When you’re a SaaS business, safeguarding customer data is, to use a technical term, a Pretty Big Deal. This is the key motivation behind Ardoq’s Information Security Program, and something we keep top-of-mind as we scale our business.
When I joined Ardoq as Chief Information Security Officer (CISO) in March of this year, it was already evident that this was a top priority for Ardoq’s executive management team, and was reflected in Ardoq’s product and engineering culture.
As part of our ongoing efforts to maintain a high level of security, Ardoq recently underwent a SOC 2 (Type II) audit. We have received the results of the audit and are happy to share the report with our customers.
What is SOC 2?
SOC 2 was created by the American Institute of Certified Public Accountants (AICPA) as an auditing framework. A SOC 2 report is an independent auditor's attestation on the controls an organization has in place relating to security, using the AICPA’s Trust Services Criteria (TSC) as the basis. The Security criteria are always in scope; the Availability, Processing Integrity, Confidentiality, and Privacy criteria can be included depending on what the organization chooses to have assessed.
For a lot of customers, it can be a great help in streamlining the security assurance processes that are often part of procurement. Instead of using a custom set of questions and criteria to evaluate a vendor, customers can use the report to get a consistent and independent view of a vendor’s security program.
Although SOC 2 may have been created with the US market in mind, it is also used globally: customers use it to set expectations around information security, and technology vendors use it to provide assurance that those expectations are met.
Going One Step Further with SOC 2 Type II Attestation
Ardoq already went through a SOC 2 audit in 2020, but with one key difference: our 2020 audit was a Type I audit, while our most recent audit was a Type II audit. So what’s the difference?
A Type I SOC 2 report attests that security controls are in place and suitably designed as of a specific date. In other words, you could consider a Type I audit to be a “point in time” audit, where auditors review documentation and other evidence to check that the security controls exist and are designed to meet the criteria.
A Type II SOC 2 report takes this one step further. Not only does the report attest that controls are in place and suitably designed, but also that they have been operating effectively throughout a defined period, so the auditors test evidence from across that period rather than a single snapshot. In our case, the Type II audit covers the past 12 months of Ardoq operations. When reading any Type II report, it is worth checking the period it covers, which Trust Services categories were in scope, and whether the auditor noted any exceptions.
Valuable to Us and Our Customers
For many vendors, the motivation for getting a SOC 2 audit report is to make it easier to demonstrate their commitment to security to customers and potential customers. This is true for Ardoq as well, but we also had a strong internal motivation for achieving the attestation.
“Our customers trust that we keep their information secure; this has always been a top priority for Ardoq. During this certification process, we’ve focused on verifying our existing processes and looked for areas to advance security even more. I’m very proud that our team has used this as an opportunity for continual improvement and that our culture of building security into how we work is so strong at the company,” says Erik Bakstad, Ardoq CEO.
Security in Ardoq has been scaling along with the rest of the company over the years. Since our SOC 2 (Type I) audit in 2020, I have joined as Ardoq’s CISO to lead our Security Department and our cross-functional security competencies, which we have been growing both by hiring and by enabling internal security champions.
As we keep increasing our number of customers and employees, it is crucial for us that our security processes scale at pace with the growth of our business. Receiving our Type II SOC 2 attestation has been a valuable validation that we are achieving this scaling goal.
The report has also been an excellent way for us to identify opportunities for improvement. As technologists-at-heart, we are always looking for efficiency gains. We identified several manual evidence-gathering activities during the audit that we’ll be working to automate for the future. That’s something we are pretty excited about.
Security doesn’t stop at a certification or attestation report. Our business is growing, threats evolve, and our risk landscape is far from static. We are growing our Security Department, scaling our Information Security Program, and constantly looking for ways to optimize how we manage risk. We have aligned our Information Security Management System with ISO 27001, and aim to achieve ISO 27001 certification in the future.
Our customers expect us to take security seriously, and we will continue to hold ourselves to the highest standard as we scale.
📧 Are you an existing Ardoq customer? Contact your CSM to receive a copy of our latest SOC 2 report.
Nick Murison is Ardoq’s Chief Information Security Officer. Before joining Ardoq, he spent over 15 years consulting for companies in Europe, North America, Asia, and the Middle East. Nick is passionate about enabling Ardoq to grow rapidly and meet customers’ needs in a safe and secure environment, both for his fellow Ardoqians and customers’ data.