Hello, dear friends.
Hope you all are in good health and high spirits.
Our organization is in the process of buying a software application from a vendor who will also handle deployment and ongoing support. As part of our vendor risk management, we sent a detailed questionnaire to the vendor to assess their security and compliance measures. However, the vendor declined to answer our questions directly and instead provided a SOC 2 report audited by a well-known firm. They also mentioned that they do not have an ISO 27001 certification.
Is relying solely on the SOC 2 report sufficient for due diligence in this scenario?
What steps should we take if we need more detailed information or evidence of their security practices?
Appreciate any advice.