SOC 2 is about motivation and structure

Peter de Raadt works at Davinci Consulting, a subsidiary of Yellowtail Conclusion, and has been active in the field of security and compliance since 2014. He has implemented SOC 2 at various organizations, including Skydoo, HDN, and the Electronic Communication for Mortgages Foundation (ECH), and is currently doing the same for Yellowtail. So where, according to Peter, lies the real added value of this framework and what are the pitfalls to watch out for?


ISO versus SOC 2

“Until recently, ISO27001 was the go-to standard. But these days, that’s no longer enough. The key difference is that ISO27001 is primarily about security. It provides guidelines for an organization’s information security. If you meet those guidelines, you receive an ISO certificate. Audits may occur, but in principle, the certificate is valid for three years. SOC 2, short for Service Organization Control, goes further. It’s not just about security, but also about ensuring continuity of service for your clients. That takes more than strong security alone. SOC 2, for example, also looks at whether your finances are in order. It doesn’t result in a certificate, but in an assurance report.”

Like a marriage

“Many companies think they’re in control. SOC 2 holds up a mirror, and often shows a very different picture. Take information security, for example. It’s a hot topic right now. Are you prepared for an attack? Have you ever tested if your backups actually work? Getting started with SOC 2 raises awareness of these kinds of risks. It requires you to define and document your processes and stick to them! It’s almost like entering into a marriage. SOC 2 ensures that your organization can constantly prove it’s doing what it says it does. If you claim to test your processes monthly, you have to prove you actually did. SOC 2 isn’t a snapshot, it’s a continuous process. And that might just be the biggest pitfall: underestimating how ongoing it really is.”

Not a straitjacket

“Some organizations hesitate to start with SOC 2. The realization that you are structurally changing your organization can feel overwhelming. That’s why, as a consultant, I try to approach it pragmatically. I start by identifying what an organization is already doing in terms of process control, and that’s often more than they think. It just needs to be made explicit. There’s a common misconception that SOC 2 is a straitjacket and that you can’t deviate from your processes. That’s simply not true. SOC 2 is not set in stone. If you intentionally deviate from a process, that’s fine, as long as you document why you made that choice. That’s how you stay demonstrably in control. It really is that simple.”

To use software or not

“The beauty of SOC 2 is that it doesn’t dictate how you document things. You could write it on a napkin if you like. This flexibility makes it accessible even for smaller companies. Larger companies, where the distance to the work floor is greater, benefit from using specialized tools, like our own Key Control Dashboard. It allows you to quantify risks, take action, and log everything in one place. With the Key Control Dashboard, you’ve got a real-time management tool that gives you full visibility into your risk profile. That makes it much easier for leadership to steer on areas like information security.”

Enjoying the benefits

“Over time, I see organizations realize that SOC 2 actually saves time, as long as your processes are well-defined and followed. Everything runs more smoothly, responsibilities are clear, and if an incident occurs, you know exactly what to do. Once people experience it, they rarely want to go back. It brings calm and efficiency. SOC 2 isn’t about producing pretty reports. The foundation of SOC 2 is intrinsic motivation and wanting to stick to your processes because you benefit from doing so.”

Yellowtail

“At Yellowtail, that intrinsic motivation is definitely there. And we use our own Key Control Dashboard, which makes it much easier to log and manage processes and risks. The real challenge? Carving out enough time and capacity to actually do SOC 2, especially with the daily business still running. That’s where management has to prioritize and make decisions. It often sparks interesting conversations: Who’s responsible for what? Who sets the priorities? Yellowtail has grown quickly, but that also raises questions about accountability. Who really decides what takes precedence? That too is part of being in control, and it says something about the maturity of your organization. SOC 2 helps you shift from managing by gut feeling to managing with structure. And that’s a powerful transformation.”

Do you want to know how your organization can become SOC 2 compliant? Get in touch with Peter de Raadt via pderaadt@davinci-conclusion.nl
