Achieving SOC 2 Readiness With a Scalable, Risk-Based Security Program

EdTech | Assessment | SOC 2

This leading ed tech provider built a scalable security program while improving internal alignment and strengthening data protection, positioning the company to meet SOC 2 requirements.

Customer Situation

Carnegie Learning is a leader in K–12 education technology, delivering research-driven math curricula, AI-powered tutoring, and digital learning tools to schools across the United States. Their impact spans both public and private education, supporting educators and students with intelligent platforms designed to improve outcomes at scale.

As their digital products matured and client base expanded, so did their obligation to secure sensitive student and institutional data. With growing expectations around cybersecurity maturity—and clients increasingly requiring SOC 2 attestation—Carnegie Learning recognized that informal security practices were no longer enough.

Challenges

When we first engaged with Carnegie Learning, their IT leadership had already begun exploring how to strengthen the company’s security posture. While there was growing awareness of the need for a more structured approach, the organization hadn’t yet aligned around a unified vision or roadmap for cybersecurity.

At the same time, new external pressures were emerging. Key clients were beginning to require SOC 2 attestation as part of their vendor due diligence. The IT team also identified the need to onboard dedicated security talent to help scale efforts. It was clear that improving the security program would require both technical enhancements and broader organizational alignment.

Seiso’s initial assessment surfaced several opportunities to mature Carnegie Learning’s security capabilities:

  • Software inventory and management processes were informal, with some tools deployed without centralized visibility or governance
  • Application development teams didn’t always have access to necessary log data, limiting their ability to troubleshoot security issues independently
  • Opportunities existed to strengthen communication between IT and other departments around secure data handling practices
  • Security responsibilities were stretched across generalist IT staff, creating challenges in maintaining and updating core security technologies

These findings confirmed what IT leadership had already begun to suspect: the foundation was in place, but a more coordinated, risk-informed strategy was needed to support Carnegie Learning’s next phase of growth and meet increasing client expectations.

Our Solution

Carnegie Learning turned to Seiso to build a simplified, scalable security program that could address immediate risks while preparing the organization for long-term growth and audit readiness.

We began with a one-day security workshop to engage leadership and align priorities, while assisting in the process to identify, vet, and hire a dedicated security resource. From there, we conducted a full Security Program Review using Seiso’s 10 Domains framework, which gave us a structured way to surface key risks and improvement areas across the organization.

Governance & Risk

  • Designed a formal Information Security Management System (ISMS)
  • Completed a NIST 800-171 readiness assessment
  • Created a SOC 2 Description of a System and began pre-attestation readiness work
  • Rolled out a third-party risk management (TPRM) process to better vet vendors

Technical & Program Assessments

  • Mapped and assessed tooling across Google Workspace and Azure
  • Provided system integration support to connect vulnerability management activities to documented remediation plans
  • Evaluated existing practices and recommended improvements to the secure development lifecycle (SDLC)

Implementation & Operational Support

  • Advised and directly supported the hiring of Carnegie Learning’s first cybersecurity analyst
  • Prioritized a roadmap focused on Governance, Technical Controls, and Security Awareness

Throughout the engagement, we worked closely with the IT team to strengthen their capabilities, bridge communication gaps across the business, and bring management into the conversation with business-focused risk insights, not technical jargon.

Results

Carnegie Learning moved from fragmented security initiatives to a formal, organization-wide security program with leadership buy-in and dedicated resources.

Key outcomes included:

  • Security roadmap approved by management, enabling long-term investment
  • First cybersecurity hire onboarded, accelerating implementation and freeing IT to focus on strategic goals
  • Optimized use of existing tools, driving greater visibility and efficiency without new software spend
  • Improved coordination across departments, with clear guidance on secure data practices
  • Risk-informed governance that supports executive decision-making and aligns with client expectations
  • Readiness for SOC 2 attestation, positioning Carnegie Learning to meet contractual requirements and strengthen trust with education partners

Carnegie Learning now has a security program that matches the scale and sensitivity of its mission—and a partner to help it grow stronger over time.

Accelerated Security Program Roadmap

Earned leadership buy-in, added dedicated security talent, improved cross-team coordination, and established governance aligned to risk and client needs.

Optimized Security Tool Adoption

Driving greater visibility and efficiency without new software spend.

SOC 2 Readiness

Positioning to meet contractual requirements and strengthen trust with education partners.

Need Help with Your SOC 2 Readiness?

Schedule a free consultation to see how Seiso can help you get ready with a fast and simplified approach.