YCBM is a SOC 2 Type 2 certified SaaS!
Our users trust us with a lot of sensitive data, so we set out to prove we can keep it safe and secure. And we did! Check out the story behind our latest certification.
In an era where data security is paramount for everyone, we know our customers need more than just our promise to keep their data safe and secure.
Data privacy regulations such as GDPR and CCPA require organizations to have technical and organizational measures in place to ensure the confidentiality, integrity, and availability of personal data.
So what better way to show our customers just how secure their data is than achieving a successful SOC 2 Type 2 audit with no control exceptions!
Our external security audit journey
If you run a SaaS company, it will not be long before a customer asks you to fill out a ‘security vetting questionnaire’.
We’ve filled out hundreds of them. It’s the beginning of a security journey for many companies: their customers want not just words, but a demonstration of security compliance from a prospective supplier.
Although we knew we could pretty much tick every box, questionnaires are not a scalable way to demonstrate this; as everyone knows, every questionnaire is just a little different.
So in 2021, we started our journey to offer more to our customers by achieving external certification of our security measures - ISO 27001.
An ISO 27001 certification says we have met the requirements of the international standard for an Information Security Management System (ISMS). We are proud of the documentation, risk assessment, and audit work we could already demonstrate, all of which are required by the standard.
But ISO27k is a point-in-time audit - it reviews, then goes away. So for us, it didn’t prove we actually do what we say we do over time.
Enter SOC 2 - for many of our customers, this is the report they need to give them the assurance that, over a 3-6 month audit period, we stick to what we say we do.
Preparation is key!
Our ISO 27001 audit highlighted the importance of having a dedicated person within the business to manage and maintain our security and regulatory compliance.
Hence in 2021, I was hired as YouCanBookMe’s Compliance Manager, ready to kick-start our SOC 2 journey.
I report to our CEO and COO and was hired to make sure we do what we say we do.
My role at YouCanBookMe is to make an informed assessment of business decisions and ensure we follow the constantly evolving laws and regulations we must adhere to, like GDPR and CCPA. It’s my job to be objective when a decision could be a risk to the business or our customers, and to communicate this to those involved.
It has been a joke that I can sit and listen to a new idea, say no, mic-drop, and leave the room without needing to explain any further - I don't, but definitely could!
With a proven background in Compliance within a SaaS environment, I have implemented improvements to our existing processes and documentation, maintained our ISO 27001 certification for another year through our surveillance audit, and taken on our next goal - a SOC 2 Type 2 audit.
So what is a SOC 2 Audit?
The Service Organization Control, better known as SOC 2, is a set of criteria for service providers managing customer data. This set of criteria is developed by the American Institute of Certified Public Accountants (AICPA).
The SOC 2 framework is based on five Trust Services Criteria (TSCs): Security, Availability, Confidentiality, Processing Integrity, and Privacy. Each criterion has its own set of controls, with Security having the largest set of associated controls.
There are two types of SOC 2 reports: a SOC 2 Type 1 and a SOC 2 Type 2.
A Type 1 report is an audit similar to an ISO 27001 audit. It provides assurance that an organization has suitably designed controls at a point in time.
A Type 2 audit has the same criteria to meet as a Type 1, but it covers a period of time, testing the design and operating effectiveness of the organization's key internal controls throughout that period.
At the end of a SOC 2 Type 2 audit, the auditor issues an opinion based on the description the organization has provided versus the actual operating effectiveness of the controls.
What was involved in achieving our outstanding SOC 2 Type 2 report?
A lot of screenshots!
My biggest takeaway from the SOC 2 audit would be screenshots, so many screenshots!
A SOC 2 Type 2 audit isn’t about ticking all the required compliance checkboxes; it’s about showing, over a period of time, that your organization has well-defined policies, procedures, and practices and that these can be seen in action.
An audit trail is key: we have a lot of automated logging of our processes, which made providing screenshot evidence for our audit so much easier.
Take Access Control as an example, specifically how we implement and manage an employee's access to our business systems.
During our audit, the auditor reviewed a number of our policies which cover access control along with the associated procedures.
They asked to see examples that:
- Access requirements for roles had been defined
  - We have this detailed in our Job Specifications for each role
- Access requests were made by the employee's manager when a new employee starts or changes roles
  - We create a Jira ticket with the access requirements, which is actioned by the business system administrator
- Access was granted
  - The administrator records their actions in the Jira ticket
- Access was reviewed
  - We perform regular access reviews of our business systems, which we record in Jira tickets
This area alone required a review of numerous procedures, a walk-through of the start-to-finish process of how we request access, and of course screenshots of each of the above points for not just one employee, but five!
A SOC 2 audit isn’t just about how secure our service is; it’s about how secure the whole business is.
From HR to Support, Finance to Engineering, a SOC 2 audit reviews how the business runs in relation to our defined policies and procedures.
While I project-managed our SOC 2 journey, it was and continues to be a team effort. We wouldn’t have achieved the report we have without the dedication and input from everyone at YouCanBookMe.
We can talk the talk, but do we walk the walk?
At the end of our SOC 2 Type 2 audit, our auditor commented on how well organized, structured, and culturally embedded our data security controls are throughout the business.
That wasn’t a surprise to us though, it is one of our company values - Commitment to excellence!
We live and breathe security (or indeed, we live and breathe securely). That is why we received an amazing SOC 2 Type 2 report with no control exceptions.
What did we take away from our SOC 2 audit?
Our SOC 2 Type 2 report has provided us with insights into our security posture, internal controls, governance, and regulatory oversight, which we are using to further mitigate risks, improve our service and systems, and improve compliance readiness.
We are confident we maintain the highest level of security for our customers, but we are always looking for ways to make improvements.
Everyone at YouCanBookMe knows and follows our Company Values, and our continuous improvements to data security put them into practice.
Commitment to excellence
- We have an ISO 27001 Certification and a SOC 2 Type 2 audit report with no control exceptions, and we are continuously improving our information security management system.
Curiosity and optimism
- Technology is constantly evolving and we are always looking for new solutions to improve our service and security.
Find and share the solution
- Two heads are better than one, and the team at YouCanBookMe is always sharing thoughts and ideas about solutions that can improve our service and security.
Confidence in transparency
- We are instinctively open. We listen, learn, adapt, and document our journey, and share it with our customers!
Simple is beautiful
- The best solution is often the most simple, or the one that has the least amount of risk. Technology is providing more and more ways in which we can implement simple but elegant solutions.
Tolerance and respect
- We are respectful of everyone and of everyone’s opinion. We know how we would want our information to be secured, so we make sure we do the same for our customers.
We want to continue building trust with our customers and end users about the secure nature and operation of our service.
We can provide you with a copy of our SOC 2 Type 2 auditors report under NDA. Please reach out via email at firstname.lastname@example.org
Charlie is YouCanBookMe’s Compliance Manager with over a decade of experience in compliance, specializing in ISO 27001 and Data Protection. She loves a good sense of humor and garlic is her secret weapon to make everything taste well. In her free time she’s learning how to grow her own vegetables (somewhat successfully!) and learning to play the guitar with her son.