A well-built SOC 2 runbook is the difference between a finding and a clean opinion. It converts the abstract language of a control into a sequence of actions someone actually performed, in a verifiable order, with a paper trail attached. Auditors do not fail companies for having incidents. They fail them for not being able to prove how those incidents were handled. This guide shows you how to build a runbook that holds up under scrutiny — covering what a SOC 2 runbook is, what makes it audit-ready, how it differs from a playbook, the components every runbook should include, the control areas where runbooks are expected, and how to keep them current between annual examinations. What Is a SOC 2 Runbook? A SOC 2 runbook is a documented, repeatable procedure that operationalises a specific SOC 2 control. Where a policy states what must happen and why, a runbook states exactly how: the trigger, the steps, the people, the systems touched, the evidence captured, and the sign-off that closes it out. Runbooks live closest to the engineers and operations staff actually doing the work. They are the layer auditors care about most because they are where the control either operates or fails. A well-written runbook turns a control objective into something testable, traceable, and survivable across staff turnover. SOC 2 Runbook vs. SOC 2 Playbook: Key Differences The terms get used interchangeably, but they describe two different artefacts. The cleanest distinction is scope and audience. Dimension Runbook Playbook Scope One specific procedure Multi-step strategy across functions Audience Engineers, on-call responders, operations teams Leadership, legal, communications, incident response coordinators Detail Level Commands, queries, exact tooling Decisions, escalation paths, stakeholder roles Example Isolating an affected EC2 instance using a documented AWS CLI command Coordinating a ransomware response across legal, PR, and law enforcement Length Short, tactical, and scannable Longer, narrative, and decision-oriented A mature SOC 2 programme uses both. The playbook frames the response. The runbook executes pieces of it. Why SOC 2 Auditors Expect Runbooks The AICPA’s Trust Services Criteria describe what auditors test, but at the level of objectives, not procedures. CC7.3 says you must respond to security incidents. It does not tell you how. The runbook is your answer to how. Auditors are looking for two things when they evaluate a control: that it was designed appropriately, and that it operated effectively across the audit period. Runbooks are how you show both. The document itself is the design. The completed runbook artefacts (tickets, logs, sign-offs, post-mortems) are the operating evidence. Which SOC 2 Trust Services Criteria Require Runbook Documentation Every Common Criteria area benefits from runbooks, but the strongest expectation sits in CC6 (logical and physical access), CC7 (system operations, including incident detection and response), CC8 (change management), and CC9 (risk mitigation, vendor management, and BCP/DR). For a deeper look at how these criteria are structured and what auditors are actually testing, the Trust Services Criteria breakdown is worth reading before you start mapping your runbooks. If your scope includes the Availability criteria, A1.2 and A1.3 will require runbooks for failover, restoration, and capacity management. Confidentiality and Privacy add data handling and retention runbooks on top. If you are still determining which criteria apply to your organisation, a structured gap analysis is the most reliable starting point. Why Your Organization Needs a SOC 2 Runbook The common failure pattern is not the absence of policies. It is the absence of a credible bridge between the policy and what people actually do at 2am during an incident. How Runbooks Demonstrate Control Effectiveness to Auditors Auditors sample. For a Type II report covering twelve months, they will pull a population of incidents, changes, access reviews, or vendor onboardings, and trace a sample of them end to end. Without runbooks, that trace usually breaks. Engineers describe what they did from memory, ticket histories are inconsistent, and the auditor has no baseline to test against. With runbooks, the auditor compares the documented steps to what actually happened in the artefacts. If the runbook says approval is required, the ticket should show it. If it says evidence must be retained for ninety days, the log should be there. The runbook turns a subjective conversation into an objective trace. Runbooks as Evidence: Avoiding the Audit Evidence Trap A specific failure mode is what practitioners call the evidence trap: the control exists, the team is doing the right thing, but nothing was captured at the time. Three months later, the SIEM has rotated the logs, the on-call engineer has left, and the only record is a Slack thread no one can find. Runbooks prevent this when they make evidence capture a step in the