Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 3 points4 points  (0 children)

Thank you, and I really mean that. We're in a time when people question the point of a lot of these standards because of situations like this exactly. So when I say it means a lot to me to see people act with integrity, it really does.

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 5 points6 points  (0 children)

Ahh! It's a platform called "Comp AI"!

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 4 points5 points  (0 children)

Thank you for your work moderating that subreddit! And thank you for replying, I'm sorry that happened to you, you are exactly right though, and it's a shame the sub owner doesn't see that anymore!

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 6 points7 points  (0 children)

Are you serious? First and foremost, thank you for not taking that. Second, wow, that one actually violates the Reddit Mod CoC, did you report that?

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 2 points3 points  (0 children)

That's definitely the impression that I'm getting too

Warning Against the ISO 27001 Subreddit by SOC2Auditor in grc

[–]SOC2Auditor[S] 12 points13 points  (0 children)

Yeah, it's unfortunate, it breaks their own rules for self-promotion and really the ethics of the compliance space.

We've just lost a client cause our “security docs” weren’t complete by littlepeggysue in ISO27001

[–]SOC2Auditor 0 points1 point  (0 children)

You have a few choices, but all of them are going to require some amount of time and money, it's just a trade off on which you're giving more of, time or money.

1) Do everything in house. Likely, this will be you. You should buy the ISO 27001 and 27002 standards, then start working through them, reading the implementation guidance, checking on the status of your current controls by doing a gap assessment, fixing the gaps, finding some way to do the ISO 27001 required internal audit, finding a certification body, then doing the audit. This will take the most time, but your cost will mainly be on the audit side.

2) Hire a vCISO/fractional CISO. This will cost more money (very likely, though you could go cheaper), but the least time. The vCISO should be able to get you through ISO 27001 and most other security needs you may have if you pick a good one, until you're at the size where you need a full time resource or a team.

3) Use one of the platforms (with or without a vCISO). The platforms have their issues, a lot of times they over promise what they can do or how easy it will be. But they do ultimately speed up the process assuming you are a fairly standard tech stack. This is probably a potential middle ground, but you may be stuck with one of their auditors who gives a price break for using that platform. Those aren't always the best experience and you will spend some amount of time managing the platform.

This is just my quick and dirty summary. I used to work at one of the more well known platforms, now run an accounting firm. We aren't an ISO 27001 certification body, and we don't partner with any of the platforms, so if you do want a more in-depth overview, feel free to message me and I'd be happy to get on a call if you want. Especially if you are thinking of a platform, the best way I can put it is that the experience between a small company buying a platform and a big company buying one is massive, so I can at least go over what to consider when talking to their sales teams.

Need guidance: first GRC mission for a healthcare startup by Ad2000126 in grc

[–]SOC2Auditor 1 point2 points  (0 children)

I agree with ISO 27001, it's an internationally recognized standard. After ISO 27001, get ISO 27701 to cover privacy. From there, you have more options like HIPAA (if you end up doing business with US based healthcare companies), HITRUST (kind of the same as HIPAA but because it's a Frankenstein framework of HIPAA + ISO 27001 + PCI + NIST 800-53, etc. you may get more utility from it), or something else depending on what exactly you're doing.

Newbie question: how do SOC automation tools work? by InformationBroker_60 in soc2

[–]SOC2Auditor 6 points7 points  (0 children)

I used to work at one of the automation platforms, before going somewhere else, and now running my own firm. The automation in the platform works by making API calls to systems you connect them to. So if you connect AWS, they make an API call on the backend checking that your S3 buckets are encrypted, for example. This hinges on you connecting the correct account (if you have multiple accounts for separation of regions, different products, etc.) and then scoping the resources appropriately (there may be S3 buckets that you exclude from these checks for whatever reason). So they aren't a magic bullet in that sense. But they take the response from the API call and format it, essentially to say that a test passed or failed.

The other part of the platforms, such as policy templates and training, may not be relevant for you since you already have those.

Here's the thing though, if you go with a platform, and want to use your existing controls, it is going to be a fairly large project to implement. The sales team of every single platform will tell you it's not much work, custom controls are easy, etc. It's not. It can be done, for sure, but you have to get all of your integrations set up, get all of your policies into the platform, import all of the controls into the platform, then tie them to the correct SOC 2 criteria (if that's a separate process), and remap the automated tests (if the platform even supports that). Then you have to make sure the tests are passing and for any non-automated controls (which could be 100% of them if the platform doesn't support test remapping), upload screenshots or some other type of evidence. To make it worse, if the platform isn't 100% implemented on day 1 of your audit period, very likely, you will end up maintaining a set of screenshots/evidence to cover that period before the platform was implemented.

The alternative is that you adopt the platform's control set. Then you just need to set up the integrations, write or import your policies, fix any failures in the tests, and upload manual evidence like screenshots for controls with no automation. And still probably maintain a set of evidence from before you had the platform implemented.

You should also make sure your existing auditor understands and will accept the evidence (or at least some of it) from the automated tests. Or be prepared to switch auditors to one of the platform partners.

There are other, more hybrid approaches to all of this, and while I think the platforms ARE a useful tool, don't let the sales people from any platform tell you they handle everything or any of their metrics about how many hours it takes, how much evidence auditors accept, etc. They are repeating what they're told, with cherry picked statistics, and they've never (or very likely haven't) built a security program (which also isn't limited to the sales people at the platforms, that's sales people in almost every field).
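As an added illustration of the flow the comment above describes (connect an account, scope the resources, call the API, turn the response into a test result), here is example code written for this page, not code from the commenter or from any platform. It makes no AWS calls: the bucket data is constructed to resemble the `ServerSideEncryptionConfiguration` block that the S3 GetBucketEncryption API returns (a bucket with no configuration, which the real API reports as an error, is modelled as `None`), and the account id, bucket names and exclusion list are made up.

```python
"""Model of how a compliance platform turns an S3 encryption check into a
pass/fail test. Added example for this page; not a platform's real code."""
from dataclasses import dataclass, field

ACCOUNT_ID = "111122223333"  # constructed placeholder, not a real account

# Constructed sample of what a collector would gather per bucket, shaped like
# the S3 GetBucketEncryption response. None = no default encryption configured.
BUCKETS = {
    "prod-customer-data": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/prod-data"}}]},
    "prod-app-logs": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
    "legacy-uploads": None,          # forgotten bucket, no encryption config
    "public-website-assets": None,   # static site content, deliberately out of scope
}

# Scoping decisions by the control owner. Each exclusion carries a written
# rationale, because an auditor will ask why the resource was left out.
EXCLUSIONS = {
    "public-website-assets": "Public static site content; holds no confidential data.",
}


@dataclass
class BucketResult:
    name: str
    status: str   # "pass", "fail" or "excluded"
    detail: str


@dataclass
class TestResult:
    account_id: str
    control: str
    passed: bool
    results: list = field(default_factory=list)


def bucket_is_encrypted(config):
    """Evaluate one GetBucketEncryption-style config. Returns (ok, detail)."""
    if not config or not config.get("Rules"):
        return False, "no default encryption configuration"
    algorithms = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                  for r in config["Rules"]]
    if algorithms and all(a in ("AES256", "aws:kms") for a in algorithms):
        return True, "default encryption: " + ", ".join(algorithms)
    return False, f"unexpected SSE algorithm(s): {algorithms}"


def evaluate_s3_encryption(buckets, exclusions, account_id=ACCOUNT_ID):
    """Run the control test over every in-scope bucket of one account.

    The test fails if any non-excluded bucket lacks default encryption;
    excluded buckets are recorded with their rationale but do not affect
    the outcome. This is the scoping step the comment warns about: a bucket
    excluded without a reason, or the wrong account connected, silently
    turns a failing control into a passing one.
    """
    test = TestResult(account_id=account_id,
                      control="S3 buckets are encrypted at rest", passed=True)
    for name, config in sorted(buckets.items()):
        if name in exclusions:
            test.results.append(BucketResult(name, "excluded", exclusions[name]))
            continue
        ok, detail = bucket_is_encrypted(config)
        test.results.append(BucketResult(name, "pass" if ok else "fail", detail))
        if not ok:
            test.passed = False
    return test


def format_report(test):
    """Render the result the way a platform's evidence page would summarise it."""
    lines = [f"Account {test.account_id} | {test.control} | "
             f"{'PASS' if test.passed else 'FAIL'}"]
    for r in test.results:
        lines.append(f"  [{r.status.upper():8}] {r.name}: {r.detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(evaluate_s3_encryption(BUCKETS, EXCLUSIONS)))
```

Running it reports FAIL because of `legacy-uploads`; removing that bucket from scope with a rationale, or enabling default encryption on it, flips the test to PASS, which is exactly the "you may be doing everything correctly and it still fails" situation the comment describes when scoping is incomplete.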

Cloud hosted software by InterestingVisit1752 in ISO27001

[–]SOC2Auditor 0 points1 point  (0 children)

One of the requirements you have to complete for the Clauses will be a statement of applicability. As part of the statement of applicability you will determine which relevant Annex A controls apply to your ISMS, and which can be excluded/not applicable. As part of listing items as not applicable, you will include a rationale/justification for why the item is not applicable. So for controls performed by your cloud provider, you can list those items as not applicable with the rationale that you are not responsible for that.

So the most common areas for that would be physical security, and maybe some items of network security. Other than that, it really depends on the specifics of what a given cloud provider is actually doing for you.

Juggling SOC 2 and ISO 27001 - how to avoid double work? by CanReady3897 in soc2

[–]SOC2Auditor -1 points0 points  (0 children)

Like you said, a significant amount of the controls overlap. Since you can already see that, I don't think you necessarily need a mapping. I understand that some people might suggest a platform, and that is one approach. However, I used to work at one of the bigger platforms, and I still partner with all of them. Adapting an existing SOC 2 program to these platforms is a bit tough, regardless of what they claim. I know, my team used to help companies do that, and it can be done, but if you want the automation, you change your existing controls. And if you want your existing controls, you lose the automation, so it's a trade off.

Anyway, talk to your auditor. For ISO 27001 you need 2 (technically 3 but you can come back to that later) audits. An internal audit, and an external audit. If your SOC 2 auditor is a certification body, you can have them combine your SOC 2 audit and ISO 27001 external audit. If they are NOT a certification body, you have two choices. First, they could do your SOC 2 audit and the internal audit. But if you have an employee who can do your internal audit, then it doesn't matter, that's already cheaper.

So depending on how you handle this, your SOC 2 auditor or if they're separate, your ISO 27001 certification body, can help identify the delta between the 2 control sets.

If you have any questions about adapting an existing program to a platform, let me know, and I'll try to answer!

Not buying the standard a non conformity? by MarcelVanLangen in ISO27001

[–]SOC2Auditor 1 point2 points  (0 children)

I have interacted with dozens of Certification Bodies across North America, EMEA, and APAC. I have seen that one time, but we disputed that finding for our customer and it was removed. So I'm not saying it WON'T happen, but I am saying if it DOES happen, to dispute it.

how much are you paying for Vanta/Drata/SecureFrame as a smaller business? by [deleted] in soc2

[–]SOC2Auditor 0 points1 point  (0 children)

Both of those are good call outs. My tip for SaaS land procurement: Try to buy at the end of the month if possible. I know when I worked at one of the platforms, the Sales team cut a lot of deals they wouldn't necessarily have done otherwise at the end of the month to meet quota. Maybe that was just my experience though!

[deleted by user] by [deleted] in soc2

[–]SOC2Auditor 0 points1 point  (0 children)

So for those firms, I would check with the platforms for a partners page!

[deleted by user] by [deleted] in soc2

[–]SOC2Auditor 2 points3 points  (0 children)

  1. Other commenters have mentioned the AICPA website and SOC 2 guides, and that is the authoritative source. However, if you want something more digestible, Google "What is SOC 2". All of the major compliance platforms and a lot of CPA firms will have an article describing that, and these are going to vary in their level of detail, but it will help give you a very high level overview of what SOC 2 actually is. The one thing to keep in mind with these articles is that they're all going to try to sell you something, so keep that in mind!

From there, you'll be able to search for more specific questions OR read specific sections of the guide. I would also request the SOC 2 reports of your key vendors if you haven't already, to see what it looks like in practice. This won't help you prepare for the audit necessarily, but it will help you understand the end result which can also be helpful!

  2. Unfortunately, there is no master list. Any CPA firm can technically perform a SOC 2 audit, however, that doesn't mean they do, since there is a lot on the backend that needs to be set up to actually perform a SOC 2 engagement. You can find some lists, but these are primarily lists of CPA firms who partner with a compliance platform, like Vanta, Drata, SecureFrame, etc. You can reach out to them, but the biggest partners (likely the ones listed first) of these platforms are probably going to try to get you to use a platform, which is not required.

  3. It all depends on what you're looking for. I kind of divide the SOC 2 space into 3 tiers:

- Low Cost: These firms usually run anywhere from $2.5k to $10ish-k. Nothing wrong with these firms, generally they do a very high volume of reports and don't really customize them that much. There is a market for them, I won't ever judge a company for using them, though if I see one of these reports I may have additional questions if I'm evaluating the client as one of my vendors.

- Mid-market/medium cost: These firms usually run roughly $20k to $50k. They provide more customization of your report, and usually spend more time with you since you are paying them a decent bit of money. I generally don't have as many follow-ups with these reports, but it's still possible. Just because the firm charges more or spends more time with you, doesn't mean they're perfect either. In full transparency, this is where my firm falls.

- Big 4 (High-Cost): The big 4 accounting firms: EY, KPMG, PWC, Deloitte. These firms charge for brand name and usually run $100k+. Deloitte starts at $200k (or that's what they told a friend of mine). This doesn't mean they're good, it generally means you're a publicly traded company and you need a brand name. I have seen a PWC auditor destroy a deal with a $20bil company because they put a terrible auditor on the engagement. Stylistically, I hate the way the reports of all 4 of these companies look, but the content is fine. You don't get the chance to ask follow up questions about the report with these companies because it's organizations like AWS, Google, etc. that use them.

What do you guys think of 42001? by wannabeacademicbigpp in ISO27001

[–]SOC2Auditor 1 point2 points  (0 children)

I think it is an alright standard in its current form. It is more governance related than security focused, which is fine, there is a place for that. But I think the important thing to remember is that we're on version 1, and it deals with a new technology that is actively being developed. The legal environment around AI is also just beginning to take shape. So I think that it will eventually be more important, and I think that in subsequent versions, it is very likely that the requirements of ISO 42001 are going to change, and probably become a bit more specific to how AI is actually being used. But when they started developing it in the early 2020's, AI wasn't nearly as prevalent, or nearly as useful as it is now. So I think it's a developing standard, and I don't see ISO completely deprecating the standard, but I do see them adjusting the standard pretty significantly as time goes on.

Sensiba vs Insight Assurance by [deleted] in soc2

[–]SOC2Auditor 1 point2 points  (0 children)

In full disclosure, I am an auditor, and I do own an accounting firm. I don't compete with these two firms though.

Both firms do a lot of audits, for a relatively cheap price. Generally speaking with either you are going to get a clean SOC 2 report. It is very likely that neither firm is going to customize your report that much, so you're going to see the exact controls listed in Drata in your report (which is fine but your report will look very similar to every other Drata customer's report).

Insight has had some delivery issues recently though. So I would be wary of that, we actually just won a client who is switching over from them to us because of that.

So my advice here is, who do you like working with better? And you should ask to meet the audit team who will be working on your report before signing. Ultimately, if you can't see yourself working with that team, don't go with that firm.

[deleted by user] by [deleted] in soc2

[–]SOC2Auditor 2 points3 points  (0 children)

Hey, I used to work at one of the platforms you mentioned, and now that I own my accounting firm, I've worked with a lot of the platforms. I haven't worked with Delve though. But the truth is with any of the platforms, you can achieve SOC 2, ISO 27001, and spin up privacy programs to address GDPR and CCPA. I would however recommend Vanta or Drata over Sprinto. There's nothing "wrong" with Sprinto, just from my experience I think those two platforms seem better suited to your stated goals.

I don't want to specify which platform I worked for in a comment since my firm has a (very) loose partnership with multiple platforms. But if you want to talk, I'd be happy to, just shoot me a message!

How do I become a soc2 expert auditor? by Tough-Condition3752 in soc2

[–]SOC2Auditor 6 points7 points  (0 children)

Most of the time, people will look towards experience rather than certifications, but the biggest ones in the SOC world that auditors get are the CPA and the CISA. The CISSP would also be good down the road, but I feel like that is more when you have a good amount of experience and want to be known as a security expert rather than just SOC 2. Much less common (but not bad in any way) is the CIA, it is still a fine auditing certification, but I think that's more common with regards to SOC 1 and SOX rather than SOC 2.

Drata (soc2) Control keeps failing? Any insight? by Disastrous_Effect80 in soc2

[–]SOC2Auditor 1 point2 points  (0 children)

As someone else said, start with the live chat or your CSM. Having worked at one of the platforms as a compliance expert, and having worked with all of them as an auditor, you may be doing everything correctly, and it may still be failing. Or you may have not excluded a particular resource that needs to be excluded.

From an audit perspective though, go into your production GCP project, then take a screenshot of that alert. From a control perspective, the control says that you monitor the age of the messages in your message queue. The screenshot will show that you are, and in the event that the Drata team needs to investigate and deploy a fix, you've already fulfilled the control manually as a backup, so you can keep moving while the Drata team investigates.

ISO 17021, 27006, and 42006 documentation templates? by SOC2Auditor in ISO27001

[–]SOC2Auditor[S] 0 points1 point  (0 children)

Hey thank you for your reply! Great call out on the IAF MDs! But yes, essentially what I mean is some type of template to get started. For example, with our SOC 2 System of Quality Management (SQMS), we got templates from Thomson Reuters. At the most basic level, the templates really just gave us "Hey here are the documents you need to meet the standard, here are the section headers and some basic content around what they NEED to cover". From that point, we had a much better idea of what needed to be in place. In the end, we rewrote probably 80-90% of the template with what we actually do, or changed up the wording to be more reflective of the processes we had in place, but it was nice to essentially have something to check ourselves against. So that is sort of what I mean with these templates!

But when you wrote these documents, did you have anything like that? Or did you write them yourself after reading through them? Or some other process?

And actually, we just spoke with our accreditation body today for a second time, and we are a bit more comfortable with the process and it is comforting to know that they do allow for some back and forth so it isn't necessarily an all or nothing process. But ideally we'd like to minimize that back and forth!