2 posts tagged with "soc2"

ISO 27001 vs SOC 2 for PAM: Which Framework Should CEE Companies Pursue First?

7 min read
VaultPAM Team
Security Engineering

If you lead engineering or security at a CEE company, you have probably heard the same conversation twice in the last six months — once from legal ("we need ISO 27001") and once from a US enterprise sales prospect ("we need SOC 2 Type II"). Both are right. Both have real consequences. And both have privileged access management as a core control requirement. The question is: which do you pursue first, and does the work overlap?

How to Pass SOC 2 CC6 Privileged Access Controls — A Practical Guide

6 min read
VaultPAM Team
Security Engineering

SOC 2 Type II readiness is a marathon. Most organizations get through the policy documentation, the vendor risk questionnaires, and the network segmentation diagrams without too much pain. Then they hit CC6 — Logical and Physical Access Controls — and the audit gets difficult.

CC6 is where auditors spend the most time and where companies most often receive exceptions. It covers who has access to your systems, how that access is controlled, how it is monitored, and how it is reviewed. If your privileged access management answer is "we use VPN plus RDP with shared admin credentials," you are not going to pass.

Here is exactly what CC6 requires, what auditors ask for, and how to produce the evidence.