We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / SOC 2
AICPA · Global

SOC 2 (AICPA)

An attestation report on controls relevant to security, availability and privacy.

Introduction: SOC 2 in Plain Terms

SOC 2 (System and Organization Controls 2) is an attestation report developed and governed by the American Institute of Certified Public Accountants (AICPA). It is the most widely recognised assurance report for technology and cloud service organisations that store, process or transmit customer data. Unlike a certification with a fixed pass/fail checklist, SOC 2 is a report of independent opinion issued by a licensed CPA firm on the suitability of design and, in Type II engagements, the operating effectiveness of a service organisation's controls relevant to one or more of the five Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality and Privacy.

For B2B SaaS vendors, managed service providers, data centres, payroll processors and any organisation to whom customers outsource part of their information system, a SOC 2 report has become a de facto prerequisite to close enterprise deals. Procurement, vendor risk and security teams routinely demand a current SOC 2 Type II report before signing. This guide provides an auditor-grade walk-through of the framework, the full Trust Services Criteria control set, a master assessment checklist, a phased implementation approach, scoping guidance, and the evidence expectations that a CPA examiner will hold you to.

Copyright and licensing note
SOC 2, the Trust Services Criteria (TSC), and the SOC 2 examination framework are the intellectual property of the AICPA (and, where the criteria are aligned to internal control principles, the COSO framework). The criteria identifiers, definitions and report format are copyrighted. This guide is an original explanatory work authored by CyberSigma and paraphrases requirements for educational purposes only. It does not reproduce AICPA copyrighted text. Always obtain the authoritative TSC (2017, with 2022 revised points of focus) and the AICPA guide 'SOC 2 Reporting on an Examination of Controls at a Service Organization' from the AICPA. Only a licensed CPA firm may perform a SOC 2 examination and issue the report.

What is SOC 2

SOC 2 is one of a family of AICPA System and Organization Controls reports performed under attestation standards AT-C Section 105 and AT-C Section 205. The examination results in a report containing the independent service auditor's opinion, management's assertion, a description of the system, and the auditor's tests of controls and results (in a Type II).

The three most commonly confused SOC reports are distinguished as follows:

ReportPurposeAudienceContents
SOC 1Controls relevant to a user entity's internal control over financial reporting (ICFR)User auditors and financial controllersControl objectives defined by management, tested against
SOC 2Controls relevant to Security, Availability, Processing Integrity, Confidentiality and PrivacyCustomers, security and vendor-risk teams (restricted use)Trust Services Criteria and mapped controls
SOC 3Same subject matter as SOC 2 but a short-form, general-use reportGeneral public / marketingAuditor opinion only, no detailed test results

SOC 2 itself comes in two report types, which every buyer will ask you to distinguish:

AttributeSOC 2 Type ISOC 2 Type II
Scope of opinionSuitability of design of controls at a point in timeDesign and operating effectiveness over a period
Period coveredA single 'as of' dateA review period, typically 3 to 12 months
Evidence testedDesign evidence onlyDesign plus samples of operating evidence across the period
Market valueEntry-level, shows intentGold standard demanded by enterprise buyers
Typical useFirst-year bridge to Type IIAnnual recurring assurance

The report opinion may be unqualified (clean), qualified (one or more controls did not operate effectively or were not suitably designed), adverse, or a disclaimer. A clean Type II covering a 12-month period is the market objective.

Who Must Comply

SOC 2 is voluntary in the strict legal sense; there is no statute mandating it. In practice it is contractually mandated by customers. An organisation typically needs SOC 2 when it acts as a service organisation holding or processing another entity's data. The trigger is usually commercial, contractual or driven by the vendor risk function of a prospective customer.

