Compliance Frameworks - Learning Module

Loading content...

0/273

SOC 2 Compliance

The Trust Framework for Service Organizations

Service Organization Control 2 (SOC 2) has become the de facto standard for demonstrating security and operational excellence in the B2B software industry. Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 provides a framework for service organizations to prove they can be trusted with customer data.

Unlike regulatory frameworks (GDPR, HIPAA) that impose legal requirements, SOC 2 is a voluntary attestation. However, 'voluntary' is somewhat misleading—in practice, SOC 2 compliance has become a prerequisite for many enterprise sales. When an enterprise evaluates a SaaS vendor, a SOC 2 report is often on the mandatory requirements list alongside pricing and features.

SOC 2 Is Business-Critical

For SaaS and cloud companies, SOC 2 compliance directly impacts revenue. Enterprise customers increasingly require SOC 2 reports during vendor evaluation. Lacking SOC 2 can delay or block sales cycles, while having it accelerates trust-building and reduces customer due diligence burden.

Understanding SOC 2

SOC 2 is one of several SOC reports defined by the AICPA. Understanding how it differs from related reports clarifies its specific purpose and value.

SOC Report Types Comparison
Report Type	Scope	Audience	Common Use Case
SOC 1	Controls relevant to user entity's financial reporting (ICFR)	Auditors of user entities, management	Payroll processors, financial services, billing platforms
SOC 2	Controls based on Trust Services Criteria (security, availability, etc.)	Management, regulators, customers, prospects	SaaS companies, cloud providers, data centers, IT service providers
SOC 3	Same criteria as SOC 2, but a summarized, public report	General public, marketing materials	Public trust seal, website badge, broad distribution

Type I vs Type II: The Critical Distinction

Within SOC 2, there are two report types that represent fundamentally different assurance levels:

Type I Report:

Examines controls at a specific point in time
Auditor verifies that controls are designed appropriately
Faster to achieve (typically 2-4 months for initial assessment)
Lower assurance—controls exist but may not work consistently
Often used as a stepping stone while Type II is in progress

Type II Report:

Examines controls over a period of time (typically 6-12 months)
Auditor verifies that controls are designed AND operating effectively
More rigorous—requires evidence that controls worked throughout the period
Higher assurance—demonstrates sustained compliance
What most enterprise customers require

The Audit Period Consideration

A Type II report covering 12 months provides stronger assurance than one covering 6 months. Organizations typically start with a 6-month Type II for their first audit, then move to annual 12-month audits. The audit period must be continuous—if you let your report lapse, you may need to restart with another Type I.

Bridge Letters

The gap between when your last audit period ended and today can concern customers. Organizations often provide 'bridge letters'—management assertions that controls have continued operating effectively since the audit end date. Some auditors also offer 'gap attestations' covering interim periods.

The Trust Services Criteria

SOC 2 reports evaluate controls against the AICPA's Trust Services Criteria (TSC). There are five categories, though only Security is required—the others are selected based on business relevance.

The Five Trust Services Criteria

•Security (Required) — The foundational category. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise availability, integrity, confidentiality, and privacy. Sometimes called the 'Common Criteria' because many controls overlap with other categories.
•Availability — Information and systems are available for operation and use as committed or agreed. Includes uptime commitments, capacity planning, disaster recovery, backup/restore, and incident response.
•Processing Integrity — System processing is complete, valid, accurate, timely, and authorized. Critical for financial processing, calculations, data transformations, and transaction processing.
•Confidentiality — Information designated as confidential is protected as committed or agreed. Covers confidential business data (trade secrets, contracts, business plans) beyond just personal data.
•Privacy — Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments and with criteria established by AICPA based on GAPP (Generally Accepted Privacy Principles). Primarily relevant when processing end-user personal information.

Selecting Your TSC Categories

Most organizations start with Security—it's required and establishes foundational controls. The decision to include additional categories depends on:

Availability: If you make uptime SLAs (99.9%, 99.99%), include this to demonstrate you can deliver
Processing Integrity: If you process transactions, calculations, or data transformations where accuracy is critical
Confidentiality: If you handle sensitive business data beyond personal information
Privacy: If you collect and process end-user personal information (overlap with GDPR)

The Control Criteria Structure

Each TSC category contains specific criteria organized into control families. The 2017 TSC revision aligned significantly with the COSO framework, making mapping to other frameworks easier.

