Comment by kemotep

1 day ago

Audits are a checkbox exercise. But, like before every flight, pilots complete a checklist, checking boxes just like an audit.

It takes a culture of following through with what you say you do, and SOC2 is at least a 2-part audit that has you show your policies in the first part; then, a year later, they validate your evidence that you do what you say. So that puts it well above any self-assessment like NIST (which still has excellent guidance for how to approach security).

A SOC2 doesn’t prove they don’t share your data with the government, for example, just that they follow what their privacy policy says (which could include clauses about sharing data with the government).

It’s really about business capacity, right? They want to make sure the organization functions in an intentional manner.

Able to make policies and follow them.