Lessons from Our Journey to Obtain Our SOC 2 Report and ISO Certifications
This blog was originally published by Grammarly here.
Written by Andrew Derevyanko, Director of Engineering, Grammarly
In June 2021, Grammarly achieved a new security and compliance milestone. We received our SOC 2 (Type 2) and SOC 3 reports as well as three certifications from the International Organization for Standardization: ISO 27001, 27017, and 27018. Together with our HIPAA compliance and PCI DSS compliance, these credentials underscore safeguards around user data, cloud service management, and the protection of sensitive user information.
How to approach security certification
Some companies tend to treat each security compliance requirement individually. Their challenges around agility can also result in inefficiencies. For example, a database engineer might be asked to provide evidence of how a particular database is encrypted based on SOC 2 requirements, then again for ISO requirements, and again for PCI requirements.
We envisioned an alternative where one set of security controls addresses multiple underlying requirements. A comprehensive approach allows us to make fewer requests of our internal teams and collect all the evidence we need for various audits. We call it our Grammarly Control Framework.
Our framework includes a list of more than 100 separate controls that describe how our security processes operate. Each control maps to requirements from the various standards we currently maintain or plan to reach. While our control framework is dynamic, every control is a security measure that we undertake, and we apply a thorough assessment before making adjustments. Any necessary changes are managed by our Governance, Risk, and Compliance team.
Preparing and conducting the audits was a two-year investment across the company. In addition to having strong principles, scalable infrastructure, and advanced encryption in place, our team wanted to validate the steps we’ve taken.
6 lessons we’ve learned along the away
Our journey led us to valuable insights that informed not just the standards we were hoping to reach—but the methods by which we could reach them:
1. Executive leaders are valuable compliance champions
Audits, independent penetration tests, and vulnerability assessments by third parties—even though they require substantial time and resources—are a vital component of working to protect your customers. Empower your team to achieve security certifications to ensure that your security protocols meet high industry standards. If your executive team hasn’t embraced investments in security yet, you might consider focusing on bringing them on board by sharing cybersecurity news, updates on threat evolution, and prevention value propositions. Make it clear: Strong security delivers value and builds trust with your customers.
2. It’s all about your culture and values
It’s essential to weave security into your company culture through regular programs and protocols. Spotlight it during hiring and onboarding so that your focus on security is visible and accountable from a team member’s first day. Also reinforce a security-first mindset across all teams. For instance, a security champions program ensures teams across the company have a security-focused adviser to support them and drive initiatives. That program can be embedded into your software development life cycle (SDLC) to minimize the risk of bugs in code and to drive awareness of best security practices. Your Engineering team can have dedicated security events, too, so they can keep your focus on security as your top priority.
3. It’s more than a call for compliance—it’s about building secure and efficient controls
Security standards are everyone’s responsibility. Use your journey toward certifications to create even stronger security controls without sacrificing efficiency. After all, safeguards shouldn’t feel like hurdles. For example, use internal password policies that adopt a simpler but more secure set of password requirements, based on National Institute of Standards and Technology (NIST) guidelines, than those that introduce complex memorization and are more likely to be written down or stored electronically in an unsafe manner.
4. Select credible, respected auditors in your industry
Work with an auditing firm with expertise in cloud organizations similar to yours. Security controls in traditional organizations can look different and may not apply to your product and culture. Ernst & Young (EY)’s expertise and focus on organizational resilience made them the right fit for us. Because they understand our industry, they were well-equipped to assess our protocols and the rationale behind them. It also created opportunities to learn what else is working in the industry and get appropriate feedback.
5. Onboard your auditors like new employees
Your auditors need to know your company and product inside and out—the software, the systems, and the third-party partnerships—as well as your employees. Onboarding them like new employees helps them to see how your company identifies and addresses risks. Align with them on your control framework and control descriptions. From there they can determine whether your mitigation controls are truly effective, within the context of your processes and culture. Before undertaking your audits, complete thorough “dry runs” to ensure nothing is missing, especially evidence of your solutions’ effectiveness. Provide all required materials in advance, and your preparation will empower you to complete the process without the need for follow-up meetings.
6. Connect with companies that have been on a similar journey
Experience is the best teacher. Don’t miss out on learning from the experiences of your peers at other companies. Establish the confidentiality and trust needed to share key learnings while setting up controls. Through this outreach, you’ll gather helpful insights, such as what they wished they’d known going into the process. Also focus on what helped things go right. Discuss things like compliance standards and fortified system design, too.
Earn brand loyalty with trust
Security standards and compliance are, first and foremost, opportunities to think about your customers. Whenever you’re entrusted with user data, it’s crucial to operate and scale with privacy protections in mind. This journey will deepen your commitment to building trust with strategies, processes, and protocols that help you move quickly and appropriately in the face of today’s needs and the compliance roadmap.
When you address the evolving risks around privacy and data head-on, you increase your company’s and customers’ security. Protecting your customers’ data is an essential aspect of building trust and lasting relationships with your product and company.