Comment by dgellow

3 hours ago

Sure, yes. The way I understand it, SOC2 relies on the auditors to set the effective standard. So it really depends on who audited you.

SOC2 auditors are accountants. A SOC2 auditor verifies only that you're doing what you say you're doing.

  • And the way they verify you are doing what you say you are doing is by asking you to provide evidence. It is usually pretty easy to demonstrate that a policy was followed once or twice, and a lot harder for them to pick up consistency issues or exceptions.

  • Obviously, yes

    • A SOC auditor who tells you that you can’t use an nmap scan to meet SOC2 obligations is a bad SOC auditor, because they’re attempting to enforce a constraint on you that SOC2 does not.

      But the far more likely thing is that a medium SOC auditor, upon being told “we do our vulnerability scanning with nmap”, would say “I haven’t heard of nmap. You should use Tenable,” and if you’re letting a SOC auditor drive your engineering you’d make a mistake and accidentally think that meant you needed to change your answer for SOC2 and go buy Tenable licenses.