Organisation typeWhy SOC 2 appliesTypical criteria in scope
B2B SaaS / cloud application vendorsCustomers outsource data storage and processing to youSecurity (mandatory) + Availability + Confidentiality
Managed service and MSSP providersYou operate or monitor customer infrastructureSecurity + Availability
Data centres and colocationPhysical and environmental custody of customer systemsSecurity + Availability
Payroll, HR and benefits processorsHandling of sensitive personal and financial dataSecurity + Confidentiality + Privacy
Payment and fintech platformsProcessing integrity of financial transactionsSecurity + Processing Integrity + Confidentiality
Healthcare / health-tech vendorsCustody of protected health informationSecurity + Confidentiality + Privacy
Analytics and data-enrichment providersAggregation and processing of client dataSecurity + Processing Integrity + Privacy
  • Only the Security category (the 'Common Criteria') is mandatory in every SOC 2 report; the other four categories are elective and included based on customer commitments and the nature of the service.
  • Sub-service organisations (e.g. AWS, Azure, GCP) are typically handled by the carve-out method, where their controls are excluded but complementary sub-service organisation controls (CSOCs) are identified.
  • User entities are expected to implement complementary user entity controls (CUECs) described in the report.

Structure of SOC 2: The Trust Services Criteria

SOC 2 is built on the Trust Services Criteria (TSC 2017, revised points of focus 2022). The Security category is expressed as the Common Criteria (CC series), which are organised around the five components of the COSO 2013 internal control framework. The other four categories add their own criteria (A, PI, C, P series) on top of the Common Criteria. Every SOC 2 must include all Common Criteria; additional criteria apply only if that category is in scope.

CategoryCriteria seriesScopeCOSO / focus
Security (Common Criteria)CC1 to CC9Mandatory in every reportControl environment through risk mitigation
AvailabilityA1.1 to A1.3ElectiveCapacity, backup, recovery, DR
Processing IntegrityPI1.1 to PI1.5ElectiveComplete, valid, accurate, timely, authorised processing
ConfidentialityC1.1 to C1.2ElectiveProtection and disposal of confidential information
PrivacyP1.0 to P8.1ElectiveFull personal-information lifecycle (notice to disposal)

The Common Criteria (CC) are grouped into nine families aligned to COSO components:

CC familyThemeCoverage summary
CC1Control EnvironmentIntegrity, ethics, board oversight, structure, competence, accountability
CC2Communication and InformationInternal and external communication of control responsibilities
CC3Risk AssessmentObjective setting, risk identification, fraud risk, change assessment
CC4Monitoring ActivitiesOngoing and separate evaluations; remediation of deficiencies
CC5Control ActivitiesSelection and development of controls and technology controls
CC6Logical and Physical Access ControlsIdentity, authentication, authorisation, physical security, disposal
CC7System OperationsVulnerability detection, monitoring, incident response, recovery
CC8Change ManagementAuthorised, tested and approved changes to infrastructure and software
CC9Risk MitigationBusiness disruption mitigation and vendor / third-party risk

Master Assessment Checklist

This is the core section. Each criteria family is enumerated with what an examiner will verify and the typical evidence you must be able to produce. Treat every row as a potential test of control. Nothing here should be skipped during readiness.

CC1 — Control Environment

What to verifyTypical evidence
Board / governance body provides oversight of the system of internal controlBoard or security-committee charter, meeting minutes, oversight agenda
Code of conduct and ethics is defined and acknowledgedSigned code of conduct, employee handbook, acknowledgement records
Organisational structure, authority and reporting lines are definedOrg chart, RACI, role descriptions, delegation of authority
Hiring includes background checks and competence assessmentBackground-check records, job descriptions, interview scorecards
Individuals are held accountable via performance and disciplinary processPerformance review records, disciplinary policy, KPI/OKR records

CC2 — Communication and Information

What to verifyTypical evidence
Quality information supports the functioning of internal controlData flow diagrams, system inventory, information classification policy
Internal communication of control responsibilitiesPolicy portal, onboarding decks, all-hands security updates
External communication with customers and stakeholdersCustomer notices, status page, terms of service, security page
Whistle-blower or anonymous reporting channel existsEthics hotline configuration, reporting procedure, sample tickets

CC3 — Risk Assessment

What to verifyTypical evidence
Objectives are specified with sufficient clarity to assess riskDocumented business and security objectives, risk appetite statement
Risks to objectives are identified and analysedRisk register with likelihood/impact scoring, risk assessment methodology
Potential for fraud is considered in risk assessmentFraud risk assessment, segregation-of-duties analysis
Significant changes are assessed for impact on internal controlChange-risk assessments, architecture review records