Example Security criteria groups:

CC1: Control Environment (governance, oversight)
CC2: Communication and Information (internal/external communication)
CC3: Risk Assessment (risk identification, analysis)
CC4: Monitoring Activities (ongoing and separate evaluations)
CC5: Control Activities (policies and procedures)
CC6: Logical and Physical Access Controls
CC7: System Operations (incident management, change management)
CC8: Change Management (change control processes)
CC9: Risk Mitigation (risk management activities)

Mapping to Other Frameworks

The AICPA provides mappings between TSC and other frameworks: ISO 27001, NIST Cybersecurity Framework, COBIT, and HIPAA Security Rule. If you're pursuing multiple compliance frameworks, these mappings help identify overlapping controls and reduce redundant work.

Control Design and Implementation

SOC 2 is not prescriptive about specific technologies or processes—it requires you to define your own controls appropriate to your organization and demonstrate they meet the criteria. This flexibility is both a strength (you design what works for you) and a challenge (you must articulate and evidence your approach).

Controls fall into several categories:

Control Categories and Examples
Category	Description	Examples
Preventive	Stop issues before they occur	Firewall rules, access controls, input validation, encryption
Detective	Identify issues when they occur	Log monitoring, intrusion detection, anomaly detection, auditing
Corrective	Fix issues after detection	Incident response, backup restoration, patching
Compensating	Alternative controls when primary isn't feasible	Manual reviews when automated controls unavailable

Key Control Areas for SaaS Organizations

While controls vary by organization, certain areas are nearly universal for cloud and SaaS providers:

Access & Identity Controls

•Unique user IDs for all personnel
•Strong password/passphrase policies
•Multi-factor authentication (MFA)
•Role-based access control (RBAC)
•Privileged access management (PAM)
•Access reviews (quarterly/annually)
•Timely access deprovisioning
•SSO integration and enforcement

Operational Controls

•Change management processes
•Code review requirements
•Deployment approval workflows
•Vulnerability management program
•Penetration testing (annual minimum)
•Incident response procedures
•Business continuity/disaster recovery
•Vendor management program

Technical Controls

•Encryption — Data at rest (AES-256), data in transit (TLS 1.2+), key management
•Network Security — Firewalls, network segmentation, intrusion detection/prevention
•Endpoint Security — Antivirus/EDR, mobile device management, disk encryption
•Logging & Monitoring — Centralized logging, SIEM, alerting, log retention
•Backup & Recovery — Regular backups, encryption, tested restorations, offsite storage
•Infrastructure Security — Hardened configurations, patch management, asset inventory

Control Descriptions Matter

Auditors evaluate your controls as you describe them. Write control descriptions precisely—vague controls are harder to evidence and may lead to findings. 'Access reviews are performed' is weak; 'Quarterly access reviews are performed by department managers for all active users, with remediation tracked to completion' is specific and auditable.

Evidence Collection and Management

For Type II audits, you must provide evidence that controls operated effectively throughout the audit period. This evidence requirement fundamentally impacts how organizations operate—you cannot demonstrate retroactively that controls worked if you weren't collecting evidence at the time.

Common Evidence Types

•Policies and Procedures — Written documentation of control activities. Must be version-controlled, approved, and distributed.
•System Configurations — Screenshots or exports of security settings, access control configurations, encryption settings, firewall rules.
•Access Lists — Current user listings with roles, privileged account listings, access review documentation showing reviews occurred.
•Logs and Audit Trails — System logs demonstrating monitoring and alerting, login logs, change management logs, security event logs.
•Meeting Minutes — Records of security committee meetings, access review meetings, risk assessment discussions, incident reviews.
•Training Records — Evidence that security awareness training was completed by personnel, including dates and topics.
•Third-Party Reports — Penetration test reports, vulnerability scan results, vendor SOC reports, audit findings.
•Tickets and Tracking — Change management tickets, incident tickets with resolution, vulnerability remediation tickets.
•Contracts and Agreements — Vendor contracts, confidentiality agreements, employee agreements acknowledging policies.

The Sampling Methodology

Auditors don't examine every instance of every control—they use sampling to assess control effectiveness. The sample size is based on frequency:

Control Frequency	Typical Sample Size
Annual	1 (must see it occurred)
Quarterly	2 (auditors typically test more)
Monthly	3-5
Weekly	10-15
Daily or per-occurrence	25+ (depending on population)

This means:

High-frequency controls (code reviews, change tickets) require proportionally more evidence
A single exception in a monthly control is more significant than one in hundreds of daily occurrences
Controls must operate consistently—sporadic compliance is insufficient

Exception Management

Auditors will find exceptions—instances where controls didn't operate as designed. Not all exceptions result in report findings:

True exceptions — Control didn't work. The question is: was it compensating control in place? Was risk acceptable?
Documentation gaps — Control worked, but evidence wasn't captured. Often results in management response.
Process evolution — Control changed during period. Auditor must assess both versions.

