SOC 2 · Requirements

SOC 2 requirements, translated into an operating program.

SOC 2 requirements are structured around the AICPA Trust Services Criteria. We translate them into the specific policies, control activities, and evidence artifacts your auditor will expect on day one.

01 — Overview

The Trust Services Criteria are the substantive requirements a SOC 2 report is issued against. Security is required for every SOC 2. The other four categories — Availability, Processing Integrity, Confidentiality, and Privacy — are elected based on the services you deliver and the assurance your buyers expect.

Security itself is composed of nine Common Criteria sections (CC1 through CC9) covering the control environment, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation. Each criterion contains points of focus that inform — but do not dictate — the specific controls you implement.

02 — Engagement

Our approach.

  1. I

    Criteria election

    Partner-led decision on which TSCs to include based on your service offering and buyer pipeline.

  2. II

    Control library mapping

    We map each criterion and point of focus to concrete controls in your environment — no shelf templates.

  3. III

    Evidence blueprint

    For every control, we document the evidence artifact, source system, cadence, and owner.

  4. IV

    Policy suite

    Board-defensible policies aligned to the criteria and to how your organization actually operates.

03 — Deliverables

What you receive.

  • Trust Services Criteria election memo
  • Complete control library mapped to each point of focus
  • Evidence blueprint spreadsheet with artifact, source, cadence, and owner
  • Policy suite (12 – 24 policies) aligned to elected criteria
  • Auditor-ready system description outline

04 — Timeline

Expected duration.

Requirements definition and control mapping typically runs four to six weeks as the first phase of a full SOC 2 engagement.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Are the Trust Services Criteria the same as controls?+

No. The criteria are the substantive requirements the auditor tests against. Controls are the specific mechanisms you implement to meet the criteria. Two organizations can meet the same criterion with entirely different controls.

What are 'points of focus' and are they required?+

Points of focus are considerations the AICPA publishes to help you interpret each criterion. They are not requirements — but they are what the auditor will consult when evaluating whether your controls meet the criterion.