Updated: Jul 4
You've done the hard work achieving SOC 2 compliance and issuing the report. What a relief, right?
Most businesses achieve this major milestone and shift their focus immediately back to other business priorities. But after doing all that hard work, why not maximise the value you get out of the end product?!
1. Put the SOC logo and a write up on your website, proposals and RFP's
The SOC logo and having achieved a SOC report is a qualifier for your business. It positively represents your business practices and signifies that you are “enterprise ready”. Prospective customers considering your product can search your website, proposals or RFP response, for SOC 2 as an initial screening consideration. It's like a testimonial on steroids; an independent auditor has verified that your business practices are secure and reliable to support their services!
2. Submit the SOC 2 report in lieu of security questionnaires
The entire purpose of SOC reporting, is having a single auditor review your control practices once, to save many others doing it individually. That makes it well suited to replace security due diligence questionnaires. You may have residual questions from customers, but the SOC 2 report itself is a comprehensive description of your security, risk and control practices supporting the services you provide to your customers.
3. Brief your sales and marketing teams
It's a good idea to showcase your achievement in all your marketing materials, and ensuring it's well represented in sales conversations. Preparing talking points and "approved phrasing", helps ensure your SOC 2 is both accurately represented, used to differentiate your business from the competition (if applicable), and helps provide them peace of mind that onboarding will be a smooth process as you meet their security and risk management requirements.
4. Notify your existing customers
Letting your customers know you have issued a SOC 2 report, is like notifying them of other available enhancements and features of your product and services. It shows them your continued commitment, improvement and reiterates the value that you’re providing to them. Don’t be fooled by those that don’t actually obtain a copy of the report. It’s always nice to know it's there, particularly when they’re reliant on your security with their own reputation at stake.
5. Social media or press release
SOC 2 is a major achievement for any business. Especially for smaller companies, it’s a step up to a new level. It represents the maturity of your business practices to support enterprise companies. Showing you apply broad good practices to secure your customers data and the reliability of your services. In the earlier years of SOC 2, full press releases were common by companies achieving SOC 2. Now that it’s more widespread, a social media post is more common.
6. Publish a SOC 3 report
There’s a common misconception that you can use to your advantage; that SOC 3 is a level above SOC 2. It’s not. Actually, there’s no additional work or rigour in a SOC 3 report. It’s simply publishing a report with redacted content for viewing by the general public, removing the need for NDA and confidentiality concerns. That makes it well suited to potential customers during due diligence. It’s another “logo” that you hear represented like; "AWS is totally secure, they have SOC 1, SOC 2, SOC 3, everything"
Get in touch if you want to add SOC 3 on to your next SOC 2 Type 2 report (cannot be used for Type 1 reports).
7. Maintain your compliance
From time-to-time, we see clients achieve their initial SOC 2 reports, then discontinue their compliance efforts. This may be sensible in cases where there’s a change in business focus. Or if your existing customers don’t require the SOC 2 reports and you’re not expecting or pursuing further enterprise sales. The trouble with this otherwise, is that you “lose your compliance”. You may be on the verge of a large deal, only to fall short when they notice the SOC 2 report is out-of-date. But having it available for future deals is just one benefit; it also helps your business with clarity of roles and business practices, and provides a means to continually improve. Each time you go through the audit, there's feedback from independent auditors that see a broad range of business practices that you can learn from.
There's many creative ways to highlight your achievement of SOC 2. To position your business as a secure, reliable and enterprise-ready service provider. After putting in all the hard work and funds to achieve and issue your SOC 2 compliance, it would be a shame to leave the report in the archives!
Have you found other ways to use your SOC 2 report?
Do you want to discuss your "approved phrasing" and "talking points" to represent your SOC 2 success?
Let us know: info@assurancelab.com.au
You can view our own social media post here if you're interested.