Please provide copies of your most recent audit reports (SOC 2 report, ISO certificate, penetration test summary).

Explanation & Context

Understanding the Question

This question is asking you to share documentation that demonstrates your organization has undergone rigorous security assessments and audits. Specifically, it requests three types of reports: a SOC 2 report, an ISO certificate, and a penetration test summary. These documents serve as evidence that your organization adheres to high security standards and regularly evaluates its security posture.

Why It Matters

These audit reports are critical because they provide independent, third-party validation of your security practices. A SOC 2 report shows that an independent auditor has assessed your controls for managing customer data against the American Institute of CPAs (AICPA) standards. An ISO certificate (such as ISO 27001) indicates that your information security management system has been certified as aligning with international best practice. A penetration test summary details the results of simulated attacks conducted by security experts to identify vulnerabilities in your systems. Providing these reports assures stakeholders that your organization is committed to maintaining robust security measures.

Example of Evidence

To fulfill this question, you might provide a SOC 2 Type II report from a reputable auditing firm, an ISO 27001 certification document issued by an accredited certification body, and a summary report from a recent penetration test performed by a trusted security firm. These documents should be up-to-date and clearly demonstrate your organization's compliance with the relevant standards and the outcomes of security assessments.

Example Responses

Example Response 1

We have recently completed a SOC 2 Type II audit and have undergone a penetration test by a reputable third-party firm. However, due to our current size and resource constraints, we have not yet pursued ISO certification. The SOC 2 report and penetration test summary are available upon request.

Example Response 2

We have undergone a SOC 2 Type II audit, obtained ISO 27001 certification, and regularly conduct penetration tests. These reports are available for review and demonstrate our commitment to maintaining high security standards.

Example Response 3

As our software is exclusively on-premises and does not handle sensitive customer data, we have not pursued SOC 2 or ISO certifications. However, we conduct regular internal security assessments and penetration tests to ensure the integrity and security of our systems. A summary of our latest penetration test is available upon request.

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub