mlitwiniuk | 1 month ago

Understanding what a control actually means is the first "aha" moment. And it feels like you've cracked the code. Then you realize that's maybe 10% of the work. Each control needs sub-controls (because "Access Control" is actually 15 different things). Those sub-controls need evidence. That evidence needs to be versioned (auditors love asking "show me this policy as it existed 6 months ago"). Your policies need to map to controls. Your controls need to map to risks. Your risks need treatment plans.

Oh, and you'll need vendor assessments - because your auditor will ask about that AWS subprocessor you forgot you were using.

And business continuity plans. And an incident management process.

And then, right at the end, you discover the System Description — this dense narrative document that ties everything together and somehow needs to exist before your Type I audit.

I went through ISO 27001 in 2019 and thought "never again." Then I built a tool to make it survivable and got SOC 2 Type I using it (humadroid.io). Took way longer than I expected, and I already knew the domain.

Not trying to discourage — just a heads up that the iceberg goes deep. Happy to answer questions if you're heading down this path.