SOC 2 Compliance

SOC 2 Type I and Type II compliance preparation for SaaS companies. Covers Trust Service Criteria mapping, control matrix generation, evidence collection, gap analysis, and audit readiness assessment.

Table of Contents

• Overview
• Trust Service Criteria
• Control Matrix Generation
• Gap Analysis Workflow
• Evidence Collection
• Audit Readiness Checklist
• Vendor Management
• Continuous Compliance
• Anti-Patterns
• Tools
• References
• Cross-References

---

Overview

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how a service organization manages customer data. It applies to any technology company that stores, processes, or transmits customer information — primarily SaaS, cloud infrastructure, and managed service providers.

Type I vs Type II

Aspect	Type I	Type II
Scope	Design of controls at a point in time	Design AND operating effectiveness over a period
Duration	Snapshot (single date)	Observation window (3-12 months, typically 6)
Evidence	Control descriptions, policies	Control descriptions + operating evidence (logs, tickets, screenshots)
Cost	$20K-$50K (audit fees)	$30K-$100K+ (audit fees)
Timeline	1-2 months (audit phase)	6-12 months (observation + audit)
Best For	First-time compliance, rapid market need	Mature organizations, enterprise customers

Who Needs SOC 2?

• SaaS companies selling to enterprise customers
• Cloud infrastructure providers handling customer workloads
• Data processors managing PII, PHI, or financial data
• Managed service providers with access to client systems
• Any vendor whose customers require third-party assurance

Typical Journey

Gap Assessment → Remediation → Type I Audit → Observation Period → Type II Audit → Annual Renewal
    (4-8 wk)      (8-16 wk)     (4-6 wk)       (6-12 mo)          (4-6 wk)       (ongoing)

---

Trust Service Criteria

SOC 2 is organized around five Trust Service Criteria (TSC) categories. Security is required for every SOC 2 report; the remaining four are optional and selected based on business need.

Security (Common Criteria CC1-CC9) — Required

The foundation of every SOC 2 report. Maps to COSO 2013 principles.

Criteria	Domain	Key Controls
CC1	Control Environment	Integrity/ethics, board oversight, org structure, competence, accountability
CC2	Communication & Information	Internal/external communication, information quality
CC3	Risk Assessment	Risk identification, fraud risk, change impact analysis
CC4	Monitoring Activities	Ongoing monitoring, deficiency evaluation, corrective actions
CC5	Control Activities	Policies/procedures, technology controls, deployment through policies
CC6	Logical & Physical Access	Access provisioning, authentication, encryption, physical restrictions
CC7	System Operations	Vulnerability management, anomaly detection, incident response
CC8	Change Management	Change authorization, testing, approval, emergency changes
CC9	Risk Mitigation	Vendor/business partner risk management

Availability (A1) — Optional

Criteria	Focus	Key Controls
A1.1	Capacity management	Infrastructure scaling, resource monitoring, capacity planning
A1.2	Recovery operations	Backup procedures, disaster recovery, BCP testing
A1.3	Recovery testing	DR drills, failover testing, RTO/RPO validation

Select when: Customers depend on your uptime; you have SLAs; downtime causes direct business impact.

Confidentiality (C1) — Optional

Criteria	Focus	Key Controls
C1.1	Identification	Data classification policy, confidential data inventory
C1.2	Protection	Encryption at rest and in transit, DLP, access restrictions
C1.3	Disposal	Secure deletion procedures, media sanitization, retention enforcement

Select when: You handle trade secrets, proprietary data, or contractually confidential information.

Processing Integrity (PI1) — Optional

Criteria	Focus	Key Controls
PI1.1	Accuracy	Input validation, processing checks, output verification
PI1.2	Completeness	Transaction monitoring, reconciliation, error handling
PI1.3	Timeliness	SLA monitoring, processing delay alerts, batch job monitoring
PI1.4	Authorization	Processing authorization controls, segregation of duties

Select when: Data accuracy is critical (financial processing, healthcare records, analytics platforms).

Privacy (P1-P8) — Optional

Criteria	Focus	Key Controls
P1	Notice	Privacy policy, data collection notice, purpose limitation
P2	Choice & Consent	Opt-in/opt-out, consent management, preference tracking
P3	Collection	Minimal collection, lawful basis, purpose specification
P4	Use, Retention, Disposal	Purpose limitation, retention schedules, secure disposal
P5	Access	Data subject access requests, correction rights
P6	Disclosure & Notification	Third-party sharing, breach notification
P7	Quality	Data accuracy verification, correction mechanisms
P8	Monitoring & Enforcement	Privacy program monitoring, complaint handling

Select when: You process PII and customers expect privacy assurance (complements GDPR compliance).

---

Control Matrix Generation

A control matrix maps each TSC criterion to specific controls, owners, evidence, and testing procedures.

