Introduction: SOC 2 in Plain Terms
SOC 2 (System and Organization Controls 2) is an attestation report developed and governed by the American Institute of Certified Public Accountants (AICPA). It is the most widely recognised assurance report for technology and cloud service organisations that store, process or transmit customer data. Unlike a certification with a fixed pass/fail checklist, SOC 2 is a report of independent opinion issued by a licensed CPA firm on the suitability of design and, in Type II engagements, the operating effectiveness of a service organisation's controls relevant to one or more of the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality and Privacy.
For B2B SaaS vendors, managed service providers, data centres, payroll processors and any organisation to whom customers outsource part of their information system, a SOC 2 report has become a de facto prerequisite to close enterprise deals. Procurement, vendor risk and security teams routinely demand a current SOC 2 Type II report before signing. This guide provides an auditor-grade walk-through of the framework, the full Trust Services Criteria control set, a master assessment checklist, a phased implementation approach, scoping guidance, and the evidence expectations that a CPA examiner will hold you to.
Copyright and licensing note
SOC 2, the Trust Services Criteria (TSC), and the SOC 2 examination framework are the intellectual property of the AICPA (and, where the criteria are aligned to internal control principles, the COSO framework). The criteria identifiers, definitions and report format are copyrighted. This guide is an original explanatory work authored by CyberSigma and paraphrases requirements for educational purposes only. It does not reproduce AICPA copyrighted text. Always obtain the authoritative TSC (2017, with 2022 revised points of focus) and the AICPA guide 'SOC 2 Reporting on an Examination of Controls at a Service Organization' from the AICPA. Only a licensed CPA firm may perform a SOC 2 examination and issue the report.
What is SOC 2
SOC 2 is one of a family of AICPA System and Organization Controls reports performed under attestation standards AT-C Section 105 and AT-C Section 205. The examination results in a report containing the independent service auditor's opinion, management's assertion, a description of the system, and the auditor's tests of controls and results (in a Type II).
The three most commonly confused SOC reports are distinguished as follows:
| Report | Purpose | Audience | Contents |
|---|
| SOC 1 | Controls relevant to a user entity's internal control over financial reporting (ICFR) | User auditors and financial controllers | Control objectives defined by management, tested against |
| SOC 2 | Controls relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy | Customers, security and vendor-risk teams (restricted use) | Trust Services Criteria and mapped controls |
| SOC 3 | Same subject matter as SOC 2 but a short-form, general-use report | General public / marketing | Auditor opinion only, no detailed test results |
SOC 2 itself comes in two report types, which every buyer will ask you to distinguish:
| Attribute | SOC 2 Type I | SOC 2 Type II |
|---|
| Scope of opinion | Suitability of design of controls at a point in time | Design and operating effectiveness over a period |
| Period covered | A single 'as of' date | A review period, typically 3 to 12 months |
| Evidence tested | Design evidence only | Design plus samples of operating evidence across the period |
| Market value | Entry-level, shows intent | Gold standard demanded by enterprise buyers |
| Typical use | First-year bridge to Type II | Annual recurring assurance |
The report opinion may be unqualified (clean), qualified (one or more controls did not operate effectively or were not suitably designed), adverse, or a disclaimer. A clean Type II covering a 12-month period is the market objective.
Who Must Comply
SOC 2 is voluntary in the strict legal sense; there is no statute mandating it. In practice it is contractually mandated by customers. An organisation typically needs SOC 2 when it acts as a service organisation holding or processing another entity's data. The trigger is usually commercial, contractual or driven by the vendor risk function of a prospective customer.
| Organisation type | Why SOC 2 applies | Typical criteria in scope |
|---|
| B2B SaaS / cloud application vendors | Customers outsource data storage and processing to you | Security (mandatory) + Availability + Confidentiality |
| Managed service and MSSP providers | You operate or monitor customer infrastructure | Security + Availability |
| Data centres and colocation | Physical and environmental custody of customer systems | Security + Availability |
| Payroll, HR and benefits processors | Handling of sensitive personal and financial data | Security + Confidentiality + Privacy |
| Payment and fintech platforms | Processing integrity of financial transactions | Security + Processing Integrity + Confidentiality |
| Healthcare / health-tech vendors | Custody of protected health information | Security + Confidentiality + Privacy |
| Analytics and data-enrichment providers | Aggregation and processing of client data | Security + Processing Integrity + Privacy |
- Only the Security category (the 'Common Criteria') is mandatory in every SOC 2 report; the other four categories are elective and included based on customer commitments and the nature of the service.
