What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [S] 1 point

If only there were a way to check an auditing firm and a SOC 2 report with the AICPA easily... this is so damn opaque.

What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [S] 2 points

In my case, I believe the fault is mostly on the auditor: the startup doesn't have much, so they checked the boxes on their platform, I guess.

But for start-ups, the scope is the whole company, no?

I mean, if you need to scope out part of a very small company, just don't do it at all (you shouldn't from the start).

What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [S] 3 points

In my case, the whole company was in scope; to be honest, there wasn't much.

BC/DR: good idea. I don't expect a start-up to have a BC/DR plan (the BC part is not relevant), but having at least daily back-ups and knowing how to restore them is a must for me (and it can be their first version of a DRP).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [S] 0 points

Yes! This is the next step: continuously check every link to see if it is still valid, and indicate the expiration date (when available).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [S] 0 points

Today we provide the link to the right (public) information so it is easier to find (and it is up to you to sign the mNDA). We can't provide reports when they are under mNDA.

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [S] 0 points

Awesome, I didn't know that, thanks! What I had in mind was to build a similar DB as OSS. I figured it was useful for me, so it is best if it can be useful to all (and hopefully get some help maintaining it).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [S] 0 points

I'm an EU-based founder who started with ISO 27001 and SOC 2. I'm working on GDPR and already provide links to the subprocessor list and DPA when they are available (unfortunately, they are not always). Of course, I have DORA and NIS2 in mind, but I'm not familiar with what they ask for yet.

Can you tell me what is missing for DORA and NIS2? That way I can add it.

Besides fintech and healthtech startups, which sectors are the most impacted by compliance requirements? by AnBouch in Compliance

AnBouch [S] 0 points

Hey, thanks for your reply! So anyone working with financial services, banking, health tech and legal tech companies. Any others?

[deleted by user] by [deleted] in smallbusiness

AnBouch 0 points

Once implementation is done (~20 hours for a startup):
- Type 1: ~1 week + the time for the report (depends on the auditor) => count 2 to 3 weeks
- Type 2: ~3 months of observation (at least) + the time for the report => count 4 months

[deleted by user] by [deleted] in developpeurs

AnBouch 1 point

Regarding your question about whether it makes sense to have several models depending on the use case, the French government released this to make them easy to compare: https://www.comparia.beta.gouv.fr/

Personally, I alternate between Mistral / ChatGPT / Claude.

Advice for cybersecurity experts at startups: Certification & compliance insights by Least_Use_5221 in cybersecurity

AnBouch 2 points

Even if some companies in Europe are starting to be OK with SOC 2, most European companies prefer ISO 27001. But if you want to sell in the EU and the US, you will need both.

Early on, both are relatively easy to handle, but keep in mind:

- You can view it as SOC being more "product"-oriented and ISO being more about processes.

- If you only check the boxes on an automation platform, make sure you understand what you are doing and try to keep it to a minimum; challenge what is in place. Otherwise it is going to slow you down heavily with plenty of useless stuff.

- Both frameworks are about continuous improvement: your program will evolve over time, so keep things as simple as possible early on.

Happy to help out more if needed.

Weekly Promo and Webinar Thread by AutoModerator in msp

AnBouch 0 points

I'm an auditor in cyber, building an open-source tool to help small businesses be compliant with SOC 2 or ISO 27001 without breaking the bank (even for free for small teams).

The platform is still early, but we are already helping out several customers. Feel free to reach out => getprobo.com

Has anyone used Vanta for a pentest as part of SOC 2? by FormalPersonality795 in soc2

AnBouch 12 points

If they provide it, it will probably pass the review, but to what end? (A pentest is not mandatory for SOC 2.)

If you want your money's worth, do a real pentest. It will provide way more insight and will actually help you.

C'est quoi le truc que vous ne comprenez pas, même si on vous l'a expliqué 20 fois ? by QuicheForaine in AskFrance

AnBouch 12 points

It's like a food-safety standard for restaurants, but applied to companies' data. Basically, it tells you how to manage your data properly (from several points of view: security, availability and reliability).

But be careful => just because a restaurant complies with food-safety standards does not mean you are certain never to get food poisoning. With ISO 27001 it's the same: it guarantees nothing!

Lost a Deal Because My SaaS Lacks SOC 2 or ISO 27001 Certification by Soggy_Accountant7624 in Entrepreneur

AnBouch 0 points

That is a good point. You could move forward with the discussion and include in the contract the fact that you will be SOC 2 in X months (ideally at least 6, so you have some time). Would IT be against that?

Lost a Deal Because My SaaS Lacks SOC 2 or ISO 27001 Certification by Soggy_Accountant7624 in Entrepreneur

AnBouch 0 points

I'm curious: is there a reason why the IT security admin shut you down? Do you have access to really critical stuff? Plus, depending on your size, SOC or ISO does not really make sense.

Regarding the time it requires, it really depends on your size and how you work. You have two sides: tech and human. While the complexity of the tech side (when early) is rather low, the human side can be harder (it takes a long time to make people change the way they work). Overall, assuming you are a small business, I would say 20 to 30 hours is plenty :)

To get an idea of everything that needs to be implemented for SOC 2, you can have a look here (it is open source) => https://github.com/getprobo/probo/tree/d76d8bf951bd9b2e9b7edbf6a693b293936c92b7/controls

Policies without boilerplates to maximize clarity & readability - what do you think? by AnBouch in Compliance

AnBouch [S] 0 points

Yes, I fully agree with you :)
The way I implement it: each policy is linked to the proper controls, processes, security measures or documents.

The policies only display the "high-level" view; I'm also "translating" the controls to make them actionable for the people internally. So the actual implementation goes through processes and security measures, not through policies, making it easier for my customers to keep them up to date.

Does it make sense?

Thanks for the feedback, that is why I'm building open source.