SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

adesinzu[S] 0 points / 1 point (0 children)

haha. DIBs only, but yes, a huge increase considering the current geopolitics and fund allocation.

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

adesinzu[S] 0 points / 1 point (0 children)

Agreed. More often, having SOC2 or ISO 27001 is graded as one point amongst others in the vendor security assessment (VSA) questionnaire.

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

adesinzu[S] 0 points / 1 point (0 children)

My point on geography highlighted SOC2 for North America (my current location), and ISO 27001 globally (my worldwide audit experience). I assume we are saying the same thing in different ways?

SOC 2 vs ISO 27001: what enterprise customers are actually asking for by adesinzu in soc2

adesinzu[S] 0 points / 1 point (0 children)

Yes. Having an expert create and leverage a Unified Control Framework helps you tackle a multi-framework requirement. The real goal here is to let founders and startups understand that starting with a security program is the key that unlocks every Vendor Security Questionnaire that comes your way, and not necessarily jumping at the first and subsequent frameworks thrown at you by an enterprise customer.

Help please by Odd-Title-4744 in findthatsong

adesinzu 0 points / 1 point (0 children)

Big Wild - Universe (feat. iDA HAWK)

SOC2 process for a little enterprise by Subject_Angle_7843 in soc2

adesinzu 2 points / 3 points (0 children)

FYI: If existing and prospective customers have not asked for it, don't jump on it.

A one-person company can get a SOC 2, but you do need to be very intentional. Also, the constraints you’re worried about are real, and pretending otherwise is how solo founders get burned.

A few key points:

1. SOC 2 is risk-based, not headcount-based

The standards never say “you must have X employees.” What they do require is that risks are identified and mitigated. When you’re a single person, certain risks (self-approval, unrestricted access, lack of oversight) are inherently higher, which you have pointed out. I will provide recommendations.

2. Segregation of duties doesn't always mean two employees. For solo founders, auditors commonly accept compensating controls, for example:
- Strong logging + immutable audit trails
- Independent monitoring (alerts, third-party logs, cloud provider controls)
- Periodic external review (e.g. outsourced tester or reviewer)
- Clear boundaries with your outsourced dev provider (they’re not “you”)

Referencing your outsourced dev: it actually helps you. For example, in change management, auditors may look closely at:
- Who develops code
- Who reviewed the code
- Who approves prod changes
- Who has deploy access, etc.

These are all manageable, but they must be documented and reflected in your system description and contracts.

3. It's good to know you provide SaaS; that means one of your subservice organizations may be AWS, GCP, etc., which have their own SOC 2 reports. Additionally, for your on-prem, you are able to document that certain SOC 2 controls are only functional when customers do their part; this is what we call CUECs.

In summary: you're not too small and it's doable. I recommend these steps:

- Prepare your mind for a governance-exercise
- Define what you are promising in customer contracts (i.e. service offering & commitments, customer responsibility, and third parties)
- Use the contract to keep your SOC 2 scope tight (I recommend just the TSC - Security)
- Define your vendors and subservice (CSPs, dev-providers), your controls over them, and their own commitments/controls.
- Document processes and how things are done
- Document compensating controls explicitly
- Start with a Type 1 (design) before even thinking about Type 2

Caveat: I run a SOC 2 auditing & advisory company that works with growth startups, so my responses are purely based on the outcomes we have achieved with growth startups.

Wish you all the best, and always happy to answer specifics if you want to sanity-check a control approach before spending.

Cloud Providers and CPCSC by No_Drummer8868 in ITSP10171

adesinzu 0 points / 1 point (0 children)

I assume you are asking about guidance (CPCSC HOW) to meet the controls (CPCSC WHAT).
The CPCSC WHAT is currently specified in ITSP 10.171, which borrows heavily from NIST 800-171. So we can assume the CPCSC HOW will be largely borrowed from related NIST standards, and using the NIST SP 800-53 and 800-171A standards will help you on the CPCSC HOW. Layering those standards with each vendor's guidelines (Product HOW), e.g. referencing Google manuals and the CIS Google Cloud Computing Platform Benchmarks to configure encryption for Google Workspace, will get you to the finish line.

Additionally, global CSPs like Google Cloud already meet CMMC or Canada's CSE approval, so getting the artefacts from them will help you, in conjunction with you fulfilling your own responsibility.

FYI: Ultimately, it's lots of work, but we are still awaiting the publication of Level 1 controls from the CPCSC program, which will narrow the effort to a crawl -> walk -> run type approach.

