What SOC 2 auditors are actually looking for in awareness evidence — 2026 update
The annual update on what SOC 2 auditors prioritise in awareness-evidence reviews, based on the audits our customers ran in 2025.
Compliance notes
Observations from current engagements, opinion on industry developments, and the occasional longer essay.
Many awareness platforms produce "certificates" that have no audit standing. Here's what produces evidence and what doesn't.
Our reading of DORA's training and awareness expectations, based on the first cohort of inspections our customers have undergone.
The 2022 revision reorganised the Annex A controls; awareness-related controls sit in different places under the new structure.
PCI DSS v4.0 expanded the security awareness requirement; what the changes mean for customers in payments.