SOC 2 Type II

What Is SOC 2?

SOC 2 is an attestation framework defined by the AICPA for service organizations that store or process customer data. An independent CPA firm evaluates the organization's controls against the Trust Services Criteria (TSC), which are grouped into five categories; the result is a report, not a certificate.

The Five Trust Service Criteria

| Criterion | What It Ensures |
|-----------|-----------------|
| Security (Common Criteria) | Protection against unauthorized access; required in every SOC 2 report |
| Availability | System is operational and usable as committed |
| Processing Integrity | Data processing is complete, valid, accurate, timely, and authorized |
| Confidentiality | Information designated as confidential is restricted to authorized parties |
| Privacy | Personal information is collected, used, retained, and disclosed according to the privacy notice |

Type I vs Type II

| Aspect | Type I | Type II |
|--------|--------|---------|
| What it tests | Controls are suitably designed as of a date | Controls are suitably designed and operated effectively over a period |
| Time period | Point in time | Review period, typically 6-12 months (3 months is a common minimum for a first report) |
| Evidence | Design documentation, policies | Logs, samples, observations across the period |
| Assurance level | Lower | Higher |
| Cost | Lower | Higher |
| Customer preference | Acceptable for a first report | Expected for production vendors |

SOC 2 Audit Checklist

Phase 1: Scope (Months 1-2)

| Task | Details |
|------|---------|
| Define system boundaries | Which systems, services, locations, and third parties are in scope |
| Identify trust criteria | Security is mandatory; Availability, Processing Integrity, Confidentiality, and Privacy are optional |
| Map controls to criteria | Each in-scope criterion needs supporting controls |
| Select auditor | Licensed CPA firm (Big 4 or SOC specialist); only CPAs can issue a SOC 2 report |

Phase 2: Readiness (Months 2-4)

| Task | Details |
|------|---------|
| Document controls | Policies, procedures, system description |
| Implement missing controls | Gaps identified by the readiness assessment |
| Run mock audit | Internal review against the selected criteria |
| Remediate findings | Fix gaps before the review period starts |

Phase 3: Evidence Collection (Months 4-10)

# evidence-log.yaml: track what you collect and how often
security:
  - Access reviews: Monthly, documented, samples for 6 months
  - Security incidents: All incidents logged with resolution
  - Vulnerability scans: Weekly scans, remediation within SLA
  - Penetration tests: Annual, by independent firm

availability:
  - Uptime monitoring: 24/7 dashboard, alerts on threshold breach
  - Incident response: Documented plan, tested annually
  - Disaster recovery: Tested annually, RTO/RPO documented
  - Capacity monitoring: Weekly checks, scaling triggers defined

confidentiality:
  - Encryption at rest: AES-256 on all storage
  - Encryption in transit: TLS 1.3 on all connections
  - Access controls: Role-based, least privilege principle
  - Data classification: Labels applied to all data assets
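In a Type II audit the auditor does not just ask whether a control exists; they sample evidence across the whole review period and write up every missed occurrence or late remediation as an exception. The following added example (not part of the original page) turns the cadences in the evidence log above into checks: it finds spans in the review period where recurring evidence (monthly access reviews, annual penetration tests) is missing, and finds vulnerability findings that were closed after their SLA or are still open past it. The cadence day counts, the per-severity SLAs, and all evidence dates are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed control cadences, matching the evidence log above
# ("Monthly", "Weekly", "Annual"). The day counts are our choice.
CADENCE_DAYS = {
    "access_review": 31,
    "vulnerability_scan": 7,
    "penetration_test": 365,
    "dr_test": 365,
}

# Assumed remediation SLAs per severity; the page only says "within SLA".
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def cadence_gaps(control: str, evidence_dates: list[date],
                 period_start: date, period_end: date) -> list[tuple[date, date]]:
    """Return spans inside the review period where consecutive evidence
    items (or the period boundary) are further apart than the control's
    cadence. Each span is a missed occurrence an auditor would sample."""
    max_gap = timedelta(days=CADENCE_DAYS[control])
    dates = sorted(d for d in evidence_dates if period_start <= d <= period_end)
    gaps = []
    prev = period_start
    for d in dates + [period_end]:
        if d - prev > max_gap:
            gaps.append((prev, d))
        prev = d
    return gaps


@dataclass
class Finding:
    finding_id: str
    severity: str
    found: date
    fixed: Optional[date]  # None while still open


def sla_breaches(findings: list[Finding], as_of: date) -> list[tuple[str, str, int]]:
    """Return (id, severity, days_late) for findings closed after their SLA
    deadline, or still open past it as of `as_of`."""
    breaches = []
    for f in findings:
        deadline = f.found + timedelta(days=REMEDIATION_SLA_DAYS[f.severity])
        closed = f.fixed or as_of
        if closed > deadline:
            breaches.append((f.finding_id, f.severity, (closed - deadline).days))
    return breaches


# Constructed sample evidence for a calendar-year review period.
PERIOD_START = date(2026, 1, 1)
PERIOD_END = date(2026, 12, 31)
# Monthly access reviews on the 15th, with July missed.
ACCESS_REVIEWS = [date(2026, m, 15) for m in range(1, 13) if m != 7]
# One penetration test during the period (annual cadence satisfied).
PEN_TESTS = [date(2026, 2, 10)]
FINDINGS = [
    Finding("VULN-101", "critical", date(2026, 3, 2), date(2026, 3, 6)),
    Finding("VULN-102", "high", date(2026, 3, 2), date(2026, 4, 20)),
    Finding("VULN-103", "medium", date(2026, 5, 1), None),
]


def evidence_exceptions(as_of: date = date(2026, 9, 1)) -> dict:
    """Everything an auditor would list as an exception, in one place."""
    return {
        "access_review_gaps": cadence_gaps("access_review", ACCESS_REVIEWS,
                                           PERIOD_START, PERIOD_END),
        "pen_test_gaps": cadence_gaps("penetration_test", PEN_TESTS,
                                      PERIOD_START, PERIOD_END),
        "sla_breaches": sla_breaches(FINDINGS, as_of),
    }


if __name__ == "__main__":
    for name, items in evidence_exceptions().items():
        print(f"{name}: {items}")
```

Run this against the real evidence register before the auditor does: with the constructed data it reports one access-review gap (mid-June to mid-August), no penetration-test gap, a high finding fixed 19 days late, and a medium finding still open 33 days past its deadline. A gap you find in month four can still be remediated and documented; one the auditor finds in month eleven becomes an exception in the report.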

Phase 4: Audit (Months 10-12)

| Week | Activity |
|------|----------|
| 1 | Opening meeting, scope confirmation |
| 2-4 | Auditor reviews policies and design documents |
| 5-8 | Auditor tests controls (interviews, samples, observation) |
| 9 | Auditor issues draft report |
| 10 | Management review for factual accuracy; management responses to exceptions |
| 11 | Final report issued |
| 12 | Report shared with customers (normally under NDA) |

SOC 2 Report Contents

| Section | Contains |
|---------|----------|
| Independent auditor's report | Opinion letter, scope, criteria, review period |
| Management's assertion | Management's statement that the description is accurate and the controls are effective |
| System description | Infrastructure, software, people, data, processes, and complementary user-entity controls |
| Control descriptions | Each control mapped to a trust services criterion |
| Testing results | Tests performed, results, exceptions (if any); a Type I describes design only and has no operating-effectiveness tests |

Common SOC 2 Findings

| Finding Area | Typical Issue | Fix |
|-------------|---------------|-----|
| Access control | No regular, documented access reviews | Schedule periodic (at least quarterly) reviews and retain the sign-off |
| Change management | No formal change approval | Require documented approval before deployment (for example, enforced pull-request review plus a ticket reference) |
| Monitoring | Alerts not configured | Set up automated monitoring and alerting with evidence that alerts were acted on |
| Security training | No annual training | Deploy a security awareness program and track completion |
| Vendor management | No vendor risk assessments | Review critical vendors (including their SOC 2 reports) on a set cadence |

Summary

SOC 2 Type II is the report most B2B SaaS customers ask for. Because the auditor tests that controls operated effectively throughout the review period, rather than only that they were designed properly on one date, it provides higher assurance than a Type I.

Key takeaways:
- SOC 2: AICPA attestation framework for service organizations
- Five criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy
- Type I: design at a point in time
- Type II: operating effectiveness over a review period, typically 6-12 months
- Audit phases: scope → readiness → evidence collection → audit and report
- Evidence: access reviews, incident logs, vulnerability scans, penetration tests, DR tests
- Common findings: access reviews, change management, monitoring, training, vendor management
- SOC 2 report: auditor's opinion, management's assertion, system description, control mapping, test results

Next Chapter: PCI DSS

The next chapter covers PCI DSS for payment card security.

SOC 2 vs ISO 27001

| Aspect | SOC 2 | ISO 27001 |
|--------|-------|-----------|
| Focus | Trust services criteria | Information security management system (ISMS) |
| Report type | Auditor's opinion plus system and control description | Certificate |
| Best for | SaaS and other service organizations, especially for US customers | Any organization; more widely requested outside the US |
| Criteria | 5 trust services categories | 93 controls in Annex A (ISO 27001:2022; 114 in the 2013 edition) |
| Who issues it | Licensed CPA firm (attestation report, not a certification) | Accredited certification body |
| Renewal | New report each year covering a new review period | Annual surveillance audits, recertification every 3 years |

Building a SOC 2 Evidence Program

# Evidence collection automation
from datetime import datetime, timezone
import json

def collect_evidence():
    # The values below are placeholders. In a real program each block is
    # populated from its system of record (the IdP for access reviews, the
    # scanner API for vulnerabilities, the ticketing system for incidents,
    # the LMS for training) so the report cannot drift from the evidence.
    collected_at = datetime.now(timezone.utc)
    evidence = {
        "collected_at": collected_at.isoformat(),
        "access_reviews": {
            "last_review": "2026-06-01",
            "status": "completed",
            "findings": 2,
            "remediated": 2,
            "evidence_file": "/evidence/access-review-june2026.pdf"
        },
        "vulnerability_scans": {
            "last_scan": "2026-07-01",
            "critical": 0,
            "high": 1,
            "medium": 3,
            "low": 12,
            "evidence_file": "/evidence/vuln-scan-july2026.pdf"
        },
        "incident_log": {
            "total_incidents": 1,
            "resolved": 1,
            "mean_time_to_resolve": "45 minutes",
            "evidence_file": "/evidence/incident-log-q2-2026.pdf"
        },
        "security_training": {
            "completion_rate": 0.97,
            "employees_trained": 185,
            "evidence_file": "/evidence/training-q2-2026.pdf"
        }
    }

    # Date-stamp the file name: the auditor samples across the whole review
    # period, so each weekly snapshot must be retained, not overwritten.
    report_path = f"evidence-report-{collected_at:%Y-%m-%d}.json"
    with open(report_path, "w") as f:
        json.dump(evidence, f, indent=2)

    return evidence

# Run weekly from a scheduler (cron or a CI schedule)
if __name__ == "__main__":
    evidence = collect_evidence()
    print(f"Evidence collected: {evidence['collected_at']}")
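The script above records what was collected; the next step in an evidence program is generating the evidence from source data instead of typing it in. The following added example (not part of the original page) performs the periodic user access review that auditors most often find missing: it joins a constructed IdP account export with a constructed HR roster (field names are assumptions, mapped from whatever your identity provider actually exports), flags the exceptions a reviewer must disposition (terminated users still enabled, orphan accounts with no owner, privileged accounts without MFA, dormant accounts), then serialises the review deterministically and hashes it so the auditor can later confirm the sampled artifact is the one produced on the review date.

```python
from __future__ import annotations
import hashlib
import json
from datetime import date

# Constructed IdP account export. The field names are assumptions; map them
# from whatever your identity provider actually exports.
IDP_ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa": True, "last_login": "2026-06-28", "active": True},
    {"user": "bob", "roles": ["engineer"], "mfa": True, "last_login": "2026-02-01", "active": True},
    {"user": "carol", "roles": ["admin"], "mfa": False, "last_login": "2026-06-29", "active": True},
    {"user": "dave", "roles": ["engineer"], "mfa": True, "last_login": "2026-06-20", "active": True},
    {"user": "erin", "roles": ["engineer"], "mfa": True, "last_login": "2026-01-05", "active": False},
    {"user": "svc-backup", "roles": ["engineer"], "mfa": False, "last_login": "2026-06-30", "active": True},
]

# Constructed HR roster: the authoritative list of who should have access.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "active"},
    "carol": {"status": "active"},
    "dave": {"status": "terminated", "end_date": "2026-06-10"},
    "erin": {"status": "terminated", "end_date": "2026-01-20"},
}

AS_OF = date(2026, 7, 1)  # review date for the constructed data


def review_access(accounts, roster, as_of, inactive_days=90):
    """Return (user, issue) pairs the reviewer must disposition. Disabled
    accounts are skipped because deprovisioning already happened."""
    exceptions = []
    for acct in accounts:
        if not acct["active"]:
            continue
        person = roster.get(acct["user"])
        if person is None:
            exceptions.append((acct["user"], "no HR record: orphan or unowned service account"))
        elif person["status"] == "terminated":
            exceptions.append((acct["user"], f"terminated {person['end_date']} but still enabled"))
        if "admin" in acct["roles"] and not acct["mfa"]:
            exceptions.append((acct["user"], "privileged account without MFA"))
        idle = (as_of - date.fromisoformat(acct["last_login"])).days
        if idle > inactive_days:
            exceptions.append((acct["user"], f"no login for {idle} days"))
    return exceptions


def build_evidence(exceptions, as_of, accounts_reviewed):
    """Serialise the review with sorted keys (so the same review always
    hashes the same) and return the bytes plus their SHA-256 digest."""
    record = {
        "control": "periodic user access review",
        "review_date": as_of.isoformat(),
        "accounts_reviewed": accounts_reviewed,
        "exceptions": [{"user": u, "issue": i} for u, i in exceptions],
    }
    blob = json.dumps(record, indent=2, sort_keys=True).encode()
    return blob, hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    exc = review_access(IDP_ACCOUNTS, HR_ROSTER, AS_OF)
    blob, digest = build_evidence(exc, AS_OF, len(IDP_ACCOUNTS))
    path = f"access-review-{AS_OF.isoformat()}.json"
    with open(path, "wb") as fh:
        fh.write(blob)
    print(f"{len(exc)} exceptions written to {path}, sha256={digest}")
```

With the constructed data the review produces four exceptions: bob (dormant for 150 days), carol (admin without MFA), dave (terminated 2026-06-10 but still enabled) and svc-backup (no owner in HR). The reviewer's disposition of each one (disable, grant exception with owner and expiry, or fix) is what gets signed off and stored; the recorded digest lets anyone re-hash the file months later and confirm it is unchanged.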

SOC 2 Budget Estimation

| Item | Estimated Cost |
|------|----------------|
| SOC 2 readiness assessment | $10,000 - $30,000 |
| SOC 2 Type I audit | $15,000 - $40,000 |
| SOC 2 Type II audit | $25,000 - $75,000 |
| Remediation (gaps, tools) | $20,000 - $100,000+ |
| Annual Type II renewal | $20,000 - $50,000 |

Summary

SOC 2 Type II is essential for B2B SaaS companies. It gives customers an independent assessment of whether your security controls actually operated effectively over the review period.

Key takeaways:
- SOC 2 vs ISO 27001: SOC 2 focuses on the 5 trust services criteria; ISO 27001 on the ISMS process
- Evidence program: automated weekly collection of access reviews, scans, incidents, training
- Budget: $25k-$75k for the Type II audit, $20k-$100k+ for remediation
- A new report each year is required to keep your SOC 2 current
- Customers increasingly require SOC 2 for vendor approval
- Evidence automation significantly reduces audit preparation time

You've completed this course! You now understand compliance frameworks.