procedure itself, not an afterthought. A line in the runbook that reads export the relevant CloudTrail entries to the incident folder before remediation is what stands between you and a qualified opinion. Pro Tip: Build evidence capture into the runbook as a numbered step, not a footer note. Auditors test what is written. If “save the screenshot” is step 7, it gets done. If it is buried in a paragraph at the bottom, it usually does not. SOC 2 Type I vs. Type II: How Runbooks Support Each A SOC 2 Type I report assesses the design of controls at a single point in time. For Type I, the runbook itself, together with the policies it references, is most of what auditors need. Type II is a different beast. It tests operating effectiveness over a period (typically six to twelve months), and that is where runbooks earn their keep. Each completed run produces evidence: a ticket, a log entry, a screenshot, a signed approval. Over twelve months those artefacts become the case for control effectiveness. Without runbooks, evidence collection is reactive and full of gaps. With them, it is a byproduct of normal work. For a fuller picture of what to expect across both report types, the SOC 2 compliance checklist is a useful companion to this guide. Core Components
SOC 2 compliance is a critical trust signal for organizations handling sensitive data. Unlike ISO standards, SOC 2 reports are private attestations issued by licensed CPA firms, making verification essential. To verify a SOC 2 report, you need to review the auditor’s opinion, audit period, report type, scope, and any control exceptions, then confirm the auditor’s AICPA registration and request a bridge letter if the report is outdated. In today’s cybersecurity-driven business environment, SOC 2 compliance has become one of the most recognized trust signals in the industry. Whether you are a SaaS provider handling customer data or an enterprise evaluating third-party vendors, a SOC 2 report plays a central role in proving that security controls are properly designed and operating effectively. Verifying a SOC 2 report, however, is not as simple as checking a public registry. Unlike ISO 27001, SOC 2 is not a public certification. Despite being regulated by the AICPA, there is no central database or government portal where you can confirm a company’s compliance status. Instead, SOC 2 is a private attestation report, issued by an independent CPA firm. That makes verification a matter of careful review and disciplined due diligence. If you want to understand how SOC 2 stacks up against other frameworks, our breakdown of ISO 27001 vs SOC 2 is a good place to start. This guide explains how to properly verify a SOC 2 report, what to watch for, and how expert partners like Axipro help organizations achieve and maintain SOC 2 compliance so their reports hold up to real scrutiny. Why Verifying a SOC 2 Report Matters SOC 2 reports are widely used across vendor risk management, enterprise procurement decisions, security questionnaires, and customer trust and sales cycles. Because SOC 2 reports are private and shareable only under NDA, verification responsibility falls entirely on the recipient. Accepting an outdated, poorly scoped, or improperly audited SOC 2 report can expose your organization to serious security and compliance risks. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach continues to climb year over year, and third-party vendor relationships remain one of the most common attack vectors. Treating SOC 2 verification as a formality is not just sloppy governance; it is a liability. Knowing how to verify a SOC 2 report, and working with the right compliance experts, is not optional. It is essential. Step 1: Thoroughly Review the SOC 2 Report Key Sections Once a company provides its SOC 2 report (typically under a Non-Disclosure Agreement), your first step is a structured internal review. There are five areas you must examine closely. The Auditor’s Opinion is the single most critical section of the report. The opinion should be Unqualified (also called Unmodified). A Qualified, Adverse, or Disclaimer opinion is a major red flag and should immediately prompt further questions. An unqualified opinion means the auditor found no material issues with how controls were designed or operated during the audit period. The Report Period and Date tell you whether the report is still relevant. SOC 2 reports are generally considered valid for 12 months. Confirm the exact audit period, for example, October 1, 2024 to September 30, 2025, and flag anything older than that as potentially unreliable without additional assurance documentation. The Report Type is equally important. A SOC 2 Type I assesses whether controls were properly designed at a single point in time. A SOC 2 Type II evaluates whether those controls actually operated effectively over a defined period, typically six to twelve months. For most enterprise customers, SOC 2 Type II is the expected standard, and anything