As a compliance management software company, we at Hyperproof believe it’s important to hold ourselves to the highest standards in all that we do. Even before we’ve made our product publicly available, we’re already making a significant investment in compliance. We believe that if we are thoughtful about the processes, policies, and procedures we put in place now, we’ll be well-positioned to succeed in the long term.
Given the industry and regulatory environment we operate in, we feel it is especially important for our company to focus on data protection and privacy and pay close attention to our security controls. To ensure that security and compliance are baked into our daily operations, we set a goal to obtain a SOC 2 attestation report, ISO 27001 certification, and a third-party HIPAA compliance assessment within the next 12 months. (Strictly speaking, only ISO 27001 is a certification; SOC 2 produces an auditor's report, and there is no official HIPAA certification, so organizations rely on independent assessments against the HIPAA rules.)
We recently reached a couple of key milestones in our compliance journey: We’ve hired an auditing firm to conduct the examinations, defined some key internal processes, and created some fundamental policies for our compliance program. Additionally, we met with our auditor in person to do a readiness assessment for SOC 2 and ISO 27001.
In this post, we’ll discuss the thought process behind our decision to obtain these compliance certifications, why we chose to undergo a readiness assessment prior to the audits, and what we’ve learned from completing the audit readiness assessment with our auditor. Our goal is to help those who are relatively new to compliance understand what to expect during the initial phases of their compliance journey and provide some insights on how to make the journey smoother.
Pursuing compliance: our journey to SOC 2, ISO 27001, and HIPAA
At a high level, we decided to pursue SOC 2 and ISO 27001 because these frameworks are the ones most often requested of Software as a Service (SaaS) companies, especially those selling into particular industries. HIPAA compliance is a prerequisite for serving healthcare customers, who must meet stringent regulatory requirements and will typically require their vendors to sign a business associate agreement. We decided to tackle these three standards simultaneously rather than one at a time because many of their requirements overlap, which saves us time and money.
Once we decided to work towards these frameworks, we selected an auditing firm with expertise in SOC 2, ISO 27001, and HIPAA audits. The audits will evaluate our company’s processes, technology, policies, procedures, and controls against the criteria and control requirements set out in each framework. Additionally, we opted to engage with our auditor immediately by going through a readiness assessment.
What is an audit readiness assessment?
The readiness assessment is a process that should be done months before an audit. It involves inviting your selected auditor to your office to interview key personnel within your organization. For Hyperproof, the readiness assessment was a two-day process. During this time, the auditors explained what it takes to meet SOC 2 and ISO 27001 requirements, worked to understand our business processes, and reviewed our existing policies.
Once the on-site discussions are complete, the auditor produces a report that outlines the gaps in the compliance program, so we know which controls already work and which ones are likely to fail in an audit. The auditor also provides a set of notes on how to strengthen the weaker controls.
The benefits of going through an audit readiness assessment
Although the readiness assessment is an optional step, we decided to go through it because it provided us with an opportunity to learn more about the standards we are aiming to achieve, and it is an excellent relationship-building exercise with our auditor. Establishing a collegial working relationship with our auditor now should help ensure smoother audits next year.
There is an additional reason to consider signing up for a readiness assessment. If your colleagues, including executives and engineers, have not yet fully committed resources and time to compliance, the assessment can serve as a valuable tool to unify everyone’s focus. When you have to “get your house in order” in time for an auditor’s visit, it impresses upon your stakeholders a sense of urgency to jumpstart your compliance program.
How to prepare for an audit readiness assessment
Even though it’s not required, it is beneficial for your organization to have some things in order before the auditor visits your office. At a minimum, you should get familiar with the standards you’re working towards (e.g., SOC 2). If you have a working knowledge of the standards, you can have more fruitful conversations with your auditor once you meet in person.
During the assessment, the auditor will take a look at the policies, procedures and processes you already have to see how they hold up against relevant industry standards (e.g., SOC 2 requirements). Thus, having a few critical assets or foundational policies (e.g., a code of conduct, information security policy) already developed before the auditor arrives at your door is extremely helpful.
If you can review the policies you already have with your auditor, they can provide you with insights on how to strengthen your policies and controls rather than talk about the need for policies and controls. The more work you put in, the more you can get in return from this engagement.
Here at Hyperproof, we developed an employee handbook/code of conduct and an information security policy ahead of the readiness assessment. We also began documenting our software development lifecycle (SDLC) so we would have it ready in advance of the audit.
The audit readiness assessment agenda
The auditor interviewed our CEO, VP of Product, VP of Engineering, and some of our developers who do security-related work. Here is a high-level agenda of how we spent our time:
- Company background — We provided company background to our auditor. We discussed why we founded Hyperproof, what we are trying to achieve, and the key capabilities of our software.
- ISO 27001 standard—The auditor educated our personnel on ISO 27001 and how it’s structured and scoped. This session helped us understand the boundaries of this framework and what auditors look for. For example, we discussed how much we do with third parties like CRM systems and how third-party systems are considered in these audits.
- Security policy and roles—Hyperproof shared our current security policy with our auditor. Our auditor asked us some questions about data, such as how data is segmented for different roles, what the roles are, and how the data architecture is structured.
- Risk management program — Our auditor talked to us about what we need in a risk management program and the different ways we could analyze and categorize the risks we identify.
- Incident management and disaster recovery — Our auditor reviewed Hyperproof’s incident management and disaster recovery plan.
- Vendor management — We had a discussion with our auditor about the types of vendors we work with (e.g. infrastructure vendors such as Microsoft Azure vs. contractors who do one-off work). We talked about the importance of adding stipulations to our contracts that specify the security and compliance requirements our vendors must meet.
- Application development — We discussed the need for a software development lifecycle policy and how we handle issues like version control, testing, and development.
Achieving compliance made easier with Hyperproof
Is your organization navigating the complexities of SOC 2, ISO 27001, or HIPAA audits? Share your experiences and preparation strategies with us. Meanwhile, simplify your path to compliance – request a demo of Hyperproof to see how it can streamline your audit preparation process.