Our journey towards SOC2 Compliance


Who are we?

Our company

UpSlide was founded in 2013 by Antoine Vettes and Philippe Chazalon to provide innovative software solutions that empower the financial sector through Microsoft Office applications. We provide a Microsoft Office add-in that helps our users streamline document creation thanks to features such as corporate libraries and robust linking between Excel/Power BI and Word/PowerPoint.

My Journey at UpSlide

I joined the company as a System Administrator in September 2016. There were 30 people at the time, and the company had offices in London, Paris, and New York.

Fast forward to 2023: the company has grown quite a lot, with offices now in Paris, London, New York, Berlin, and Singapore and around 160 employees. Since then, I have become the Head of Infrastructure and Security.

At the end of 2022, we started our journey to SOC2 Compliance.

Why did we need SOC2 Compliance?

Some history first.

As our company grew, we started to sign significantly bigger deals. If you’re dealing with security / compliance in a SaaS company, you already know where this is going: due diligence and security assessments.

Around 2019 our first big clients were signed, and we had to undergo strict due diligence by them, which required us to provide many elements, such as our policies, and to answer detailed questions about how we handle security at the company. At the time we were still a small company; we were lost and had a lot of questions:

  • What is the purpose of a security policy? How do you write meaningful and compliant policies?
  • What elements are needed to ensure trust between our clients and us?
  • What are we missing to sign those bigger deals?

We always took security seriously in our software offering, but we lacked knowledge on compliance topics.

In 2019 we decided to work on our cybersecurity program, and we achieved many milestones.

We formally wrote our policies (including, but not limited to):

  • General Security Policy
  • Data Protection and Management Policy
  • Business Continuity plans / Disaster recovery plans
  • Incident Response plans
  • Vulnerability Management Program

We gathered tools to improve our posture:

  • An MDM solution to remotely manage all our devices
  • EDR on our endpoints
  • A vulnerability scanning engine for our infrastructure
  • Static code analysis tools
  • And many more…

This program has improved over the years; our clients were pleased with the results of the assessments they sent us, and we happily sold UpSlide for many years.

You might ask me: why go the route of SOC2 compliance if you have a strong cybersecurity program and your clients are happy with it?

The answer is simple: we no longer just want to sign big deals; we want to sign enterprise-wide agreements with our clients.

And to do this, a third-party audit of our security program and posture is no longer an option; it is a requirement.


Common misconceptions I believed before starting


It won’t solve all your problems.

SOC2, ISO 27001, or any other standard won’t solve all your problems:

Being certified / compliant won’t spare you from having to answer security assessments.

  • At best, you may have less intensive assessments to answer.

It is not a one-time effort; you will need to renew it:

  • Yearly for SOC2
  • Up to 3 years for ISO 27001 (but with lighter yearly re-audits)

If you’re doing this to avoid those assessments, look at standardized questionnaires like SIG or CAIQ and prepare them in advance, so that if a client uses one of these standards you won’t have to redo the work. But as always, be aware that clients can use their own custom-made assessments, and you’ll have to answer those anyway.


SOC2 is not a certification, but compliance with a standard.

I see a lot of companies bragging that they are SOC2 “Certified”, but that is incorrect.

You are SOC2 compliant, and an auditor has reviewed your compliance with the SOC2 standard. If you’re going the ISO 27001 route, it is indeed a certification and you can safely say that you are certified.


It is only a security team matter.

Oh dear… You’re wrong; trust me, I learned it the hard way.

SOC2, ISO 27001, or any other security certification or standard is a matter for the whole company; you will need to involve:

  • The Legal team to review/validate policies.
  • HR for all the changes that will make you compliant (e.g. background checks)
  • Dev / IT / Infra teams to provide the evidence your auditor will review
  • Management / Board to ensure that your project is widely adopted.
  • And so on.

The road to SOC2 compliance is a team effort; if (like me) you are the security person who wants to push this project alone, you will quickly run into issues. Involve your teams as soon as you start this project.


Our journey towards SOC2 Compliance

Choosing a Compliance Platform

We are not a big corporation; we don’t have a dedicated 15-person compliance team, so we needed tools to help us through our SOC2 journey. The requirements were:

  • Integrations with our tech stack (Azure, Azure DevOps, Microsoft Intune, Entra ID, Trello, and Notion mainly) for automatic evidence collection.
  • Monitoring the status of our compliance with SOC2
  • Helping us store our policies centrally
  • Managing people onboarding (security training, background checks, etc.)
  • Connecting us with auditors, and tracking the audit on a unified platform shared by the auditor and ourselves
  • Having a dedicated point of contact at the platform to help us with compliance questions.

There are many tools on the market, so we decided to go with Drata, as they were the platform with the best price-to-integration ratio in our benchmark.

Your choice may vary, but if you are a small/mid-sized SaaS company, this kind of platform is a must-have.

You want to spend your time on meaningful actions rather than evidence collection; in our experience, 75% of our evidence was collected automatically.


Assessing ourselves and filling the gaps

We were confident that we were not that far from SOC2 compliance thanks to the maturity of our existing cybersecurity program, but we had never undergone such audits. Thanks to the compliance platform, we had a comprehensive view of all the items required for SOC2:

SOC2 Controls

Our first mission was then to:

  • Connect integrations for automatic monitoring and evidence collection
  • Upload our policies, or start from the provided templates for those we were missing
  • Upload initial evidence for unmonitored controls (pentest results, vulnerability scan results, etc.)

Once done, you get a list of gaps to assess, and you know exactly what you are missing to achieve SOC2 compliance.


SOC2 Type 1 or SOC2 Type 2?

Once we were confident that our cybersecurity program was in line with SOC2, we had to make a choice: do we go for SOC2 Type 1 or SOC2 Type 2? The difference is simple:

SOC2 Type 1: a point-in-time audit; the auditor checks your compliance with SOC2 as of that date.

  • Pros: It is quicker to achieve and is a good way to check whether your cybersecurity program is compliant
  • Cons: It reflects a point in time, not a period, and some clients may require a Type 2 audit anyway

SOC2 Type 2: you are audited over a period (usually 3 to 6 months) for your compliance with SOC2.

  • Pros: Much more trusted by your clients
  • Cons: It requires more involvement: you must constantly watch your compliance monitoring to ensure you don’t miss something (e.g. you push a BIOS update, BitLocker stopped encrypting during the update, and you need to ensure it is properly re-enabled afterwards).

At UpSlide, we chose SOC2 Type 2 because it reflects our continuous involvement in security, proving to our clients that behind the policies, real actions are taken to ensure the security of their data.


How long for our Audit Period?

The industry recommends a minimum 6-month audit period, but due to commitments to our clients, we decided to go with a 3-month audit period for the first year.

Now that we are used to the audit process and SOC2 compliance, we will go for a 6-month audit period starting next year.

Entering the audit period

We were ready:

  • Our policies were written and signed by the relevant parties (employees, management, etc.)
  • Our compliance status was at 100%
  • We were constantly monitoring our compliance

We needed to find an auditor; after discussions with our compliance platform point of contact, we were put in contact with Sensiba.

During this period, you want to be 100% compliant every day, continuously monitoring and fixing gaps as they occur. Things like:

  • Disk encryption failing on a specific device
  • MFA not properly detected for a user account
  • Renewal needed for unmonitored evidence

are just some of the many reasons you may see less than 100% on your compliance score.

Don’t stress: you need to be reactive, but issues may (and will) occur. Your job is to remediate them promptly.

It is really important to involve the teams (IT, Infrastructure, HR…) at this point and remind them of the importance of SOC2 compliance, so that remediation actions are prioritized and your compliance is brought back to 100%.
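The disk-encryption gap above (BitLocker protection left suspended after a BIOS/firmware update) is the kind of drift a compliance platform flags but that the IT team still has to fix on the device. As an added example that is not from the original post or from Drata, the following script checks the BitLocker state of one or more volumes with the built-in `Get-BitLockerVolume` cmdlet, optionally resumes protection with `Resume-BitLocker` when it finds a suspended volume, and exits non-zero when any volume is non-compliant so it can be scheduled or run as an Intune remediation script. The parameter names, the `Compliant` definition (fully encrypted and protection on), and the default of checking only the OS drive are my assumptions; the script needs an elevated session.

```powershell
# Added example (not from the original post): verify that BitLocker protection is
# active after a firmware/BIOS update and resume it if it was left suspended.
# Assumes the built-in BitLocker module (Get-BitLockerVolume / Resume-BitLocker)
# and an elevated PowerShell session on the device being checked.

[CmdletBinding()]
param(
    # Volumes to check; the OS drive by default (assumed default)
    [string[]]$MountPoints = @($env:SystemDrive),
    # When set, resume protection on volumes found suspended
    [switch]$Remediate
)

function Test-VolumeCompliant {
    param($Volume)
    # Assumed definition of "compliant": fully encrypted AND protectors active.
    return ($Volume.VolumeStatus -eq 'FullyEncrypted') -and ($Volume.ProtectionStatus -eq 'On')
}

$report = foreach ($mp in $MountPoints) {
    $vol = Get-BitLockerVolume -MountPoint $mp -ErrorAction Stop

    # ProtectionStatus 'Off' on a volume that is not fully decrypted means the
    # protectors are suspended: the typical state left behind by a BIOS update
    # when Suspend-BitLocker was used beforehand and the reboot count ran out
    # or the resume step never happened.
    $suspended = ($vol.VolumeStatus -ne 'FullyDecrypted') -and ($vol.ProtectionStatus -eq 'Off')

    if ($suspended -and $Remediate) {
        Resume-BitLocker -MountPoint $mp | Out-Null
        # Re-read the state so the report reflects the post-remediation status
        $vol = Get-BitLockerVolume -MountPoint $mp
    }

    [pscustomobject]@{
        Device               = $env:COMPUTERNAME
        MountPoint           = $mp
        VolumeStatus         = $vol.VolumeStatus
        ProtectionStatus     = $vol.ProtectionStatus
        EncryptionPercentage = $vol.EncryptionPercentage
        WasSuspended         = $suspended
        Compliant            = (Test-VolumeCompliant $vol)
        CheckedAt            = (Get-Date).ToString('o')
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or Intune remediation surface the
# gap; the report itself (e.g. exported to CSV) can be kept as evidence that
# encryption was verified after the update.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Run it without `-Remediate` first to see what state the fleet is in; with `-Remediate` it only calls `Resume-BitLocker`, which re-activates existing protectors and never changes keys or starts encryption, so a volume that was never encrypted stays non-compliant in the report and needs a separate decision.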


Key things to keep in mind during your audit period

Here are some elements that may help you during your audit period:

Test your plans (including, but not limited to):

  • Incident Response Plan
  • BCP / DRP

Review manual evidence before the end of the period:

  • You want to ensure you uploaded the right evidence, reflecting your audit period
  • Contact the compliance experts at your compliance platform to help you review those items

You need to prepare a System Description:

  • Your auditor may help you with this; it is a global description of your company, your software, and your cybersecurity program


The audit period is over; time to stress.

Your auditor will now gather all the evidence from your compliance platform, review it, and come back with some requests.

You may have “outstanding” elements:

Maybe someone left the company, but for some reason you had to temporarily re-enable their account after their leaving date.

  • You will need to prove that management requested this (e.g. helpdesk tickets)

Or you simply missed uploading a piece of evidence for an item.


Your auditor may request additional evidence; some examples:

  • Code changes deployed to production during the audit period
  • Evidence that regression testing took place


Your experience may vary, and you will need to provide the auditor with additional evidence for them to wrap up your audit report.

Congratulations, you are SOC2 Compliant!

If everything goes well, you will receive a report with an “unqualified” opinion, which means you have successfully proven that your company is SOC2 compliant. If you receive a “qualified” opinion, that means you still have items to work on, but you’re on track to achieve your goals!

Don’t forget that SOC2 compliance is not a one-time thing; you will need to continue your efforts to ensure smooth renewals of your audits.

Conclusion and Special Thanks

This project took us a year, but we achieved our goals and are now SOC2 compliant. I hope this (long) post may help you through the process.

Special thanks to the UpSlide team (especially Lounis Hammar, Steve Garnier and Vincent Vettes), the Drata team that helped us a lot throughout this project, and Sensiba, our auditor.


Vlad Tukhtarov - CEO devPulse

From Idea to Full-Fledged IT Solution | Enterprise Support & Maintenance | Offshore development center | Complex Hybrid C++ and Web solutions

4 months

Jérôme, thanks for sharing!

François Bard

Head Of Engineering at UpSlide | Work smarter, not harder | MS Tech Enthusiast

1 year

Congrats team!

Ivan Poiraudeau

Tech Lead at UpSlide

1 year

Bravo!

Steve Garnier

Seasoned IT Support Engineer at UpSlide

1 year

Great job team!

Paolo C.

Senior Cybersecurity Strategic Advisor @ BARE Cybersecurity | Startup Fractional CISO | vCISO | SME | Founder, CTO | IT Compliance pains? Contact me.

1 year

I know the feeling - and the diligent work that brought you here!