Matrix Structure

Field	Description
Control ID	Unique identifier (e.g., SEC-001, AVL-003)
TSC Mapping	Which criteria the control addresses (e.g., CC6.1, A1.2)
Control Description	What the control does
Control Type	Preventive, Detective, or Corrective
Owner	Responsible person/team
Frequency	Continuous, Daily, Weekly, Monthly, Quarterly, Annual
Evidence Type	Screenshot, Log, Policy, Config, Ticket
Testing Procedure	How the auditor verifies the control

Control Naming Convention

{CATEGORY}-{NUMBER}
SEC-001 through SEC-NNN  → Security
AVL-001 through AVL-NNN  → Availability
CON-001 through CON-NNN  → Confidentiality
PRI-001 through PRI-NNN  → Processing Integrity
PRV-001 through PRV-NNN  → Privacy

Workflow

1. Select applicable TSC categories based on business needs
2. Run control_matrix_builder.py to generate the baseline matrix
3. Customize controls to match your actual environment
4. Assign owners and evidence requirements
5. Validate coverage — every selected TSC criterion must have at least one control

---

Gap Analysis Workflow

Phase 1: Current State Assessment

1. Document existing controls — inventory all security policies, procedures, and technical controls
2. Map to TSC — align existing controls to Trust Service Criteria
3. Collect evidence samples — gather proof that controls exist and operate
4. Interview control owners — verify understanding and execution

Phase 2: Gap Identification

Run gap_analyzer.py against your current controls to identify:

• Missing controls — TSC criteria with no corresponding control
• Partially implemented — Control exists but lacks evidence or consistency
• Design gaps — Control designed but does not adequately address the criteria
• Operating gaps (Type II only) — Control designed correctly but not operating effectively

Phase 3: Remediation Planning

For each gap, define:

Field	Description
Gap ID	Reference identifier
TSC Criteria	Affected criteria
Gap Description	What is missing or insufficient
Remediation Action	Specific steps to close the gap
Owner	Person responsible for remediation
Priority	Critical / High / Medium / Low
Target Date	Completion deadline
Dependencies	Other gaps or projects that must complete first

Phase 4: Timeline Planning

Priority	Target Remediation
Critical	2-4 weeks
High	4-8 weeks
Medium	8-12 weeks
Low	12-16 weeks

---

Evidence Collection

Evidence Types by Control Category

Control Area	Primary Evidence	Secondary Evidence
Access Management	User access reviews, provisioning tickets	Role matrix, access logs
Change Management	Change tickets, approval records	Deployment logs, test results
Incident Response	Incident tickets, postmortems	Runbooks, escalation records
Vulnerability Management	Scan reports, patch records	Remediation timelines
Encryption	Configuration screenshots, certificate inventory	Key rotation logs
Backup & Recovery	Backup logs, DR test results	Recovery time measurements
Monitoring	Alert configurations, dashboard screenshots	On-call schedules, escalation records
Policy Management	Signed policies, version history	Training completion records
Vendor Management	Vendor assessments, SOC 2 reports	Contract reviews, risk registers

Automation Opportunities

Area	Automation Approach
Access reviews	Integrate IAM with ticketing (automatic quarterly review triggers)
Configuration evidence	Infrastructure-as-code snapshots, compliance-as-code tools
Vulnerability scans	Scheduled scanning with auto-generated reports
Change management	Git-based audit trail (commits, PRs, approvals)
Uptime monitoring	Automated SLA dashboards with historical data
Backup verification	Automated restore tests with success/failure logging

Continuous Monitoring

Move from point-in-time evidence collection to continuous compliance:

1. Automated evidence gathering — scripts that pull evidence on schedule
2. Control dashboards — real-time visibility into control status
3. Alert-based monitoring — notify when a control drifts out of compliance
4. Evidence repository — centralized, timestamped evidence storage

---

Audit Readiness Checklist

Pre-Audit Preparation (4-6 Weeks Before)

• All controls documented with descriptions, owners, and frequencies
• Evidence collected for the entire observation period (Type II)
• Control matrix reviewed and gaps remediated
• Policies signed and distributed within the last 12 months
• Access reviews completed within the required frequency
• Vulnerability scans current (no critical/high unpatched > SLA)
• Incident response plan tested within the last 12 months
• Vendor risk assessments current for all subservice organizations
• DR/BCP tested and documented within the last 12 months
• Employee security training completed for all staff

Readiness Scoring

Score	Rating	Meaning
90-100%	Audit Ready	Proceed with confidence
75-89%	Minor Gaps	Address before scheduling audit
50-74%	Significant Gaps	Remediation required
< 50%	Not Ready	Major program build-out needed

Common Audit Findings

Finding	Root Cause	Prevention
Incomplete access reviews	Manual process, no reminders	Automate quarterly review triggers
Missing change approvals	Emergency changes bypass process	Define emergency change procedure with post-hoc approval
Stale vulnerability scans	Scanner misconfigured	Automated weekly scans with alerting
Policy not acknowledged	No tracking mechanism	Annual e-signature workflow
Missing vendor assessments	No vendor inventory	Maintain vendor register with review schedule