less should be treated with appropriate skepticism. The Scope of Services, found in the System Description section, must explicitly include the product or service you are evaluating. A SOC 2 report that does not cover the relevant system offers limited assurance, regardless of how clean the auditor’s opinion is. Exceptions and Control Failures in the testing results section deserve careful attention. Look for exceptions, failed controls, or deviations from expected behavior. Not all exceptions are disqualifying, but you need to assess whether they represent a material risk to your data or operations. If the report contains a significant number of exceptions or a pattern of failures in critical areas, that is a conversation worth having with the vendor before proceeding. If you want a structured checklist to guide this review process internally, we have put one together here. Step 2: Verify the Auditor’s Credibility A SOC 2 report is only as trustworthy as the CPA firm that issued it. This step is non-negotiable. The auditor must be a licensed CPA firm authorized to perform SOC engagements under the standards set by the American Institute of Certified Public Accountants (AICPA). The AICPA is the governing body for SOC reporting, and any firm issuing these reports must be formally registered with them. Beyond registration, AICPA requires CPA firms to undergo periodic peer reviews to ensure quality and professional standards are maintained. You can check a firm’s peer review standing directly through the AICPA peer review database or verify their status through the relevant state board of accountancy. This is a free, publicly accessible check that takes minutes, and skipping it is a mistake. An unlicensed or non-peer-reviewed firm issuing a SOC 2 report is not just a compliance risk, it is a sign the report may not be worth the paper it is written on. Axipro works closely with reputable, AICPA-registered audit firms, helping clients select the right auditor and ensuring the engagement meets all professional and regulatory expectations from the start. Step 3: Request a Bridge Letter When There Is a Coverage Gap SOC 2 reports cover a defined period. If the most recent report ended several months ago and the next audit is still in progress, you are operating in a coverage gap, a window of time where you have no formal attestation of current control effectiveness. In this situation, you should request a Bridge Letter, sometimes
EORs are often the leaders in data security compliance. As the responsible party for payroll and HR data, the burden of SOC 2 compliance is greater for them than for other companies. But SOC 2 compliance doesn’t have to be complicated. In this article, we’ll guide EOR firms through the process with an easy, step-by-step approach. What Is SOC 2 Compliance and Why Does It Matter for EOR Providers? Understanding SOC 2 and Its Role in Employer of Record Services An Employer of Record processes payroll data, national identification numbers, bank account details, tax filings, and employment records for workers across dozens of countries. In a single month, a mid-sized EOR platform may handle more sensitive personal data than many healthcare organisations. That concentration of risk is precisely why SOC 2 compliance has moved from a nice-to-have to a procurement prerequisite for clients who take data security seriously. SOC 2 is a security auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates service organisations against a set of Trust Services Criteria covering security, availability, processing integrity, confidentiality, and privacy. Unlike prescriptive frameworks such as PCI DSS, SOC 2 does not mandate a specific list of controls. Instead, it requires organisations to demonstrate that the controls they have designed and implemented actually work. For EOR providers, this flexibility is both useful and demanding. Useful because it allows controls to be tailored to the specific realities of multi-country payroll operations. Demanding because evidence of effective control operation must be documented and sustained continuously — not assembled in the weeks before an audit. Why EOR Providers Are High-Value Targets for Data Security Risks EOR platforms sit at a uniquely dangerous intersection of data sensitivity, operational scale, and third-party dependency. They act as the legal employer in multiple jurisdictions, which means they hold the kind of data that attracts two distinct threats: financially motivated attackers looking for payroll and banking credentials, and regulatory enforcement bodies scrutinising how personal data crosses borders. The attack surface is broad. EOR providers connect client company HR systems to local payroll engines, tax authorities, benefits administrators, and banking rails. Each integration is a potential entry point. A misconfigured API between an EOR platform and a client HRIS can expose employee records without any external attacker involved at all. The