r/soc2

▲ 6 r/soc2

At limit, leave position

A few months ago one of our major clients requested a SOC 2 report, but we had never done anything like that. The operations manager and I were tasked with getting it done. We found an auditing company and did a gap analysis. I've worked extensively with them and gained a tremendous amount of experience: I conducted the company's first risk assessment, created the company's risk register, drafted all types of policies for the different divisions, I mean a lot. I liked doing this work so much that I took the CISSP exam and passed.

However, the operations manager left and now I'm tasked with handling the IT management for this 125-employee company and continuing the SOC 2 efforts. I'm also stuck between two managers, one who cares about it and another who doesn't. The one that doesn't care has been making my life a living hell; I still have to handle the deployment of computers, MS licenses, account onboarding and offboarding, and basic help desk requests for his department. I seriously have had barely any time to do the SOC 2 work.

At this point I'm thinking about jumping to another position with a different company fully related to SOC 2 and/or ISO 27001 work. I've asked my company to at least hire a help desk worker and they said no. Would it be bad if I left at this point in the project? Everything I've set in place is pretty much on its way to a better standing (developed an SDLC policy, new MFA requirements across the board, upgrading the servers to be on actively supported services and deploying EDR agents to all workstations, and more), so if I leave I think the teams have a good idea of what to do.

--

I love this side of GRC work and really want to continue focusing on this role. Is this enough experience to get a director position related to this work? Would you guys do this? Or should I stick it out to the end? I expect us to be audit-ready by the end of the summer.

reddit.com
u/SSJ4_Vegito — 2 days ago
▲ 10 r/soc2+1 crossposts

Pentesting and outreach

Hey guys, this might not be the best place, but I still wanted to ask a question and learn from people in the space.

I'm basically fighting for my job doing sales for pen testing and have done what feels like everything, from cold outreach emails to LinkedIn warm messaging ("connect, thank you, wait some time, outreach"). I follow everything my boss has taught me and still nothing.

I would love to hear any advice you guys have, either from your experience selling or about what makes you interested in a product or a person.

u/Abject-Delivery-5248 — 2 days ago
▲ 2 r/soc2

What evidence does your auditor actually want for a billing bug fix? PR + CI or something more?

Going through SOC 2 Type II and got a specific ask from our auditor that caught us off guard. We had a billing bug in prod. Fixed it. Had PR approval and CI passing. Auditor came back and asked for evidence that the fix was actually tested against the original crash. Not just that tests passed in general, but something showing: here's the crash, here's the test that reproduces it, here's proof the fix makes it pass.

Is that a normal ask or is our auditor being unusually strict? How are you generating that evidence right now, manually writing it up per incident, or is there tooling that handles it?

Specifically asking about billing/payment code; the auditor seemed to care more about those paths than everything else.

u/sszz01 — 3 days ago
▲ 0 r/soc2

Auditor asked us to prove who approved access for 8 sampled accounts. Five of those approvals happened in Slack DMs. We have no idea how to handle this.

We are mid-audit right now. Auditor sent a sample of 25 user accounts and asked us to provide the approval record for each one showing who authorized access, when, and to what.

For about 20 of them we have Jira tickets. Fine. For 5 of them the access was granted because someone messaged the IT person directly in Slack and they just did it. The DM exists. The IT person remembers doing it. But a Slack DM between two people is not exactly what auditors mean when they say documented approval. No timestamp exported, no approver field, no formal record that the person being granted access had a business need that someone with authority signed off on.

Our auditor was not impressed. We are not going to get an exception on these but we are going to get a finding and they want to see a remediation plan before they close the report.

The frustrating part is that the access itself was completely legitimate. The right person got the right access for the right reason. It just was not captured anywhere that an auditor can sample cleanly. The security was fine. The evidence was not.

We are now retroactively trying to build a lightweight request and approval workflow that is not so heavy that engineers route around it by just messaging IT on Slack again. Has anyone found a middle ground between full blown IGA tooling and pure honor system that actually produces evidence auditors accept?

u/Altruistic-Meal6846 — 3 days ago
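One lightweight way to produce exactly the record the auditor is sampling, as an added example that is not part of the post above and not code from any IGA product: an append-only, hash-chained access log in which every request, approval and grant carries the actor, the resource and a timestamp, plus a Sample function that answers "who approved access for these accounts" directly and reports grants with no approval as exceptions. The account names, resource names and JSON field layout are assumptions made for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"time"
)

// Entry is one event in an append-only access log: which account, what
// happened (request, approve, grant), who did it, to which resource, and when.
// PrevHash chains each entry to the one before it, so editing or deleting an
// old entry breaks every later hash and is caught by Verify.
type Entry struct {
	Seq      int    `json:"seq"`
	Account  string `json:"account"`
	Action   string `json:"action"`
	Actor    string `json:"actor"`
	Resource string `json:"resource"`
	Reason   string `json:"reason,omitempty"`
	At       string `json:"at"` // RFC 3339, UTC
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// Ledger is the in-memory form of a JSON-lines file that only ever grows.
type Ledger struct{ Entries []Entry }

// hashEntry hashes the entry's JSON with its own Hash blanked; struct field
// order fixes the encoding, so the result is reproducible.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append records an event and links it to the previous entry.
func (l *Ledger) Append(account, action, actor, resource, reason string, at time.Time) Entry {
	prev := ""
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Account: account, Action: action, Actor: actor, Resource: resource,
		Reason: reason, At: at.UTC().Format(time.RFC3339), PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify recomputes the chain and returns the index of the first entry that
// does not check out, or -1 if the ledger is intact.
func (l *Ledger) Verify() int {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || hashEntry(e) != e.Hash {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Approval is the record an auditor samples for one grant.
type Approval struct{ Account, Resource, Approver, ApprovedAt, GrantedBy, GrantedAt string }

// Sample answers "show me the approval for these accounts". A grant counts as
// approved only if an earlier approve entry exists for the same account and
// resource from someone other than the account holder; anything else is
// reported as an exception instead of being silently dropped.
func (l *Ledger) Sample(accounts []string) (ok []Approval, exceptions []string) {
	for _, acct := range accounts {
		for _, g := range l.Entries {
			if g.Account != acct || g.Action != "grant" {
				continue
			}
			var approval *Entry
			for i := range l.Entries {
				a := &l.Entries[i]
				if a.Seq < g.Seq && a.Account == acct && a.Resource == g.Resource &&
					a.Action == "approve" && a.Actor != acct {
					approval = a
				}
			}
			if approval == nil {
				exceptions = append(exceptions, fmt.Sprintf("%s: %s granted by %s at %s with no recorded approval",
					acct, g.Resource, g.Actor, g.At))
				continue
			}
			ok = append(ok, Approval{acct, g.Resource, approval.Actor, approval.At, g.Actor, g.At})
		}
	}
	return ok, exceptions
}

func main() {
	var l Ledger // constructed sample; names and resource are made up
	l.Append("alice", "approve", "dana", "prod-db-readonly", "manager sign-off", time.Now())
	l.Append("alice", "grant", "it-ops", "prod-db-readonly", "", time.Now())
	l.Append("bob", "grant", "it-ops", "prod-db-readonly", "asked in Slack", time.Now())
	ok, exc := l.Sample([]string{"alice", "bob"})
	fmt.Println("intact:", l.Verify() == -1, "approved:", ok, "exceptions:", exc)
}
```

The Slack path does not have to go away: a slash command or bot that writes the approve entry under the manager's user id is enough, because the evidence is the ledger line (approver, resource, timestamp), not the DM. The chain is tamper-evident, not tamper-proof, so ship the file somewhere the IT admin cannot rewrite it (object storage with object lock, or the SIEM) and run Verify before exporting a sample.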
▲ 3 r/soc2

Question for people who’ve gone through SOC 2: what evidence actually helped during buyer security reviews?

I’m trying to understand the practical side of SOC 2 for early-stage SaaS teams.

From what I’m seeing, the painful part is not only “getting SOC 2 ready,” but also answering buyer security questionnaires repeatedly and collecting the same evidence from AWS/GitHub/policies again and again.

For people who have gone through SOC 2 or helped teams prepare:

What evidence/artifacts were actually useful before or during customer security reviews?

For example:

  1. AWS IAM/MFA evidence

  2. CloudTrail/logging proof

  3. S3 encryption/public access checks

  4. GitHub branch protection

  5. PR review requirements

  6. access review records

  7. incident response policy

  8. security questionnaire answers

  9. PDF/security packet for buyers

  10. change log showing security improvements over time

I’m not looking for legal/audit advice. I’m trying to understand what small SaaS teams should prioritize first when they’re not ready for a full compliance platform yet.

What would you say are the top 5 artifacts that actually matter?

u/AdilShaikh5786 — 4 days ago
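The AWS and GitHub items in that list can be turned into repeatable checks instead of screenshots. The following Go program is an added example, not code from the post or from any compliance platform: it runs three checks over constructed samples shaped like the IAM credential report, the S3 GetPublicAccessBlock response and the GitHub branch protection response. The account id, user names, bucket settings and repository settings are made up; the column and field names follow the real API output, but the program is offline and reads only the embedded samples.

```go
package main

import (
	"encoding/csv"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample: the first ten columns of a decoded
// `aws iam get-credential-report`. Account id and user names are made up.
const sampleCredentialReport = `user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2021-01-04T10:00:00+00:00,not_supported,2024-01-02T09:00:00+00:00,not_supported,not_supported,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-02-01T09:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,true,true,2023-11-01T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T10:00:00+00:00,true,2024-02-01T09:00:00+00:00,2023-11-01T00:00:00+00:00,N/A,false,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-03-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-03-01T10:00:00+00:00
`

// Constructed sample of `aws s3api get-public-access-block` output for one bucket.
const samplePublicAccessBlock = `{"PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
 "IgnorePublicAcls": true, "BlockPublicPolicy": true, "RestrictPublicBuckets": false}}`

// Constructed sample in the shape of GitHub's branch protection response
// (GET /repos/{owner}/{repo}/branches/{branch}/protection), trimmed to the
// fields checked below.
const sampleBranchProtection = `{
 "required_pull_request_reviews": {"required_approving_review_count": 1},
 "required_status_checks": {"strict": true, "contexts": ["ci/test"]},
 "enforce_admins": {"enabled": false}}`

// MFAFindings lists principals that can sign in to the console (root, or
// password_enabled=true) without MFA. Columns are found by header name, so
// the full report with its extra columns works as well.
func MFAFindings(report string) ([]string, error) {
	rows, err := csv.NewReader(strings.NewReader(report)).ReadAll()
	if err != nil || len(rows) == 0 {
		return nil, fmt.Errorf("unreadable or empty credential report: %v", err)
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[name] = i
	}
	var out []string
	for _, r := range rows[1:] {
		user := r[col["user"]]
		console := user == "<root_account>" || r[col["password_enabled"]] == "true"
		if console && r[col["mfa_active"]] != "true" {
			out = append(out, user)
		}
	}
	return out, nil
}

// PublicAccessBlockFindings names any of the four Block Public Access settings
// that are off; a missing key reads as false, which is also the unsafe state.
func PublicAccessBlockFindings(doc string) ([]string, error) {
	var resp struct{ PublicAccessBlockConfiguration map[string]bool }
	if err := json.Unmarshal([]byte(doc), &resp); err != nil {
		return nil, err
	}
	var out []string
	for _, k := range []string{"BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"} {
		if !resp.PublicAccessBlockConfiguration[k] {
			out = append(out, k)
		}
	}
	return out, nil
}

// BranchProtectionFindings checks the three settings buyers usually ask about:
// at least one approving review, required CI checks, and no admin bypass.
func BranchProtectionFindings(doc string) ([]string, error) {
	var bp struct {
		Reviews *struct{ Count int `json:"required_approving_review_count"` } `json:"required_pull_request_reviews"`
		Checks  *struct{ Contexts []string `json:"contexts"` }               `json:"required_status_checks"`
		Admins  struct{ Enabled bool `json:"enabled"` }                       `json:"enforce_admins"`
	}
	if err := json.Unmarshal([]byte(doc), &bp); err != nil {
		return nil, err
	}
	var out []string
	if bp.Reviews == nil || bp.Reviews.Count < 1 {
		out = append(out, "no required PR review")
	}
	if bp.Checks == nil || len(bp.Checks.Contexts) == 0 {
		out = append(out, "no required status checks")
	}
	if !bp.Admins.Enabled {
		out = append(out, "admins can bypass protection")
	}
	return out, nil
}

func main() {
	mfa, _ := MFAFindings(sampleCredentialReport)
	s3, _ := PublicAccessBlockFindings(samplePublicAccessBlock)
	gh, _ := BranchProtectionFindings(sampleBranchProtection)
	fmt.Println("console users without MFA:", mfa)
	fmt.Println("S3 public access settings off:", s3)
	fmt.Println("branch protection gaps:", gh)
}
```

Point the same functions at fresh API output (for the credential report, `aws iam get-credential-report --query Content --output text | base64 -d`) and commit the dated result next to the command that produced it. Command plus output plus date is the form of evidence reviewers tend to accept, and a history of such runs is also the "security improvements over time" change log in item 10.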
▲ 8 r/soc2

SOC 2 Type 2 Evidence Collection

Hello everyone,

I am currently in the process of building policies and starting to collect evidence manually, due to the high cost of GRC tools.

I would like to ask if there is any checklist or any guidance that can help in collecting evidence for the following TSC:

(Security, Confidentiality, and Availability).

Also, what is the expected frequency for providing this evidence over a 6-month period?

For context, we are ISO/IEC 27001 and ISO 22301 certified, and we already have SIEM and PAM in place. All our operations are running on cloud platforms (AWS and Azure).

Additionally, if some controls are managed through workflows in a ticketing system, is this considered sufficient evidence from an audit perspective?

Thank you in advance for your support.

u/Anas5667 — 5 days ago
▲ 3 r/soc2

SOC 2 upgrade costs that client contracts don't cover

I'm finding situations where the primary solution to a gap is upgrading a service, for example a Mongo M2 instance to M10 to achieve 1 year of backup retention.

These instances are baked into our customers' contracts and the additional cost is not supported.

How common are these types of exceptions in a first report?

u/DesertDrifter_01 — 10 days ago
▲ 6 r/soc2

Any budget-friendly ways to get SOC 2 compliance?

SOC 2 pricing seems pretty high for small teams. How are startups generally dealing with this? Any practical ways to keep costs down?

u/Moham-Aasif — 13 days ago
▲ 2 r/soc2

Data Flow Diagram

Hello 👋🏻

When starting to draw a data flow diagram, what are the key points I should focus on?

Thanks 😊

u/Anas5667 — 9 days ago
▲ 24 r/soc2

Fake SOC2 Reports - The Gift That Keeps on Giving

Over the weekend, another Substack post appeared detailing the ongoing saga of Deelve (misspelled on purpose). These fraudsters are further exposed while the bulk of their team is partying in Hawaii using customer and investor money. Leaving all their customers to deal with the fallout of terrible SOC 2 reports, these children spend daddy's money with zero accountability. Here's the article: https://substack.com/home/post/p-193790932

u/GetA-CISO — 12 days ago
▲ 4 r/soc2

Compliance management and compliance expertise are two completely different things

This is something I've been thinking about for a while, and I think it's worth saying plainly.

There's a growing number of GRC and compliance tools that market themselves as if buying the platform is the same thing as building a compliance program. And I get why it's appealing. You're a startup founder, an enterprise customer is asking for SOC 2, you've never done this before, and someone shows you a dashboard that says they'll get you audit-ready. Of course you're going to lean toward that.

But here's what actually happens in a lot of those situations. The tool connects to your cloud environment, pulls in some data, generates templated policies, and gives you a checklist.

That's compliance management. That's organizing information. It's useful, but it is not the same thing as understanding what controls your business actually needs, how those controls should operate in your specific environment, who owns them, what evidence looks like when things are running well, and what to do when they aren't.

That's compliance expertise. And the tool doesn't come with it.

I've walked into programs that had years of SOC 2 audits under their belt, clean reports on file, and controls that were never actually operating. Policies documented in the platform that described processes the team didn't know existed. Evidence that looked fine in a tool but couldn't survive five minutes of real scrutiny from an enterprise buyer doing due diligence.

The tool organized the mess. It didn't fix it. In some cases it made it harder to see, because everything looked tidy in the dashboard.

What bothers me most is that a lot of these vendors know the difference. They know startups don't have the context to evaluate whether what they're getting is a real program or a paper one. And they market into that gap deliberately. "Get SOC 2 in weeks" is a pitch designed for someone who doesn't know what SOC 2 actually requires to be meaningful.

I'm not saying tools are bad. I use them. I've worked across Drata, Vanta, AuditBoard, ServiceNow, LogicGate, MetricStream, and many others in my tenure. Automation and continuous monitoring are genuinely important for program maturity. But the tool is infrastructure. It is not the strategy, and it is definitely not the expertise.

If you're a founder going through this for the first time, the question to ask isn't "which tool should I buy." It's "do I have someone who actually understands what a functioning compliance program looks like and can build one that fits how my business operates." The tool comes after that. Not before.

I'd be curious if anyone else has run into this. You bought the platform, got everything set up, and then realized the hard part hadn't even started yet.

u/faith_nuer_llc — 16 days ago
▲ 5 r/soc2

CAN'T CHOOSE BETWEEN THE GRC TOOLS

Hi, hope you're doing well.
We are an early-stage startup and we want to be SOC 2 certified, but we can't afford the leading platforms (do you think they have early-stage startup programs that could be under 2K?), and there are a lot of choices that we don't know how to choose between (Anecdotes, Drata, Secureframe, Sprinto, Vanta, Comply). Any help please?

u/Alarming_Skirt6531 — 19 days ago
▲ 13 r/soc2

Is SOC 2 Certificate or SOC 2 Report? Give your feedback.

I saw a meme online saying SOC 2 is a report, and I know that’s true, but why do I keep hearing people say, “SOC 2 certificate”?

u/Moham-Aasif — 16 days ago
▲ 6 r/soc2

Best audit firms?

Has anyone found a firm where you haven't questioned leadership/management on the quality/practices (i.e., not looking at policies/procedures (or omitting statements), or being scared to call out exceptions)? A lot of firms claim they're doing things the right way, but I have found this false after working at a bunch of them and reviewing prior work of managers who are still there. (This isn't a place to post random audit firms you worked with unless you're a framework expert.)

u/Emotional-Dot4634 — 19 days ago
▲ 1 r/soc2

critical issue with our server and not sure how to proceed

So I've done a risk assessment on the company and discovered one of the servers they use is in a bad situation. The 3 critical problems are:
EOL services (PHP, Apache, and some others)
the data is currently sitting unencrypted
backups are done but not tested

My first priority was to get the services upgraded so they are no longer EOL.
The 2nd issue is encrypting the data.

However, management cannot approve the downtime of the server, since the administrator said he cannot encrypt the data on there because it would break the way SQL indexes files for searching, forcing him to completely rebuild the server from scratch. The entire company relies on its services for billing purposes. It would suffer too much lost revenue from the downtime.

I'm at a pretty bad crossroads and don't know how to go about this. I'm thinking as a compensating control we have users manually label data that contains PII/financial data (which is really only about 15-20% of the data on the server; the rest is publicly available data) so that we can then have those encrypted with "key words" added as tags, so that if they need to search the file it can come up.

What would be an acceptable compensating control if we don't encrypt the entire database?
Has anyone suffered this issue before? How did you guys go about it?

u/SSJ4_Vegito — 17 days ago
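The "key words as tags" idea in the post above is essentially a blind index, and it does not need users to label anything by hand: encrypt the sensitive column with an AEAD and store beside it a keyed hash of each keyword, so the database can still find rows by a plain equality match on the tag while never holding the plaintext. The Go program below is an added example of that pattern; it is not the poster's server or code. The fixed demo keys, the two-key layout, the row format and the sample values are assumptions made for the example, and a real deployment would fetch the keys from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Keys: the blind-index key is separate from the encryption key, so a leaked
// index key reveals nothing about stored values. Production keys come from a
// KMS or HSM, not the database host; DemoKeys are fixed only for this demo.
type Keys struct{ Enc, Index []byte }

var DemoKeys = Keys{Enc: []byte("0123456789abcdef0123456789abcdef"), Index: []byte("fedcba9876543210fedcba9876543210")}

// Record is one stored row: the sensitive column exists only as ciphertext; the
// tags (a side table in a real schema) are what the database matches on.
type Record struct {
	ID         int
	Ciphertext []byte          // nonce || AES-256-GCM(sensitive value)
	Tags       map[string]bool // blind index of each keyword in the value
}

// blindIndex is HMAC-SHA256 of the lower-cased keyword, truncated to 8 bytes.
// Tag equality finds candidates without revealing the keyword; truncation
// permits rare false positives, which Search removes after decrypting.
func blindIndex(key []byte, word string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(strings.ToLower(word)))
	return fmt.Sprintf("%x", m.Sum(nil)[:8])
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encrypt prepends a fresh random nonce to the AES-GCM ciphertext.
func encrypt(key, pt []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

func decrypt(key, ct []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(ct) >= n {
		return g.Open(nil, ct[:n], ct[n:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// Store encrypts the sensitive value and derives its search tags.
func Store(k Keys, id int, sensitive string) (Record, error) {
	ct, err := encrypt(k.Enc, []byte(sensitive))
	if err != nil {
		return Record{}, err
	}
	r := Record{ID: id, Ciphertext: ct, Tags: map[string]bool{}}
	for _, w := range strings.Fields(sensitive) {
		r.Tags[blindIndex(k.Index, w)] = true
	}
	return r, nil
}

// Search returns IDs of rows whose sensitive value contains the word: tag
// equality selects candidates, then the decrypted value confirms each hit.
func Search(k Keys, rows []Record, word string) ([]int, error) {
	want := blindIndex(k.Index, word)
	var ids []int
	for _, r := range rows {
		if !r.Tags[want] {
			continue
		}
		pt, err := decrypt(k.Enc, r.Ciphertext)
		if err != nil {
			return nil, err
		}
		text := " " + strings.Join(strings.Fields(strings.ToLower(string(pt))), " ") + " "
		if strings.Contains(text, " "+strings.ToLower(word)+" ") {
			ids = append(ids, r.ID)
		}
	}
	return ids, nil
}

func main() {
	r1, _ := Store(DemoKeys, 1, "Acme Corp acct 7788-2211") // constructed rows
	r2, _ := Store(DemoKeys, 2, "Globex Inc acct 9090-1133")
	fmt.Println(Search(DemoKeys, []Record{r1, r2}, "ACME")) // [1] <nil>
}
```

Blind indexes give exact-keyword lookup only; prefix, range and full-text queries over encrypted data need different designs. The tag table is still sensitive (anyone holding the index key can test guesses against it), so the index key stays off the database host along with the encryption key. Whether this closes the encryption gap is the auditor's call, but it makes it possible to protect the 15-20% that matters without rebuilding the server or breaking search.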
▲ 1 r/soc2

At what stage did compliance start becoming important for your team, early on or only when customers started asking for it?

u/Moham-Aasif — 20 days ago