SOC 2 Requirements

CC1 — Control Environment

The organizational foundation of SOC 2 — the five COSO principles covering commitment to integrity and ethics, board oversight, organizational structure, commitment to competence, and accountability — and what auditors look for in each.

CC2 — Communication and Information

How organizations must communicate internal control information — internal communication of policies and procedures, external communication of commitments to clients, and the evidence that demonstrates effective communication.

CC3 — Risk Assessment

The SOC 2 risk assessment requirements — risk identification, risk analysis, fraud risk consideration, and change identification — and how the SOC 2 risk assessment relates to ISO 27001’s risk methodology.

CC4 — Monitoring Activities

Ongoing and separate evaluations of the system of internal controls — how organizations monitor whether controls are operating effectively, the role of internal audit, and the management review processes that satisfy CC4.

CC5 — Control Activities

The control activities that mitigate risks identified in CC3 — policies and procedures, technology controls, and how controls are deployed across processes and infrastructure.

CC6 — Logical and Physical Access

The access control criteria that receive the most auditor scrutiny — logical access security software, authentication including MFA, authorization, access provisioning and deprovisioning, periodic access reviews, and physical access to data centers and offices.

CC7 — System Operations

Operational controls that detect and respond to deviations from expected system behavior — vulnerability and configuration management, security monitoring (SIEM) for anomalies and security events, evaluation of detected events, and incident response and recovery from a SOC 2 perspective.

CC8 & CC9 — Change Management and Risk Mitigation

Change management controls covering the software development and change lifecycle (CC8), and risk mitigation controls covering business disruption, business continuity, and vendor and business partner risk (CC9) — two criteria that frequently produce exceptions in Type II reports.