regulatory exposure compounds the security risk. Under the GDPR alone, penalties for serious data breaches can reach €20 million or 4% of global annual turnover, whichever is higher. For an EOR operating in Europe, Southeast Asia, and Latin America simultaneously, the regulatory surface is enormous. The Business Case for SOC 2 Compliance in the EOR Industry Enterprise clients and their procurement teams increasingly require SOC 2 Type II certification before signing EOR contracts. A successful audit signals that an EOR provider has implemented and sustained effective security controls over time — not just designed them on paper. That distinction matters enormously in a market where a single data breach can destroy client relationships overnight. SOC 2 compliance also de-risks the EOR provider itself. Organisations that have gone through the audit process typically discover and remediate control gaps they did not know existed. The internal discipline required to sustain a Type II audit programme produces a more operationally mature organisation, regardless of what any individual client requires. Pro Tip: Type 1 vs Type 2 In the EOR market, SOC 2 Type II has become the de facto security signal that enterprise procurement teams look for when vetting providers. Type I is no longer sufficient for most Fortune 1000 clients. If an EOR is starting the compliance journey today, the goal should be Type II from the outset. Which Trust Services Criteria Apply to EOR Providers? Security (Common Criteria) Security is the only mandatory Trust Services Criterion in a SOC 2 audit. It covers nine areas of control (CC1 through CC9) grounded in the COSO framework, spanning governance, risk management, access controls, system operations, change management, and incident response. For EOR providers, the security criterion is the foundation on which everything else sits. Access control is particularly critical. EOR platforms grant dozens or hundreds of internal staff access to employee PII and payroll data, often differentiated by country and client. Multi-factor authentication, role-based access, and rigorous user provisioning and deprovisioning processes are baseline expectations for any SOC 2 auditor. Availability Availability assesses whether systems perform as expected and are accessible to users when required. For EOR providers, payroll processing is time-critical. A system outage on a payroll run date does not just affect internal operations — it directly impacts employees’ ability to receive pay on time, which creates legal exposure in many jurisdictions. Availability controls for EOR providers should address capacity planning, disaster recovery, and system resilience. Demonstrable recovery time objectives and tested business continuity plans are the evidence auditors will want to see. Confidentiality Confidentiality applies to any information designated as confidential within the system, including client business information, employment contracts, salary benchmarking data, and any other data the EOR has committed to protect beyond basic legal requirements. It requires both clear data classification processes and active controls to prevent unauthorised disclosure. EOR providers often hold confidential commercial information on behalf of multiple clients who may be competitors of one another. Logical segregation of client data is therefore not only a security best practice but a direct requirement under the confidentiality criterion. Processing Integrity Processing integrity evaluates whether systems process data completely, accurately, in a timely fashion, and without unauthorised modification. This criterion is particularly relevant to payroll operations, where a calculation error can result in incorrect tax remittances, underpaid employees, or regulatory violations. Input validation controls, reconciliation procedures, and audit trails that confirm payroll data moved accurately from source to payment are the core of a processing integrity programme for EOR platforms. Privacy Privacy goes beyond confidentiality to address how personal data is collected, stored, used, retained, and disclosed in line with the AICPA’s Generally Accepted Privacy Principles. It applies when an organisation collects
