SOC 2 Compliance on a Shoestring Budget

This is not some fluffy article explaining the basics of SOC 2 compliance. I’m guessing you are not here because you need a basic overview. If that is what you are looking for, I covered the topic in a previous blog post here.

It’s very likely that you are here because you are actively looking to get a SOC 2 compliance report. You may not have been through a SOC 2 assessment or audit before, and you may not know what is needed or how to implement any of the SOC 2 controls. There is also a good chance that you don’t know how much to expect to pay and have very little, if any, budget pre-allocated to the effort. All that you are sure of is that your customers and your management team are demanding SOC 2 compliance NOW!

SOC 2 compliance cost is unbalanced for small businesses

The cost question is typically the first one that comes to mind as it is an especially important one for an early stage company. Achieving SOC 2 compliance status is no small feat. The cost can vary significantly based on your organization’s size and complexity. For many organizations, SOC 2 Type 2 implementation and maintenance can easily cost upwards of $100K, in addition to the added cost of the audit itself.

Most early stage companies haven’t reached $100K in annual revenue yet, let alone have that much cash to spend on compliance. Spending more money than the business makes to protect the business does not make any sense at all, yet the lack of a security and compliance attestation may be an inhibitor to growth and larger business opportunities.

To break this chicken-and-egg problem, here’s a playbook for getting your SOC 2 compliance on a shoestring budget — at a cost of almost zero outside of the annual penetration test.

Become SOC 2 compliant at near zero cost

The table below lists all of the baseline controls that are needed for an early stage technology startup to build an initial security program that will lead to a successful SOC 2 compliance audit.

A few notes:

  • The list provides mostly cloud-native and open-source security solutions to establish a solid baseline. Commercial alternatives can be adopted based on the organization’s demand and maturity.
  • Some of the examples provided are based on services in AWS. Equivalent solutions are available in Azure and Google Cloud. Links to resources are provided, when available.
  • JupiterOne provides a completely free tier for pre-revenue startups for the first year, and 50% ongoing discount. The 50% discount is also available to startups with less than $1M in annual revenue.

Controls and Solutions

Control: Policies and Procedures
Solution: JupiterOne
Extra cost: $0.00
Description: You need a robust set of formal information security policies and procedures for your organization. JupiterOne provides a library of more than 150 policy and procedure templates that have been field tested in actual SOC 2 audits and in other assessments such as HIPAA and PCI.
Links: JupiterOne

Control: Asset Inventory
Solution: JupiterOne
Extra cost: $0.00
Description: Knowing what you have is the foundation of any security and compliance program. JupiterOne auto-discovers cloud-based assets and lets you upload your own via JSON, CSV, or API. Free for up to 1,000 asset entities.
Links: JupiterOne

Control: Vendor Management
Solution: JupiterOne + Google VSAQ
Extra cost: $0.00
Description: Google VSAQ is an interactive questionnaire web app that supports security reviews by collecting information and redisplaying the collected data in templated form. A third-party vendor registry can be kept in JupiterOne.
Links: GitHub VSAQ, JupiterOne

Control: Risk Assessment
Solution: JupiterOne + Jira
Extra cost: $0.00
Description: Risk assessment is a foundational step in any security governance program, and a mandatory one under regulations and compliance frameworks like HIPAA and GDPR. Unfortunately, performing a risk assessment is a fairly involved process that recurs every year and typically takes days, if not weeks, each time. There is plenty of risk management software aimed at solving just this challenge, yet that's another tool and another cost. Using JupiterOne together with an issue tracking solution like Jira can streamline this process down to hours without any additional tooling cost. See the linked article for additional details.
Links: JupiterOne Blog Post
Control: Security Awareness Training
Solution: Wizer Training
Extra cost: $0.00
Description: Free security awareness training platform, with a paid version for when you grow.
Links: Wizer Training

Control: Background Checks
Solution: Better Future
Extra cost: $0.00
Description: Here's a no-cost approach to covering the compliance requirement for pre-employment background checks: ask employees to obtain and provide their own free background check report from Better Future. Plenty of paid alternatives are available, with pricing usually starting at $20 per applicant, including Checkr, ClearChecks, and GoodHire.
Links: Better Future, Checkr, ClearChecks, GoodHire

Control: Employee Onboarding and Offboarding
Solution: HRSM or Jira
Extra cost: $0.00
Description: Leverage the onboarding/offboarding capability included in your organization's HR Service Management software (e.g. BambooHR or Gusto). Alternatively, simply set up an HR project in your existing ticketing system (such as Jira) with a templated checklist for each ticket.
Links: Jira Core for HR

Control: Directory
Solution: Google G Suite
Extra cost: $0.00
Description: You most likely already pay for G Suite (or something similar, like Microsoft 365) as part of your IT spend. There's no additional cost specific to security.
Links: G Suite
Control: Single Sign On (SSO)
Solution: Google G Suite
Extra cost: $0.00
Description: If you use G Suite, you can easily set it up as your SSO provider, with lots of pre-integrated SAML apps. Dedicated solutions are also available, such as Okta, OneLogin, or JumpCloud.
Links: Setup SSO In G Suite

Control: Multi-factor Authentication (MFA)
Solution: Google G Suite
Extra cost: $0.00
Description: Make sure to enable MFA for all of your users. This is most likely already supported by your identity provider, such as G Suite.
Links: G Suite MFA

Control: Password Management
Solution: Any password manager
Extra cost: $0.00
Description: Use a password manager to generate a random, unique, and strong password for each site. Many are free to start.
Links: Google Passwords, LastPass, NordPass
Control: Secure File Sharing
Solution: Deadbolt
Extra cost: $0.00
Description: From time to time, you may have to share a confidential document or sensitive file with someone by email or via USB drive. Before sharing, open Deadbolt, select the file to encrypt, enter a password, and … that’s it.
Links: Deadbolt

Control: Secure Cloud Storage
Solution: Cryptomator
Extra cost: $0.00
Description: To better protect your sensitive data stored in the cloud (Dropbox, Google Drive, etc.), encrypt files in a vault before uploading them to the cloud.
Links: Cryptomator

Control: Secure Production Data
Solution: Cloud-native encryption
Extra cost: $0.00
Description: Cloud service providers already include data encryption as a feature for most, if not all, of their services at no extra cost. This includes encryption for data at rest (e.g. AWS S3, RDS, EBS, DynamoDB, etc.), data in transit, and encryption key management. All you have to do is enable it.
Links: Amazon Encryption
Control: Disk Encryption
Solution: FileVault (macOS), BitLocker (Windows)
Extra cost: $0.00
Description: Enable disk encryption for all user endpoints.
Links: FileVault, BitLocker, Ubuntu Disk Encryption

Control: Endpoint Configuration
Solution: JupiterOne (Stethoscope App)
Extra cost: $0.00
Description: For small teams, it is completely feasible to have each team member self-manage their own device, as long as there is a way to monitor configuration compliance. Netflix's open source Stethoscope app does exactly that, and JupiterOne provides a wrapper for easy installation and reporting.
Links: Netflix Stethoscope, JupiterOne Endpoint Compliance, JupiterOne Blog Post

Control: Anti-malware
Solution: Trend Micro
Extra cost: $0.00
Description: Trend Micro Antivirus One is a free app for macOS. Windows 10 comes with Windows Defender, which is enabled by default. Or you can purchase the commercial solution from Trend Micro or Malwarebytes with centralized management. JupiterOne integrations can then be enabled to provide compliance evidence.
Links: Apple AV One, Microsoft Malwarebytes, Malwarebytes Pricing
Control: VPN
Solution: Pritunl
Extra cost: $0.00

Control: Secure by Design (Threat Modeling)
Solution: Lightweight RFC documents
Extra cost: $0.00
Description: Practicing secure by design is important for the development lifecycle. However, threat modeling exercises can get very complicated and confusing very quickly. A lightweight approach is to document major features, each with required sections for data flow, security considerations, and privacy considerations — e.g. in the form of an RFC (Request for Comments).
Links: JupiterOne GitHub
Control: Source Code Management (SCM)
Solution: GitHub, GitLab, Bitbucket
Extra cost: $0.00
Description: Each of the three leading Git source code management platforms has a free plan to start.
Links: Bitbucket, GitLab, GitHub

Control: Code Review
Solution: Git PR + JupiterOne
Extra cost: $0.00
Description: Enable and enforce pull requests and review approvals for your Git repos. JupiterOne integrates with all three leading Git SCM platforms — Bitbucket, GitHub, GitLab — to provide analysis and compliance reporting, ensuring and evidencing that code has been approved by an authorized person other than the code author.
Links: JupiterOne Usecase
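An added example (not JupiterOne's code and not tied to any particular SCM's API) of the check the Code Review control asks you to evidence: every merged pull request must carry an approval from someone other than its author. The pull request records below are constructed sample data, shaped loosely like the author/reviewer/state fields a Git platform exposes.

```python
"""Code-review separation-of-duties check (added example, not from the post)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class PullRequest:
    """One merged PR. Field names are an assumption modeled on typical SCM APIs."""
    number: int
    author: str
    merged_by: str
    # reviewer login -> latest review state ("APPROVED", "CHANGES_REQUESTED", ...)
    reviews: dict[str, str] = field(default_factory=dict)


def independent_approvers(pr: PullRequest) -> set[str]:
    """Reviewers who approved the PR and are not its author."""
    return {user for user, state in pr.reviews.items()
            if state == "APPROVED" and user != pr.author}


def audit(prs: list[PullRequest], min_approvals: int = 1) -> dict[int, str]:
    """Return {pr_number: reason} for every PR lacking enough independent approvals.

    A self-approval does not count; neither does a review that did not approve.
    An empty result is the evidence that the control held for this sample.
    """
    findings = {}
    for pr in prs:
        approvers = independent_approvers(pr)
        if len(approvers) < min_approvals:
            findings[pr.number] = (f"merged by {pr.merged_by} with "
                                   f"{len(approvers)} independent approval(s)")
    return findings


# Constructed sample data: four merged PRs exercising the pass and fail cases.
SAMPLE_PRS = [
    PullRequest(101, "alice", "bob", {"bob": "APPROVED"}),                   # pass
    PullRequest(102, "bob", "bob", {"bob": "APPROVED"}),                     # self-approved
    PullRequest(103, "carol", "carol", {"dave": "CHANGES_REQUESTED"}),       # never approved
    PullRequest(104, "dave", "alice", {"alice": "APPROVED", "dave": "APPROVED"}),  # pass
]

if __name__ == "__main__":
    for number, reason in audit(SAMPLE_PRS).items():
        print(f"PR #{number}: FAIL - {reason}")
```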
Control: Software Composition Analysis (SCA)
Solution: Snyk.io or Dependabot
Extra cost: $0.00
Description: Software Composition Analysis (SCA) tools provide visibility into your open source inventory and any security vulnerability in the dependency code. Snyk.io is a commercial solution with a free starter plan. If your code is hosted on GitHub, Dependabot is a great free alternative.
Links: Dependabot

Control: Open Source Licensing
Solution: FOSSA
Extra cost: $0.00
Description: It is important to keep track of all open source dependencies used in your code and their licenses. Misuse of an open source license could expose your code to legal liabilities. FOSSA is a solution that provides both compliance and security scans. The compliance (licensing) part is free for small teams.
Links: FOSSA

Control: Static Application Security Testing (SAST)
Solution: AppThreat/sast-scan
Extra cost: $0.00
Description: Static application security testing (SAST) software inspects and analyzes an application’s code to discover security vulnerabilities without actually executing the code. AppThreat/sast-scan is a fully open-source SAST scanner supporting a range of languages and frameworks. It integrates with major CI pipelines and IDEs such as Azure DevOps, Google Cloud Build, VS Code, and Visual Studio. No server required!
Links: AppThreat, sast-scan, ShiftLeft

Control: Dynamic Application Security Testing (DAST)
Solution: OWASP ZAP
Extra cost: $0.00
Description: Dynamic application security testing (DAST) tools automate security tests for a variety of real-world threats. These tools typically test the HTTP and HTML interfaces of web applications. Use them to identify vulnerabilities in your applications from an external perspective, better simulating the threats most easily reached by hackers outside your organization. OWASP ZAP is a free and open source web scanner.
Links: ZAProxy
Control: Provisioning
Solution: Terraform
Extra cost: $0.00
Description: Use Infrastructure as Code to provision and manage any cloud, infrastructure, or service. Terraform supports all major cloud platforms and more.
Links: Terraform

Control: Deployment
Solution: GitHub Actions, Travis CI
Extra cost: $0.00
Description: Travis CI and GitHub Actions are probably the best free solutions for continuous integration and continuous deployment (CI/CD). Many alternatives are available, such as CircleCI and Jenkins.
Links: Travis CI, GitHub Actions

Control: Ticketing and Approval
Solution: JupiterOne + Jira
Extra cost: $0.00
Description: You probably already use Jira (or something equivalent) to track issues for your development. The same issue tracking system can be used to track production change tickets and their approval. JupiterOne can be integrated with your CI/CD pipeline as the security decision engine / gate, making automated approval decisions using a change management bot.
Links: JupiterOne Change Management Example, JupiterOne Change Management Client
Control: Vulnerability Scanning
Solution: AWS Inspector
Extra cost: $0.00
Description: AWS Inspector performs vulnerability scans of your EC2 instances and applications. It is free for the first 250 instance assessments. The equivalents are Security Center in Microsoft Azure and Web Security Scanner in Google Cloud.
Links: Amazon Inspector, MS Security Center, Google Security Center

Control: Penetration Testing
Solution: Cobalt.io, Bugcrowd, HackerOne
Extra cost: $10,000.00
Description: Hire a security professional to perform a real penetration test — an automated scan with a tool is not a pen test — at least once a year.
Links: Cobalt.io, Bugcrowd, HackerOne

Control: Vulnerability Disclosure / Bug Bounty
Solution: Bugcrowd, HackerOne
Extra cost: $0.00
Description: It's important to let users proactively report security risks and findings to you before the bad guys exploit them. To start, simply create a vulnerability disclosure page and post it on your website (it costs nothing!). Graduate to a full bug bounty program later on.
Links: Bugcrowd, HackerOne

Control: Centralized Vulnerability Findings Management
Solution: JupiterOne
Extra cost: $0.00
Description: Aggregate vulnerability findings from all kinds of scanners and manage the findings and exceptions from one place.
Control: Configuration Monitoring
Solution: JupiterOne
Extra cost: $0.00
Description: Get alerted when configuration drifts away from your security guardrails and when a new misconfiguration occurs.
Links: JupiterOne Rules Alerting
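An added example, not from the original post or from JupiterOne, that ties the Secure Production Data entry above to this one: a small guardrail evaluator that walks an asset inventory and reports every storage resource that has drifted from "encrypted at rest". The inventory below is constructed sample data; its record layout is an assumption, while the per-service attribute names (ServerSideEncryptionConfiguration, StorageEncrypted, Encrypted) follow the AWS API fields for S3, RDS and EBS.

```python
"""Encryption-at-rest guardrail check over an asset inventory (added example)."""
from __future__ import annotations

from typing import Callable

# One predicate per resource type; True means the guardrail is satisfied.
# Attribute names mirror the AWS API for each service.
GUARDRAILS: dict[str, Callable[[dict], bool]] = {
    # S3: a bucket-level default encryption configuration must be present.
    "aws_s3_bucket": lambda r: r.get("ServerSideEncryptionConfiguration") is not None,
    # RDS: storage encryption is a create-time flag and must be true.
    "aws_rds_instance": lambda r: r.get("StorageEncrypted") is True,
    # EBS: each volume carries its own Encrypted flag.
    "aws_ebs_volume": lambda r: r.get("Encrypted") is True,
}


def evaluate(inventory: list[dict]) -> list[dict]:
    """Return one finding per resource that drifts from, or is not covered by, a guardrail.

    Resource types with no guardrail are reported as "unchecked" rather than
    silently passing, so gaps in rule coverage show up in the same report.
    """
    findings = []
    for resource in inventory:
        check = GUARDRAILS.get(resource["type"])
        if check is None:
            findings.append({"id": resource["id"], "status": "unchecked"})
        elif not check(resource):
            findings.append({"id": resource["id"], "status": "drift",
                             "guardrail": "encryption-at-rest"})
    return findings


def drifted_ids(inventory: list[dict]) -> list[str]:
    """Convenience view: just the ids of resources that violate a guardrail."""
    return [f["id"] for f in evaluate(inventory) if f["status"] == "drift"]


# Constructed inventory (assumed record shape): compliant and drifted resources.
SAMPLE_INVENTORY = [
    {"type": "aws_s3_bucket", "id": "s3://app-logs",
     "ServerSideEncryptionConfiguration": {"Rules": [{"SSEAlgorithm": "AES256"}]}},
    {"type": "aws_s3_bucket", "id": "s3://legacy-exports"},            # no default encryption
    {"type": "aws_rds_instance", "id": "db-prod", "StorageEncrypted": True},
    {"type": "aws_rds_instance", "id": "db-staging", "StorageEncrypted": False},
    {"type": "aws_ebs_volume", "id": "vol-0a1", "Encrypted": True},
    {"type": "aws_lambda_function", "id": "fn-cron"},                   # no guardrail defined
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_INVENTORY):
        print(finding)
```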
Control: Event Auditing
Solution: AWS CloudTrail
Extra cost: $0.00
Description: Enable AWS CloudTrail to audit account activity. The first trail is free.
Links: AWS CloudTrail, AWS Services Monitor, Cloud Audit Logs

Control: Application Logging
Solution: AWS CloudWatch
Extra cost: $0.00
Description: If your application runs in the cloud, start with a native logging solution from your cloud service provider, such as AWS CloudWatch, which includes a free tier.
Links: Amazon CloudWatch, Google Cloud Logging, Google Cloud Monitoring

Control: SIEM
Solution: AWS GuardDuty
Extra cost: $48.00
Description: AWS GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data. It analyzes events from AWS CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs. It starts at $4/month for the first million events as of the time of this article.
Links: Amazon GuardDuty, JupiterOne Vulnerability Management
Control: Incident Response
Solution: Dispatch + Slack + Jira + JupiterOne
Extra cost: $0.00
Description: Dispatch is an open source tool created by Netflix to manage security incidents. It integrates with existing tools used throughout an organization — Slack, G Suite, Jira, JupiterOne, etc. — and leverages the existing familiarity with these tools to provide orchestration instead of introducing another tool.
Links: Netflix Dispatch, Netflix GitHub
Control: Evidence Collection
Solution: JupiterOne
Extra cost: $0.00
Description: Use JupiterOne queries to generate evidence from configuration data, or attach evidence uploads to each compliance requirement.
Links: JupiterOne Compliance Dashboard

Spending more money than the business makes to protect the company’s sensitive systems and data is just bad business. Let’s break the vicious cycle of companies spending outrageous sums of money to achieve compliance. Use this SOC 2 compliance on a shoestring budget playbook and achieve complete SOC 2 compliance for as little as $48.00.