Having just been through an audit and seeing the types of questions and evidence requested, I have some of my own questions on how “enterprise-worthy” companies implement the latest ideas in security best practices, or if they are doomed to always be one or two steps behind so as to look good on compliance/security reports.
I’ll limit it to one example: networking. In a normal datacenter network architecture a SOC audit might cover things like having a firewall, what those rules are, having IDS/IPS, network segmentation, etc. If a company were to switch to a zero-trust model of networking, such as using mTLS within a container service mesh, then how would one answer those network-based questions? For some of the audit, would you put N/A and would the auditor be okay with your reasoning, or would your report end up having many findings?
Obviously SOC audits are lengthy and complicated and don’t fit every situation. Nor could it be discussed thoroughly on Reddit. I could come up with some other examples, but it seems that if a company wants to be on the forefront of technology, they’ll have a lot of explaining to do if they also want to look compliant in many of the frameworks.
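As an added illustration (not part of the original post) of what the "network evidence" looks like when mTLS and segmentation are enforced by a service mesh rather than by a perimeter firewall: the three Istio resources below are a constructed example that assumes Istio as the mesh and uses made-up namespace, workload and service-account names (`payments`, `ledger`, `checkout`). The first turns on mesh-wide strict mTLS (every hop is authenticated and encrypted, plaintext is refused), the second is a default-deny policy for the namespace, and the third is the one explicit allow rule. Together they play the role that firewall rules and VLAN segmentation play in a traditional architecture, so they are the artifacts one would hand over in place of a firewall rule export.

```yaml
# Constructed example, not the original poster's configuration.
# Assumes Istio; namespace/workload/service-account names are made up.

# 1. Mesh-wide strict mTLS. Placed in the root namespace (istio-system by
#    default) it applies to every workload in the mesh: sidecars only accept
#    mTLS connections and reject plaintext. This is the "encryption in transit"
#    and "peer authentication" evidence.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# 2. Default deny for the namespace. An AuthorizationPolicy with an empty spec
#    matches no request, so every request to workloads in "payments" is denied
#    unless another policy explicitly allows it. This is the "segmentation /
#    deny-by-default" evidence.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: payments
spec: {}
---
# 3. The single explicit allow. Only the "checkout" service account, identified
#    by its SPIFFE principal from the mTLS certificate, may POST to the ledger's
#    /v1/entries endpoint. Each such policy is the equivalent of one firewall
#    rule, but keyed on workload identity rather than on IP address.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-checkout-to-ledger
  namespace: payments
spec:
  selector:
    matchLabels:
      app: ledger
  action: ALLOW
  rules:
  - from:
    - source:
        principals: ["cluster.local/ns/payments/sa/checkout"]
    to:
    - operation:
        methods: ["POST"]
        paths: ["/v1/entries"]
```

For evidence collection, `kubectl get peerauthentication,authorizationpolicy -A -o yaml` exports the full set of these policies the same way a firewall rule dump would, and the mesh's access logs record the authenticated source principal for each allowed or denied request, which covers the logging side of the same control questions.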