In March 2026, a regional conflict in the Middle East did something that stress tests and tabletop exercises rarely manage to do: it took down cloud infrastructure across multiple availability zones at the same time, in the same region, without warning. AWS data centers in the UAE and Bahrain were impacted. Banking apps went offline. Payments failed. Delivery platforms stopped. And a significant portion of the affected organizations had done everything “right” by conventional standards — multi-AZ deployments, redundancy within the region, documented continuity plans. It wasn’t enough. This article breaks down what happened, what it revealed about how most organizations think about availability, and what a more resilient architecture actually looks like. If your systems run on cloud infrastructure — in any region — this case is worth understanding closely. What Happened: The March 2026 Incident Regional conflict in the Middle East caused physical and infrastructural disruption to AWS facilities across the UAE and Bahrain. Based on publicly reported information, the incident involved power outages affecting data center operations, physical damage to infrastructure facilities, connectivity loss across affected environments, and service degradation spanning multiple availability zones within the same region — simultaneously. That last point is the one that matters most. AWS designs its availability zones to be isolated from one another — separate power, cooling, and networking — so that a failure in one zone doesn’t cascade into another. Under normal failure conditions, that isolation holds. But this wasn’t a normal failure condition. It was a regional-scale disruption. The “rooms” were fine. The “building” was the problem. “Availability zones are designed to handle localized failures, not regional ones. This incident sits firmly in the second category.” The result was that organizations with multi-AZ architectures — which many rightly considered robust — still went down. There was no in-region fallback left to use. Business Impact: What Actually Went Offline The impact was not subtle. Banking platforms experienced downtime that prevented customers from accessing accounts or completing transactions. Payment processors were unable to process transactions. Mobility and delivery platforms halted operations entirely. Customer-facing applications became unavailable across the board. This wasn’t degraded performance or slower load times. It was a full loss of availability for any system that lived entirely within the affected region. The AWS Well-Architected Framework acknowledges that regional failures, while rare, are a defined risk category — and designing for them requires a fundamentally different approach than designing for AZ failures. Organizations with multi-region architectures kept operating. Everything else stopped. That single architectural decision — single-region versus multi-region — was the difference between availability and a complete outage. What Risks Actually Materialised This incident didn’t create new risks. It exposed ones that were already there, quietly embedded in architectural choices and compliance assumptions that had never been stress-tested at this scale. Regional Single Point of Failure The most common pattern among affected organizations: applications, databases, and backups all deployed within a single region. When that region became unavailable, there was no secondary environment to take over. No warm standby, no traffic rerouting, no automated failover. Just downtime. This is the architectural equivalent of backing up your data to a drive sitting next to your laptop. It works until it doesn’t. The Limits of Availability Zone Redundancy Availability zones are a powerful tool — but they’re a tool designed for a specific class of failure, and understanding that class matters. Think of an availability zone as a separate floor in a building. If one floor has a problem, you move to another floor. But if the entire building loses power — or becomes inaccessible — floor redundancy doesn’t help. You needed another building entirely. That’s what a region is. And this incident took down the building. Pro tip: When mapping your architecture against a business continuity plan, explicitly define your regional failure scenario. “What happens if this entire region becomes inaccessible for 24 hours?” is a question that exposes gaps that AZ-level planning will never catch. Infrastructure-Level Disruption Is Not Solvable at the Application Layer Power outages. Connectivity loss. Physical damage. These are not conditions that clever application architecture can work around if your infrastructure is entirely contained within the affected geography. No amount of microservices design, caching strategy, or auto-scaling helps when there’s no power reaching the data center. This is an important framing shift for engineering teams who own availability: some failure modes require infrastructure-layer responses, not code-layer ones. The Compliance Gap: Controls on Paper vs. Controls in Practice Perhaps the most uncomfortable implication of this incident. In many environments — particularly those undergoing ISO/IEC 27001:2022 certification or SOC 2 audits — availability controls are documented but don’t reflect the actual system architecture. Redundancy is listed as a control. It’s just redundancy within a single region, which, as this event demonstrated, is insufficient for regional-scale disruptions. The control passes an audit. It fails a real incident. This is the exact gap that compliance frameworks are designed to close — and that audit processes sometimes fail to catch. Cloud Hosting and SOC 2 Compliance Requirements