1. What SOC 2 actually is
SOC 2 is an attestation report produced by an independent auditor on how well a service organisation’s controls meet the Trust Services Criteria. It is not a pass/fail certificate — it is a detailed report that your customers read as part of their due diligence.
2. The Trust Services Criteria
There are five criteria. Security (the "common criteria") is always in scope; the other four are optional and are included according to the commitments you make to customers:
- Security — protection against unauthorised access (always required).
- Availability — the system is available as committed.
- Confidentiality — confidential information is protected.
- Processing integrity — processing is complete, accurate and timely.
- Privacy — personal information is handled per your privacy notice.
3. Type I vs Type II
A Type I report assesses whether your controls are suitably designed at a point in time. A Type II report assesses whether they operated effectively over a period (typically 3–12 months). Customers increasingly expect Type II; Type I can be a useful first milestone.
4. Run a readiness (gap) assessment
Before the audit, map your current controls to the criteria you have chosen and find the gaps. This is where most of the real work is scoped: policies, access controls, monitoring, vendor management and change control.
5. Implement controls and collect evidence
- Document policies and make them operational, not shelf-ware.
- Enforce access control, MFA and periodic access reviews.
- Stand up logging, monitoring and alerting.
- Track changes, incidents and vendor risk with evidence.
6. The observation period
For a Type II, controls must operate over the observation window. Consistency matters more than perfection — an access review skipped or a ticket without evidence becomes an exception in the report.
7. The audit and the report
A licensed auditor tests your controls and issues the report. Aim for an "unqualified" opinion with no exceptions; where exceptions do arise, readers will look for a clear remediation story.
8. Common mistakes to avoid
- Choosing more criteria than you can realistically support.
- Treating SOC 2 as a documentation exercise rather than operating controls.
- Leaving evidence collection to the end of the observation period.
How CyberSigma helps
We run the readiness assessment, help you implement and evidence the controls, and support you through the audit — so your first SOC 2 report lands clean and on time.
This guide is educational and not legal advice. Requirements evolve — validate specifics against the current standard or regulation for your situation.
