Navigating compliance is a critical part of running any cloud business, especially if you plan to sell to enterprise customers or customers in more regulated markets. But of course, achieving compliance takes time and costs money.
To help you more easily understand key compliance frameworks and topics, we're regularly sharing resources in the Partner Portal in the Grow Customer Trust hub. We've also teamed up with the leading compliance automation platform Vanta to streamline your compliance journey. Vanta offers Atlassian Partners 25% off of compliance services to help you get through your audit faster.
On December 12, 2023, we held an Ask Me Anything session with Matt Cooper, Sr. Manager, Privacy, Risk & Compliance at Vanta.
Here is a recap of the Q&A:
Q: If you could only pursue one security framework, how would you decide which one to start with?
A: Which framework you start with will depend on what your customers are asking for, what your company and apps look like today, and what you'd like to prioritize.
Of course, it always bears repeating that legal compliance should be on your radar (e.g. GDPR, CCPA, etc.). If your industry, region, or customer base requires adherence to specific regulations, start your compliance journey there. Regulatory compliance sets the foundation for secure practices.
Beyond regulatory alignment, adopting compliance with security frameworks can help customers quickly assess your app's security posture. There are two primary framework candidates to get started with: ISO 27001 and SOC 2.
Carefully weigh the requirements of each against your company's unique needs and objectives before making an informed choice. Both options can significantly enhance your security posture, providing a robust foundation for safeguarding data and building trust with customers.
- SOC 2 considerations
SOC 2 is a more controls-related audit. Auditors will basically check and ask, "Are all the security measures in place and operating effectively?" The requirements for SOC 2 are less prescriptive and it's not a pass or fail certification like ISO 27001.
That said, a SOC 2 audit is potentially more risky for your business if you're not confident in your trust practices and posture. If there are any undesirable findings or failures in your app or business, they'll be shown on your report and stay on your report for the life of the report. So if you're planning to go through a SOC 2 audit, it's crucial to make sure your controls are really dialed in.
Also, a SOC 2 framework off the shelf doesn't offer any controls, so it can be a bit difficult to apply from scratch for your business.
- ISO 27001 considerations
ISO 27001, on the other hand, does require a lot of business-level governance overhead, monitoring and planning, and risk assessment work up front. This may not always make a lot of sense for a very small business without much to govern. While control effectiveness is the focus for SOC 2, governance gets a deeper examination for ISO 27001. However, an ISO 27001 audit can be more forgiving because "non-conformities" are not shown to the customer. The customer only sees whether you are compliant (have ticked all the boxes) or not.
Another thing to consider is this framework's similarities to other frameworks you may want to comply with later. For example, the US healthcare regulation, HIPAA, and the European automotive privacy regulation, TISAX, are derived from ISO. If you'd like to achieve compliance with these later on, you may want to start with ISO 27001 so you have the right policies, laying the groundwork for the future.
Q: Does starting with one framework make others easier?
A: There is a heavy overlap between ISO 27001 and SOC 2, so if you do one, the other will be a lot easier. But here's the trick: if you start with SOC 2, you'll have to prove you're managing things well before diving into ISO 27001. On the flip side, beginning with ISO 27001 sets you up for what you need to show in a SOC 2 audit. So, there's a bit of a strategy involved depending on which one you choose first.
Q: What does the commitment look like for an ISO 27001 or SOC 2 audit? How long does this take?
A: This will vary depending on your company's headcount, existing controls, and overall trust practices, and it's very dependent on executive buy-in and prioritization. Vanta has seen companies become audit-ready in a matter of weeks if there's internal commitment and the company already has some controls in place.
For a 10-person company, for example, it's doable in 6 months or less if the company is serious about it and has a resource like Vanta supporting the work.
That said, some companies take 6 months or even longer, or they might not make it at all if they don't prioritize compliance. The key is for everyone on the team to be committed to getting compliant in a timely manner.
There are some nearer-term efforts you can make that will take less time, like getting a SOC 2 Type 1 audit. You can go through a SOC 2 Type 1 audit at any time. This shows that you're making an effort to pay attention to your security practices, but it's not as intense as a SOC 2 Type 2 audit. Keep in mind, not all customers will accept this.
Q: Are SOC 2 and ISO 27001 equivalent in a customer's eyes?
A: Basically yes, most customers will view both of these efforts as evidence of a commitment to security. There are sometimes some regional preferences (ISO in Europe, SOC in the US) but for the most part, these frameworks both hold the same weight for customers.
Q: What are companies actually looking for when they want you to have SOC 2 or ISO 27001 compliance?
A: Companies care about these frameworks for several different reasons, varying from one framework to another. Some of the main reasons include:
Showing due diligence in the event of a data leak
One key reason companies want to buy software that has been audited against these frameworks is to show due diligence. If something bad happens like a data leak, regulators, lawyers, and the customers of that company are going to go back through the chain of events to see what caused the bad thing to happen.
In this case, the company will want to avoid looking negligent. One way for companies to look like they've covered their bases is to prove they've done due diligence for 3rd parties. But, most customers don't want to or cannot do this in-depth due diligence themselves.
When the software they purchase (Jira, Confluence, or a Marketplace app) has an ISO 27001 certification or a SOC 2 report, the company can say that another 3rd party came in and validated that the 3rd party software they chose (for example, your cloud app) was secure.
Validating enterprise readiness
Some companies feel that if you haven't achieved compliance with these popular frameworks, you aren't serious about selling to enterprise customers. In seeing that you've gone through a SOC 2 or ISO 27001 audit, customers feel more confident in your ability to meet their needs.
Thank you to Matt Cooper for the answers, and thanks to the Marketplace Partners who joined live to ask questions!
If you’re looking for more information about compliance or enterprise trust in general, you can find it in the Grow Customer Trust hub on the Partner Portal. Or if you’re ready to get started, Vanta offers Atlassian Partners 25% off of compliance services to help you get through your audit faster.