The policy docs are just filler. Auditors never look at them in any detail. They look for the last revised date and the last review date. I bought a $150 bundle online and submitted it as-is without even replacing a single parameter, and the audit went fine.
But Vanta/Tugboat won't actually do the reviews and training and HR and executive reviews you need. Basically their deal is that they cut volume discounts with the audit firms and then take the rest. They have nice dashboards, don't get me wrong, but only their hand-picked auditors will accept them. Others will require you to manually package up the same evidence anyway and upload it to their IRL evidence system.
Vanta at least made me sign a separate contract with the auditor, so I’m not sure they’re making money on the difference. The policy docs indeed don’t seem very closely scrutinized, and I’d prioritize the service that can automate more for you. Vanta provided its own client monitoring application which exists alongside JAMF and seems to cover the same controls.
It's more that there is a market price for SOC2 that auditors can charge, and they are adding $20-25K to the price tag, so they need the auditors to subsidize that. At least when I talked to these firms, you could not bring your own audit firm. You had to go with theirs. Nothing wrong there, and kudos to them for innovating on the pricing/biz dev, but you can pocket that savings yourself by negotiating the same price drop directly with the audit firm and using your own scripts or open source to collect evidence. Vanta and Tugboat have nice UIs, definitely. It's just the difference between buying a Honda vs. a Mercedes. Not everyone cares about paying the lowest amount for a solution. If your budget affords high-end convenience, go for it.
Christina, Vanta founder here. Can confirm we don’t make money on any difference, and no money changes hands between us and auditors. It’s just a lower price for customers.