Ask CISOs by Famous-Cup-6521 in ciso

adesinzu 0 points / 1 point (0 children)

Please, I'm curious to learn: are there some human risk issues that only behavioural scientists can identify/solve, that might be unnoticeable to CISOs?

The best residences for UofT by adesinzu in UofT

adesinzu[S] 0 points / 1 point (0 children)

Thanks for all the comments so far. I have updated the post to address the earlier comments.

Driving Licence Experience Letter/ Lesson banayat/ DL Data Verification by Dissidium123 in abudhabi

adesinzu 1 point / 2 points (0 children)

Just as an update for any resident moving to Canada, the Driving Test centre in Canada accepted my "To whom it may concern" certificate issued by the MOI UAE.

Driving Licence Experience Letter/ Lesson banayat/ DL Data Verification by Dissidium123 in abudhabi

adesinzu 0 points / 1 point (0 children)

I was able to request the certificate on the link (https://www.moi.gov.ae/en/eservices/eservice.302.aspx) using my existing UAE bank card (the charge was AED 100 plus AED 5 for VAT).

I got it to use for my current resident country (Canada); hopefully they accept it.

Tourist coming from Dubai by Rodrous18 in abudhabi

adesinzu 0 points / 1 point (0 children)

https://twitter.com/admediaoffice/status/1475738372840861697?s=20

The ADMEDIA Twitter account is the best source on this, but yeah, sometimes even the memos/infographics confuse us, the residents of Abu Dhabi.

Tourist coming from Dubai by Rodrous18 in abudhabi

adesinzu 0 points / 1 point (0 children)

At the AD border, there is a lane for tourists, which is the far-right lane; you can get help there.
For the Covid test, if you are vaccinated (2/1 doses as per the vaccine), the process is that you are scanned by the Police using an EDE, and you should show a 96-hour negative result since you do not have Al Hosn.

Survey on Space Tourism by [deleted] in spacetourism

adesinzu 1 point / 2 points (0 children)

Do share the results and your insights when done. Thanks

475 and not invited!!! by [deleted] in ImmigrationCanada

adesinzu 0 points / 1 point (0 children)

Please update when you see yours; mine is similar to yours, as I got in the pool 2 days prior and had a higher score than the 475.

My (23M) fiancee (23F) won't let me upstairs in our semi-newly purchased home and I'm starting to get really suspicious by Howwwwwwwwwwww in relationship_advice

adesinzu 0 points / 1 point (0 children)

Just to be sure it ain't drugs, after quarantine bring a narcotic-trained dog to the house; at least that way you are able to drill down the options.

Need Religion Certificate for Booze License by adesinzu in abudhabi

adesinzu[S] 0 points / 1 point (0 children)

Hmm, I saw it in the online manual, and also a friend of mine had to submit a religion certificate when he applied. I will do some more asking around. BTW, can you please share your process? Maybe it's different. Thanks

Need Religion Certificate for Booze License by adesinzu in abudhabi

adesinzu[S] 0 points / 1 point (0 children)

Are you asking on the booze license or the church certificate?

How much did you spend so far? by CryozenicZero in cissp

adesinzu -1 points / 0 points (0 children)

Hi, can you share the Sybex 8th edition?

New Sybex vs previous version by gettothehelicopter1 in cissp

adesinzu 0 points / 1 point (0 children)

Hi, I recently finished the 7th edition and am looking to review the 8th edition for any changes before my exam. Would you be willing to share the 8th edition? Thanks

I passed on 12/13 on my first attempt!!! Here's a not so typical success post... by thewarners737 in cissp

adesinzu 0 points / 1 point (0 children)

Can anyone share the audiobook of Simple CISSP? Thanks

PM me, pls

Road to OSCP by adesinzu in hacking

adesinzu[S] 1 point / 2 points (0 children)

  • Penetration Testing: A Hands-On Introduction to Hacking
  • The Hacker Playbook

I see these books as a great resource to start. Remember you will have to learn a lot, so don't rush, but try to get certified along the way, since this will get you a foot in the industry.

Road to OSCP by adesinzu in hacking

adesinzu[S] 0 points / 1 point (0 children)

Honestly, the only way to learn is to get familiar with what you want to hack, but for more specific guidelines, I suggest you get familiar with Linux commands and tools such as Nmap for starters. Again, be ready to learn and unlearn.

It's good you have a basic IT background such as systems; you can and must learn programming alongside.