When exceptions occur, be transparent with auditors. A documented exception with management response is better than trying to hide gaps, which can undermine the entire audit relationship.

Year-Round Collection

SOC 2 readiness isn't a month-long project before audit—it's year-round operational discipline. Establish evidence collection processes from day one: automated log aggregation, ticket systems that preserve history, document management with version control. The audit is a snapshot of ongoing practices.

The SOC 2 Audit Process

Understanding the audit process helps organizations prepare effectively and set appropriate expectations for timeline and resource requirements.

Audit Phases

•Scoping and Planning (2-4 weeks) — Define systems in scope, select TSC categories, establish audit period, set timeline, assign internal owners. Auditor issues engagement letter and planning documents.
•Readiness Assessment (Optional, 4-8 weeks) — Pre-audit gap assessment. Auditor reviews controls against TSC, identifies gaps before formal audit. Highly recommended for first-time audits.
•Control Description Review (2-4 weeks) — Auditor reviews your documented control descriptions for completeness and alignment with TSC criteria. Iterate on descriptions as needed.
•Evidence Request (Ongoing through audit period) — Auditor issues Information Requested List (IRL). Organization gathers and submits evidence. This is the most labor-intensive phase.
•Testing and Walkthroughs (4-8 weeks) — Auditor tests evidence, conducts interviews, performs walkthroughs of key processes. May request additional evidence or clarification.
•Exception Remediation and Management Response (2-4 weeks) — For any exceptions found, organization provides management response explaining the finding and remediation actions.
•Report Drafting and Review (2-4 weeks) — Auditor drafts report, organization reviews for accuracy. Negotiate wording on any disputed items. Finalize management assertions.
•Final Report Issuance — Auditor issues official SOC 2 report. Organization can distribute to customers under NDA or appropriate restrictions.

Choosing an Auditor

SOC 2 audits must be performed by licensed CPA firms. When selecting an auditor:

Industry experience — Auditors familiar with SaaS/cloud have relevant context
Reputation — Enterprise customers may scrutinize your auditor's reputation
Team composition — Mix of accountants and IT security professionals
Technology — Modern auditors use secure portals, not endless email attachments
Guidance approach — Best auditors balance compliance rigor with practical guidance
Pricing transparency — Understand fixed vs. variable costs, additional request fees

Timeline Expectations

Audit Type	Typical Timeline
Type I (first audit)	3-6 months total
Type II (first, 6-month period)	8-12 months (including audit period)
Type II (renewal, 12-month period)	Continuous; report 2-3 months after period end

For renewals, organizations typically run their audit period continuously (e.g., January 1 - December 31), with auditors testing throughout and issuing the report 2-3 months after period end.

The Continuous Audit Model

Modern organizations move toward continuous audit approaches: auditors access systems throughout the year (read-only), automatically collect evidence, and perform rolling assessments. This reduces year-end crunch and catches issues earlier.

Understanding the SOC 2 Report

When you receive a SOC 2 report—whether your own or a vendor's—understanding its structure helps you interpret the findings correctly.

SOC 2 Report Sections

•Section I: Independent Auditor's Report — The auditor's opinion on whether controls are fairly stated (Type I) or operated effectively (Type II). Look for 'unqualified' (clean) opinions. Qualified opinions indicate issues.
•Section II: Management's Assertion — The organization's statement that the system description is accurate and controls meet criteria. Management takes responsibility for their claims.
•Section III: System Description — Detailed description of the system in scope: infrastructure, software, people, procedures, data. Establishes what was audited and any exclusions.
•Section IV: Trust Services Criteria and Controls — The heart of the report. Lists each applicable TSC criterion, the organization's controls addressing it, and auditor's tests and results.
•Section V: Complementary User Entity Controls (CUECs) — Controls the customer (user entity) is expected to implement. Critical for understanding shared responsibility.
•Section VI: Complementary Subservice Organization Controls (CSOCs) — Controls handled by subservice organizations (e.g., cloud providers). Often use 'carve-out' or 'inclusive' methods.

