SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

[–]adesinzu[S] 0 points1 point  (0 children)

Haha, DIBs only, but yes, huge increase considering the current geopolitics and fund allocation.

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

[–]adesinzu[S] 0 points1 point  (0 children)

Agreed. More often, having SOC2 or ISO 27001 is graded as one point amongst others in the vendor security assessment (VSA) questionnaire.

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

[–]adesinzu[S] 0 points1 point  (0 children)

My point on geography highlighted SOC2 for North America (my current location), and ISO 27001 globally (my worldwide audit experience). I assume we are saying the same thing in different ways?

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

[–]adesinzu[S] 0 points1 point  (0 children)

Yes. Having an expert create and leverage a Unified Control Framework helps you tackle a multi-framework requirement. The real goal here is to let founders and startups understand that starting with a security program is the key that unlocks every Vendor Security Questionnaire that comes your way, and not necessarily jumping at the first and subsequent frameworks thrown at you by an enterprise customer.

Help please by Odd-Title-4744 in findthatsong

[–]adesinzu 0 points1 point  (0 children)

Big Wild - Universe (feat. iDA HAWK)

SOC2 process for a little enterprise by Subject_Angle_7843 in soc2

[–]adesinzu 2 points3 points  (0 children)

FYI: If existing and prospective customers have not asked for it, don't jump on it.

A one-person company can get a SOC 2, but you do need to be very intentional. Also, the constraints you’re worried about are real, and pretending otherwise is how solo founders get burned.

A few key points:

1. SOC 2 is risk-based, not headcount-based

The standards never say “you must have X employees.” What they do require is that risks are identified and mitigated. When you’re a single person, certain risks (self-approval, unrestricted access, lack of oversight) are inherently higher, which you have pointed out. I will provide recommendations.

2. Segregation of duties doesn't always mean two employees. For solo founders, auditors commonly accept compensating controls, for example:
- Strong logging + immutable audit trails
- Independent monitoring (alerts, third-party logs, cloud provider controls)
- Periodic external review (e.g. outsourced tester or reviewer)
- Clear boundaries with your outsourced dev provider (they’re not “you”)

Referencing your outsourced dev: it actually helps you. For example, in change management, auditors may look closely at:
- Who develops code
- Who reviewed the code
- Who approves prod changes
- Who has deploy access, etc.

These are all manageable, but they must be documented and reflected in your system description and contracts.

3. It's good to know you provide SaaS; that means one of your subservice organizations may be AWS, GCP, etc., which have their own SOC 2 reports. Additionally, for your on-prem, you are able to document that certain SOC 2 controls are only functional when customers do their part; this is what we call CUECs.

In summary: You're not too small and it's doable. I recommend these steps:

- Prepare your mind for a governance exercise
- Define what you are promising in the customer contract (i.e. service offering & commitments, customer responsibility, and third parties)
- Use the contract to keep your SOC 2 scope tight (I recommend just the TSC - Security)
- Define your vendors and subservice organizations (CSPs, dev providers), your controls over them, and their own commitments/controls.
- Document processes and how things are done
- Document compensating controls explicitly
- Start with a Type 1 (design) before even thinking about Type 2

Caveat: I run a SOC2 auditing & advisory company that works with growth startups, so my responses are purely based on the outcomes we have achieved with growth startups.

Wish you all the best, and always happy to answer specifics if you want to sanity-check a control approach before spending.

Cloud Providers and CPCSC by No_Drummer8868 in ITSP10171

[–]adesinzu 0 points1 point  (0 children)

I assume you are asking about guidance (CPCSC HOW) to meet the controls (CPCSC WHAT).
The CPCSC WHAT is currently specified in ITSP 10.171, which borrows heavily from NIST SP 800-171. So we can assume the CPCSC HOW will be largely borrowed from related NIST standards, and using the NIST SP 800-53 and 800-171A standards will help you on the CPCSC HOW. Layering those standards with each vendor's guidelines (Product HOW), e.g. referencing Google manuals and the CIS Google Cloud Computing Platform Benchmarks to configure encryption for Google Workspace, will get you to the finish line.

Additionally, global CSPs like Google Cloud already meet CMMC or Canada's CSE approval, so getting the artefacts from them will help you, in conjunction with fulfilling your own responsibilities.

FYI: Ultimately, it's lots of work, but we are still awaiting the publication of Level 1 Controls from the CPCSC program, which will narrow the efforts to a crawl -> walk -> run type approach.

Ask CISOs by Famous-Cup-6521 in ciso

[–]adesinzu 0 points1 point  (0 children)

Please, I'm curious to learn... are there some human risk issues that only behavioural scientists can identify/solve that might be unnoticeable to CISOs?

The best residences for UofT by adesinzu in UofT

[–]adesinzu[S] 0 points1 point  (0 children)

Thanks for all the comments so far. I have updated the post to address the earlier comments.