Out of curiosity, when you're doing a SOC 2 compliance review, are you relying on their documentation of security measures, or would you check to see that the documentation matches the security measures that are in place?
Documentation of security controls means very little; yes, having a framework with a suite of policies and procedures is important, but a proper SOC 2 review is all about actually seeing it in place.
We do a deep dive, where we understand all of the security controls. We then test the design of these security controls by reviewing security configurations within the systems themselves, and then we test the effectiveness of these controls.
So yes, we review documentation and then perform an independent review of the security measures/controls in place. For instance, understanding how batch processes are configured, then testing that the appropriate security controls in relation to batch processes operated effectively.
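As an added illustration of the design-versus-effectiveness testing this answer describes (example code, not the answerer's own tooling), here is a small script that tests one batch-process control the way an auditor would: first against the scheduler configuration pulled from the system (design), then against a sample of job-run log records (operating effectiveness). The documented control, the account name `svc_batch`, the scheduler entries and the log lines are all constructed for the example.

```python
"""Added example (not the answerer's code): testing one batch-process control
for design and for operating effectiveness, in the sense described above.
Every scheduler entry and log line here is constructed for illustration."""
import re

# Documented control (constructed): batch jobs run only under the dedicated
# account svc_batch, job scripts are not group/world writable, and every
# failed run is escalated to an alert ticket.
APPROVED_ACCOUNTS = {"svc_batch"}

# Design evidence: scheduler entries as pulled from the system (constructed).
SCHEDULER_ENTRIES = [
    {"job": "nightly-export", "run_as": "svc_batch", "script": "/opt/batch/export.sh", "mode": 0o750},
    {"job": "ledger-reconcile", "run_as": "svc_batch", "script": "/opt/batch/reconcile.sh", "mode": 0o750},
    {"job": "cleanup-tmp", "run_as": "root", "script": "/opt/batch/cleanup.sh", "mode": 0o777},
]

# Effectiveness evidence: a sample of job-run records from the log (constructed).
JOB_LOG = """\
2024-03-01T02:00:01Z job=nightly-export user=svc_batch status=success
2024-03-02T02:00:01Z job=nightly-export user=svc_batch status=failure alert=INC-1041
2024-03-03T02:00:02Z job=nightly-export user=svc_batch status=success
2024-03-03T03:00:00Z job=ledger-reconcile user=svc_batch status=failure
2024-03-04T02:00:01Z job=nightly-export user=dev_alice status=success
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) job=(?P<job>\S+) user=(?P<user>\S+) "
    r"status=(?P<status>\S+)(?: alert=(?P<alert>\S+))?$"
)


def check_design(entries, approved):
    """Design test: does the live configuration implement the documented control?"""
    findings = []
    for e in entries:
        if e["run_as"] not in approved:
            findings.append(f"{e['job']}: configured to run as '{e['run_as']}', not an approved batch account")
        if e["mode"] & 0o022:  # a group- or world-writable script can be altered by others
            findings.append(f"{e['job']}: {e['script']} is group/world writable (mode {e['mode']:o})")
    return findings


def parse_job_log(text):
    """Parse the sampled log lines; refuse malformed evidence rather than skipping it."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        records.append(m.groupdict())
    return records


def check_effectiveness(records, approved):
    """Operating-effectiveness test: over the sampled period, did the control actually operate?"""
    findings = []
    for r in records:
        if r["user"] not in approved:
            findings.append(f"{r['ts']} {r['job']}: executed by '{r['user']}'")
        if r["status"] == "failure" and not r["alert"]:
            findings.append(f"{r['ts']} {r['job']}: failed run with no alert raised")
    return findings


def control_conclusion(design_findings, effectiveness_findings):
    """Summarise the way an auditor would: design first, then operation."""
    if design_findings:
        return "not designed effectively"
    if effectiveness_findings:
        return "designed effectively but not operating effectively"
    return "designed and operating effectively"


if __name__ == "__main__":
    design = check_design(SCHEDULER_ENTRIES, APPROVED_ACCOUNTS)
    effective = check_effectiveness(parse_job_log(JOB_LOG), APPROVED_ACCOUNTS)
    for f in design + effective:
        print("FINDING:", f)
    print("Conclusion:", control_conclusion(design, effective))
```

Run on the constructed evidence, the design test flags the `cleanup-tmp` job twice (wrong account, writable script) and the effectiveness test flags an unalerted failure and a run by a non-approved user, which is exactly the split between "the policy says X" and "X actually happened over the period" that the review is after.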
Both, usually. The auditors have a list of a thousand and they want to verify.
It's not enough to say that you have a list of active devices; you need to show them an inventory. It's not enough to say there is authentication; you need to show them that they can't access the homepage.
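To make the two "show me" requests in this reply concrete, here is an added example (not the answerer's code) that turns them into repeatable evidence checks: a reconciliation of the documented device inventory against what was actually observed, and a judgement of whether an unauthenticated request for the homepage was really refused. The hostnames, the discovery results, the login path `/login` and the sample HTTP responses are all constructed.

```python
"""Added example (not the answerer's code): turning the two 'show me' requests
above into repeatable evidence checks. The documented inventory, the discovery
results and the HTTP responses are all constructed for illustration."""
from urllib.parse import urlparse

# Documented asset inventory (constructed), keyed by hostname.
DOCUMENTED_ASSETS = {
    "web-01.corp.example": {"owner": "platform", "environment": "prod"},
    "db-01.corp.example": {"owner": "data", "environment": "prod"},
    "build-07.corp.example": {"owner": "ci", "environment": "nonprod"},
}
# Hosts actually observed on the network during the review window (constructed).
DISCOVERED_HOSTS = ["WEB-01.corp.example.", "db-01.corp.example", "lab-pc-3.corp.example"]


def normalize_host(host):
    """Hostnames from different sources differ in case and trailing dots."""
    return host.strip().lower().rstrip(".")


def reconcile_inventory(documented, discovered):
    """Show the inventory rather than claim it: what matches and what does not."""
    doc = {normalize_host(h) for h in documented}
    seen = {normalize_host(h) for h in discovered}
    return {
        "matched": sorted(doc & seen),
        "documented_not_seen": sorted(doc - seen),   # possibly stale records
        "seen_not_documented": sorted(seen - doc),   # unmanaged devices
    }


def unauthenticated_access_denied(response, login_path="/login",
                                  protected_markers=("Dashboard", "Logout")):
    """Judge one response to a request for a protected page sent without credentials.

    A response is an evidence record {"status": int, "headers": {...}, "body": str}.
    Denied means: an explicit 401/403, a redirect whose target is the login page,
    or a 200 that carries no content only an authenticated user should see.
    """
    status = response["status"]
    if status in (401, 403):
        return True
    if status in (301, 302, 303, 307, 308):
        target = urlparse(response["headers"].get("Location", "")).path
        return target.startswith(login_path)
    if status == 200:
        return not any(marker in response["body"] for marker in protected_markers)
    return False  # anything else (5xx, 404) is not evidence that the control works


# Constructed responses to an unauthenticated GET of the application homepage.
SAMPLE_RESPONSES = {
    "redirect-to-login": {"status": 302, "headers": {"Location": "https://app.example/login?next=/"}, "body": ""},
    "explicit-401": {"status": 401, "headers": {"WWW-Authenticate": "Bearer"}, "body": ""},
    "served-dashboard": {"status": 200, "headers": {}, "body": "<h1>Dashboard</h1><a href='/logout'>Logout</a>"},
    "redirect-to-root": {"status": 302, "headers": {"Location": "/"}, "body": ""},
}


def evidence_for_auditor(documented, discovered, responses):
    """Bundle both checks into the kind of evidence the reply above asks for."""
    return {
        "inventory": reconcile_inventory(documented, discovered),
        "auth_checks": {name: unauthenticated_access_denied(r) for name, r in responses.items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(evidence_for_auditor(DOCUMENTED_ASSETS, DISCOVERED_HOSTS, SAMPLE_RESPONSES), indent=2))
```

The inventory part is deliberately a three-way split: a documented host that was never seen is as much a finding as an unknown device that shows up, because either one means the list and reality have drifted apart. The access check treats a redirect as a pass only when it actually lands on the login page; a 302 to somewhere else, or a 200 that still renders the dashboard, is recorded as a failure rather than as "some response came back".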