Reading a SOC 2 Report: What to Look For

When evaluating a vendor's SOC 2 report:

Audit opinion type — Unqualified is good; qualified means issues
Audit period — How recent is it? Is there a gap to today?
TSC categories — Does it include Availability if they have SLAs?
Scope — Does it cover the specific services you're using?
Exceptions — Section IV shows any control failures. Read management responses.
CUECs — What are you responsible for? Can you implement those controls?
Subservice organizations — Are AWS/Azure/GCP included, or carved out? If carved out, you need their SOC reports too.

The Carve-Out vs. Inclusive Method

When service organizations rely on subservice providers (like cloud providers):

Carve-Out Method — Subservice organization's controls are excluded from the report. Readers need the subservice org's own SOC report for complete picture.
Inclusive Method — Subservice organization's controls are included and tested. More comprehensive but more complex for the service organization to achieve.

Most SaaS providers use the carve-out method for cloud infrastructure, referencing AWS/Azure/GCP's own SOC reports for underlying controls.

Don't Ignore CUECs

Complementary User Entity Controls are controls you must implement for the vendor's security to be complete. If a SOC report lists 'User entity is responsible for MFA on accounts' and you haven't configured MFA, you have a gap—regardless of how clean the vendor's report is.

Automation and Continuous Compliance

Modern compliance approaches leverage automation to reduce manual burden, improve accuracy, and enable continuous compliance rather than point-in-time audits.

Compliance Automation Platforms

•Vanta — Automated evidence collection, continuous monitoring, SOC 2/ISO 27001/HIPAA frameworks, auditor integration
•Drata — Real-time compliance monitoring, automated evidence collection, multiple framework support
•Secureframe — Automated compliance, integrated training, vendor management, policy templates
•Laika — AI-powered compliance platform, evidence automation, framework mapping
•Thoropass (formerly Laika) — Combined platform and professional services approach

What Automation Enables

Continuous Evidence Collection
- Direct integrations with AWS, Azure, GCP for infrastructure configuration
- HR system integrations for onboarding/offboarding evidence
- GitHub/GitLab integrations for code review and deployment evidence
- Identity provider integrations for access control evidence
- Endpoint management integrations for device security
Automated Control Monitoring
- Real-time alerts when controls fail (encryption disabled, MFA not enforced)
- Drift detection from compliant configurations
- Automatic evidence screenshots and exports
Audit Preparation Streamlining
- Pre-organized evidence packages mapped to TSC criteria
- Auditor portals with role-based access
- Evidence completeness dashboards
- Exception tracking and management response workflows
Multi-Framework Mapping
- Single control maps to SOC 2, ISO 27001, HIPAA, GDPR
- Evidence reuse across frameworks
- Gap identification across frameworks

Build vs. Buy Considerations

Organizations can build their own compliance automation (custom dashboards, scripted evidence collection) or use commercial platforms. Considerations:

Build: Lower direct cost but significant engineering time; custom fit; maintenance burden
Buy: Faster to implement; auditor familiarity; ongoing license costs; may not fit perfectly

For most organizations, the time savings from commercial platforms justify the cost, especially given the engineering opportunity cost of building in-house.

Compliance as Culture

Automation handles mechanics, but culture determines success. When security practices are embedded in daily work—not bolt-ons for audit season—SOC 2 becomes a natural byproduct of good operations rather than a special project.

Summary: SOC 2 as Operational Excellence

SOC 2 represents more than compliance checkbox—it's a framework for building and demonstrating operational excellence. Key insights:

Key Takeaways

•SOC 2 is de facto required for B2B SaaS — Enterprise customers expect it. Lack of SOC 2 impacts sales.
•Type II provides meaningful assurance — Controls operating over time, not just designed. This is what customers want.
•Trust Services Criteria are flexible — Select Security plus categories relevant to your business (Availability for SLAs, Processing Integrity for financial data).
•Controls are your design — SOC 2 doesn't prescribe specific technologies. You define controls appropriate to your organization.
•Evidence is year-round — Year-long operational discipline, not audit-season project. Collection processes must be in place continuously.
•The report structure matters — Understand opinions, exceptions, CUECs, and subservice organization handling when reading any SOC 2.
•Automation enables continuous compliance — Modern platforms reduce manual burden and catch issues before auditors do.

Moving Forward

With SOC 2's framework for service organization controls understood, we'll examine PCI DSS—the Payment Card Industry Data Security Standard. Where SOC 2 is broad and flexible, PCI DSS is prescriptive and specific, designed to protect cardholder data in payment processing systems.

Page Complete

You now understand SOC 2's structure, the Trust Services Criteria, control design and evidence requirements, the audit process, and modern automation approaches. These concepts apply beyond SOC 2 to operational excellence generally—good security operations naturally produce SOC 2 compliance.