---

Vendor Management

Third-Party Risk Assessment

Every vendor that accesses, stores, or processes customer data must be assessed:

1. Vendor inventory — maintain a register of all service providers
2. Risk classification — categorize vendors by data access level
3. Due diligence — collect SOC 2 reports, security questionnaires, certifications
4. Contractual protections — ensure DPAs, security requirements, breach notification clauses
5. Ongoing monitoring — annual reassessment, continuous news monitoring

Vendor Risk Tiers

Tier	Data Access	Assessment Frequency	Requirements
Critical	Processes/stores customer data	Annual + continuous monitoring	SOC 2 Type II, penetration test, security review
High	Accesses customer environment	Annual	SOC 2 Type II or equivalent, questionnaire
Medium	Indirect access, support tools	Annual questionnaire	Security certifications, questionnaire
Low	No data access	Biennial questionnaire	Basic security questionnaire

Subservice Organizations

When your SOC 2 report relies on controls at a subservice organization (e.g., AWS, GCP, Azure):

• Inclusive method — your report covers the subservice org's controls (requires their cooperation)
• Carve-out method — your report excludes their controls but references their SOC 2 report
• Most companies use carve-out and include complementary user entity controls (CUECs)

---

Continuous Compliance

From Point-in-Time to Continuous

Aspect	Point-in-Time	Continuous
Evidence collection	Manual, before audit	Automated, ongoing
Control monitoring	Periodic review	Real-time dashboards
Drift detection	Found during audit	Alert-based, immediate
Remediation	Reactive	Proactive
Audit preparation	4-8 week scramble	Always ready

Implementation Steps

1. Automate evidence gathering — cron jobs, API integrations, IaC snapshots
2. Build control dashboards — aggregate control status into a single view
3. Configure drift alerts — notify when controls fall out of compliance
4. Establish review cadence — weekly control owner check-ins, monthly steering
5. Maintain evidence repository — centralized, timestamped, auditor-accessible

Annual Re-Assessment Cycle

Quarter	Activities
Q1	Annual risk assessment, policy refresh, vendor reassessment launch
Q2	Internal control testing, remediation of findings
Q3	Pre-audit readiness review, evidence completeness check
Q4	External audit, management assertion, report distribution

---

Anti-Patterns

Anti-Pattern	Why It Fails	Better Approach
Point-in-time compliance	Controls degrade between audits; gaps found during audit	Implement continuous monitoring and automated evidence
Manual evidence collection	Time-consuming, inconsistent, error-prone	Automate with scripts, IaC, and compliance platforms
Missing vendor assessments	Auditors flag incomplete vendor due diligence	Maintain vendor register with risk-tiered assessment schedule
Copy-paste policies	Generic policies don't match actual operations	Tailor policies to your actual environment and technology stack
Security theater	Controls exist on paper but aren't followed	Verify operating effectiveness; build controls into workflows
Skipping Type I	Jumping to Type II without foundational readiness	Start with Type I to validate control design before observation
Over-scoping TSC	Including all 5 categories when only Security is needed	Select categories based on actual customer/business requirements
Treating audit as a project	Compliance degrades after the report is issued	Build compliance into daily operations and engineering culture

---

Tools

Control Matrix Builder

Generates a SOC 2 control matrix from selected TSC categories.

# Generate full security matrix in markdown
python scripts/control_matrix_builder.py --categories security --format md

# Generate matrix for multiple categories as JSON
python scripts/control_matrix_builder.py --categories security,availability,confidentiality --format json

# All categories, CSV output
python scripts/control_matrix_builder.py --categories security,availability,confidentiality,processing-integrity,privacy --format csv

Evidence Tracker

Tracks evidence collection status per control.

# Check evidence status from a control matrix
python scripts/evidence_tracker.py --matrix controls.json --status

# JSON output for integration
python scripts/evidence_tracker.py --matrix controls.json --status --json

Gap Analyzer

Analyzes current controls against SOC 2 requirements and identifies gaps.

# Type I gap analysis
python scripts/gap_analyzer.py --controls current_controls.json --type type1

# Type II gap analysis (includes operating effectiveness)
python scripts/gap_analyzer.py --controls current_controls.json --type type2 --json

---

References

• Trust Service Criteria Reference — All 5 TSC categories with sub-criteria, control objectives, and evidence examples
• Evidence Collection Guide — Evidence types per control, automation tools, documentation requirements
• Type I vs Type II Comparison — Detailed comparison, timeline, cost analysis, and upgrade path

---

Cross-References

• gdpr-dsgvo-expert — SOC 2 Privacy criteria overlaps significantly with GDPR requirements; use together when processing EU personal data
• information-security-manager-iso27001 — ISO 27001 Annex A controls map closely to SOC 2 Security criteria; organizations pursuing both can share evidence
• isms-audit-expert — Audit methodology and finding management patterns transfer directly to SOC 2 audit preparation