CC4 — Monitoring Activities

What to verifyTypical evidence
Ongoing and separate evaluations are performedInternal audit plan, control self-assessments, continuous monitoring dashboards
Internal control deficiencies are evaluated and communicatedDeficiency log, remediation tracker, management review minutes
Independent assessments (pen tests, audits) are conductedPenetration test reports, third-party audit reports, vulnerability scans

CC5 — Control Activities

What to verifyTypical evidence
Control activities are selected to mitigate risks to acceptable levelsControl matrix mapping risks to controls, policy set
General technology controls are deployedBaseline hardening standards, IaC policies, configuration management records
Controls are deployed through policies and proceduresApproved policies with review dates and owners, procedure documents

CC6 — Logical and Physical Access Controls

What to verifyTypical evidence
Logical access is restricted through identity and credential managementIAM configuration, SSO/MFA settings, password policy
Access is provisioned and modified through authorised requestsJoiner-mover-leaver tickets, access approval workflow
Access is periodically reviewed and de-provisioned on terminationQuarterly access review records, termination checklists, deactivation logs
Least-privilege and role-based access are enforcedRole definitions, privileged-access management (PAM) logs
Network access is protected (firewalls, segmentation, VPN)Firewall rule sets, network diagrams, VPN and bastion configs
Encryption protects data at rest and in transitTLS configuration, KMS/key management policy, disk-encryption settings
Physical access to facilities and assets is restrictedBadge access logs, visitor logs, data centre attestations (carve-out)
Media and assets are securely disposed ofAsset disposal records, certificates of destruction, wipe logs

CC7 — System Operations

What to verifyTypical evidence
Vulnerabilities are detected and configuration monitoredVulnerability scan reports, SIEM/EDR alerts, config drift reports
Security events are monitored and anomalies detectedLog management config, SIEM alert rules, monitoring dashboards
Incidents are identified, contained and responded toIncident response plan, incident tickets, post-incident reviews
Recovery from incidents restores operationsRecovery procedures, evidence of recovery testing

CC8 — Change Management

What to verifyTypical evidence
Changes are authorised, designed and documentedChange management policy, change tickets with approvals
Changes are tested before deploymentTest results, QA sign-off, staging evidence, automated CI checks
Emergency changes follow a defined exception processEmergency change records with retrospective approval
Segregation between development and production is maintainedDeployment pipeline config, separation-of-duties evidence

CC9 — Risk Mitigation

What to verifyTypical evidence
Business disruption risks are mitigated (BCP/insurance)Business continuity plan, cyber-insurance policy, BIA
Vendor and business-partner risk is assessed and managedVendor risk assessments, due-diligence records, executed DPAs/contracts
Sub-service organisations are monitoredReviews of sub-service SOC reports, CSOC monitoring evidence

A1 — Availability (if in scope)

What to verifyTypical evidence
Capacity is monitored and forecast to meet demandCapacity dashboards, autoscaling config, capacity planning records
Environmental protections and backups are maintainedBackup schedules, backup success logs, redundancy architecture
Recovery and business continuity are testedDR test results, failover reports, RTO/RPO documentation

PI1 — Processing Integrity (if in scope)

What to verifyTypical evidence
Processing specifications are defined and communicatedData processing specifications, SLAs, quality definitions
Inputs are complete, accurate and authorisedInput validation rules, reconciliation reports, edit checks
Processing produces complete and accurate resultsProcessing logs, reconciliation controls, exception reports
Outputs are complete, accurate, timely and protectedOutput validation, delivery confirmations, error handling records
Stored data is retained completely and accuratelyData retention policy, storage integrity checks

C1 — Confidentiality (if in scope)

What to verifyTypical evidence
Confidential information is identified and protectedData classification policy, DLP configuration, encryption evidence
Confidential information is disposed of when no longer neededRetention/disposal schedule, deletion logs, destruction certificates

P1 to P8 — Privacy (if in scope)

