SOC 2 · Requirements
SOC 2 requirements are structured around the AICPA Trust Services Criteria. We translate them into the specific policies, control activities, and evidence artifacts your auditor will expect on day one.
01 — Overview
The Trust Services Criteria are the substantive requirements a SOC 2 report is issued against. Security is required for every SOC 2. The other four categories — Availability, Processing Integrity, Confidentiality, and Privacy — are elected based on the services you deliver and the assurance your buyers expect.
Security itself is composed of nine Common Criteria sections (CC1 through CC9) covering the control environment, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation. Each criterion contains points of focus that inform — but do not dictate — the specific controls you implement.
02 — Engagement
Partner-led decision on which TSCs to include based on your service offering and buyer pipeline.
We map each criterion and point of focus to concrete controls in your environment — no shelf templates.
For every control, we document the evidence artifact, source system, cadence, and owner.
Board-defensible policies aligned to the criteria and to how your organization actually operates.
03 — Deliverables
04 — Timeline
Requirements definition and control mapping typically runs four to six weeks as the first phase of a full SOC 2 engagement.
Ready to begin?
A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.
Schedule the call →05 — FAQ
No. The criteria are the substantive requirements the auditor tests against. Controls are the specific mechanisms you implement to meet the criteria. Two organizations can meet the same criterion with entirely different controls.
Points of focus are considerations the AICPA publishes to help you interpret each criterion. They are not requirements — but they are what the auditor will consult when evaluating whether your controls meet the criterion.