We Passed our SOC 2. Now What?

SaltyCloud Research Team

Updated Oct 16, 2025 Read Time 4 min

Last week, our team officially passed its SOC 2 attestation by our partner A-LIGN.

It’s a milestone we’re proud of, because it reflects months of disciplined work across every part of our small, bootstrapped team.

But the most important question, the one we’re asking ourselves now, is: “What happens next?” It’s an honest question, and one that every team should ask the moment their audit ends.

As a team that designs and builds GRC software for information security professionals, we carry a responsibility to start with a simple truth: compliance does not equal security.

Getting a security attestation or a certification is a validation of discipline.

It means you’ve built strong controls, gathered evidence, and demonstrated that your systems meet a recognized standard. All of that is important, but it’s also just one snapshot in time.

In other words, security doesn’t end when the auditor signs off. It’s sustained by people, habits, awareness, and accountability that persist long after the assessment window closes.

The truth is that compliance frameworks, including SOC 2, ISO 27001, FedRAMP, and CMMC, are designed to measure preparedness, not guarantee protection. They confirm that the right structures exist, but not that those structures are being lived, tested, or strengthened every day.

That is why we believe that a culture of information security is the true measure of security maturity.

A strong culture keeps controls alive long after certification. A weak one lets them fade into the background the moment the audit is over.

Building Culture

Teams that treat the certification as the end of the journey inevitably drift because they overlook that security demands continuity. Risks don’t disappear after a successful audit. They creep back in when controls are not practiced every day. Security maturity comes from habits that persist between audits.

With that in mind, how do we build culture?

Our team operates with a simple rhythm:

  1. We keep controls alive by assigning clear owners and making accountability visible. We review key controls regularly, not reactively. We celebrate consistency, not just compliance. When everyone understands their role in keeping the program strong, security becomes part of the routine.
  2. We create space for open conversations. We talk about risk in team meetings, retros, and planning sessions. We ask what feels risky, what has changed, and what is working. We treat security as an open dialogue, not a checklist. Culture grows in the conversations where people feel trusted to raise issues early.
  3. We model leadership. Culture starts at the top and takes root when we show our work. When managers log exceptions, follow review cycles, and ask questions about risk, others follow. Security is sustained by visible habits, not through policies archived in folders for auditors.
  4. We measure and improve. We track progress across assessments, risks, and exceptions. We share it transparently so improvement feels collective, not individual. Culture deepens when we see our effort turn into visible results.
  5. We grow readiness. We use SOC 2 as a foundation for what comes next. We build on that overlap to advance into new frameworks. Each step strengthens both our systems and our mindset. Continuous readiness keeps our culture active and growing.

What Comes Next?

SOC 2 was an important milestone, but it is only one step in our broader Trust roadmap.

The table below outlines how those frameworks connect and what additional work is required to reach them. Estimated completion percentages are based on control overlap studies and crosswalks published by the AICPA, NIST, ISACA, and leading audit firms, showing how a strong SOC 2 program accelerates readiness for future attestations and keeps the culture of improvement alive.

| Next Framework | How SOC 2 Helps | What We Need to Add | Estimated Completion from SOC 2 |
|---|---|---|---|
| ISO 27001 | SOC 2 already covers many Annex A controls like access, change, and risk management. | Add a formal ISMS, risk treatment plan, and Statement of Applicability. | ~58% |
| FedRAMP | SOC 2’s security and monitoring controls overlap with NIST 800-53 requirements. | Add federal baselines, documentation (SSP, POA&M), and continuous monitoring. | ~15% |
| NIST CSF | SOC 2 maps well across the Identify, Protect, Detect, Respond, and Recover functions. | Add outcome-based metrics, profiles, and maturity tracking. | ~50% |
| HIPAA | SOC 2 covers core safeguards like access control, logging, and vendor risk. | Add ePHI-specific scope, workforce training, and contingency planning. | ~90% |
| PCI DSS | SOC 2 provides a foundation of change control, monitoring, and governance. | Add network segmentation, encryption, and PCI-specific testing. | ~34% |
| CMMC (Level 2) | SOC 2 access, awareness, and configuration practices align with NIST 800-171. | Add DoD documentation, coverage of the 110 controls, and SPRS scoring. | ~50% |

Sources

  1. AICPA & CIMA, “Mapping: 2017 Trust Services Criteria to NIST 800-53,” https://www.aicpa-cima.com/resources/download/mapping-2017-trust-services-criteria-to-nist-800-53.
  2. AICPA & CIMA, “Mapping: 2017 Trust Services Criteria to NIST CSF,” https://www.aicpa-cima.com/resources/download/mapping-2017-trust-services-criteria-to-nist-csf.
  3. A-LIGN, “You earned SOC 2, What you should do next,” https://www.a-lign.com/resources/you-earned-soc2-report-what-should-you-do-next.