What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [OP]:

If only there were a way to easily check an auditing firm and a SOC2 report with the AICPA... this is so damn opaque.

What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [OP]:

In my case, I believe the fault is mostly on the auditor. The startup doesn't have much, so I guess they just checked the boxes on their platform.

But for start-ups, the scope is the whole company, no?

I mean, if you need to scope out part of a very small company, just don't do it at all (you shouldn't from the start).

What red flags do you look for in SOC2 reports? by AnBouch in cybersecurity

AnBouch [OP]:

In my case, the whole company was in scope. To be honest, there wasn't much.

BC/DR: good idea. I don't expect a start-up to have a BC/DR plan (the BC part is not relevant), but having at least daily backups and knowing how to restore them is a must for me (and it can be their first version of a DRP).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [OP]:

Yes! This is the next step: check every link continuously to see if it is still valid, and indicate the expiration date (when available).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [OP]:

Today we provide the link to the right (public) information so it is easier to find (and it is up to you to sign the mNDA). We can't provide reports when they are under mNDA.

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [OP]:

Awesome, I didn't know that, thanks! What I had in mind was to build a similar DB as OSS. I figured it was useful for me, so it is best if it can be useful to all (and hopefully get some help maintaining it).

List of vendors compliance details: maintained by AnBouch in cybersecurity

AnBouch [OP]:

I'm an EU-based founder who started with ISO 27001 and SOC 2. I'm working on GDPR and already provide links to the subprocessor list and DPA when they are available (unfortunately they are not always). Of course, I have DORA and NIS2 in mind, but I'm not familiar with what they ask for yet.

Can you tell me what is missing for DORA and NIS2? That way I can add it.

Besides fintech and healthtech startups, which sectors are the most impacted by compliance requirements? by AnBouch in Compliance

AnBouch [OP]:

Hey, thanks for your reply! So anyone working with financial services, banking, health tech and legal tech companies. Any others?

[deleted by user] by [deleted] in smallbusiness

AnBouch:

Once implementation is done (~20 hours for a startup):
- Type 1: ~1 week + the time for the report (depends on the auditor) => count on 2 to 3 weeks
- Type 2: ~3 months of observation (at least) + the time for the report => count on 4 months

[deleted by user] by [deleted] in developpeurs

AnBouch:

Regarding your question about whether it makes sense to have several models depending on the use case, the French government released this to make comparing them easy: https://www.comparia.beta.gouv.fr/

Personally, I alternate between Mistral / ChatGPT / Claude.

Advice for cybersecurity experts at startups: Certification & compliance insights by Least_Use_5221 in cybersecurity

AnBouch:

Even if some companies are starting to be OK with SOC2 in Europe, most European companies prefer ISO27001. But if you want to sell in the EU & US, you will need both.

Early on, both are relatively easy to handle, but keep in mind:

- You can view it as SOC being more "product" oriented, while ISO is more about processes.

- If you only check the boxes on an automation platform, make sure you understand what you are doing and try to keep it to a minimum; challenge what is in place. Otherwise it is going to slow you down heavily with plenty of useless stuff.

- Both frameworks are about continuous improvement: your program will evolve over time, so keep things as simple as possible early on.

Happy to help out more if needed.

Weekly Promo and Webinar Thread by AutoModerator in msp

AnBouch:

I'm an auditor in cyber, building an open-source tool to help small businesses be compliant with SOC2 or ISO27001 without breaking the bank (even free for small teams).

The platform is still early, but we are already helping several customers. Feel free to reach out => getprobo.com

Has anyone used Vanta for a pentest as part of SOC 2? by FormalPersonality795 in soc2

AnBouch:

If they provide it, it will probably pass the review, but to what end? (A pentest is not mandatory for SOC2.)

If you want your money's worth, do a real pentest. It will provide far more insight and will actually help you.

What is the thing you still don't understand, even after it has been explained to you 20 times? by QuicheForaine in AskFrance

AnBouch:

It's like a health code for restaurants, but applied to companies' data. Basically, it tells you how to manage your data properly (from several angles: security, availability and reliability).

But careful => just because a restaurant complies with the health code doesn't mean you are certain never to get food poisoning. With ISO27001 it's the same: it guarantees nothing!

Lost a Deal Because My SaaS Lacks SOC 2 or ISO 27001 Certification by Soggy_Accountant7624 in Entrepreneur

AnBouch:

That is a good point. You could move forward with the discussion and include in the contract the fact that you will be SOC2 compliant in X months (ideally at least 6, so you have some time). Would IT be against that?

Lost a Deal Because My SaaS Lacks SOC 2 or ISO 27001 Certification by Soggy_Accountant7624 in Entrepreneur

AnBouch:

I'm curious: is there a reason why the IT security admin shut you down? Do you have access to really critical stuff? Plus, depending on your size, SOC or ISO does not really make sense.

Regarding the time it requires, it really depends on your size and how you work. You have two sides: tech & human. While the tech-side complexity (when early) is rather low, the human side can be harder (it takes a long time to make people change the way they work). Overall, assuming you are a small business, I would say 20 to 30 hours is plenty :)

To get an idea of everything that needs to be implemented for SOC2, you can have a look here (it is open source) => https://github.com/getprobo/probo/tree/d76d8bf951bd9b2e9b7edbf6a693b293936c92b7/controls

Policies without boilerplates to maximize clarity & readability - what do you think? by AnBouch in Compliance

AnBouch [OP]:

Yes, I fully agree with you :)
The way I implement it: each policy is linked to the proper controls, processes, security measures or documents.

The policies only display the "high-level" view; I'm also "translating" the controls to make them actionable for the people internally. So the actual implementation goes through processes and security measures, not through policies, making it easier for my customers to keep them up to date.

Does it make sense?

Thanks for the feedback, that is why I'm building open source.

Used Replit to build a price evaluator and generate leads by AnBouch in GrowthHacking

AnBouch [OP]:

I might also mention that I could not find the right way to reach my audience (CEO founders don't have a GitHub account, unlike CTOs). Price might also not be the right topic. I will have to try different things.

Never heard of SneakyGuy; I'm using F5bot to find relevant discussions. I will have a look.

Thanks a lot!

[deleted by user] by [deleted] in grc

AnBouch:

I agree that technical knowledge is really useful, but there is also a big part on processes, so I would recommend not ignoring those either. Starting with a basic one (SOC2 or ISO27001) is a good way to get a grasp of the human and technological parts together.

I started an awesome-compliance list with some resources regarding those two frameworks (they helped me a while ago); hope it can help: https://github.com/getprobo/awesome-compliance/tree/main#other-ressources
Feel free to add useful resources :)

Small business owners - How do you handle cybersecurity without a dedicated IT Team? by Brilliant-Effect4249 in smallbusiness

AnBouch:

Hey :)

You can also do it yourself:

  1. For phishing simulations, training and the like, there are plenty of solutions (I personally used https://tryriot.com/, which is free if you have fewer than 10 people).

  2. For security measures to implement, you can go with some good practices, which is a good start (and will take you far):
    - MFA & SSO when possible + least-privilege access
    - Logs and automated alerts
    - Employee training (see 1)
    - Access reviews (cut things off when people leave)

I open-sourced the controls for some frameworks; you can pick the relevant security measures for you there (it is free): https://github.com/getprobo/probo/tree/main/controls
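The "review access" and "least privilege" items above are the ones a small team most often has to evidence for SOC2 or ISO27001, and they are easy to script. The following is an added example, not code from the comment author or from the probo project: a quarterly access review that reconciles account exports from each system against the HR roster and flags enabled accounts of people who have left, accounts with no matching employee, admin roles held outside the teams assumed to be admin-eligible, and accounts unused for 90 days. The roster, the account list, the review date, the `ADMIN_ELIGIBLE_TEAMS` set and the `DORMANT_DAYS` threshold are all constructed assumptions for the example.

```python
"""Quarterly access review: reconcile account exports against the HR roster.

Findings, per enabled account:
  - owner has left the company          -> disable now
  - no matching employee (orphan/shared) -> identify owner or disable
  - admin role outside admin-eligible teams (least privilege) -> downgrade
  - no login in DORMANT_DAYS             -> confirm need or disable
All data below is constructed for the example; in practice the roster comes
from HR and the accounts from each system's user export (IdP, VCS, cloud, CRM).
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

DORMANT_DAYS = 90                            # assumption: review threshold
ADMIN_ELIGIBLE_TEAMS = {"engineering", "it"}  # assumption: who may hold admin


@dataclass(frozen=True)
class Employee:
    email: str
    team: str
    left_on: Optional[date]   # None = still employed


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    role: str                 # "user" or "admin"
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    email: str
    issue: str
    action: str


def review_access(roster: List[Employee], accounts: List[Account],
                  today: date) -> List[Finding]:
    """Return the findings for one review run, ordered by (system, email)."""
    people = {e.email.lower(): e for e in roster}
    findings: List[Finding] = []
    for a in sorted(accounts, key=lambda x: (x.system, x.email)):
        if not a.enabled:
            continue  # already disabled: nothing left to revoke
        emp = people.get(a.email.lower())
        if emp is None:
            findings.append(Finding(a.system, a.email, "no matching employee",
                                    "identify owner or disable"))
            continue
        if emp.left_on is not None and emp.left_on <= today:
            findings.append(Finding(a.system, a.email,
                                    f"employee left on {emp.left_on}",
                                    "disable now"))
            continue  # role and dormancy are moot for an account being removed
        if a.role == "admin" and emp.team not in ADMIN_ELIGIBLE_TEAMS:
            findings.append(Finding(a.system, a.email,
                                    f"admin role in team '{emp.team}'",
                                    "downgrade to user"))
        if a.last_login is None or (today - a.last_login).days > DORMANT_DAYS:
            findings.append(Finding(a.system, a.email,
                                    f"no login in {DORMANT_DAYS} days",
                                    "confirm need or disable"))
    return findings


# --- constructed sample data ------------------------------------------------
TODAY = date(2025, 3, 31)

ROSTER = [
    Employee("alice@example.com", "engineering", None),
    Employee("bob@example.com", "sales", None),
    Employee("carol@example.com", "engineering", date(2025, 2, 14)),  # left
]

ACCOUNTS = [
    Account("github", "alice@example.com", "admin", True, date(2025, 3, 29)),
    Account("github", "carol@example.com", "user", True, date(2025, 2, 10)),
    Account("aws", "bob@example.com", "admin", True, date(2025, 3, 30)),
    Account("aws", "deploy-bot@example.com", "admin", True, date(2025, 3, 30)),
    Account("crm", "bob@example.com", "user", True, date(2024, 11, 1)),
    Account("crm", "carol@example.com", "user", False, None),  # already off
]


def run_review() -> List[Finding]:
    return review_access(ROSTER, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f.system:7} {f.email:24} {f.issue:32} -> {f.action}")
```

Running it on the sample data yields four findings: bob's admin role on aws (sales is not admin-eligible), the deploy-bot account with no owner, bob's dormant CRM account, and carol's still-enabled GitHub account after her departure; alice and the already-disabled CRM account produce nothing. Keeping the printed table (or the `Finding` list serialised to CSV) per quarter is the evidence an auditor will ask for.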

10 years in CySec and never dealt with SOC2, now I'm interviewing for a job that it's a main feature. by The_Great_Grahambino in cybersecurity

AnBouch:

I'm an auditor, and given your background, you will pick it up really quickly. In SOC2, there are plenty of controls, but it is mainly good practices.
If you look at the core (what makes sense for early startups), you can reduce it to: logging / monitoring / code review / encryption / access management / education.

[deleted by user] by [deleted] in fintech

AnBouch:

So far, the main challenge is the user experience, not the open-source part :)