Comment by _tk_
4 hours ago
I was part of several third party risk management audits from a corporate perspective.
We regularly audited and questioned SMBs (and big corps) with regards to their security posture. We knew that small shops wouldn’t be able to be fully compliant with SOC 2 Type 2 or have an ISO 27001 certified environment. If it was clear that our business wanted the product, we either tried to help the company with the questionnaire or created a risk report that was then signed by the business. In other words: even if your customer asks you to be compliant, you don’t have to be if they care enough about your product.
If you seem intent on getting things right, that’s a big plus. Most of your competitors don’t even know what SOC 2 is.
Can this also be done for HIPAA and FERPA, or for those compliance requirements is the process the way to go and just filling out the questionnaire would not be sufficient?
Thank you for your comment!