At what point does it make sense to get a SOC 2?


1 comment

  • Erkang Zheng

    It's never too early to start, even though you may not need to get certified right away.  With SOC 2, you'll need to define your controls.  Is your company in a regulated industry such that another compliance framework might be applicable?  For example, PCI DSS for retail/finance, HIPAA (or HITRUST) for healthcare.  If not, NIST CSF or CIS Controls are both good starting points to leverage to define your SOC 2 controls.
