SOC 2 Compliance on a Shoestring Budget
This is not some fluffy article explaining the basics of SOC 2 compliance. I’m guessing you are not here because you need a basic overview. If that is what you are looking for, I covered the topic in a previous blog post here.
It’s very likely that you are here because you are actively looking to get a SOC 2 compliance report. You may not have been through a SOC 2 assessment or audit before, and you may not know what is needed or how to implement any of the SOC 2 controls. There is also a good chance that you don’t know how much to expect to pay and have very little, if any, budget pre-allocated to the effort. All that you are sure of is that your customers and your management team are demanding SOC 2 compliance NOW!
SOC 2 compliance cost is unbalanced for small businesses
The cost question is typically the first one that comes to mind as it is an especially important one for an early stage company. Achieving SOC 2 compliance status is no small feat. The cost can vary significantly based on your organization’s size and complexity. For many organizations, SOC 2 Type 2 implementation and maintenance can easily cost upwards of $100K, in addition to the added cost of the audit itself.
Most early stage companies haven’t reached $100K in annual revenue yet, let alone having that much cash to spend on compliance. Spending more money than the business makes to protect the business does not make any sense, yet the lack of a security and compliance attestation can be an inhibitor to growth and to larger business opportunities.
To break this chicken-and-egg problem, here’s a playbook of how to get your SOC 2 compliance on a shoestring budget — at a cost of almost zero outside of the annual penetration test.
Become SOC 2 compliant at near zero cost
The table below lists all of the baseline controls that are needed for an early stage technology startup to build an initial security program that will lead to a successful SOC 2 compliance audit.
A few notes:
- The list provides mostly cloud-native and open-source security solutions to establish a solid baseline. Commercial alternatives can be adopted based on the organization’s demand and maturity.
- Some of the examples provided are based on services in AWS. Equivalent solutions are available in Azure and Google Cloud. Links to resources are provided, when available.
- JupiterOne provides a completely free tier for pre-revenue startups for the first year, and 50% ongoing discount. The 50% discount is also available to startups with less than $1M in annual revenue.
Controls and Solutions
Control | Solution | Extra Cost | Description |
---|---|---|---|
Policies and Procedures | JupiterOne | $0.00 | You need a robust set of formal information security policies and procedures for your organization. JupiterOne provides a library of >150 policy and procedure templates that have been field tested in actual SOC 2 audits and other assessments such as HIPAA and PCI. JupiterOne Link |
Asset Inventory | JupiterOne | $0.00 | Knowing what you have is the foundation to any security and compliance program. JupiterOne auto discovers cloud-based assets and allows you to upload your own via JSON/CSV/API. Free for 1000 asset entities. JupiterOne Link |
Vendor Management | JupiterOne + Google VSAQ | $0.00 | Google VSAQ is an interactive questionnaire web app to support security reviews by facilitating the collection of information and the redisplay of collected data in templated form. A third party vendor registry can be kept in JupiterOne. GitHub VSAQ Link JupiterOne Link |
Risk Assessment | JupiterOne + Jira | $0.00 | Risk assessment is a foundational step in any security governance program, and a mandatory one under regulations and frameworks such as HIPAA and GDPR. Unfortunately, a risk assessment is a fairly involved process that recurs every year and typically takes days, if not weeks, each time. Many risk management products are aimed at solving just this challenge, yet that is another tool and another cost. Using JupiterOne together with an issue tracking solution like Jira can streamline the process down to hours without additional tooling cost. See the linked article for details. JupiterOne Blog Post |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Security Awareness Training | Wizer Training | $0.00 | Free security awareness training platform with paid version when you grow. Wizer Training |
Background Checks | Better Future | $0.00 | Here's a no-cost approach to cover the compliance requirement to perform pre-employment background checks for your employees: ask them to obtain and provide their own free background check report, provided by Better Future. Plenty of paid alternatives are available, with pricing usually starting at $20 per applicant, including Checkr, ClearChecks, and GoodHire. Better Future CheckR Clear Checks Good Hire |
Employee Onboarding and Offboarding | HRSM or JIRA | $0.00 | Leverage the onboarding / offboarding capability included in your organization's HR Service Management software (e.g. BambooHR or Gusto). Alternatively, simply set up an HR project in your existing ticketing system (such as Jira) with a templatized checklist for each ticket. Jira Core for HR |
Directory | Google G Suite | $0.00 | You most likely already pay for G Suite (or something similar like Microsoft 365) as part of your IT spend. There's no additional cost specific to security. G Suite |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Single Sign On (SSO) | Google G Suite | $0.00 | If you use G Suite, you can easily set it up as your SSO provider with lots of pre-integrated SAML apps. Dedicated solutions are also available, such as Okta, OneLogin, or JumpCloud. Setup SSO In G Suite |
Multi-factor Authentication (MFA) | Google G Suite | $0.00 | Make sure to enable MFA for all of your users. This is most likely already supported by your identity provider such as G Suite. G Suite MFA |
Password Management | Any password manager | $0.00 | Use a password manager to generate a random, unique, and strong password for each site. Many are free to start. Google Passwords Lastpass Nordpass |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Secure File Sharing | Deadbolt | $0.00 | From time to time you may have to share a confidential document or sensitive file with someone by email or on a USB drive. Before sharing, open Deadbolt, select the file to encrypt, enter a password, and that’s it. Send the password over a different channel than the file (a phone call or chat message rather than the same email), otherwise the encryption buys you nothing. Deadbolt |
Secure Cloud Storage | Cryptomator | $0.00 | To better protect sensitive data stored in the cloud (Dropbox, Google Drive, etc.), encrypt files in a Cryptomator vault before they are uploaded; the storage provider then only ever holds ciphertext. Cryptomator |
Secure Production Data | Cloud-native encryption | $0.00 | Cloud service providers already include data encryption as a feature for most, if not all, of their services at no extra cost. This includes encryption for data-at-rest (e.g. AWS S3, RDS, EBS, DynamoDB, etc.), data-in-transit, and encryption key management. All you have to do is enable it. Amazon Encryption |
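The “all you have to do is enable it” rows above are also the easiest to verify, and an auditor will ask you to prove they stayed enabled. The script below is an added example, not JupiterOne or AWS code: it runs the encryption-at-rest checks from the row above and the console-MFA check from the MFA row against a constructed account snapshot shaped like the relevant AWS API responses (S3 GetBucketEncryption, EC2 GetEbsEncryptionByDefault, RDS DescribeDBInstances, IAM ListMFADevices). The bucket, database and user names are made up.

```python
"""Offline check of 'just enable it' guardrails: encryption at rest and MFA
for console users.

Added example; not JupiterOne or AWS code. SAMPLE_ACCOUNT is constructed to
mirror the fields the AWS APIs return, so the checks run offline; replace it
with boto3 calls to run them against a real account.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample account, not data from any real account.
SAMPLE_ACCOUNT = {
    "s3_buckets": {
        "prod-customer-data": {"sse": "aws:kms"},  # default encryption with a KMS key
        "public-assets": {"sse": "AES256"},         # default encryption with SSE-S3
        "legacy-exports": {"sse": None},            # no default encryption rule
    },
    "ebs_encryption_by_default": False,             # account-level EBS switch
    "rds_instances": {
        "prod-db": {"storage_encrypted": True},
        "staging-db": {"storage_encrypted": False},
    },
    "iam_users": {
        "alice": {"console_login": True, "mfa_devices": 1},
        "bob": {"console_login": True, "mfa_devices": 0},
        "ci-deployer": {"console_login": False, "mfa_devices": 0},  # access keys only
    },
}


@dataclass(frozen=True)
class Finding:
    control: str   # row in the controls table this maps to
    resource: str  # what failed
    detail: str    # why it failed


def check_s3_default_encryption(account: dict) -> List[Finding]:
    """Every bucket should carry a default encryption rule (SSE-S3 or SSE-KMS)."""
    return [
        Finding("Secure Production Data", f"s3://{name}", "no default encryption rule")
        for name, cfg in account["s3_buckets"].items()
        if cfg["sse"] is None
    ]


def check_ebs_encryption_by_default(account: dict) -> List[Finding]:
    """One account-level switch makes every new volume and snapshot encrypted."""
    if account["ebs_encryption_by_default"]:
        return []
    return [Finding("Secure Production Data", "ec2:ebs-encryption-by-default", "disabled")]


def check_rds_storage_encryption(account: dict) -> List[Finding]:
    """RDS storage encryption can only be set at creation, so catch it early."""
    return [
        Finding("Secure Production Data", f"rds:{name}", "storage not encrypted")
        for name, cfg in account["rds_instances"].items()
        if not cfg["storage_encrypted"]
    ]


def check_console_users_have_mfa(account: dict) -> List[Finding]:
    """Users with a console password need an MFA device; key-only users are out of scope."""
    return [
        Finding("MFA", f"iam:user/{name}", "console access without MFA")
        for name, user in account["iam_users"].items()
        if user["console_login"] and user["mfa_devices"] == 0
    ]


CHECKS = (
    check_s3_default_encryption,
    check_ebs_encryption_by_default,
    check_rds_storage_encryption,
    check_console_users_have_mfa,
)


def evaluate(account: dict) -> Dict[str, List[Finding]]:
    """Group findings by control; an empty list is passing evidence for that control."""
    report: Dict[str, List[Finding]] = {"Secure Production Data": [], "MFA": []}
    for check in CHECKS:
        for finding in check(account):
            report.setdefault(finding.control, []).append(finding)
    return report


if __name__ == "__main__":
    for control, findings in evaluate(SAMPLE_ACCOUNT).items():
        status = "PASS" if not findings else f"FAIL ({len(findings)})"
        print(f"{control}: {status}")
        for f in findings:
            print(f"  - {f.resource}: {f.detail}")
```

Run it on a schedule and keep the dated output: an empty finding list per control is exactly the kind of artifact the evidence collection step later in this list wants, and a non-empty one is a ticket.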
Control | Solution | Extra Cost | Description |
---|---|---|---|
Disk Encryption | FileVault (macOS), BitLocker (Windows), Ubuntu disk encryption | $0.00 | Enable full-disk encryption on every user endpoint. FileVault BitLocker Ubuntu Disk Encryption |
Endpoint Configuration | JupiterOne (Stethoscope App) | $0.00 | For small teams, it is completely feasible to have each team member self manage their own user device, as long as there is a way to monitor the configuration compliance. Netflix's open source Stethoscope app does exactly that, and JupiterOne provides a wrapper for easy installation and reporting. Netflix Stethoscope JupiterOne Endpoint Compliance JupiterOne Blog Post |
Anti-malware | Trend Micro | $0.00 | Trend Micro Antivirus One is a free app for macOS. Windows 10 comes with Windows Defender, which is enabled by default. Or you can purchase the commercial solution from Trend Micro or Malwarebytes with centralized management. JupiterOne integrations can then be enabled to provide compliance evidence. Apple AV One Microsoft Malware Bytes Malware Bytes Pricing |
Control | Solution | Extra Cost | Description |
---|---|---|---|
VPN | Pritunl | $0.00 | Pritunl is an open source VPN server. Put internal and administrative interfaces behind it rather than exposing them directly to the internet. |
Secure Design (Threat Modeling) | Lightweight RFC process | $0.00 | Practicing secure by design is important for the development lifecycle. However, threat modeling exercises can get very complicated and confusing very quickly. A lightweight approach is to document major features, each with required sections for data flow, security considerations, and privacy considerations, e.g. in the form of an RFC (Request for Comments). JupiterOne GitHub |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Source Code Management (SCM) | GitHub, GitLab, Bitbucket | $0.00 | Each of the three leading Git source code management platforms has a free plan to start. Bitbucket GitLab GitHub |
Code Review | Git PR + JupiterOne | $0.00 | Enable and enforce pull requests and review approvals for your Git repos. JupiterOne integrates with all three leading Git SCM platforms — Bitbucket, Github, GitLab — to provide analysis and compliance reporting to ensure and provide evidence that code has been approved by an authorized person other than the code author. JupiterOne Usecase |
Software Composition Analysis (SCA) | Snyk.io or Dependabot | $0.00 | Software Composition Analysis (SCA) tools provide visibility into your open source inventory and any security vulnerability in the dependency code. Snyk.io is a commercial solution with a Free starter plan. If your code is hosted on Github, Dependabot is a great free alternative. Dependabot |
Open Source Licensing | FOSSA | $0.00 | It is important to keep track of all open source dependencies used in your code and their licenses. Misusing an open source license can expose your company to legal liability. FOSSA provides both license compliance and security scans; the license compliance part is free for small teams. FOSSA |
Static Application Security Testing (SAST) | AppThreat/sast-scan | $0.00 | Static application security testing (SAST) software inspects and analyzes an application’s source code to discover security vulnerabilities without executing it. AppThreat/sast-scan is a fully open source SAST scanner supporting a range of languages and frameworks. It integrates with major CI pipelines (Azure DevOps, Google Cloud Build) and IDEs (VS Code, Visual Studio). No server required! AppThreat sast-scan Shiftleft |
Dynamic Application Security Testing (DAST) | OWASP ZAP | $0.00 | Dynamic application security testing (DAST) tools automate security tests for a variety of real-world threats, typically against the HTTP and HTML interfaces of a running web application. Use them to identify vulnerabilities in your applications from an external perspective, simulating the access an attacker outside your organization has. OWASP ZAP is a free and open source web application scanner. ZAProxy |
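Turning on required reviews in the Git host is the control; what the auditor wants is evidence, pull request by pull request, that the approval came from someone other than the author and still stood when the merge happened. The script below is an added example, not JupiterOne’s SCM integration or any Git host’s API. It walks a constructed list of pull request records in the shape a GitHub, GitLab or Bitbucket export provides (author, reviews in chronological order, merge state) and flags self-approvals, unreviewed merges, approvals that were later withdrawn, and approvals from people outside an assumed AUTHORIZED_REVIEWERS list.

```python
"""Separation-of-duties check on merged pull requests: did someone other than
the author, who is allowed to approve, approve the final revision?

Added example; not JupiterOne code and not any Git host's API. SAMPLE_PRS is
constructed; AUTHORIZED_REVIEWERS is an assumption standing in for a
CODEOWNERS-style list of who may approve.
"""
from typing import Dict, List, Tuple

AUTHORIZED_REVIEWERS = {"alice", "bob", "carol"}  # assumed approver list

# Constructed PR history; reviews are listed oldest first within each PR.
SAMPLE_PRS = [
    {"number": 101, "author": "alice", "merged": True,
     "reviews": [{"user": "bob", "state": "APPROVED"}]},
    {"number": 102, "author": "bob", "merged": True,
     "reviews": [{"user": "bob", "state": "APPROVED"}]},            # approved own PR
    {"number": 103, "author": "carol", "merged": True,
     "reviews": [{"user": "dave", "state": "APPROVED"}]},           # dave may not approve
    {"number": 104, "author": "alice", "merged": True,
     "reviews": [{"user": "carol", "state": "CHANGES_REQUESTED"},
                 {"user": "carol", "state": "APPROVED"}]},          # fixed, then approved
    {"number": 105, "author": "bob", "merged": True, "reviews": []},  # merged unreviewed
    {"number": 106, "author": "alice", "merged": False, "reviews": []},  # still open
    {"number": 107, "author": "carol", "merged": True,
     "reviews": [{"user": "alice", "state": "APPROVED"},
                 {"user": "alice", "state": "CHANGES_REQUESTED"}]},  # approval withdrawn
]


def effective_reviews(reviews: List[dict]) -> Dict[str, str]:
    """Latest state per reviewer wins: an approval followed by CHANGES_REQUESTED
    no longer counts, which is also how the hosts compute mergeability."""
    latest: Dict[str, str] = {}
    for review in reviews:  # relies on chronological order, as the APIs return them
        latest[review["user"]] = review["state"]
    return latest


def approval_status(pr: dict, authorized=AUTHORIZED_REVIEWERS) -> str:
    """Return 'ok' or a short reason the PR fails the control."""
    approvers = {u for u, s in effective_reviews(pr["reviews"]).items() if s == "APPROVED"}
    if not approvers:
        return "no standing approval"
    others = approvers - {pr["author"]}
    if not others:
        return "self-approval only"
    if not others & authorized:
        return "approver not authorized: " + ", ".join(sorted(others))
    return "ok"


def audit(prs: List[dict], authorized=AUTHORIZED_REVIEWERS) -> Tuple[List[int], List[Tuple[int, str]]]:
    """Split merged PRs into compliant numbers and (number, reason) violations.
    Open PRs are skipped: the control is about what reached the main branch."""
    compliant: List[int] = []
    violations: List[Tuple[int, str]] = []
    for pr in prs:
        if not pr["merged"]:
            continue
        status = approval_status(pr, authorized)
        if status == "ok":
            compliant.append(pr["number"])
        else:
            violations.append((pr["number"], status))
    return compliant, violations


if __name__ == "__main__":
    ok, bad = audit(SAMPLE_PRS)
    print(f"{len(ok)} compliant, {len(bad)} violations")
    for number, reason in bad:
        print(f"  PR #{number}: {reason}")
```

Withdrawn approvals (PR 107) are the case a naive “any APPROVED review exists” query gets wrong, and an auditor sampling merged PRs will find it; taking the latest state per reviewer closes that gap.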
Control | Solution | Extra Cost | Description |
---|---|---|---|
Provisioning | Terraform | $0.00 | Use Infrastructure as Code to provision and manage any cloud, infrastructure, or service. Terraform supports all major cloud platforms and more. Terraform |
Deployment | GitHub Actions, Travis CI | $0.00 | Travis CI and GitHub Actions are probably the best free solutions for continuous integration and continuous deployment (CI/CD). Many alternatives are available, such as CircleCI and Jenkins. Travis CI GitHub Actions |
Ticketing and Approval | JupiterOne + JIRA | $0.00 | You probably already use Jira (or something equivalent) to track issues for your development. The same issue tracking system can be used to track production change tickets and their approval. JupiterOne can be integrated with your CI/CD pipeline as the security decision engine / gate to make automated approval decisions using a change management bot. JupiterOne Change Management Example JupiterOne Change Management Client |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Vulnerability Scanning | Amazon Inspector | $0.00 | Amazon Inspector performs vulnerability scans of your EC2 instances and the applications on them. It is free for the first 250 instance-assessments. The equivalents are Security Center in Microsoft Azure and Web Security Scanner in Google Cloud. Amazon Inspector MS Security Center Google Security Center |
Penetration Testing | Cobalt.io, Bugcrowd, HackerOne | $10,000.00 | Hire a security professional to perform a real penetration test — an automated scan with a tool is not a pen test — at least once a year. Cobalt.io Bugcrowd HackerOne |
Vulnerability Disclosure / Bug Bounty | Bugcrowd, HackerOne | $0.00 | It's important to let users proactively report security risks and findings to you before the bad guys exploit them. To start, simply create a vulnerability disclosure page and post it on your website (it costs nothing!); a monitored security@ mailbox and a /.well-known/security.txt file pointing at the page help researchers find it. Graduate to a full bug bounty program later on. Bugcrowd HackerOne |
Centralized Vulnerability Findings Management | JupiterOne | $0.00 | Aggregate vulnerability findings from all kinds of scanners and manage the findings and exceptions from one place. |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Configuration Monitoring | JupiterOne | $0.00 | Get alerted when configuration drifts away from your security guardrails and when new misconfiguration occurs. JupiterOne Rules Alerting |
Event Auditing | AWS Cloudtrail | $0.00 | Enable AWS CloudTrail to audit account activities. The first trail is free. AWS Cloudtrail AWS Services Monitor Cloud Audit Logs |
Application Logging | AWS Cloudwatch | $0.00 | If your application runs in the cloud, start with a native logging solution from your cloud service provider, such as AWS CloudWatch, which includes a free tier. Amazon Cloudwatch Google Cloud Logging Google Cloud Monitoring |
SIEM | AWS GuardDuty | $48.00 | Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data. It analyzes AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs, which lets it stand in for a SIEM in a small, AWS-only environment. As of this writing it starts at $4 per million CloudTrail events per month, which is where the $48 per year comes from. Amazon GuardDuty Azure Advanced Threat Protection |
Threat Correlation | JupiterOne | $0.00 | JupiterOne aggregates findings, alerts, and observations from different sources, including SIEM (e.g. AWS GuardDuty), and leverages graph query rules to correlate, deduplicate, prioritize, and alert. JupiterOne Vulnerability Management |
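Before GuardDuty findings ever reach a correlation layer, the CloudTrail trail you enabled two rows up already contains the handful of events a small team must never miss. The rules below are an added example, not GuardDuty’s or JupiterOne’s logic, and run over constructed CloudTrail records (the account id 111122223333 and the user names are made up) looking for root account activity, console sign-in by an IAM user without MFA, and API calls that stop or narrow the trail itself.

```python
"""Three detections over CloudTrail records a small team wants even before
buying a SIEM: root account activity, console sign-in by an IAM user without
MFA, and tampering with CloudTrail itself.

Added example; not GuardDuty or JupiterOne logic. SAMPLE_EVENTS is
constructed in the CloudTrail record shape (eventSource, eventName,
userIdentity, additionalEventData, responseElements); feed detect() the
Records array from the gzipped JSON files CloudTrail delivers to S3 to run
it for real.
"""
from typing import Callable, Dict, List, Tuple

ACCOUNT = "111122223333"  # AWS documentation placeholder account id

# Constructed records, trimmed to the fields the rules read.
SAMPLE_EVENTS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "bob", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"name": "management-events"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/Developer/alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",   # SSO user, MFA done at the IdP
     "userIdentity": {"type": "AssumedRole", "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/GSuiteSSO/carol"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}},
]


def rule_root_activity(event: dict) -> bool:
    """Any direct use of the root account; it should sit unused behind MFA."""
    identity = event.get("userIdentity", {})
    return identity.get("type") == "Root" and "invokedBy" not in identity


def rule_console_login_without_mfa(event: dict) -> bool:
    """Successful console sign-in by an IAM user without MFA. Federated sign-ins
    arrive as AssumedRole with MFAUsed "No" because the IdP enforced MFA, so the
    rule is scoped to IAMUser to avoid that false positive."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("userIdentity", {}).get("type") == "IAMUser"
            and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and event.get("additionalEventData", {}).get("MFAUsed") == "No")


TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def rule_cloudtrail_tampering(event: dict) -> bool:
    """API calls that stop, delete, or narrow the audit log itself."""
    return (event.get("eventSource") == "cloudtrail.amazonaws.com"
            and event.get("eventName") in TRAIL_TAMPERING)


RULES: Dict[str, Callable[[dict], bool]] = {
    "root-account-activity": rule_root_activity,
    "console-login-without-mfa": rule_console_login_without_mfa,
    "cloudtrail-tampering": rule_cloudtrail_tampering,
}


def detect(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return one (rule, actor arn, eventName) alert per matching rule per event."""
    alerts: List[Tuple[str, str, str]] = []
    for event in events:
        actor = event.get("userIdentity", {}).get("arn", "unknown")
        for name, rule in RULES.items():
            if rule(event):
                alerts.append((name, actor, event.get("eventName", "")))
    return alerts


if __name__ == "__main__":
    for rule, actor, name in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {actor} {name}")
```

With G Suite SSO in front of AWS, your people show up in CloudTrail as AssumedRole and MFA is enforced at Google, so the MFA rule deliberately watches only IAM users with passwords; in that setup, a new IAMUser appearing in ConsoleLogin events is itself worth an alert.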
Control | Solution | Extra Cost | Description |
---|---|---|---|
Incident Response | Dispatch + Slack + JIRA + JupiterOne | $0.00 | Dispatch is an open source tool created by Netflix to manage security incidents. It integrates with existing tools used throughout an organization — Slack, G Suite, Jira, JupiterOne, etc. — and leverages the existing familiarity of these tools to provide orchestration instead of introducing another tool. Netflix Dispatch Netflix Github |
Control | Solution | Extra Cost | Description |
---|---|---|---|
Evidence Collection | JupiterOne | $0.00 | Use JupiterOne queries to generate evidence from configuration data or attach evidence uploads to each compliance requirement. JupiterOne Compliance Dashboard |
Spending more money than the business makes to protect the company’s sensitive systems and data is just bad business. Let’s break the vicious cycle of companies spending outrageous sums of money to achieve compliance. Use this SOC 2 compliance on a shoestring budget playbook and build a program that can pass a SOC 2 audit for as little as $48.00 a year in tooling, plus the annual penetration test.