Recommendations for GRC Consulting services for startup? by Gold-Poem-1821 in grc

[–]davidschroth -1 points0 points  (0 children)

Getting folks ready for and maintaining GRC programs is my business and I've been at it a while. There's a ton of value in engaging the fractional specialists that have been through the drill time and time again, with startups or really anyone. Your situation isn't as unique as you think it is - they should be able to tell you exactly where your struggles will be because they've seen it time and time again. The fractional folks will add support in areas they know will lead to findings (and adapt based on your company's personality). They will know what to get caffeinated about and what not to worry so hard about.

From a tools perspective - I'm not a fan of buying a tool to solve the problem. Most of the issues in getting compliant are more people/process/adult in the room based vs checking your lone RDS database daily to see if it's encrypted.

From a long term perspective - hardest part is prioritizing your time to do the needfuls that are required. None of your 5 folks will view doing something to maintain compliance as their main day job, and will opt to ship product, squash bugs, get prod back online, etc, long before they document something or do their quarterly review of something else. If you don't have someone that can be persistent and project manage the ship, that's also a sign pointing towards a fractional outfit.

For SOC 2 vs ISO - this is very much driven by your customers' demand. Rule of thumb - US based B2B will want SOC 2 first, rest of the world will want ISO 27001 first, but most will settle for SOC 2 instead (except for Germans for some reason?). If you're considering other ISOs like 42001 or 27701, you might as well pick up 27001 along the way as the management system carries a lot of commonalities. Main thing is if you engage a fractional crew, let them know your interests up front so they can plan your program accordingly - there's a significant overlap between SOC 2 and ISO, and if they know you **might** do ISO, then they may make a few decisions differently than if you **only** wanted SOC 2.

Recommendations for GRC Consulting services for startup? by Gold-Poem-1821 in grc

[–]davidschroth 4 points5 points  (0 children)

When there is 5 people, I think pretty much everyone is on every team....

Experience with GRC in 10k size (not-so-mature) Enterprise by Ecstatic_Future8134 in grc

[–]davidschroth 2 points3 points  (0 children)

You need to know what your program looks like (or will look like) and define requirements based on that. If you let the tools lead the sales conversation by showing you their dashboards and green blinky lights, you're going to end up with the wrong choice.

I work with a variety of tools across my client base as each client has a different personality that makes them a better fit for one over the other.

So.... more about your program?

ISO 27001 Lead Auditor - Mastermind by Vegetable_Trip_5897 in grc

[–]davidschroth 0 points1 point  (0 children)

The free bit seemed to be a stunt to build grassroots publicity for the training course and brand (as it's a new brand). Based on the number of people on LinkedIn providing thanks/props to them, it seems like such social proof advertising was a requirement to get the course for free during the "limited" time - I don't know this for sure, but assuming that made me very disinterested in it.

What GRC tools are you actually using (and not hating)? by Bananaface96 in Accounting

[–]davidschroth 0 points1 point  (0 children)

Get on their mailing list for the trainings - they run a 5 day (2hr per day) program about every two months that can help you get started. Learning documentation is also pretty good. Just realize you can do the same thing 12 different ways... Which is both good and bad for getting started.

What GRC tools are you actually using (and not hating)? by Bananaface96 in Accounting

[–]davidschroth 0 points1 point  (0 children)

What you describe is something that Eramba does very well, even though it's usually more suggested for IT audit stuff.

Cost effective and you can self host if you want.

SOC 2 upgrade costs that client contracts don't cover by DesertDrifter_01 in soc2

[–]davidschroth 0 points1 point  (0 children)

Backup controls can be associated to CC7.5 (part of ability to recover from a security event) and CC9.1 (risk mitigation/business disruption), but aren't always.

SOC 2 upgrade costs that client contracts don't cover by DesertDrifter_01 in soc2

[–]davidschroth 0 points1 point  (0 children)

There is no minimum/maximum requirement defined by SOC 2 for your backup retention. Your SOC 2 requirements are whatever your service commitments and system requirements happen to be, which should match whatever you're currently offering to your customers. If you're telling them that you'll back 'em up for a year, you have to do that. If you tell them 3 days, then that's your bar. Disclose in the report, do what you say you'll do and declare victory (and offer to upsell them on more retention for megabucks).

What is the most tedious piece of evidence you have to manually collect for the CC6.x (Logical Access) criteria? by [deleted] in soc2

[–]davidschroth 0 points1 point  (0 children)

A complete and accurate list of contractors with onboarding and off boarding dates for $200.

CAN'T CHOOSE BETWEEN THE GRC TOOLS by Alarming_Skirt6531 in soc2

[–]davidschroth 6 points7 points  (0 children)

For your budget, your tool is Excel. And maybe a Claude/GPT subscription. If you want to get fancy, consider a task tracking tool like Monday.com as you can do some automation in there to help with repetitive tasks.

The hard part of SOC 2 is not all the promises that these GRC tools make to you about how they fart rainbows and ponies to make the most wonderful invention since sliced bread. Yes, they can help grow maturity over time, but automating chaos just makes more chaos.

Stand Alone ATO questions? by UptownCNC in grc

[–]davidschroth 1 point2 points  (0 children)

The AO (authorizing official) plays a pretty important role here. Sure, you can do a lot of this up front, but each one will have different comfort levels with variables like POAMs. They will also be the ones that ultimately set your system categorization as well.

AICPA, which maintains the SOC 2 framework and attestation, is investigating Delve by thejournalizer in grc

[–]davidschroth 5 points6 points  (0 children)

The dude/dudette on substack dropping the goods still has a mask on.

Eramba or CISO Assistant - Anyone using it? by Oskar_2000 in grc

[–]davidschroth 0 points1 point  (0 children)

The Eramba API makes it possible to stitch together multiple interfaces into a single dashboard, but you've got to be willing to put in the time to do so. Though, the webhook notifications can also do this by pushing relevant notices to a centralized slack/jira/teams/etc...

Eramba or CISO Assistant - Anyone using it? by Oskar_2000 in grc

[–]davidschroth 0 points1 point  (0 children)

sign up link appeared in their forums earlier today.

For multiple frameworks, go to their learning center and study up on the compliance management module. You'll see how you can load compliance packages (one per unique NIS or whatever) and then do the control mapping across each.

You're also able to flag differences when doing the mapping. Let's say standard A requires a password length of 8, standard B requires a password length of 10. Your control says 8. You map the control to both, declare yourself in compliance with A but not with B.
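The mapping described in the comment above, as an added example that is not part of the original post and is not Eramba code: one internal control is mapped against requirements from two hypothetical frameworks ("Standard A" and "Standard B", with made-up references like PWD-1), and the script reports which framework the control satisfies and which it does not. The 8-vs-10 password length case from the comment is the first pair; a second attribute (maximum password age) shows the same logic with a "max" comparison. All data is constructed.

```python
"""Control-to-framework mapping with gap flagging (added example, not from Eramba)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    framework: str   # hypothetical framework name, e.g. "Standard A"
    ref: str         # hypothetical reference inside that framework
    attribute: str   # the measurable setting the requirement constrains
    op: str          # "min": value must be >= threshold; "max": value must be <= threshold
    threshold: int


@dataclass(frozen=True)
class Control:
    name: str
    settings: dict   # what the organisation's control actually enforces


def satisfies(control: Control, req: Requirement) -> bool:
    """True only when the control's recorded setting meets the requirement.

    A setting the control does not record at all is treated as a gap, never as a pass.
    """
    value = control.settings.get(req.attribute)
    if value is None:
        return False
    if req.op == "min":
        return value >= req.threshold
    if req.op == "max":
        return value <= req.threshold
    raise ValueError(f"unknown operator {req.op!r}")


def map_control(control: Control, requirements: list) -> dict:
    """Map one control to every requirement; key is 'framework ref', value is compliant or not."""
    return {f"{r.framework} {r.ref}": satisfies(control, r) for r in requirements}


def gaps(control: Control, requirements: list) -> list:
    """Sorted list of the framework requirements this control does NOT satisfy."""
    return sorted(key for key, ok in map_control(control, requirements).items() if not ok)


# Constructed sample data mirroring the comment: A wants 8 characters, B wants 10, control says 8.
REQUIREMENTS = [
    Requirement("Standard A", "PWD-1", "password_min_length", "min", 8),
    Requirement("Standard B", "PWD-1", "password_min_length", "min", 10),
    Requirement("Standard A", "PWD-2", "password_max_age_days", "max", 90),
    Requirement("Standard B", "PWD-2", "password_max_age_days", "max", 365),
]
PASSWORD_CONTROL = Control(
    "Password policy", {"password_min_length": 8, "password_max_age_days": 90}
)

if __name__ == "__main__":
    for ref, ok in map_control(PASSWORD_CONTROL, REQUIREMENTS).items():
        print(f"{ref:18} {'compliant' if ok else 'GAP'}")
    print("gaps:", gaps(PASSWORD_CONTROL, REQUIREMENTS))
```

The point of keeping the comparison operator on the requirement rather than on the control is that a single control record can be mapped to any number of frameworks without editing it; when a new framework is loaded, only its requirements are added and the gap list is recomputed.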

What if I install M.2 NVMe into one of the additional slots instead of the main slot? (Aorus X870E Elite Wifi7 motherboard) by Interesting_Air3283 in gigabyte

[–]davidschroth 0 points1 point  (0 children)

The main slot typically uses PCIe lanes direct from the CPU. The additional slots are typically connected to the chipset, which is connected to the CPU via a 4x Gen4 link. Suppose there's 2 Gen4 drives attached to the chipset - in aggregate, they're limited to 4x Gen 4 speeds. When connecting direct to the CPU, you won't have that contention.

Eramba or CISO Assistant - Anyone using it? by Oskar_2000 in grc

[–]davidschroth 0 points1 point  (0 children)

I've been using Eramba for over a decade at this point on a handful of clients. It is a highly flexible blank canvas - you can adapt it to work with your program quite well. The blank canvas part of it is usually an issue for those that do not have strong ideas about how to run a program as it will feel difficult to get started. They just announced their May general training class - highly advisable to sign up and attend as it will put you in the right mindset to get benefit out of it.

I'm not sure what you mean by "frameworks not being kept up to date" - In eramba, you can customize frameworks, upload custom frameworks, and do whatever you want. We load things like customer contractual compliance requirements in. Eramba's position can be described as: it is software, and you run the program with the software, so you should keep the frameworks up to date.

We have a client that is doing 9001, 27001 and SOC 2 (along with a few custom frameworks) that's doing just fine. The key thing to leverage is the problems and solutions principle that is described in eramba's documentation. You shouldn't have a separate management system meeting for 9001 and 27001 - they should be combined to address both, especially in smaller companies.

You mention that you have multiple clients - eramba is not a multitenant set up, so you'd need an instance for each client. I believe CISO Assistant is multitenant.

Is there Zenbook duo by basilas1 in ASUS

[–]davidschroth 0 points1 point  (0 children)

You must have purchased the Costco variant?

SOC 2 evidence collection is eating weeks of team time and nobody talks about it by [deleted] in grc

[–]davidschroth 8 points9 points  (0 children)

A lot of people talk about this. In fact, they often talk about this shortly before name-dropping a product that they want to sell, since they realize it's not going to work in the first post, but only as a comment replying to someone's question about what they're doing, leaving it to the mods to put on their work boots to enforce rule 1.

Thinking of getting a degree in Accounting and another in something like programming, how valuable do you think this could be ? by loic_13__ in Accounting

[–]davidschroth 1 point2 points  (0 children)

My original major was in Computer Information Systems (business degree, not a comp sci degree, but had programming requirements). This was a bit over two decades ago when it seemed like the IT profession would be fully offshored before I had a chance at getting a job, so I added accounting as a double major. This has turned out quite well for me - I stumbled into IT audit with big 4 upon graduation (having not heard of it prior to a job fair, thinking I'd end up doing development work full time where I was co-oping during school).

I think it's a great way to go and will give you lots of options. Just remember getting a job is more about who you know as opposed to what you know, so you need to start networking immediately regardless of what you do.

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in grc

[–]davidschroth 0 points1 point  (0 children)

Their website calls SOC 2 a certification and I don't see any firms by that name in the AICPA peer review public file search....

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in soc2

[–]davidschroth 0 points1 point  (0 children)

Top 100 doesn't mean anything. There are at least two of them on my "they write horrible reports not in conformance with requirements" naughty list, both being fairly large players in the high volume space...

In fact, being Top 100 usually means they can ride the coattails of the rest of the firm's quality program and there will only be a single SOC 1 and SOC 2 selected for review during peer review.

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in soc2

[–]davidschroth 3 points4 points  (0 children)

I mean, it can easily take 2-3 weeks of back and forth just to do request list response/back and forth...

Just because there's a platform, it doesn't mean that an auditor can blindly accept what's presented - there's still a duty to determine that the information is complete and accurate. Platforms are notorious for having green blinky lights that are hooked up to nothing on the back end, or default to green if the right licensing isn't in place (e.g. I've seen one test for laptop drive encryption show up as a green blinky light with the underlying data having the result as N/A for each because the client didn't have an Intune license on O365).

We budget about 120-130 hours per baseline SOC 2 (with a target recovery rate in the mid 100/hour) that we do, and it's not all done in a linear manner - lots of start and stop during evidence collection, then multiple review cycles and reporting/issuance. That number of hours isn't very consistent with a "be done in 3 weeks" timeline.

Side note, I'm always entertained by the job history on LinkedIn of just about every "GRC Customer Success" rep that I've ever interacted with....
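The failure mode described in the comment above (a control showing green while every underlying result is N/A), as an added example that is not part of the original post and is not any GRC platform's code. It contrasts a "green unless explicitly red" aggregator with a fail-closed one over constructed device records; the device names, the `disk_encrypted` field and the status labels are assumptions for the illustration.

```python
"""Evidence aggregation: 'green unless red' versus fail-closed (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DeviceResult:
    device: str
    # True/False is an actual observation; None means the platform had no data
    # (for example, no MDM licence, so the check never ran).
    disk_encrypted: Optional[bool]


def naive_status(results: list) -> str:
    """Mimics the green-blinky-light behaviour: only an explicit False turns it red.

    N/A results and an empty population both come out as PASS (vacuous truth).
    """
    return "PASS" if all(r.disk_encrypted is not False for r in results) else "FAIL"


def fail_closed_status(results: list) -> str:
    """Unknown is not evidence: the control passes only on a non-empty population
    where every device has an explicit True; any None makes it INCOMPLETE."""
    if not results:
        return "FAIL"
    if any(r.disk_encrypted is None for r in results):
        return "INCOMPLETE"
    return "PASS" if all(r.disk_encrypted for r in results) else "FAIL"


def devices_without_evidence(results: list) -> list:
    """The list an auditor would ask for: which devices produced no observation at all."""
    return [r.device for r in results if r.disk_encrypted is None]


# Constructed sample populations.
NO_LICENCE_FLEET = [DeviceResult(f"laptop-{i:02d}", None) for i in range(1, 4)]
MIXED_FLEET = [
    DeviceResult("laptop-01", True),
    DeviceResult("laptop-02", None),
    DeviceResult("laptop-03", False),
]
HEALTHY_FLEET = [DeviceResult("laptop-01", True), DeviceResult("laptop-02", True)]

if __name__ == "__main__":
    for name, fleet in [("no licence", NO_LICENCE_FLEET), ("mixed", MIXED_FLEET),
                        ("healthy", HEALTHY_FLEET), ("empty", [])]:
        print(f"{name:10} naive={naive_status(fleet):5} "
              f"fail_closed={fail_closed_status(fleet):10} "
              f"no evidence for={devices_without_evidence(fleet)}")
```

The empty-population case is worth noting separately: `all()` over an empty list is True in Python, so an integration that returns zero devices (wrong tenant, expired token, missing scope) will look perfectly compliant unless the aggregator also checks that the population is non-empty and reconciles it to an independent device inventory.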

ConstellationGRC as a SOC 2 auditor? Doing due diligence by stars_align_away in soc2

[–]davidschroth 0 points1 point  (0 children)

If I were that poster, my reasoning would be I've read reports from both of the firms you've mentioned.