The Tenurex blog
Practical writing on SOC 2, ISO 27001, continuous controls monitoring, and what it actually takes to run a compliance program at a growing SaaS company.
What 'Continuous Controls Monitoring' Actually Means (And How It Differs From Periodic Audits)
Every vendor in the GRC space claims 'continuous monitoring.' Here's what that term should actually mean — and the difference between validating a control state versus collecting a screenshot of it.
The Real Cost of SOC 2 Evidence Collection (It's Not the Auditor Fee)
When we talk to compliance teams about their annual SOC 2 prep, the number that surprises them isn't the audit fee. It's the two weeks of engineering time they lose every year collecting evidence by hand.
Why Read-Only API Access Is the Only Acceptable Architecture for Compliance Monitoring
A compliance tool that needs write access to your production systems is a compliance tool you should never install. Here's the full read-only architecture argument.
Mapping SOC 2 Trust Service Criteria to Production Systems: A Practitioner's Guide
CC6.1 through CC9.2. A1.1. C1.1. These aren't abstract compliance concepts — each one maps to specific observable state in your AWS, GitHub, and Okta environments.
Access Control Drift: What It Is, Why It Happens, and How to Catch It Before Your Auditor Does
A user leaves your company. Their GitHub access is removed — but their access to a staging AWS account was added six months ago and nobody remembered. This is access control drift.
ISO 27001 Annex A Controls for SaaS Companies: Which Ones Actually Apply
ISO 27001:2022 has 93 Annex A controls. A cloud-native SaaS company with no physical infrastructure doesn't need to implement all of them the same way.
SOC 2 vs ISO 27001: Which Should Your Company Pursue First?
Your enterprise prospects keep asking for one or the other. Sometimes both. Here's a decision framework for mid-market SaaS companies.
Why Compliance Automation Looks Different at Mid-Market SaaS Than at Startups
Most compliance automation tooling is built for startups getting their first SOC 2. But if you already have a SOC 2 Type II and a real compliance program, you have different problems.
Building Audit-Ready Evidence Packages: What Your Auditor Actually Wants to See
We've talked with audit firms about what makes evidence packages easy to evaluate — and what makes them impossible. Here's a practical guide to structuring evidence your auditor can actually verify.
Okta, GitHub, and AWS: The Control Evidence Gaps Most Compliance Teams Miss
Three of the most common SOC 2 control evidence sources — and three of the most common places where evidence gaps hide. An engineering-level look at what's observable via API.
Reporting Compliance Posture to Your Board: What Metrics Actually Matter
Your board wants to know if the company is secure and audit-ready. 'We passed our last SOC 2' is an answer — but it's a year old. Here's how to build a real-time compliance posture report.
The Case for Replacing Point-in-Time Audit Cycles With Continuous Validation
Point-in-time audits were designed for a world where production systems changed slowly. That world no longer exists. Here's the architectural argument for continuous control validation.