
(I work at/cofounded Vanta)

We work with companies doing B2B sales and looking for help with compliance certifications like ISO 27001 and SOC 2. Some folks come to us early but most come with a deal on the line — which is to say, this is a process you can start “just in time” if you must.

From what I’ve seen, saying “no, I won’t go through your security review process” is an (obvious) dealbreaker, but there are a lot of ways to get through that process: ISO cert, SOC 2, the promise to get either of those certs by your go-live/implementation date, security questionnaire hell, etc.

As mentioned previously, ISO is preferred by European companies; SOC 2 is more likely to be mandated by American companies, and you’re likely to get pretty far, even in Europe, on just a SOC 2. If I had to construct the situation that’s most likely to be deal-breaking, it’d be an old-school European company that’s operating off a rigid flow chart: “if no ISO 27001 cert, go back to start. Do not pass Go. Do not collect $200.”

A few folks have mentioned cost (dollar and organizational). YMMV, but the cost of obtaining ISO 27001 certification varies with the number of employees, say $10-20k for smaller companies. Implementing ISO 27001 and an ISMS can be blitzed by small teams in a few weeks but will probably take a couple of months to a year for larger organizations.

(And we’d love to help if you decide to pursue this at Vanta etc etc)

We just signed up with Vanta to do our SOC 2. I have to say that the process is a lot of work, but I can give a +1 for any other SaaS to use Vanta. They make the process simpler and more automated, helping guide you through the complexity, and you have regular calls with your Vanta account rep, who actually gets on Zoom calls with you every couple of weeks to make sure you get through the process, which is amazing support.

Thanks Christina and the Vanta team for making the SOC 2 compliance process… digestible :)


Check out secureframe.com as well (I like them the most, albeit just getting going)

Also in the space:

- Drata

- Laika

- Tugboat

- Kintent


My experience is that ISO 27001 only fails to get you far in the USA; the rest of the world is fine with it.


How can one reach you at Vanta?


christina@vanta.com