What to verifyTypical evidence
P1 Notice of privacy practices is provided to data subjectsPrivacy notice, consent banners, policy publication records
P2 Choice and consent are obtained for collection and useConsent records, preference centre, opt-in/opt-out logs
P3 Personal information is collected consistently with noticeCollection inventory, data-mapping records, lawful-basis analysis
P4 Use, retention and disposal are limited to stated purposesRetention schedule, purpose-limitation controls, deletion evidence
P5 Access by data subjects is provided (DSAR)DSAR procedure, request logs, identity-verification records
P6 Disclosure to third parties is authorised and controlledData processing agreements, third-party inventory, transfer safeguards
P7 Quality of personal information is maintainedData accuracy controls, correction request handling
P8 Monitoring and enforcement of privacy commitmentsPrivacy incident log, complaint handling, privacy audits

Scoping the SOC 2 Examination

Scoping decisions drive cost, timeline and buyer value. They must be settled before the observation period begins, because a Type II report tests controls across the whole period.

  1. Select the Trust Services Categories. Security is mandatory. Add Availability, Confidentiality, Processing Integrity or Privacy only where you make explicit commitments to customers or where a category materially reflects your service.
  2. Define the system boundary. Document the in-scope product(s), infrastructure, software, people, data and procedures that make up the 'system' under examination.
  3. Decide report type. Type I for a first-year point-in-time bridge; Type II for the operating-effectiveness report enterprise buyers expect.
  4. Set the observation period. Common first Type II periods are 3 to 6 months; recurring reports usually cover 12 months for continuous coverage.
  5. Choose the sub-service organisation method. Carve-out (exclude and monitor via their SOC report) is typical for AWS/Azure/GCP; inclusive method incorporates their controls into your report.
  6. Identify complementary user entity controls (CUECs) that your customers must operate for the controls to be effective.
  7. Confirm legal entities, environments (prod only vs prod plus corporate IT) and geographic locations covered.
Scoping pitfall
Adding Privacy or Processing Integrity prematurely dramatically increases effort. Start with Security plus Availability and Confidentiality for most SaaS vendors, then expand categories in later years as customer demand and maturity grow.

Implementation Approach (Phased)

A structured programme takes a typical mid-size SaaS from zero to a clean Type II in roughly 6 to 12 months. The following phases sequence the work and set deliverables.

Phase 1 — Readiness and Gap Assessment

  • Activities: select TSC categories, define system boundary, perform a gap assessment against every applicable criterion, build the risk register and control matrix.
  • Deliverables: scoping document, gap assessment report, prioritised remediation roadmap, project plan and RACI.

Phase 2 — Policy and Governance Foundation

  • Activities: author and approve the information security policy suite (access, change, incident, risk, vendor, BCP/DR, data classification, HR security), establish security governance forum, assign control owners.
  • Deliverables: approved policy set with review dates, governance charter, control-ownership register.

Phase 3 — Technical and Operational Remediation

  • Activities: deploy SSO/MFA, PAM, encryption, logging and SIEM, vulnerability management, endpoint protection, secure SDLC gates, backup and DR, and access review automation.
  • Deliverables: hardened baseline configurations, monitoring dashboards, remediated access model, DR test results.

Phase 4 — Operate and Collect Evidence (Observation Period)

  • Activities: run controls in production over the observation window; perform quarterly access reviews, risk assessments, incident drills, vendor reviews; continuously collect evidence.
  • Deliverables: populated evidence repository, control operation logs, management review records covering the full period.

Phase 5 — Independent Examination

  • Activities: engage a licensed CPA firm, prepare management's assertion and system description, support fieldwork, respond to sample requests and clarifications.
  • Deliverables: draft and final SOC 2 report, auditor opinion, management response to any exceptions.

Phase 6 — Continuous Compliance and Renewal

  • Activities: maintain controls, automate evidence collection, monitor drift, feed findings into risk assessment, plan the next annual period with no coverage gap.
  • Deliverables: continuous monitoring reports, updated risk register, renewal plan and next-period timeline.

Maturity and Capability Model

SOC 2 does not itself assign maturity levels, but a capability model is invaluable for tracking readiness and communicating progress to leadership. The following five-level model maps organisational maturity to SOC 2 outcomes.

