compliance Goals
Once you start working on your SOC 2, typically you’ll want to do even more. Whether it’s ISO 27001, HIPAA, PCI or something else, make sure the vendor you have in mind offers other compliance certifications and frameworks that are on your roadmap.
It’s easiest to do the audits for multiple frameworks at the same exact time, so that your team is only providing evidence one time a year, instead of multiple times. Having a SOC 2 tool that covers other frameworks will make your life easier as your company scales.