- Sub-service organisations (e.g. AWS, Azure, GCP) are typically handled by the carve-out method, where their controls are excluded but complementary sub-service organisation controls (CSOCs) are identified.
- User entities are expected to implement complementary user entity controls (CUECs) described in the report.
Structure of SOC 2: The Trust Services Criteria
SOC 2 is built on the Trust Services Criteria (TSC 2017, revised points of focus 2022). The Security category is expressed as the Common Criteria (CC series), which are organised around the five components of the COSO 2013 internal control framework. The other four categories add their own criteria (A, PI, C, P series) on top of the Common Criteria. Every SOC 2 must include all Common Criteria; additional criteria apply only if that category is in scope.
| Category | Criteria series | Scope | COSO / focus |
|---|
| Security (Common Criteria) | CC1 to CC9 | Mandatory in every report | Control environment through risk mitigation |
| Availability | A1.1 to A1.3 | Elective | Capacity, backup, recovery, DR |
| Processing Integrity | PI1.1 to PI1.5 | Elective | Complete, valid, accurate, timely, authorised processing |
| Confidentiality | C1.1 to C1.2 | Elective | Protection and disposal of confidential information |
| Privacy | P1.0 to P8.1 | Elective | Full personal-information lifecycle (notice to disposal) |
The Common Criteria (CC) are grouped into nine families aligned to COSO components:
| CC family | Theme | Coverage summary |
|---|
| CC1 | Control Environment | Integrity, ethics, board oversight, structure, competence, accountability |
| CC2 | Communication and Information | Internal and external communication of control responsibilities |
| CC3 | Risk Assessment | Objective setting, risk identification, fraud risk, change assessment |
| CC4 | Monitoring Activities | Ongoing and separate evaluations; remediation of deficiencies |
| CC5 | Control Activities | Selection and development of controls and technology controls |
| CC6 | Logical and Physical Access Controls | Identity, authentication, authorisation, physical security, disposal |
| CC7 | System Operations | Vulnerability detection, monitoring, incident response, recovery |
| CC8 | Change Management | Authorised, tested and approved changes to infrastructure and software |
| CC9 | Risk Mitigation | Business disruption mitigation and vendor / third-party risk |
Master Assessment Checklist
This is the core section. Each criteria family is enumerated with what an examiner will verify and the typical evidence you must be able to produce. Treat every row as a potential test of control. Nothing here should be skipped during readiness.
CC1 — Control Environment
| What to verify | Typical evidence |
|---|
| Board / governance body provides oversight of the system of internal control | Board or security-committee charter, meeting minutes, oversight agenda |
| Code of conduct and ethics is defined and acknowledged | Signed code of conduct, employee handbook, acknowledgement records |
| Organisational structure, authority and reporting lines are defined | Org chart, RACI, role descriptions, delegation of authority |
| Hiring includes background checks and competence assessment | Background-check records, job descriptions, interview scorecards |
| Individuals are held accountable via performance and disciplinary process | Performance review records, disciplinary policy, KPI/OKR records |
CC2 — Communication and Information
| What to verify | Typical evidence |
|---|
| Quality information supports the functioning of internal control | Data flow diagrams, system inventory, information classification policy |
| Internal communication of control responsibilities | Policy portal, onboarding decks, all-hands security updates |
| External communication with customers and stakeholders | Customer notices, status page, terms of service, security page |
| Whistle-blower or anonymous reporting channel exists | Ethics hotline configuration, reporting procedure, sample tickets |
CC3 — Risk Assessment
| What to verify | Typical evidence |
|---|
| Objectives are specified with sufficient clarity to assess risk | Documented business and security objectives, risk appetite statement |
| Risks to objectives are identified and analysed | Risk register with likelihood/impact scoring, risk assessment methodology |
| Potential for fraud is considered in risk assessment | Fraud risk assessment, segregation-of-duties analysis |
| Significant changes are assessed for impact on internal control | Change-risk assessments, architecture review records |
CC4 — Monitoring Activities
| What to verify | Typical evidence |
|---|
