Proton completes SOC 2 Type II audit, reinforcing trust for business users

18 hours ago (proton.me)

Do any SOC2 Type II auditors truly audit the businesses they’re making an attestation for? Like do they go onsite, physically and virtually, to probe and determine what’s true? Typically the client of an assessor provides compliance evidence in the form of screenshots of configuration details. Clearly this kind of evidence can be fabricated or adulterated.

  • Audits are a checkbox exercise. But like before every flight, pilots complete a checklist, checking boxes just like an audit.

    It takes a culture of following through on what you say you do, and SOC2 is at least a 2-part audit that has you show your policies in the first part and then a year later they validate your evidence that you do what you say. So that puts it well above any self-assessment like NIST (which still has excellent guidance for how to approach security).

    A SOC2 doesn’t prove they don’t share your data with the government, for example, just that they follow what their privacy policy says (which could include clauses about sharing data with the government).

    • It’s really about business capacity, right? They want to make sure the organization functions in an intentional manner.

      Able to make policies and follow them.