Notes on compliance tools.

Recently I’ve been chatting more with Chris Stobie, Calm’s Engineering Director of Infrastructure (obligatory, come work with us!), about how we can get more value from our compliance work. As any company starts selling and partnering with larger companies, the size and quantity of security reviews increase, and fulfilling some of the better-known security regimes is the most reliable way to reduce that overhead.

To learn a bit from the community, I tweeted out curious if folks thought highly of the various related compliance tools and platforms out there, and I've collected the notes here.

Have any of you used something like eg Vanta to reduce overhead of SOC 2, ISO 27001 and HIPAA? Better than ye olde spreadsheet? How *much* better?

— Will Larson (@Lethain) November 19, 2020

Some of the considerations to think about:

• Are you willing to use the compliance work as an opportunity versus just an obligation? If you treat this as purely a burden, you'll get very little out of the process.
• Which regimes do your (enterprise) users want from you?
• Multi-tenant versus single-tenant – how well protected and isolated is your compliance data within these platforms?
• How much of the verification is automated versus just a checklist for you to follow?

Most commonly used tools:

• Vanta
• LaikaHQ
• Tugboat Logic
• ZenGRC from Reciprocity Labs
• SecurityProgram.io
• Drata is a company in "stealth mode" aiming towards this space as well

Open source tools:

• IBM's AuditTree
• StrongDM's Comply

Some useful links and such from the responses:

• John Kodumal – SOC2 is not a 4 letter word
• The Developer's Guide to SOC 2 Compliance
• Using Github Protected Branches to Make SOC 2 Audits Suck Less, and you can read Github's own docs on protected branches
• Lessons learned on our journey to SoC 2 compliance - Clubbhouse