All Episodes

Episode 1 — What SOC 2 Is (and Isn’t)

SOC 2 is a framework developed by the American Institute of Certified Public Accountants (AICPA) to evaluate how well an organization manages customer data according t...

Episode 2 — Do You Need SOC 2 Now? Buyer & Contract Signals

Determining when to pursue SOC 2 depends on business drivers, not curiosity. For many organizations, the trigger comes from customer requirements or procurement questi...

Episode 3 — Scoping: System Boundary, Services, Regions, Tenants

Defining the SOC 2 scope is one of the most critical early steps. The “system” includes the services, infrastructure, software, people, and processes that support cust...

Episode 4 — Trust Services Criteria at a Glance

The Trust Services Criteria (TSC) form the backbone of every SOC 2 report, defining the control objectives used to evaluate a system’s reliability. The five criteria—S...

Episode 5 — Control Ownership & RACI Across the Org

SOC 2 success depends on clear control ownership across teams. Every control requires a defined Responsible, Accountable, Consulted, and Informed (RACI) structure to e...

Episode 6 — Program Roadmap & Realistic Timelines

Building a SOC 2 program requires sequencing activities in a way that balances business priorities, risk reduction, and audit readiness. A structured roadmap outlines ...

Episode 7 — Type I vs Type II (and Bridge Letters)

A fundamental SOC 2 distinction lies between Type I and Type II reports. Type I assesses the design of controls at a single point in time, confirming that policies and...

Episode 8 — Writing the System Description

The system description is the narrative foundation of a SOC 2 report. It defines the boundaries, components, services, infrastructure, and control environment in clear...

Episode 9 — Subservice Orgs: Inclusive vs Carve-Out

SOC 2 engagements often depend on third-party providers—cloud platforms, payment processors, or data centers—known as subservice organizations. The inclusive versus ca...

Episode 10 — CUECs Done Right

Complementary User Entity Controls (CUECs) define what responsibilities customers or users must perform for the service organization’s controls to remain effective. Th...

Episode 11 — How to Read a SOC 2 Report

Interpreting a SOC 2 report requires understanding its structure and purpose. Each report includes an auditor’s opinion, system description, control testing results, a...

Episode 12 — CC1 Governance & Tone at the Top

The first Common Criterion (CC1) focuses on governance and organizational culture—often summarized as “tone at the top.” It establishes the foundation for all other co...

Episode 13 — CC2 Risk Assessment (Method & Cadence)

CC2 addresses how an organization identifies, assesses, and manages risks to achieving its objectives. Effective risk assessment provides the context for prioritizing ...

Episode 14 — CC3 HR Lifecycle: Hiring, Training, Offboarding

CC3 governs the human element of the control environment, ensuring that personnel are competent, trustworthy, and aware of their security responsibilities. It covers t...

Episode 15 — CC4 Commitments, SLAs, Regulatory Requirements

CC4 focuses on whether an organization defines and meets commitments made to customers and regulators. It evaluates transparency, accountability, and compliance with s...

Episode 16 — CC5 Control Design, Reviews, and Monitoring

CC5 addresses how controls are designed, implemented, and monitored for continued effectiveness. The exam expects you to understand the full lifecycle—from establishin...

Episode 17 — CC6 Logical Access: IAM, SSO, MFA, JML

CC6 focuses on logical access—ensuring that only authorized individuals can interact with systems and data. It encompasses Identity and Access Management (IAM), Single...

Episode 18 — CC7 Ops: Config Management, Vulnerability Mgmt, Patching

CC7 governs how organizations maintain secure, reliable operations through configuration management, vulnerability management, and patching. The exam tests understandi...

Episode 19 — CC8 Change Management & SDLC (incl. IaC Basics)

CC8 evaluates how organizations manage system changes to prevent unintended disruption or new vulnerabilities. It covers structured change management processes, Softwa...

Episode 20 — CC9 Incident Management & Communications

CC9 covers how organizations prepare for, detect, respond to, and communicate security incidents. The exam emphasizes structured processes that define roles, escalatio...