SOC 2 is mostly about proving you do what your policies say, and there’s more flexibility than people think.

For small teams it doesn’t have to be heavyweight. A risk register can be a simple doc with a few real risks and mitigations.

That said, I agree there’s a lot of theater. For smaller companies and budgets, it often turns into rubber stamping. Auditors rely on the evidence you provide, so the report can look much cleaner than day to day reality.

Still, it has value. It forces you to formalize basic practices, and if you want those customers, you’re signing up for that level of scrutiny.

reply
Exactly this. But my question here is also: is there not a competitive advantage to a big enterprise that applies standards in a more intelligent way? You have a SaaS, I have a Fortune 500 company that could use your product but I cannot use it because my procurement process is as long and winding as the Road to Hana. In the meantime my competitor has a smarter procurement process that takes into account the impact and risk involved in renting your software. Don’t they get a competitive advantage over me by having a better process and as a result getting better vendors?
reply
Unfortunately in most cases the buyers have way more liability/risk using a small vendor than opportunity. Often this is coming from regulators in certain industries.

In scenarios where the company REALLY REALLY wants to buy the SaaS, they often will invest in the company, one of the reasons for which being to ensure they have the resources to go through all the red tape.

reply
The risk register is ISO 27001. The "I" in ISO doesn't stand for Internet, it stands for international. You shouldn't be doing business with international customers if you don't have a risk register, which is why they're requesting it.
reply
I’ve found CIS Controls v8.1 to be good and sane, with actual benefits to security. Level 1 is a solid base, and Level 2 is good for picking from depending on where risks exist in your business.

CIS Benchmarks are worth a look too: They’re best practices for securing typical cloud platforms, SaaS and OS.

reply
"is very european." ... ah yes, consumer protections. very european.
reply
Maybe you shouldn't be hacking due diligence if your team isn't ready for it
reply
Isn't ready for, or doesn't need?

I had to have meetings with… myself, at times, for compliance reasons.

reply
What is the purpose of a business though? To make profits for its owners. If the profit lies in doing all this corporate theater then that's the business. A company that focuses only on providing a service and product but ignores how their customer needs to use said service and product is going to go out of business.
reply
That is "a" purpose of a business, but not the primary purpose. The primary purpose of business is to provide a service or product people want. You can want profits all day long but if you don't have something people want you don't have a business.
reply
I would argue that profits are a result of what you do and not the purpose... Obviously intertwined, but that's why it's important to pick something you like
reply
Going through this with a medical startup... We have like 2 developers. But to get investment, put the app online etc., we need to fill out all that paperwork... For things which just don't exist...
reply
Isn't the point of the paperwork to get you to make those things exist?
reply
This is as designed, to gatekeep these customers. Those in control of the checklists stand to benefit.
reply