[_tk_]

I was part of several third party risk management audits from a corporate perspective.

We regularly audited and questioned SMBs (and big corps) with regards to their security posture. We knew that small shops wouldn’t be able to be fully compliant to SOC2 Type 2 or have an ISO27001 certified environment. If it was clear that our business wanted the product, we either tried to help the company with the questionnaire or created a risk report that was then signed by the business. In other words: even if your customer asks you to be compliant, you don’t have to be if they care enough about your product.

If you seem intent on getting things right, that’s a big plus. Most of your competitors don’t even know what SOC 2 is.

[whitefang]

Can this also be done for HIPAA and FERPA, or for those compliance requirements is the process the way to go and just filling out the questionnaire would not be sufficient?

[blochist]

SOC2 is, at the end of the day, a voluntary compliance standard. HIPAA and FERPA requirements are federal law. Waiving those requirements would not just mean accepting additional liability, but would normally make your customer ineligible to receive federal funds, which are typically a substantial chunk of revenue.

[tptacek]

Compliance with HIPAA for small firms is generally straightforward and there isn't a standard audit. It's not the same animal as SOC2, which is a CPA standard and is administered by certified auditors.

[Grimburger]

You have it completely the wrong way around.

HIPAA is self-certifying, SOC2 isn't.

No way on earth you are getting SOC2 without an auditor.

[sochix]

Thank you for your comment!