What's the hardest part of getting SOC 2 done in practice?
1 points
by asdxrfx
162 days ago
Hi HN, I’m curious to hear from founders, engineers, and consultants who’ve gone through (or are going through) SOC 2. On paper it sounds straightforward: controls, evidence, audit, but in practice it seems to get messy quickly.

Some things I’ve heard people struggle with:
- translating abstract controls into real engineering workflows
- knowing what level of evidence is “enough”
- keeping things updated once the audit is over
- coordinating between engineering, security, and ops
- dealing with tools vs. spreadsheets vs. consultants

For those who’ve done it:
- What part took the most time?
- What was more painful than expected?
- What did you wish you had known before starting?

Not trying to sell anything, genuinely trying to understand where the real friction is. Thanks!
Try the HN search. There have been so many discussions about SOC2 over the years. https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
Edit: Looks like you are the lumoar guy. So you already know what has been discussed. Please share clearly in the future.