[colechristensen]

Does SOC2 in general have a particularly high reputation?

The only security compliance frameworks that have any particular reputation with me are the ones associated with the department of defense where the consequences range between a slap on the wrist warning or a small 5 figure fine to execution for espionage (which only ever happened for Julius and Ethel Rosenberg, though one could imagine there may have been more, uh, unofficial consequences that nobody ever heard about). In other words, people actually care about the enforcement of security standards in meaningful ways and there are meaningful consequences.

Everything else... well they're all at least a little better than a participation trophy and the process proving you're trying isn't meaningless. It's just not been my experience with these things that they're particularly good guarantees that the spirit embodying the compliance program is actually being done particularly well.

[tptacek]

It's the universal de facto standard at least in North America, and nobody takes it especially seriously. About the best thing you could say for it is that it verifies that you're an actual company and not 3 raccoons in a trench coat. But if you're savvy about how you manage your auditors, you can get an attestation for 3 raccoons as well.

[colechristensen]

Right, in general the compliance programs mean that you are at minimum put together enough to scam the auditors which is, in itself, not nothing.

[wlonkly]

Not so much a high reputation as it is that SOC2 is the low bar.