SOC 2 for ISVs — A 2026 Refresh of the Series (Series Recap)
A short note on why I refreshed the 5-part SOC 2 for ISVs series in 2026 — modernized imagery, and a reset of my own field knowledge from roughly 5-7 years of customer engagements.
A platform engineer's take on starting the FedRAMP journey from outside the US — why a third-party partner matters, and what the '90 days' promise really means in 2026.
The finale of the Zero Trust series: where compliance frameworks meet ZTNA, how the hyperscalers ship it natively, and what twenty years of remote-access evolution means for working practitioners.
Choosing an auditor, surviving the Type II observation window, common findings, and how SOC 2 becomes the foundation for ISO 27001, HIPAA, and FedRAMP.
How to turn SOC 2 from a yearly fire drill into a byproduct of how you build — AWS SCPs, GCP Org Policies, OPA, drift detection, and automated evidence collection.
How to map SOC 2 controls to your AWS, GCP, and Kubernetes stack — IAM, logging, encryption, change management, and what auditors actually want to see.
What the five SOC 2 Trust Service Criteria actually mean, which are mandatory, and how to scope your audit so it doesn't sprawl. Part 2 of 5.
Why SOC 2 has become non-negotiable for ISVs selling to enterprises — and what it actually costs to skip it. Part 1 of a 5-part series.