How to Comply with SOC 2 Type II

SOC 2 is an auditing framework developed by the AICPA that evaluates an organization's controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports assess the operational effectiveness of these controls over a period of time.

Coverage: 100% | Controls required: 49 | Not applicable: 0

Why SOC 2 Compliance Matters

SOC 2 compliance is essential for SaaS companies, cloud service providers, and any organization handling customer data. A SOC 2 Type II report, issued by a CPA firm, demonstrates that your security controls are not only designed properly but operating effectively over time. Customers and procurement teams increasingly require SOC 2 reports before signing contracts.

Compliance Checklist by Domain

The 49 controls below are mapped to SOC 2 requirements. Work through each domain to build your compliance program.

Govern (6 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Governance Policy | CC1.1, CC1.2, CC1.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Risk Management | CC3.1, CC3.2, CC3.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Supply Chain Risk | CC9.2 | NIST CSF 2.0, ISO 27001, PCI DSS, 800-53, HIPAA, GDPR |
| Roles & Responsibilities | CC1.3, CC1.4 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Compliance | CC2.1, CC4.1, CC4.2 | NIST CSF 2.0, ISO 27001, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Vendor Risk Mgmt | CC9.2, CC3.2 | NIST CSF 2.0, ISO 27001, PCI DSS, 800-53, HIPAA, GDPR |

Identify (6 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Asset Management | CC6.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Risk Assessment | CC3.2, CC3.4 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Business Environment | CC1.1, CC1.2 | NIST CSF 2.0, ISO 27001, PCI DSS, 800-53, HIPAA, GDPR |
| Data Classification | CC6.1, CC6.5 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Vulnerability Mgmt | CC7.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Threat Intelligence | CC7.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53 |

Protect (21 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Awareness & Training | CC1.4, CC2.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Access Control | CC6.1, CC6.2, CC6.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Multi-Factor Auth | CC6.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Encryption | CC6.1, CC6.7 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Data Protection | CC6.1, CC6.5, CC6.7 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Backup & Recovery | A1.2, CC7.5 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Privileged Access | CC6.1, CC6.2, CC6.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Firewall / Net Seg | CC6.1, CC6.6 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Endpoint Protection | CC6.8, CC7.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Patch Management | CC7.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Secure Config | CC6.1, CC7.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Secure Development | CC8.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, GDPR |
| Email Security | CC6.8 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Web Security | CC6.6, CC6.8 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Zero Trust | CC6.1, CC6.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Mobile Security | CC6.7 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Cloud Security | CC6.1, CC6.7, CC7.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| DNS Security | CC6.6 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53 |
| WAF | CC6.6 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| DLP | CC6.5, CC6.7 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| API Security | CC6.1, CC6.6, CC8.1 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Detect (6 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Cont. Monitoring | CC7.1, CC7.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Logging & Audit | CC7.2, CC7.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Intrusion Detection | CC7.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Anomaly Detection | CC7.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| SIEM / SOC | CC7.2, CC7.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Insider Threat | CC6.2, CC6.3, CC7.2 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Respond (5 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Incident Response | CC7.3, CC7.4, CC7.5 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Forensics | CC7.4 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Communication | CC2.3, CC7.4 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Mitigation | CC7.4, CC7.5 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Reporting | CC2.3, CC7.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

Recover (5 controls)

| Control | SOC 2 References | Also In |
|---|---|---|
| Recovery Planning | A1.2, A1.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Business Continuity | A1.1, A1.2, A1.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Lessons Learned | CC4.2, CC7.5 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Comms & Restore | CC2.3, A1.2 | NIST CSF 2.0, ISO 27001, PCI DSS, CMMC, 800-53, HIPAA, GDPR |
| Disaster Recovery | A1.2, A1.3 | NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR |

How SOC 2 Compares

The "Also In" column of each table above shows which other frameworks (NIST CSF 2.0, ISO 27001, CIS v8, PCI DSS, CMMC, 800-53, HIPAA, GDPR) a given SOC 2 control also maps to, so work done for SOC 2 can be reused as evidence for those frameworks.