LevelNameCharacteristicsSOC 2 outcome
1Initial / Ad hocControls undocumented, informal, reactiveNot ready; multiple design gaps
2DevelopingPolicies drafted, some controls implemented inconsistentlyPartial design; likely qualified opinion
3DefinedControls documented, owned and operating across the orgReady for Type I; approaching Type II
4ManagedControls consistently operating with evidence collected continuouslyClean Type II achievable
5OptimisedAutomated evidence, continuous monitoring, metrics-driven improvementClean recurring Type II with minimal effort

Assessment and Audit Approach

The examination follows AICPA attestation standards. The service auditor executes an evidence-based process from planning through opinion.

  1. Engagement acceptance: the CPA firm confirms independence, competence and scope, and agrees the categories, system boundary, report type and period.
  2. Understanding the system: the auditor documents the service, controls and the description prepared by management.
  3. Risk assessment and control identification: the auditor maps management's controls to each applicable Trust Services Criterion.
  4. Design evaluation (Type I and II): the auditor tests whether controls are suitably designed to meet the criteria.
  5. Operating effectiveness testing (Type II only): the auditor selects samples across the period and performs inquiry, observation, inspection and re-performance.
  6. Exception evaluation: any control failures are assessed for severity and impact on the opinion.
  7. Forming the opinion: unqualified, qualified, adverse or disclaimer, based on results.
  8. Reporting: the auditor issues the report containing the opinion, management's assertion, the system description, and (Type II) the tests of controls and results.
  9. Management response: management addresses any exceptions and describes remediation.

Evidence Request List

Auditors request evidence by category. Prepare a repository organised as follows before fieldwork.

  • Governance: board/committee minutes, org chart, code of conduct, policy suite with approval and review dates.
  • HR security: background-check records, onboarding and offboarding checklists, security-awareness training completion.
  • Access management: IAM/SSO/MFA configuration, joiner-mover-leaver tickets, quarterly access review records, PAM logs.
  • Change management: change tickets with approvals, CI/CD pipeline configuration, QA sign-offs, deployment logs.
  • System operations: vulnerability scan and penetration test reports, SIEM/EDR alerts, incident tickets and post-mortems.
  • Availability: backup success logs, DR test results, capacity monitoring, uptime/status reports.
  • Encryption and network: TLS/KMS configuration, firewall rules, network diagrams, disk-encryption settings.
  • Vendor risk: vendor inventory, due-diligence assessments, executed contracts and DPAs, sub-service SOC report reviews.
  • Risk and monitoring: risk register, risk assessment methodology, internal audit and control self-assessment records.
  • Privacy (if in scope): privacy notice, consent records, DSAR logs, retention and disposal evidence.

Roles and Responsibilities

RoleSOC 2 responsibility
Executive sponsor / CEOApproves programme, funds resources, signs management assertion
CISO / Security leadOwns the control framework, drives remediation, manages the audit relationship
Compliance / GRC managerMaintains policies, evidence repository, control matrix and audit coordination
IT / DevOps / Platform engineeringImplements and operates technical controls, produces configuration evidence
HROperates background checks, onboarding/offboarding and training controls
Legal / PrivacyOwns contracts, DPAs, privacy notice and regulatory alignment
Control ownersOperate assigned controls and supply evidence during the period
Internal auditPerforms independent monitoring and control self-assessments
Independent CPA firmPerforms the examination and issues the SOC 2 report

KPIs to Track

  • Percentage of controls with a named owner and current evidence.
  • Access review completion rate and time to remediate access exceptions.
  • Mean time to detect and mean time to respond for security incidents.
  • Percentage of changes following the approved change-management process.
  • Vulnerability remediation SLA adherence (critical/high within target days).
  • Backup success rate and DR test pass rate against RTO/RPO targets.
  • Vendor risk assessments completed for in-scope third parties.
  • Security-awareness training completion rate.
  • Number and severity of audit exceptions per period (trend downward).
  • Policy review currency (percentage reviewed within the last 12 months).