| Ongoing and separate evaluations are performed | Internal audit plan, control self-assessments, continuous monitoring dashboards |
| Internal control deficiencies are evaluated and communicated | Deficiency log, remediation tracker, management review minutes |
| Independent assessments (pen tests, audits) are conducted | Penetration test reports, third-party audit reports, vulnerability scans |
CC5 — Control Activities
| What to verify | Typical evidence |
|---|
| Control activities are selected to mitigate risks to acceptable levels | Control matrix mapping risks to controls, policy set |
| General technology controls are deployed | Baseline hardening standards, IaC policies, configuration management records |
| Controls are deployed through policies and procedures | Approved policies with review dates and owners, procedure documents |
CC6 — Logical and Physical Access Controls
| What to verify | Typical evidence |
|---|
| Logical access is restricted through identity and credential management | IAM configuration, SSO/MFA settings, password policy |
| Access is provisioned and modified through authorised requests | Joiner-mover-leaver tickets, access approval workflow |
| Access is periodically reviewed and de-provisioned on termination | Quarterly access review records, termination checklists, deactivation logs |
| Least-privilege and role-based access are enforced | Role definitions, privileged-access management (PAM) logs |
| Network access is protected (firewalls, segmentation, VPN) | Firewall rule sets, network diagrams, VPN and bastion configs |
| Encryption protects data at rest and in transit | TLS configuration, KMS/key management policy, disk-encryption settings |
| Physical access to facilities and assets is restricted | Badge access logs, visitor logs, data centre attestations (carve-out) |
| Media and assets are securely disposed of | Asset disposal records, certificates of destruction, wipe logs |
CC7 — System Operations
| What to verify | Typical evidence |
|---|
| Vulnerabilities are detected and configuration monitored | Vulnerability scan reports, SIEM/EDR alerts, config drift reports |
| Security events are monitored and anomalies detected | Log management config, SIEM alert rules, monitoring dashboards |
| Incidents are identified, contained and responded to | Incident response plan, incident tickets, post-incident reviews |
| Recovery from incidents restores operations | Recovery procedures, evidence of recovery testing |
CC8 — Change Management
| What to verify | Typical evidence |
|---|
| Changes are authorised, designed and documented | Change management policy, change tickets with approvals |
| Changes are tested before deployment | Test results, QA sign-off, staging evidence, automated CI checks |
| Emergency changes follow a defined exception process | Emergency change records with retrospective approval |
| Segregation between development and production is maintained | Deployment pipeline config, separation-of-duties evidence |
CC9 — Risk Mitigation
| What to verify | Typical evidence |
|---|
| Business disruption risks are mitigated (BCP/insurance) | Business continuity plan, cyber-insurance policy, BIA |
| Vendor and business-partner risk is assessed and managed | Vendor risk assessments, due-diligence records, executed DPAs/contracts |
| Sub-service organisations are monitored | Reviews of sub-service SOC reports, CSOC monitoring evidence |
A1 — Availability (if in scope)
| What to verify | Typical evidence |
|---|
| Capacity is monitored and forecast to meet demand | Capacity dashboards, autoscaling config, capacity planning records |
| Environmental protections and backups are maintained | Backup schedules, backup success logs, redundancy architecture |
| Recovery and business continuity are tested | DR test results, failover reports, RTO/RPO documentation |
PI1 — Processing Integrity (if in scope)
| What to verify | Typical evidence |
|---|
| Processing specifications are defined and communicated | Data processing specifications, SLAs, quality definitions |
| Inputs are complete, accurate and authorised | Input validation rules, reconciliation reports, edit checks |
| Processing produces complete and accurate results | Processing logs, reconciliation controls, exception reports |
| Outputs are complete, accurate, timely and protected | Output validation, delivery confirmations, error handling records |
| Stored data is retained completely and accurately | Data retention policy, storage integrity checks |
C1 — Confidentiality (if in scope)
| What to verify | Typical evidence |
|---|
| Confidential information is identified and protected | Data classification policy, DLP configuration, encryption evidence |
