Comment by bawolff

3 years ago

The point of these types of audits isn't so much to determine "security", it's to leave a paper trail so that people aren't accidentally lying to customers. It proves that you are either doing what you claim to be doing or intentionally being deceitful. It cuts out the murky middle ground of "we didn't do what we claimed, but it's all a misunderstanding & accidental so you can't blame us".

How much it succeeds is debatable, but auditors being security experts is irrelevant to those goals.

Don't forget the cases where the companies are deliberately lying to customers. I worked at a company that pretty much lied to its customers' security teams about what they did. Not borderline, but claimed things they didn't do and didn't have plans to implement. This is what the SOC2 audit is for.