How to Prepare for a PCI/SOC Audit as a Small Team?

Asked By TechieTurtle92 On

I'm part of a small company with fewer than 100 employees, and we're mainly operating in AWS. As we approach our PCI and SOC audit, I'm starting to feel the pressure. Our infrastructure was set up by a third party a while ago, and since then, it's mostly run on autopilot. My team does basic tasks like patching and making minor changes, but we don't have a dedicated security or compliance person. Now, with the audit looming, I'm realizing we lack visibility into crucial areas such as backups and monitoring. I'm not even sure what auditors will want from us beyond the usual policies and screenshots. I'm really stressed about showing up to the audit and discovering we've overlooked something significant. For those who've experienced PCI or SOC audits in a similar setup, what kind of evidence or reports did auditors request? How in-depth do they go into AWS configurations versus just covering high-level controls? How did you prepare without a dedicated compliance team? I'm trying to determine if I need to enlist outside help or if there's a more practical approach to get ready without breaking the bank.

5 Answers

Answered By ComplianceQueen77 On

If this is your first audit, view it as a learning opportunity. You might receive a comprehensive list of items to fix, which can extend your timeline for remediation. It’s also a good idea to ask the auditor for confirmation as you complete items on the list—keep the lines of communication open!

AuditWarrior -

That’s a great approach! If you're unsure about whether backups are happening, get on that ASAP. Not knowing could lead to bigger issues down the road.

Answered By VantaExplorer On

We’ve been using Vanta for evidence gathering. Given the size of our team, it would have been challenging to manage the audit without it. If I were to start over, I’d consider Thoropass since they handle the audits directly and make things a lot easier.

Answered By SkepticalTechie On

A gap assessment is essential. Were you preparing for a Type 1 or Type 2 audit? This can dictate how extensively you need to document your processes and controls.

Answered By LuckyAuditor On

I've had a PCI audit experience where the auditor helped outline our faults and gave us a list to fix. It turned out pretty manageable since I could tackle it piece by piece over several months. So, if you can work closely with your auditor, it might take some pressure off.

Answered By DataDrivenDave On

One thing to keep in mind is documentation. It can be a pain, but having a clear way to gather and present evidence is crucial. Over time, you might forget how you verified things like backups. We set up our automated processes to send completion emails to an audit evidence email list, which helped us show auditors that backups were running as needed over the evaluation period.

AuditingNinja22 -

Definitely! Auditors typically prefer screenshots, PDFs, or formatted documents instead of raw text files or CSVs. They just want to ensure things haven’t changed. But it's kind of a catch-22—you start questioning how they know the screenshots weren’t tampered with!
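The approach DataDrivenDave describes (automated jobs emitting completion evidence that is mailed to an audit evidence list) and the tampering concern AuditingNinja22 raises can be combined into one small evidence collector. The script below is an added example and is not code from the original thread or from any product mentioned in it. It assumes backup jobs write one JSON record per run; the records, the expected cadence per job, and the mailbox address are constructed placeholders. It checks that every expected backup window in the evaluation period has a successful run, builds a canonical evidence summary, and stamps it with a SHA-256 digest so a later copy can be checked against the one that was mailed.

```python
"""Backup-evidence collector (added illustration, not the original poster's code).

Assumptions: each backup job emits a JSON record with job name, completion
time, status, and artifact hash. SAMPLE_RECORDS below is constructed data;
the evidence mailbox address is a placeholder.
"""
import hashlib
import json
from datetime import date, datetime, timedelta
from email.message import EmailMessage

# Constructed sample records, as an automated backup job might emit them.
SAMPLE_RECORDS = [
    {"job": "rds-nightly", "finished": "2024-03-01T02:10:00Z", "status": "SUCCESS",
     "artifact_sha256": "a1" * 32},
    {"job": "rds-nightly", "finished": "2024-03-02T02:12:00Z", "status": "SUCCESS",
     "artifact_sha256": "b2" * 32},
    {"job": "rds-nightly", "finished": "2024-03-03T02:09:00Z", "status": "FAILED",
     "artifact_sha256": None},
    {"job": "s3-weekly", "finished": "2024-03-01T04:00:00Z", "status": "SUCCESS",
     "artifact_sha256": "c3" * 32},
]

# Expected cadence per job in days (assumed for this illustration).
EXPECTED_EVERY_DAYS = {"rds-nightly": 1, "s3-weekly": 7}


def _day(ts: str) -> date:
    """Date part of an ISO-8601 UTC timestamp such as 2024-03-01T02:10:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def coverage_gaps(records, period_start: str, period_end: str,
                  expected=EXPECTED_EVERY_DAYS):
    """Return (job, window_start) for every expected window with no SUCCESS run."""
    start_date, end_date = date.fromisoformat(period_start), date.fromisoformat(period_end)
    successes = {}
    for r in records:
        if r["status"] == "SUCCESS":
            successes.setdefault(r["job"], set()).add(_day(r["finished"]))
    gaps = []
    for job, every in expected.items():
        window_start = start_date
        while window_start <= end_date:
            window_end = min(window_start + timedelta(days=every - 1), end_date)
            days = successes.get(job, set())
            if not any(window_start <= d <= window_end for d in days):
                gaps.append((job, window_start.isoformat()))
            window_start = window_end + timedelta(days=1)
    return gaps


def _canonical(body) -> bytes:
    """Deterministic serialisation so the digest is reproducible by the auditor."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_summary(records, period_start: str, period_end: str):
    """Evidence document for the period plus a SHA-256 over its canonical form."""
    body = {
        "period": [period_start, period_end],
        "records": sorted(records, key=lambda r: (r["job"], r["finished"])),
        "gaps": coverage_gaps(records, period_start, period_end),
    }
    return {"body": body, "sha256": hashlib.sha256(_canonical(body)).hexdigest()}


def verify_summary(summary) -> bool:
    """True if the body still matches the digest that was recorded with it."""
    return hashlib.sha256(_canonical(summary["body"])).hexdigest() == summary["sha256"]


def evidence_email(summary, to_addr="audit-evidence@example.invalid") -> EmailMessage:
    """Build (but do not send) the message that would go to the evidence list."""
    msg = EmailMessage()
    msg["To"] = to_addr
    period = summary["body"]["period"]
    msg["Subject"] = (f"Backup evidence {period[0]}..{period[1]} "
                      f"gaps={len(summary['body']['gaps'])} sha256={summary['sha256'][:12]}")
    msg.set_content(json.dumps(summary, indent=2))
    return msg


if __name__ == "__main__":
    summary = build_summary(SAMPLE_RECORDS, "2024-03-01", "2024-03-03")
    print(evidence_email(summary).as_string())
```

With the sample data the collector reports one gap (the failed `rds-nightly` run on 2024-03-03), which is exactly the kind of finding you want to surface yourself before the auditor does. The digest only helps if the mailed copy lands somewhere the operators cannot later edit (a list archive or a write-once mailbox), because anyone who can regenerate the summary can regenerate the hash; sending is left out of the script on purpose, so wire `evidence_email` into whatever mail transport your jobs already use.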