| Confidential information is disposed of when no longer needed | Retention/disposal schedule, deletion logs, destruction certificates |
P1 to P8 — Privacy (if in scope)
| What to verify | Typical evidence |
|---|
| P1 Notice of privacy practices is provided to data subjects | Privacy notice, consent banners, policy publication records |
| P2 Choice and consent are obtained for collection and use | Consent records, preference centre, opt-in/opt-out logs |
| P3 Personal information is collected consistently with notice | Collection inventory, data-mapping records, lawful-basis analysis |
| P4 Use, retention and disposal are limited to stated purposes | Retention schedule, purpose-limitation controls, deletion evidence |
| P5 Access by data subjects is provided (DSAR) | DSAR procedure, request logs, identity-verification records |
| P6 Disclosure to third parties is authorised and controlled | Data processing agreements, third-party inventory, transfer safeguards |
| P7 Quality of personal information is maintained | Data accuracy controls, correction request handling |
| P8 Monitoring and enforcement of privacy commitments | Privacy incident log, complaint handling, privacy audits |
Scoping the SOC 2 Examination
Scoping decisions drive cost, timeline and buyer value. They must be settled before the observation period begins, because a Type II report tests controls across the whole period.
- Select the Trust Services Categories. Security is mandatory. Add Availability, Confidentiality, Processing Integrity or Privacy only where you make explicit commitments to customers or where a category materially reflects your service.
- Define the system boundary. Document the in-scope product(s), infrastructure, software, people, data and procedures that make up the 'system' under examination.
- Decide report type. Type I for a first-year point-in-time bridge; Type II for the operating-effectiveness report enterprise buyers expect.
- Set the observation period. Common first Type II periods are 3 to 6 months; recurring reports usually cover 12 months for continuous coverage.
- Choose the sub-service organisation method. Carve-out (exclude and monitor via their SOC report) is typical for AWS/Azure/GCP; inclusive method incorporates their controls into your report.
- Identify complementary user entity controls (CUECs) that your customers must operate for the controls to be effective.
- Confirm legal entities, environments (prod only vs prod plus corporate IT) and geographic locations covered.
Scoping pitfall
Adding Privacy or Processing Integrity prematurely dramatically increases effort. Start with Security plus Availability and Confidentiality for most SaaS vendors, then expand categories in later years as customer demand and maturity grow.
Implementation Approach (Phased)
A structured programme takes a typical mid-size SaaS from zero to a clean Type II in roughly 6 to 12 months. The following phases sequence the work and set deliverables.
Phase 1 — Readiness and Gap Assessment
- Activities: select TSC categories, define system boundary, perform a gap assessment against every applicable criterion, build the risk register and control matrix.
- Deliverables: scoping document, gap assessment report, prioritised remediation roadmap, project plan and RACI.
Phase 2 — Policy and Governance Foundation
- Activities: author and approve the information security policy suite (access, change, incident, risk, vendor, BCP/DR, data classification, HR security), establish security governance forum, assign control owners.
- Deliverables: approved policy set with review dates, governance charter, control-ownership register.
Phase 3 — Technical and Operational Remediation
- Activities: deploy SSO/MFA, PAM, encryption, logging and SIEM, vulnerability management, endpoint protection, secure SDLC gates, backup and DR, and access review automation.
- Deliverables: hardened baseline configurations, monitoring dashboards, remediated access model, DR test results.
Phase 4 — Operate and Collect Evidence (Observation Period)
- Activities: run controls in production over the observation window; perform quarterly access reviews, risk assessments, incident drills, vendor reviews; continuously collect evidence.
- Deliverables: populated evidence repository, control operation logs, management review records covering the full period.
Phase 5 — Independent Examination
- Activities: engage a licensed CPA firm, prepare management's assertion and system description, support fieldwork, respond to sample requests and clarifications.
- Deliverables: draft and final SOC 2 report, auditor opinion, management response to any exceptions.
