by Lucasoato 81 days ago
I went through SOC 2 Type I and II. I’d say that most of that stuff is necessary, like splitting environments and so on. That doesn’t mean it’s anything close to sufficient to avoid being hacked.

It’s a framework to give you the direction, then if employees are careless (or even malicious), no security standard is complete enough to protect a company.

1 comment

Not to be pedantic about the topic, but SOC 2 is an auditing standard, not a security framework. It defines what you’ll be assessed against, but it doesn’t tell you how to build your security program. You’ll find the prescriptive controls in real frameworks like ISO 27001, NIST CSF, or CIS Controls, which do give you a structure for implementing security.