the book I wish I'd had
the journal of Michael Werneburg
twenty-seven years and one million words
Ray Pompon's book IT Security Risk Control Management: An Audit Preparation Plan is the one I needed back in 2011 when I first took a service organization through an audit. It is a thorough discussion of the subject, covering the range of a service audit's scope in a spare and to-the-point style that serves as both a guide and a reference. Rather than exploring any handful of subjects in exhaustive detail, the book concentrates on covering the subject area with enough understanding to communicate the important ideas ("why") and the necessary tasks ("what"), then adds pointers and links to the reams of underlying "how" material. It's a great way to organize the book, and a great way to organize an approach to the daunting challenge before any practitioner with a SOC-2/SOC-1 a year away.
Even after five years, I still need a reference with ideas, and this is that book.
One oddity was the font chosen by the publisher. It's small, dark, and cramped.