Phase 6 — Continuous Compliance and Renewal
- Activities: maintain controls, automate evidence collection, monitor drift, feed findings into risk assessment, plan the next annual period with no coverage gap.
- Deliverables: continuous monitoring reports, updated risk register, renewal plan and next-period timeline.
Maturity and Capability Model
SOC 2 does not itself assign maturity levels, but a capability model is invaluable for tracking readiness and communicating progress to leadership. The following five-level model maps organisational maturity to SOC 2 outcomes.
| Level | Name | Characteristics | SOC 2 outcome |
|---|
| 1 | Initial / Ad hoc | Controls undocumented, informal, reactive | Not ready; multiple design gaps |
| 2 | Developing | Policies drafted, some controls implemented inconsistently | Partial design; likely qualified opinion |
| 3 | Defined | Controls documented, owned and operating across the org | Ready for Type I; approaching Type II |
| 4 | Managed | Controls consistently operating with evidence collected continuously | Clean Type II achievable |
| 5 | Optimised | Automated evidence, continuous monitoring, metrics-driven improvement | Clean recurring Type II with minimal effort |
Assessment and Audit Approach
The examination follows AICPA attestation standards. The service auditor executes an evidence-based process from planning through opinion.
- Engagement acceptance: the CPA firm confirms independence, competence and scope, and agrees the categories, system boundary, report type and period.
- Understanding the system: the auditor documents the service, controls and the description prepared by management.
- Risk assessment and control identification: the auditor maps management's controls to each applicable Trust Services Criterion.
- Design evaluation (Type I and II): the auditor tests whether controls are suitably designed to meet the criteria.
- Operating effectiveness testing (Type II only): the auditor selects samples across the period and performs inquiry, observation, inspection and re-performance.
- Exception evaluation: any control failures are assessed for severity and impact on the opinion.
- Forming the opinion: unqualified, qualified, adverse or disclaimer, based on results.
- Reporting: the auditor issues the report containing the opinion, management's assertion, the system description, and (Type II) the tests of controls and results.
- Management response: management addresses any exceptions and describes remediation.
Evidence Request List
Auditors request evidence by category. Prepare a repository organised as follows before fieldwork.
- Governance: board/committee minutes, org chart, code of conduct, policy suite with approval and review dates.
- HR security: background-check records, onboarding and offboarding checklists, security-awareness training completion.
- Access management: IAM/SSO/MFA configuration, joiner-mover-leaver tickets, quarterly access review records, PAM logs.
- Change management: change tickets with approvals, CI/CD pipeline configuration, QA sign-offs, deployment logs.
- System operations: vulnerability scan and penetration test reports, SIEM/EDR alerts, incident tickets and post-mortems.
- Availability: backup success logs, DR test results, capacity monitoring, uptime/status reports.
- Encryption and network: TLS/KMS configuration, firewall rules, network diagrams, disk-encryption settings.
- Vendor risk: vendor inventory, due-diligence assessments, executed contracts and DPAs, sub-service SOC report reviews.
- Risk and monitoring: risk register, risk assessment methodology, internal audit and control self-assessment records.
- Privacy (if in scope): privacy notice, consent records, DSAR logs, retention and disposal evidence.
Roles and Responsibilities
| Role | SOC 2 responsibility |
|---|
| Executive sponsor / CEO | Approves programme, funds resources, signs management assertion |
| CISO / Security lead | Owns the control framework, drives remediation, manages the audit relationship |
| Compliance / GRC manager | Maintains policies, evidence repository, control matrix and audit coordination |
| IT / DevOps / Platform engineering | Implements and operates technical controls, produces configuration evidence |
| HR | Operates background checks, onboarding/offboarding and training controls |
| Legal / Privacy | Owns contracts, DPAs, privacy notice and regulatory alignment |
| Control owners | Operate assigned controls and supply evidence during the period |
| Internal audit | Performs independent monitoring and control self-assessments |
| Independent CPA firm | Performs the examination and issues the SOC 2 report |
KPIs to Track
- Percentage of controls with a named owner and current evidence.
- Access review completion rate and time to remediate access exceptions.
- Mean time to detect and mean time to respond for security incidents.
