What's the hardest part of getting SOC 2 done in practice?
1 point | asdxrfx | 1 month ago
I’m curious to hear from founders, engineers, and consultants who’ve gone through (or are going through) SOC 2. On paper it sounds straightforward (controls, evidence, audit), but in practice it seems to get messy quickly.
Some things I’ve heard people struggle with:
- translating abstract controls into real engineering workflows;
- knowing what level of evidence is “enough”;
- keeping things updated once the audit is over;
- coordinating between engineering, security, and ops;
- dealing with tools vs. spreadsheets vs. consultants.

For those who’ve done it:
- What part took the most time?
- What was more painful than expected?
- What did you wish you had known before starting?
Not trying to sell anything, genuinely trying to understand where the real friction is.
Thanks!
solarengineer | 1 month ago
Try the HN search. There have been so many discussions about SOC2 over the years. https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
Edit: Looks like you are the lumoar guy. So you already know what has been discussed. Please share clearly in the future.