I recently met with a group who wanted to get started in IT Audit. Although the members of the group had some experience in IT Audit, I noticed a common theme in their misunderstanding of ISO 27001 and SOX 404, as they used both terms interchangeably. In this post, I will distinguish the…
Category: Audit
12 must-have policies and procedures for ISO 27001 & SOC 2 audit
As we discussed in an earlier post, the primary requirement for a SOC 2 audit is when a company provides services to a third party. As per the AICPA, the SOC 2 consists of the following Trust Services Principles (TSPs): Security (also known as Common Criteria), Availability, Processing Integrity, Confidentiality, and Privacy. The scope for each…
A layman’s guide to ISO 27001 vs SOC 1 vs SOC 2 vs SOC 3 compliance
In case you are following my previous posts (link 1, link 2), you must be aware that I have been reading and posting a lot of thoughts on different ISO frameworks. But reading about these frameworks reminds me of a quote by Socrates – The more I know, the more I realize I know nothing….
Why do we need Governance Frameworks, SOC 2 Audits, & Compliance?
Yesterday I met my previous roommate who’s a Computer Science nerd and recently completed his internship at one of the best tech companies in the Valley. We met after a long time and soon after discussing how we’ve been, he asked about my work. I told him – “I am currently working on the Governance…