- Percentage of changes following the approved change-management process.
- Vulnerability remediation SLA adherence (critical/high within target days).
- Backup success rate and DR test pass rate against RTO/RPO targets.
- Vendor risk assessments completed for in-scope third parties.
- Security-awareness training completion rate.
- Number and severity of audit exceptions per period (trend downward).
- Policy review currency (percentage reviewed within the last 12 months).
Readiness Checklist
- Trust Services Categories selected and system boundary documented
- Full information security policy suite authored, approved and communicated
- Risk register and control matrix completed and mapped to every applicable criterion
- SSO, MFA and least-privilege access enforced across production and corporate systems
- Quarterly access reviews scheduled and evidence retained
- Change management with approvals, testing and dev/prod separation operating
- Centralised logging, SIEM/EDR monitoring and incident response plan in place and tested
- Vulnerability management and annual penetration testing performed
- Encryption enforced at rest and in transit with key management
- Backups running with verified restores and a tested DR/BCP plan
- Vendor risk assessments and DPAs completed; sub-service SOC reports reviewed
- Security-awareness training and background checks completed for all staff
- Evidence repository organised by criteria and covering the full observation period
- Licensed CPA firm engaged and management assertion and system description drafted
Common Gaps
- Access reviews performed once for the audit rather than consistently throughout the period, causing operating-effectiveness exceptions.
- Terminated users not de-provisioned promptly, leaving stale accounts detectable in samples.
- Change management bypassed for 'quick fixes' with no ticket, approval or test evidence.
- Policies written but never approved, dated or communicated to staff.
- Incident response plan documented but never tested; no evidence of tabletop or drill.
- Vendor risk programme absent; sub-service organisation SOC reports never reviewed.
- Backups configured but restores never tested, and no DR exercise evidence.
- Security-awareness training incomplete for a subset of the workforce.
- Evidence collected only near audit time, leaving gaps earlier in the observation period.
- Overscoping with Privacy or Processing Integrity before those controls are mature, leading to qualifications.
SOC 2 Mapped to Other Frameworks
SOC 2 controls overlap heavily with other frameworks, enabling a build-once, comply-many approach. The mapping below is indicative and should be validated against the authoritative crosswalks.
| SOC 2 area | ISO 27001 | NIST CSF | PCI DSS | GDPR / DPDP |
|---|
| CC1 Control Environment | A.5 Organisational / Clauses 5-9 | Govern (GV) | Req 12 Policy | Accountability principle |
| CC6 Access Controls | A.5.15-18, A.8 Access | Protect (PR.AA) | Req 7, 8 Access | Security of processing |
| CC7 System Operations | A.8.15-16 Logging/Monitoring | Detect (DE), Respond (RS) | Req 10, 11 Monitoring | Breach detection |
| CC8 Change Management | A.8.32 Change management | Protect (PR.PS) | Req 6 Secure dev | N/A |
| CC9 Risk Mitigation | A.5.19-23 Supplier / Clause 6 | Identify (ID.RA) | Req 12 Vendor | Processor obligations |
| Availability (A1) | A.5.29-30, A.8.13-14 | Recover (RC) | Req 12.10 IR | Availability of processing |
| Confidentiality (C1) | A.8.10-12 Data | Protect (PR.DS) | Req 3 Protect stored data | Confidentiality principle |
| Privacy (P1-P8) | ISO 27701 (PIMS) | Not core | N/A | Full GDPR / DPDP articles |
How CyberSigma helps
CyberSigma runs end-to-end SOC 2 programmes for SaaS and technology organisations across India, the Middle East and globally. We perform the readiness and gap assessment, author and operationalise your full policy and control set, remediate technical gaps (IAM, encryption, logging, vulnerability and change management), and stand up an audit-ready evidence repository with continuous monitoring so controls hold across the entire observation period. We manage the relationship with the licensed CPA firm through fieldwork to a clean Type II opinion, and align the same controls to ISO 27001, PCI DSS, NIST CSF and DPDP/GDPR so you build once and comply many. Talk to our CERT-In empanelled and PCI QSA advisors to plan your fastest path to a defensible, buyer-ready SOC 2 report.