As a compliance management software company, we at Hyperproof believe it’s important to hold ourselves to the highest standards in all that we do. Even before we’ve made our product publicly available, we’re already making a significant investment in compliance. We believe that if we are thoughtful about the processes, policies, and procedures we put in place now, we’ll be well-positioned to succeed in the long term.
Given the industry and the regulatory environment we operate in, we feel it is especially important for our company to focus on data protection and privacy and pay close attention to our security controls. To make sure that security and compliance are baked into our daily operations, we set a goal to complete SOC 2, ISO 27001, and HIPAA audits within the next 12 months. (Strictly speaking, each produces a different deliverable: a SOC 2 examination yields an attestation report, ISO 27001 yields a certificate, and HIPAA has no official certification, so a third-party HIPAA audit results in an independent assessment of compliance. For brevity we refer to all three as certifications in this post.)
We recently reached a couple of key milestones in our compliance journey: we’ve hired an auditing firm that will be conducting the examinations, defined some key internal processes, and created some fundamental policies for our compliance program. Additionally, we met with our auditor in person to do a readiness assessment for SOC 2 and ISO 27001.
In this post, we’ll discuss our thought process behind our decision to obtain these compliance certifications, why we chose to go through a readiness assessment prior to the audits, and share what we’ve learned from completing the audit readiness assessment with our auditor. Our goal is to help those who are relatively new to compliance understand what to expect during the initial phases of their compliance journey and provide some insights on how to make the journey smoother.
Why we’re getting SOC 2, ISO 27001, and HIPAA Compliant
At a high level, we decided to pursue SOC 2 and ISO 27001 because they are the standards most commonly requested of Software as a Service (SaaS) companies that are not yet targeting particular industries. We chose HIPAA as well because healthcare customers have to meet stringent regulatory requirements and will only work with vendors that can demonstrate HIPAA compliance (typically under a business associate agreement). We decided to tackle all three standards at once rather than one at a time because many of their controls overlap, so addressing them together saves time and money.
Once we decided to work towards compliance with these standards, we selected an auditing firm that has expertise in SOC 2, ISO 27001, and HIPAA audits. The audits will involve an evaluation of our company's processes, technology, policies, procedures, and controls against the requirements set out in these regimes. Additionally, we opted to engage with our auditor immediately by going through a readiness assessment.
What Is an Audit Readiness Assessment?
The readiness assessment is a process that should be done months in advance of an audit. It involves inviting your selected auditor to your office to interview key personnel within your organization. The readiness assessment was a two-day process for Hyperproof. During this time, the auditors were able to give us some details on what it takes to meet SOC 2 and ISO 27001 requirements, understand our business processes, and review our existing policies.
Once the on-site discussions are complete, the auditor will produce a report that outlines the gaps in our compliance program so we know which controls work and which ones are likely to fail in an audit. The auditor will also provide a set of notes on how to strengthen our controls.
The Benefits of Going Through an Audit Readiness Assessment
Although the readiness assessment is an optional step, we decided to go through it because it gave us an opportunity to learn more about the standards we are aiming to meet, and it is a good relationship-building exercise with our auditor. Establishing a collegial working relationship with our auditor now should help ensure smoother audits next year.
You may want to sign up for a readiness assessment for another reason: If you work in an organization where your colleagues (executives, engineering) are not fully bought into the idea of putting their resources and time into compliance, the readiness assessment can be a useful tool for getting everyone on the same page. When you have to “get your house in order” in time for an auditor’s visit, it can impress upon your stakeholders, such as executives and other colleagues, a sense of urgency to jumpstart your compliance program.
How to Prepare for an Audit Readiness Assessment
Even though it’s not required, it is beneficial for your organization to have some things in order before the auditor comes to visit your office. At a minimum, you should spend some time getting familiar with the standards you’re working towards (e.g. SOC 2). If you have a working knowledge of the standards, you can have more fruitful conversations with your auditor once you meet in person.
During the assessment, the auditor will take a look at the policies, procedures and processes you already have to see how they hold up against relevant industry standards (e.g. SOC 2 requirements). Thus, it is extremely helpful to have a few key assets or foundational policies (e.g. a code of conduct, information security policy) already developed before the auditor arrives at your door.
If you can review the policies you already have with your auditor, they can provide you with insights on how to strengthen your policies and controls rather than talk about the need for policies and controls. In general, the more work you put in, the more you can get in return from this engagement.
Here at Hyperproof, we developed an employee handbook/code of conduct and an information security policy ahead of the readiness assessment. We also began documenting our software development lifecycle (SDLC) so we would have it ready in advance of the audit.
The Audit Readiness Assessment Agenda
The auditor interviewed our CEO, VP of Product, VP of Engineering, and some of our developers who do security-related work. Here is a high-level agenda of how we spent our time:
- Company background — We provided company background to our auditor. We discussed why we founded Hyperproof, what are we trying to achieve, and the key capabilities of our software.
- ISO 27001 standard — The auditor educated our personnel on ISO 27001 and how it's structured and scoped. This session helped us understand the boundaries of this framework and what auditors look for. For example, we discussed how much we rely on third parties like CRM systems and how third-party systems are treated in these audits.
- Security policy and roles — Hyperproof shared with our auditor our current security policy. Our auditor asked us some questions about data. For example: How is data segmented for different roles? What are the roles? How is the data architected?
- Risk management program — Our auditor talked to us about what we need in a risk management program and different ways we could analyze and categorize the risks we identify.
- Incident management and disaster recovery — Our auditor reviewed Hyperproof’s incident management and disaster recovery plan.
- Vendor management — We had a discussion with our auditor about the types of vendors we work with (e.g. infrastructure vendors such as Microsoft Azure vs people who do one-off work). We talked about the importance of adding stipulations to our contracts to specify compliance requirements for our vendors.
- Application development — We discussed the need for a software development lifecycle policy and how we handle issues like version control, testing, and development.
Now that the in-person phase of the readiness assessment is complete, we’re expecting to receive a report from our auditor within the next few weeks. This report will detail the readiness of the controls we have at this time and the controls that are missing. Along with our internal knowledge, this report will help us create effective controls that can meet the requirements set forth in SOC 2, ISO 27001, and HIPAA.
Once we receive the report and digest the findings, we’ll publish another piece to give you more insight into what organizations need to do to achieve these certifications.
Tell Us What You Think
Have you ever gone through audits for SOC 2, ISO 27001, and/or HIPAA compliance? If so, we’d love to hear tips you have on how to prepare for these audits.