Readiness Checklist

  • Trust Services Categories selected and system boundary documented
  • Full information security policy suite authored, approved and communicated
  • Risk register and control matrix completed and mapped to every applicable criterion
  • SSO, MFA and least-privilege access enforced across production and corporate systems
  • Quarterly access reviews scheduled and evidence retained
  • Change management with approvals, testing and dev/prod separation operating
  • Centralised logging, SIEM/EDR monitoring and incident response plan in place and tested
  • Vulnerability management and annual penetration testing performed
  • Encryption enforced at rest and in transit with key management
  • Backups running with verified restores and a tested DR/BCP plan
  • Vendor risk assessments and DPAs completed; sub-service SOC reports reviewed
  • Security-awareness training and background checks completed for all staff
  • Evidence repository organised by criteria and covering the full observation period
  • Licensed CPA firm engaged and management assertion and system description drafted

Common Gaps

  • Access reviews performed once for the audit rather than consistently throughout the period, causing operating-effectiveness exceptions.
  • Terminated users not de-provisioned promptly, leaving stale accounts detectable in samples.
  • Change management bypassed for 'quick fixes' with no ticket, approval or test evidence.
  • Policies written but never approved, dated or communicated to staff.
  • Incident response plan documented but never tested; no evidence of tabletop or drill.
  • Vendor risk programme absent; sub-service organisation SOC reports never reviewed.
  • Backups configured but restores never tested, and no DR exercise evidence.
  • Security-awareness training incomplete for a subset of the workforce.
  • Evidence collected only near audit time, leaving gaps earlier in the observation period.
  • Overscoping with Privacy or Processing Integrity before those controls are mature, leading to qualifications.

SOC 2 Mapped to Other Frameworks

SOC 2 controls overlap heavily with other frameworks, enabling a build-once, comply-many approach. The mapping below is indicative and should be validated against the authoritative crosswalks.

SOC 2 areaISO 27001NIST CSFPCI DSSGDPR / DPDP
CC1 Control EnvironmentA.5 Organisational / Clauses 5-9Govern (GV)Req 12 PolicyAccountability principle
CC6 Access ControlsA.5.15-18, A.8 AccessProtect (PR.AA)Req 7, 8 AccessSecurity of processing
CC7 System OperationsA.8.15-16 Logging/MonitoringDetect (DE), Respond (RS)Req 10, 11 MonitoringBreach detection
CC8 Change ManagementA.8.32 Change managementProtect (PR.PS)Req 6 Secure devN/A
CC9 Risk MitigationA.5.19-23 Supplier / Clause 6Identify (ID.RA)Req 12 VendorProcessor obligations
Availability (A1)A.5.29-30, A.8.13-14Recover (RC)Req 12.10 IRAvailability of processing
Confidentiality (C1)A.8.10-12 DataProtect (PR.DS)Req 3 Protect stored dataConfidentiality principle
Privacy (P1-P8)ISO 27701 (PIMS)Not coreN/AFull GDPR / DPDP articles
How CyberSigma helps
CyberSigma runs end-to-end SOC 2 programmes for SaaS and technology organisations across India, the Middle East and globally. We perform the readiness and gap assessment, author and operationalise your full policy and control set, remediate technical gaps (IAM, encryption, logging, vulnerability and change management), and stand up an audit-ready evidence repository with continuous monitoring so controls hold across the entire observation period. We manage the relationship with the licensed CPA firm through fieldwork to a clean Type II opinion, and align the same controls to ISO 27001, PCI DSS, NIST CSF and DPDP/GDPR so you build once and comply many. Talk to our CERT-In empanelled and PCI QSA advisors to plan your fastest path to a defensible, buyer-ready SOC 2 report.
Free 1-minute check
ISO 27001 Readiness Checker
See how close you are to ISO 27001 certification — free, in 5 questions.
Try it free →

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?
Type I attests that controls are suitably designed at a point in time; Type II attests they operated effectively over a period. Enterprise buyers increasingly prefer Type II.
Is SOC 2 a certification?
Not exactly — it is an attestation report with an auditor’s opinion, not a certificate. You share the report itself as proof.
SOC 2 vs ISO 27001 — which do I need?
SOC 2 is favoured by US buyers; ISO 27001 is a globally recognised certification. Many companies pursue both; the underlying controls overlap heavily.

Need help with SOC 2?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.