Another milestone has been added to our list of accomplishments as a security and compliance infrastructure provider: Identitypass has completed a SOC 2 Type II audit, thanks to our team's hard work. This attestation is critical to our operations because we are, first and foremost, a security company, and adhering to the most stringent security standards is as important to our customers as it is to our reputation.
Today, we are proud to have received our SOC 2 Type II report. Knowing that many companies and customers will be interested in learning what these processes entail, and that many will go through this process at some point in their business growth, we put together this short read detailing our journey to obtaining a SOC 2 Type II report. We hope it will be helpful.
What is SOC 2 Compliance?
A SOC 2 Type 1 report demonstrates that you have designed the necessary security controls. The Type 1 report is issued as of a particular date and represents an auditor's review of whether your controls are suitably designed at that point in time. A SOC 2 Type 2 report, on the other hand, demonstrates that your controls are both suitably designed and operating effectively over an observation period (typically several months). Compared to the SOC 2 Type 1 report, the SOC 2 Type 2 audit results in a more robust and trustworthy report, because it tests evidence of controls operating over time rather than their existence on a single day.
A SOC 2 report is an external audit, performed by an independent CPA firm, of a company's security practices against the AICPA Trust Services Criteria. Security is the mandatory criterion; the other four are included based on the services a company provides:
- Security: How does your company ensure that a client’s data is securely stored, and how does it prevent unauthorized access?
- Availability: How does your company ensure that your service is always available and prevents outages?
- Confidentiality: how does your company safeguard sensitive information?
- Processing Integrity: How does your company ensure client data integrity while completing tasks in a timely and authorized manner?
- Privacy: how does your company collect, use, retain, disclose, and dispose of personal information, and does this match what you have committed to in your privacy notice?
The auditor's job is to assess whether a company's controls are appropriate for these criteria and whether the company actually follows them. A SOC 2 Type I report is a point-in-time snapshot that addresses the design of the controls. A SOC 2 Type II report is one that a company receives after operating for a defined period and demonstrating, through evidence, that it has followed those controls without material exceptions.
Why did we embark on this journey?
As an organization committed to assisting African digital businesses in achieving optimal security and compliance, we consistently assert that we adhere to specific policies, procedures, and operational controls that mitigate risk and enhance security. Maintaining a solid security posture is not enough on its own; we must also be able to demonstrate to our customers, through an independent third party, that we are everything we portray. This prompted us to seek a SOC 2 Type II report, which would demonstrate our adherence to essential security practices over time rather than on paper.
Audit Timeline:
During our audit, we discovered that navigating SOC 2 can be tricky for specific reasons. One is that there is no prescriptive checklist of controls to guide businesses through a smooth process. Instead, the Trust Services Criteria describe outcomes, and an organization must choose and document the controls that demonstrate it mitigates the relevant risks. These criteria are numerous, and not all apply to every business. Another fact concerns the audit process itself, which is typically lengthy: for a Type II report, auditors must collect evidence across the entire observation period showing that the practices, procedures, and controls you claim to implement actually operated as described.
Being conscious of what the audit would demand informed how we prepared for this demanding process. Everything took about two (2) months in total. While that may appear brief, it was possible because very few additional controls were needed; our infrastructure security team had already implemented a large portion of them before the audit began. Most of our time went into gathering relevant evidence and segmenting the processes.
Audit Processes:
We first had to document all of the policies, procedures, and operational controls that Identitypass employs. We also built an inventory of everything we are in charge of managing and operating, including all services, physical office hardware, employee laptops, and so on. Where vulnerability monitoring was not already in place for an asset in that inventory, we implemented it.
Second, we conducted an extensive vendor assessment, which included reviewing a list of all our vendors, conducting a risk assessment for each one, and preparing contingency plans for when any of them is unavailable.
Third, we conducted a disaster recovery drill to simulate what would happen if any part of our infrastructure went down. We also conducted a risk assessment of all potential threats to our organization.
The final stage was evidence gathering, in which we collected and documented all necessary data for each policy, procedure, and control we claimed to implement and delivered it to the auditors. While Vanta's automated collection covered a lot of it, there was still a lot of evidence that was unique to us and that we had to gather ourselves.
What does it mean to our Customers?
Identitypass' verification and compliance product suites have proven to apply to businesses of all sizes and use cases, ranging from start-ups to large enterprises. Compliance expectations vary greatly depending on each organization's unique use cases, needs, and size.
“SOC 2 Type 2 Certification validates that Identitypass' posture was evaluated over a period of time and that it has in place systems and controls to safeguard customers' sensitive data. Our controls conform to security, availability, processing integrity, confidentiality, and privacy, all aimed at providing the best experience for customer satisfaction. SOC 2 Type 2 assures users that Identitypass has the required controls to protect customer data from threats, has alert systems to detect anomalies and violations, and is well-positioned to restore service normalcy in case of system failure.” - Mayowa David, Cybersecurity Analyst, Identitypass.
As we continue collaborating with several digital businesses, we believe we must tick all the boxes required by these organizations. Independent review of compliance practices is highly beneficial, and attaining SOC 2 compliance is a significant and notable step in the customer checklist. It further confirms our adherence to specific critical criteria, giving our customers confidence that they are on the right track with their verification checks moving forward.
We understand that many of our customers may need the report for their internal purposes, for example to satisfy their own vendor due diligence, or to ascertain that their service provider is compliant. We will make our report available for customers to download from their dashboards.
We are currently working on deploying that new feature on our existing customers' dashboards, and we will send an FAQ note on how to access it within the dashboard once it is released.
Optimize your Security and Compliance!
If you're interested in working with Identitypass, a SOC 2-compliant company, get started with us by signing up here. For inquiries and questions, feel free to email [email protected] or [email protected].