This blog seeks to place the different ways of managing your compliance management system into four distinct buckets, and to analyze the pros and cons.
As with many buying decisions, you can pay $$$$ for high convenience, or $ for low convenience, and everything in between:
$ – The Low Tech Compliance Management System
The Low Tech System provides:
- an offline spreadsheet managed by one person
- Emails for task assignments and evidence collection
- Calendar events for reminders
Recommended for: nobody, really – the following three systems are objectively better, because email tends to get lost and is difficult to organize or query. And if one person is already doing the work in an offline spreadsheet, it is very easy to share that spreadsheet online.
$$ – The DIY Compliance Management System
The DIY System provides:
- an online spreadsheet, such as Confluence or Google Drive or Excel Online, used to track static items, including:
  - controls
  - control owners
  - frequency
  - action items, and
- a ticketing system for assigning the control activities, such as Jira, Zendesk, or ServiceNow. Users create recurring tickets and assign them based on control owner (and it is automatic – yay, one less thing to remember to set up periodically).
Recommended for: startups who can’t afford special project management systems. Also recommended for people who have a bit of extra time to construct an organized system in commonly available tools.
$$$ – The Project Management System
The Project Management System provides:
- versatile, all-in-one software solutions such as Asana or Monday.com. These systems have dynamic grids that also allow for custom fields, assignments, notifications, and task boards. One platform can perform both the control listing and the activity assigning work.
Recommended for: Scaleups and enterprise companies that may already have a project management system their personnel are familiar with.
$$$$ – The SOC 2 Concierge
The SOC 2 Concierge provides:
- industry-tailored solutions like Vanta, Drata, and an ever-growing list of competitors. These are solutions that are optimized for SOC 2 and may come pre-loaded with automated monitoring, templated controls, support, etc. (and may have the price tag to prove it).
Recommended for: Startups, who can take advantage of the heavy templates, OR established companies who want to take advantage of the integrations and automations to reduce compensation costs.
Whatever you select for your compliance management system, it pays to do the research up front and make sure the decision makes sense for your company needs.
P.S. If you’re going this route, you can check out a G2 review of usability here.
On a related note, check out our article analyzing when you should hire a compliance manager, a specialized consultant, or just make do with what you’ve got.
Looking for an auditor who can help guide you through the SOC 2 process? – Contact Render