All Episodes
Episode 21 — CC10 Data Integrity in Pipelines
CC10 ensures that information processed within systems remains accurate, complete, and valid throughout its lifecycle. It focuses on maintaining data integrity from in...
Episode 22 — CC11 Vendor Risk & Subservice Oversight
CC11 addresses how organizations manage risks associated with third-party vendors and subservice providers. It requires structured due diligence, contract management, ...
Episode 23 — CC12 Physical/Environmental & Remote-First Realities
CC12 governs physical and environmental safeguards—controls that protect systems from unauthorized access, damage, or environmental hazards. Traditionally, this meant ...
Episode 24 — Availability: Capacity, DR, RTO/RPO, Game-Days
Availability is one of the Trust Services Criteria most closely tied to operational resilience. It ensures that systems meet uptime commitments and can recover from di...
Episode 25 — Confidentiality: Classification, Encryption, DLP
Confidentiality ensures that sensitive information is protected from unauthorized disclosure. The exam focuses on how organizations identify, classify, and safeguard d...
Episode 26 — Processing Integrity: Accuracy/Completeness/Monitoring
Processing Integrity in SOC 2 focuses on whether systems deliver the right results at the right time for the right reasons, emphasizing accuracy, completeness, validit...
Episode 27 — Privacy: Notice, Rights, DPIAs, Retention, DSRs
Under the SOC 2 Privacy criterion, organizations must show that personal information is collected, used, retained, disclosed, and disposed of in accordance with commit...
Episode 28 — Privacy in Context: SOC 2 vs ISO 27701 vs HIPAA
This episode situates SOC 2 Privacy alongside ISO/IEC 27701 and HIPAA so you can compare scope, obligations, and evidence expectations. SOC 2 is an attestation over yo...
Episode 29 — Evidence for A/C/PI/P: What “Good” Looks Like
Auditors evaluate whether controls for Availability, Confidentiality, Processing Integrity, and Privacy are designed and operating effectively, so your evidence must b...
Episode 30 — Cloud & Multitenant Edge Cases (Scope, Tenancy, Regions)
Cloud-native and multitenant architectures introduce scoping complexities that the exam will expect you to navigate precisely. Define the “system” to include services,...
Episode 31 — Strong Control Narratives: Before/After Examples
A strong control narrative translates policy intent into the specific, routine actions a team performs, expressed in clear, testable language. For exam readiness, unde...
Episode 32 — Evidence Strategy & Sampling for Type II
Type II reports evaluate operating effectiveness over time, so your evidence strategy must prove consistency, not isolated success. The exam expects fluency with defin...
Episode 33 — Continuous Control Monitoring & Automation
Continuous control monitoring (CCM) converts periodic, manual checks into automated, near-real-time assurance. For the exam, be prepared to explain how CCM maps contro...
Episode 34 — Ticketing as Evidence (Approvals, Change, Incidents)
Ticketing systems provide the audit backbone for approvals, changes, incidents, and exceptions, turning ephemeral conversations into durable records. The exam will exp...
Episode 35 — Audit-Ready Logs & Screenshots: Accept vs Reject
Audit-ready evidence depends on provenance, completeness, and repeatability. Logs should originate from systems of record, be time-synchronized, and retained immutably...
Episode 36 — CI/CD & Cloud Proofs: Pipelines, Baselines, Diffs
Continuous Integration and Continuous Deployment (CI/CD) pipelines are now central to SOC 2 evidence collection because they record how code and infrastructure move fr...
Episode 37 — Policy-to-Practice Traceability (Text → Proof → Tests)
Policy-to-practice traceability connects written commitments to measurable evidence. The exam will expect you to map a control statement from the policy, through its i...
Episode 38 — Selecting the CPA Firm & Independence
Choosing the right Certified Public Accountant (CPA) firm is critical because SOC 2 is an attestation engagement requiring auditor independence. The exam expects you t...
Episode 39 — Readiness Assessments & Gap Closure
A readiness assessment bridges the gap between current state and audit expectations. It is a dry run designed to identify deficiencies in design, documentation, or ope...
Episode 40 — Fieldwork Do’s & Don’ts; Request Lists & Walkthroughs
Fieldwork is the active phase of the SOC 2 audit when auditors test controls, review evidence, and conduct walkthroughs. The exam expects familiarity with the rhythm: ...