I think people need to stop seeing Service Organizational Controls and Security Operations Center controls as the same thing. The SOC2 audits change management mostly and performance of contract for software companies. It was made by accountants and does not correlate to cyber threats. Audits like CyberSecurity Maturity Model Certifications were developed to align configurations which lead to breaches or threats more directly. It’s also important that you understand which compliance audits improve your CyberSecurity like CIS or CMMC and which ones are more generic like SOC and which help security professionals like MITRE understand attacks better. We have a SOC 2 because we have financial services clients which audit themselves against SOC 1 for financial reporting and want to use a similar standard to audit their software providers development environments. We use other policies and frameworks like MITRE, CIS and CMMC to stay ahead of threat details. You can use the Verizon breach report to correlate the controls to number of times you got breached. But you’d be napping CiS as a SOC doesn’t correlate at all.

Wrote whole article about it: https://actzero.ai/resources/blog/6-soc2-questions-to-ask-yo...