What tools have been most helpful to gather evidence for a SOC 2 audit?

19.7k views · 1 Upvote · 5 Comments

Information Security Manager, 501 - 1,000 employees
At Yext we are SOC 2 Type 2 certified, which means that we have specific controls around confidentiality, availability, and security of our customer data. We have different teams that require access to databases - from Operations to Analytics and Developers. We need to make sure that those teams can be productive and access the data, but from the security and compliance side, we need to make sure that we can audit what's going on. We use strongDM to manage database permissions and log every query. Before strongDM we had to ensure that logging was turned on for each MySQL database and hope to catch a specific query in real time. We don’t normally keep MySQL logging on because of the abuse of IO and disk space requirements (especially on a busy database), so only after the fact would we have to make that judgement call. With strongDM we’re able to pull that log data in real time with no impact to the database. Having forensic data of every query run is very, very important from an auditing perspective and helped us achieve SOC 2 compliance.
VP of Global IT and Cybersecurity in Manufacturing, 501 - 1,000 employees
ex-CIO, 10,001+ employees
The right person with knowledge and skills in dealing with audits and auditors is more important than which tools to use. The bonus is that the 'right person' will probably know which tools are best suited to what audit. My opinion only...
CIO, 1,001 - 5,000 employees
For our SOC2 audit we are not using a 3rd party tool for documentation collection. We simply use Excel and a folder hierarchy.
Partner in Software, 1,001 - 5,000 employees
Assuming you have some workloads in AWS there are a number of good solutions. I have looked closely at Orkus (full disclosure that I recently was asked to become an advisor). StrongPoint is also one to consider for relevant business applications.
