I'm currently preparing for a SOC2 audit and I've found the process of reviewing access to be more manual than I anticipated. Right now, my process involves exporting users from Microsoft 365, checking their roles and admin access, verifying their MFA status, and documenting everything for the auditors with screenshots and spreadsheets. While this works, it's quite time-consuming and doesn't feel sustainable since the auditors want consistent evidence over time, not just isolated snapshots. I've explored some tools like Vanta and Drata, but I'm unclear on how much they help with the access reviews and evidence collection versus still requiring a lot of manual effort. I'm curious about how others are handling this in practice. Are you managing it manually, using scripts or internal tools, or have you found automation that actually simplifies data collection and reporting? My main concern is making sure we have a clean audit trail when the work is done.
5 Answers
I feel your pain! The audits can be a real hassle, especially in larger organizations. Most of the success comes from having good IT hygiene. Using tools like SaaS Management or Identity Access Management (IAM) can really help centralize access info, so when it’s time for an audit, you just hit 'export' to generate your documentation. We created a solution called MIA to automate user access reviews, focusing on small to medium-sized companies, but you might also check out ToriiHQ or Corma for their good support.
Have you considered the Identity Governance add-on from Microsoft? It offers some semi-automated solutions. Just remember, there’s a big difference between identity and access rights.
A solid Governance, Risk, and Compliance (GRC) platform like Secureframe can do automated evidence collection for SOC2 and other certifications. It really streamlines the process and minimizes manual work.
I can relate; I've been there! We use Drata, which has some automated reporting features, but we still find ourselves doing a lot of manual tasks as a small IT team. It gets frustrating having to manage it all the time.
You really don't need to export every user's MFA status. A screenshot of a Conditional Access Policy stating that all access requires MFA should suffice. Most auditors I've worked with truly just want the evidence presented in a way that's easy to digest.
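An added example, not posted by anyone in this thread, of the "scripts or internal tools" route the question asks about: one Microsoft Graph PowerShell run that exports users, active admin role assignments and MFA registration state to CSV, exports the Conditional Access policies (the enforcement evidence the answer above describes) as JSON, and hashes every file so the evidence set is tamper-evident over time. It assumes the Microsoft.Graph module is installed, that you can consent to the read-only scopes listed, and that the tenant is licensed for the authentication-methods registration report.

```powershell
# Added example (not from the thread): evidence export for a Microsoft 365 access review.
# Assumes: Install-Module Microsoft.Graph; permission to consent to the read-only scopes
# below; tenant licensed for the authentication-methods registration report.
param([string]$OutDir = ".\access-review-$(Get-Date -Format yyyyMMdd)")

Connect-MgGraph -Scopes "User.Read.All","Directory.Read.All","AuditLog.Read.All",
    "UserAuthenticationMethod.Read.All","Policy.Read.All"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Every account, enabled or not: disabled leavers are part of the review too.
$users = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled

# 2. Privileged access: members of each activated directory role, keyed by UPN.
#    Active assignments only; PIM-eligible assignments are not returned here.
$adminRoles = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $m.AdditionalProperties['userPrincipalName']   # null for groups / service principals
        if ($upn) { $adminRoles[$upn] += @($role.DisplayName) }
    }
}

# 3. MFA registration per user. This is registration, not enforcement;
#    enforcement is proven by the Conditional Access export in step 5.
$mfa = @{}
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    ForEach-Object { $mfa[$_.UserPrincipalName] = $_ }

# 4. One row per user, joined on UPN, so auditors get a single sortable sheet.
$rows = foreach ($u in $users) {
    $reg = $mfa[$u.UserPrincipalName]
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        DisplayName       = $u.DisplayName
        Enabled           = $u.AccountEnabled
        AdminRoles        = $adminRoles[$u.UserPrincipalName] -join ';'   # '' when not an admin
        MfaRegistered     = if ($reg) { $reg.IsMfaRegistered } else { 'unknown' }
        MfaMethods        = if ($reg) { $reg.MethodsRegistered -join ';' } else { '' }
    }
}
$rows | Sort-Object UserPrincipalName | Export-Csv "$OutDir\users.csv" -NoTypeInformation

# 5. Enforcement evidence: the Conditional Access policies themselves, not a screenshot.
Get-MgIdentityConditionalAccessPolicy -All |
    Select-Object DisplayName, State, Conditions, GrantControls |
    ConvertTo-Json -Depth 10 | Set-Content "$OutDir\conditional-access.json"

# 6. Audit trail: SHA-256 of every artefact, so a later reviewer can show nothing was edited.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File';e={Split-Path $_.Path -Leaf}}, Hash |
    Export-Csv "$OutDir\manifest.csv" -NoTypeInformation
```

Running it on a schedule and committing the dated folder (or its manifest) to a repository gives the auditors the consistent, time-series evidence the question is after, and any admin role that shows up without a matching ticket is the access-review finding.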