SOC 2 Type II
What Is SOC 2?
SOC 2 is an auditing standard for service organizations that store customer data. It evaluates controls against five trust service criteria.
The Five Trust Service Criteria
| Criterion | What It Ensures |
|-----------|-----------------|
| Security (Common) | Protection against unauthorized access |
| Availability | System is operational as committed |
| Processing Integrity | Data processing is complete, valid, accurate |
| Confidentiality | Data is restricted to authorized parties |
| Privacy | Personal data handled according to privacy notice |
Type I vs Type II
| Aspect | Type I | Type II |
|--------|--------|---------|
| What it tests | Controls are designed properly | Controls operate effectively over time |
| Time period | Point in time | 6-12 months |
| Evidence | Design documentation, policies | Logs, samples, observations |
| Assurance level | Lower | Higher |
| Cost | Lower | Higher |
| Customer preference | Acceptable initially | Preferred for production |
SOC 2 Audit Checklist
Phase 1: Scope (Months 1-2)
| Task | Details |
|------|---------|
| Define system boundaries | Which systems, services, locations |
| Identify trust criteria | Security is mandatory, others optional |
| Map controls to criteria | Each criterion needs supporting controls |
| Select auditor | Accredited CPA firm (Big 4 or specialist) |
Phase 2: Readiness (Months 2-4)
| Task | Details |
|------|---------|
| Document controls | Policies, procedures, system descriptions |
| Implement missing controls | Gaps identified from readiness assessment |
| Run mock audit | Internal review against criteria |
| Remediate findings | Fix gaps before the actual audit |
Phase 3: Evidence Collection (Months 4-10)
```yaml
# evidence-log.yaml - Track what you collect
security:
  - Access reviews: Monthly, documented, samples for 6 months
  - Security incidents: All incidents logged with resolution
  - Vulnerability scans: Weekly scans, remediation within SLA
  - Penetration tests: Annual, by independent firm
availability:
  - Uptime monitoring: 24/7 dashboard, alerts on threshold breach
  - Incident response: Documented plan, tested annually
  - Disaster recovery: Tested annually, RTO/RPO documented
  - Capacity monitoring: Weekly checks, scaling triggers defined
confidentiality:
  - Encryption at rest: AES-256 on all storage
  - Encryption in transit: TLS 1.3 on all connections
  - Access controls: Role-based, least privilege principle
  - Data classification: Labels applied to all data assets
```
Phase 4: Audit (Months 10-12)
| Week | Activity |
|------|----------|
| 1 | Opening meeting, scope confirmation |
| 2-4 | Auditor reviews policies, design documents |
| 5-8 | Auditor tests controls (interviews, samples) |
| 9 | Auditor issues draft report |
| 10 | Management review, factual accuracy check |
| 11 | Final report issued |
| 12 | Report shared with customers |
SOC 2 Report Contents
| Section | Contains |
|---------|----------|
| Independent auditor's report | Opinion letter, scope, criteria |
| Management's assertion | Statement by management about controls |
| System description | Infrastructure, software, data, processes |
| Control descriptions | Each control mapped to a trust criterion |
| Testing results | Tests performed, results, exceptions (if any) |
Common SOC 2 Findings
| Finding Area | Typical Issue | Fix |
|--------------|---------------|-----|
| Access control | No regular access reviews | Implement quarterly review process |
| Change management | No formal change approval | Add change advisory board |
| Monitoring | Alerts not configured | Set up automated monitoring and alerting |
| Security training | No annual training | Deploy security awareness program |
| Vendor management | No vendor risk assessments | Implement vendor review process |
Summary
SOC 2 Type II is the gold standard for SaaS companies. It provides the highest assurance that controls operate effectively over time.
Key takeaways:

- SOC 2: auditing standard for service organizations
- Five criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy
- Type I: design at a point in time
- Type II: operating effectiveness over 6-12 months
- Audit phases: scope → readiness → evidence collection → report
- Evidence: access reviews, incident logs, vulnerability scans, penetration tests, DR tests
- Common findings: access reviews, change management, monitoring, training, vendor management
- SOC 2 report: auditor's opinion, system description, control mapping, test results
Next Chapter: PCI DSS
The next chapter covers PCI DSS for payment card security.
SOC 2 vs ISO 27001
| Aspect | SOC 2 | ISO 27001 |
|--------|-------|-----------|
| Focus | Trust service criteria | Information security management |
| Report type | Auditor's letter + control description | Certificate |
| Best for | SaaS companies | Any organization |
| Criteria | 5 trust principles | 114 controls in Annex A |
| Certification | By CPA firm | By accredited certification body |
| Renewal | Annual | Annual surveillance, recertification every 3 years |
Building a SOC 2 Evidence Program
```python
# Evidence collection automation
import datetime
import json


def collect_evidence():
    """Assemble this period's control evidence into one record and write it to disk.

    Each entry points at the artifact the auditor will sample (evidence_file), so the
    JSON report doubles as an index of what was collected and when.
    """
    evidence = {
        "collected_at": datetime.datetime.now().isoformat(),
        "access_reviews": {
            "last_review": "2026-06-01",
            "status": "completed",
            "findings": 2,
            "remediated": 2,
            "evidence_file": "/evidence/access-review-june2026.pdf",
        },
        "vulnerability_scans": {
            "last_scan": "2026-07-01",
            "critical": 0,
            "high": 1,
            "medium": 3,
            "low": 12,
            "evidence_file": "/evidence/vuln-scan-july2026.pdf",
        },
        "incident_log": {
            "total_incidents": 1,
            "resolved": 1,
            "mean_time_to_resolve": "45 minutes",
            "evidence_file": "/evidence/incident-log-q2-2026.pdf",
        },
        "security_training": {
            "completion_rate": 0.97,
            "employees_trained": 185,
            "evidence_file": "/evidence/training-q2-2026.pdf",
        },
    }
    with open("evidence-report.json", "w") as f:
        json.dump(evidence, f, indent=2)
    return evidence


# Run weekly
if __name__ == "__main__":
    evidence = collect_evidence()
    print(f"Evidence collected: {evidence['collected_at']}")
```
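The evidence log in Phase 3 commits each control to a cadence (monthly access reviews, weekly scans, annual penetration and DR tests, remediation within SLA), and the collection script above only records what was gathered; a Type II auditor then tests whether each control actually operated on schedule across the period. The example below is added here and is not code from the original course or from any audit tool. It takes a record shaped like the script's evidence-report.json and returns the exceptions a sample test would raise. The day limits, the remediation SLA values, the training threshold, the extra `open_findings`, `penetration_tests` and `dr_tests` fields, and the sample evidence are all constructed assumptions.

```python
"""Control-effectiveness checks over collected SOC 2 evidence (added example)."""
from datetime import date

# Assumed cadence per control: (field holding the last execution date, maximum
# age in days) derived from the evidence log's monthly/weekly/annual promises.
CADENCE = {
    "access_reviews": ("last_review", 31),
    "vulnerability_scans": ("last_scan", 7),
    "penetration_tests": ("last_test", 365),
    "dr_tests": ("last_test", 365),
}
# Assumed remediation SLA per severity; severities without an entry are not SLA-tested.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30}
MIN_TRAINING_COMPLETION = 0.95  # assumed policy threshold

# Constructed sample evidence for one collection run (same shape as the script's
# output, plus the assumed open_findings, penetration_tests and dr_tests fields).
SAMPLE_EVIDENCE = {
    "collected_at": "2026-07-03",
    "access_reviews": {"last_review": "2026-06-01", "findings": 2, "remediated": 2},
    "vulnerability_scans": {
        "last_scan": "2026-07-01",
        "open_findings": [
            {"id": "VULN-1", "severity": "high", "first_seen": "2026-05-20"},
            {"id": "VULN-2", "severity": "medium", "first_seen": "2026-07-01"},
        ],
    },
    "penetration_tests": {"last_test": "2025-03-10"},
    "dr_tests": {"last_test": "2025-09-20"},
    "security_training": {"completion_rate": 0.97},
}

def days_since(stamp, as_of):
    """Whole days between an ISO date string and the as-of date."""
    return (as_of - date.fromisoformat(stamp)).days

def check_cadence(evidence, as_of):
    """Flag controls that did not run within their promised cadence, or have no evidence."""
    exceptions = []
    for control, (field, max_age) in CADENCE.items():
        record = evidence.get(control)
        if record is None:
            exceptions.append(f"{control}: no evidence collected")
            continue
        age = days_since(record[field], as_of)
        if age > max_age:
            exceptions.append(f"{control}: last run {age} days ago, limit {max_age}")
    return exceptions

def check_remediation_sla(evidence, as_of):
    """Flag open vulnerability findings that have exceeded their remediation SLA."""
    exceptions = []
    for finding in evidence["vulnerability_scans"].get("open_findings", []):
        sla = REMEDIATION_SLA_DAYS.get(finding["severity"])
        if sla is None:
            continue
        open_days = days_since(finding["first_seen"], as_of)
        if open_days > sla:
            exceptions.append(
                f"{finding['id']}: {finding['severity']} open {open_days} days, SLA {sla}"
            )
    return exceptions

def check_review_closure(evidence):
    """Flag access-review findings that were raised but not remediated."""
    review = evidence["access_reviews"]
    gap = review["findings"] - review["remediated"]
    return [f"access_reviews: {gap} finding(s) not remediated"] if gap > 0 else []

def check_training(evidence):
    """Flag a security-training completion rate below the policy threshold."""
    rate = evidence["security_training"]["completion_rate"]
    if rate < MIN_TRAINING_COMPLETION:
        return [f"security_training: {rate:.0%} completed, threshold {MIN_TRAINING_COMPLETION:.0%}"]
    return []

def evaluate(evidence):
    """Run every check as of the collection date and summarise the result."""
    as_of = date.fromisoformat(evidence["collected_at"])
    exceptions = (
        check_cadence(evidence, as_of)
        + check_remediation_sla(evidence, as_of)
        + check_review_closure(evidence)
        + check_training(evidence)
    )
    return {"as_of": as_of.isoformat(), "exceptions": exceptions, "effective": not exceptions}

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVIDENCE)
    print(f"Controls effective as of {result['as_of']}: {result['effective']}")
    for line in result["exceptions"]:
        print("  exception:", line)
```

Run against the constructed sample, the checks report three exceptions: the access review is 32 days old against a 31-day limit, the last penetration test is 480 days old, and the high-severity finding VULN-1 has been open 44 days against a 30-day SLA. Each line is the kind of item that appears under "exceptions" in the report's testing results, and catching it in a weekly run leaves time to remediate before the audit period closes rather than after the auditor samples it.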
SOC 2 Budget Estimation
| Item | Estimated Cost |
|------|----------------|
| SOC 2 Readiness assessment | $10,000 - $30,000 |
| SOC 2 Type I audit | $15,000 - $40,000 |
| SOC 2 Type II audit | $25,000 - $75,000 |
| Remediation (gaps, tools) | $20,000 - $100,000+ |
| Annual Type II renewal | $20,000 - $50,000 |
Summary
SOC 2 Type II is essential for B2B SaaS companies. It provides customers with an independent assessment of your security controls.
Key takeaways:

- SOC 2 vs ISO 27001: SOC 2 focuses on 5 trust criteria; ISO 27001 on ISMS process
- Evidence program: automated weekly collection of access reviews, scans, incidents, training
- Budget: $25k-$75k for Type II audit, $20k-$100k for remediation
- Annual renewal required to maintain SOC 2 report currency
- Customers increasingly require SOC 2 for vendor approval
- Evidence automation reduces audit preparation time significantly
You've completed this course! You now understand compliance frameworks.