I’m curious to hear from founders, engineers, and consultants who’ve gone through (or are going through) SOC 2. On paper it sounds straightforward: controls, evidence, audit, but in practice it seems to get messy quickly.
Some things I’ve heard people struggle with:
- translating abstract controls into real engineering workflows
- knowing what level of evidence is “enough”
- keeping things updated once the audit is over
- coordinating between engineering, security, and ops
- dealing with tools vs. spreadsheets vs. consultants
For those who’ve done it:
- What part took the most time?
- What was more painful than expected?
- What did you wish you had known before starting?
Not trying to sell anything, genuinely trying to understand where the real friction is.
Thanks!
solarengineer•1d ago
Try the HN search. There have been so many discussions about SOC2 over the years. https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...
Edit: Looks like you are the lumoar guy. So you already know what has been discussed. Please share clearly in the future.