Contents

Chapter 1

SOC 2 Overview & Scoping

SOC 2 is an auditing standard developed by the American Institute of CPAs (AICPA). It evaluates whether a service organization's controls meet the Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality, and privacy.

Type I vs Type II

SOC 2 Type I — A point-in-time assessment. The auditor evaluates whether your controls are designed appropriately to meet the Trust Services Criteria. It does not test whether the controls operated effectively over a period.

SOC 2 Type II — A period-of-time assessment (typically 3-12 months). The auditor evaluates both the design and the operating effectiveness of your controls over the entire period.

Most organizations start with a Type I to unblock sales deals quickly, then pursue a Type II covering the following period.

Scoping Your SOC 2

Scoping determines which systems, services, and criteria are in scope. Every SOC 2 must include the Security criterion (CC1-CC9). The other four criteria (Availability, Processing Integrity, Confidentiality, Privacy) are optional.

Choose additional criteria carefully. Adding Availability means you must demonstrate that your systems have been available throughout the audit period. Adding Privacy means demonstrating a full GDPR-style privacy program. Scoping a criterion you can't operate leads to exceptions on your report.

The SOC 2 Timeline

A realistic timeline from start to signed report:

  • Month 1-2 — Readiness assessment, gap analysis, scoping
  • Month 3-4 — Policy development, control implementation
  • Month 5-6 — Evidence collection begins, Type I readiness
  • Month 7-8 — Type I audit (if pursuing), Type II period begins
  • Month 9-14 — Type II observation period ends
  • Month 15-16 — Type II fieldwork, report issued

Selecting an Auditor

Choose a licensed CPA firm with SOC 2 experience in your industry. Request references from companies of similar size. Discuss scope early — some auditors are more conservative than others on what constitutes adequate evidence.

Chapter 2

Trust Services Criteria & Control Mapping

The Trust Services Criteria are the standard against which your controls are measured. Understanding them thoroughly is essential before you design your control environment.

The Common Criteria (CC1-CC9)

CC1-CC9 apply to the Security criterion and form the backbone of any SOC 2 report:

CC1: Control Environment — The board and management set the tone for the importance of controls. Includes code of conduct, organizational structure, and board oversight.

CC2: Communication and Information — Relevant information is identified, captured, and communicated in a timely manner. Includes communication of control responsibilities, internal reporting, and external communication with stakeholders.

CC3: Risk Assessment — The organization identifies and assesses risks that could affect the achievement of its objectives. Includes risk identification, risk analysis, and risk response.

CC4: Monitoring Activities — Controls are monitored on an ongoing basis. Includes ongoing and separate evaluations, and communication of deficiencies.

CC5: Control Activities — Policies and procedures are established to address risks. Includes the selection and development of control activities.

CC6: Logical and Physical Access — Access to systems and data is restricted to authorized users. The most detailed and commonly tested criteria.

CC7: System Operations — System operations are managed to ensure availability and integrity. Includes monitoring, incident response, and capacity management.

CC8: Change Management — Changes to systems are authorized, tested, and documented. Includes development methodology, testing, and approval.

CC9: Risk Mitigation — The organization identifies and manages risks from vendors and business partners.

Control Mapping

The control matrix (included in this product) maps each of your controls to the specific criteria they satisfy. A single control can satisfy multiple criteria. For example, your access review process satisfies CC6 (logical access) and CC4 (monitoring activities). Map everything clearly so the auditor can trace each criterion to a control.

Chapter 3
🔒 Available in full product

Policy Development & Implementation

Chapter 4
🔒 Available in full product

Evidence Collection & Auditor Readiness

Chapter 5
🔒 Available in full product

Operating Through the Audit Period

You’ve reached the end of the free preview

Get the full SOC 2 Compliance Templates and unlock everything.

All Chapters

Get the complete guide with every chapter unlocked, including code samples, diagrams, and best practices.

Full Tool Suite

Access all interactive tools with complete data, all workload profiles, and the full scenario library.

Source Files

Downloadable source code, configuration files, and working examples from every chapter.

Lifetime Updates

Free updates for life. Every new chapter, tool, and improvement included.

Buy Now — $39 →
📦 Free sample included — download another copy for the full product.
SOC 2 Compliance Templates v1.0.0 — Free Preview