Choosing AWS or Azure doesn’t hand you a SOC 2 compliance. It hands you a shared responsibility model, which means your provider secures the physical infrastructure and you secure everything running on top of it — including whether your architecture can actually deliver on your availability commitments. Auditors know this distinction well. When they evaluate your Availability criteria, they’re looking at your controls, not your provider’s SOC 2 report. What that means in practice: your recovery objectives need to be real numbers tied to a real architecture, not placeholders in a policy document. Your failover plan needs test records behind it. And your cloud provider should appear in your vendor risk register with an annual review of their own audit reports. A single-region deployment with no tested failover isn’t compliant in any meaningful sense. It’s a documentation exercise waiting to be disproved. The March 2026 incident made this concrete. Organizations that had documented availability controls but confined their entire infrastructure to
The “SSAE 18 vs SOC 2” debate typically surfaces when buyers, vendors, and even internal teams are all talking about the same general assurance problem, but using the wrong labels. A procurement team asks, “Do you have SSAE 18?” A founder says, “We’re going for SSAE 18 certification.” A customer security team asks for an “SSAE 18 SOC 2 report.” Everyone is circling the same planet, but not always landing on the right terminology. SSAE 18 and SOC 2 are not competing things. They are related, but they are not interchangeable. The AICPA defines SOC 2 as an examination and report on controls at a service organization relevant to security, availability, processing integrity, confidentiality, or privacy. SSAE 18, by contrast, is the attestation standard framework under which these kinds of engagements are performed. That distinction matters because buyers often ask for the wrong artifact. If you answer the wrong question, you can waste months preparing the wrong report. Quick Answer: SSAE 18 Is a Standard; SOC 2 Is a Report The simplest accurate explanation is this: SSAE 18 is the professional attestation standard; SOC 2 is the report deliverable. The standard tells the auditor how to perform the engagement. The report is what your customers actually read. The AICPA states that SSAE No. 18 was issued as part of its attestation clarity project, which clarified and recodified attestation standards. The same organization also explains that SOC reports are part of the AICPA’s broader SOC suite of services used to communicate controls at service organizations. So when someone says, “We need SSAE 18,” what they usually mean is one of two things: either they want a SOC 1 report for financial-reporting-related controls, or they want a SOC 2 report for security and broader system controls. How SSAE 18 Relates to SOC 1, SOC 2, and SOC 3 SOC 1 addresses controls at a service organization that are relevant to a user entity’s internal control over financial reporting. The AICPA positions SOC 1 specifically for management of user entities and their financial statement auditors. SOC 2 addresses controls relevant to the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. It is designed for customers and other specified users who need detailed information about system controls. SOC 3 covers the same trust services subject matter as SOC 2, but in a general-use format with less detail, so it can be freely distributed. (Think of it as the marketing-friendly version.) In plain English: SSAE 18 sits underneath the engagement methodology; SOC 1, SOC 2, and SOC 3 are the reporting formats and scopes that come out of it. What Is SSAE 18? SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is an AICPA-issued attestation standard used in examinations, reviews, and agreed-upon procedures for nonissuers. The AICPA describes SSAEs as applicable to the preparation and issuance of attestation reports for nonissuers, and specifically notes that SSAE No. 18 completed the attestation clarity project through clarification and recodification. Who Issues SSAE 18 and Who Performs the Engagement The AICPA Auditing Standards Board (ASB) issues SSAE standards. The actual engagement, however, is performed by an independent CPA firm or service auditor. That division of labor is important. Your company does not “self-issue” SSAE 18. A CPA firm performs an attestation engagement under that standard and then issues the related report. Insider Tip When a buyer asks whether you are “SSAE 18 certified,” they are using market shorthand, not technical language. The better response is: “We have a SOC 2 Type 2 report issued by an independent CPA firm under the applicable attestation standards.” What SSAE 18 Replaced (SSAE 16 / SAS 70 Context) Historically, the service-organization reporting world moved from SAS 70 to SSAE 16, and then to SSAE 18. The AICPA’s clarity and convergence work eliminated the old SAS 70 framing, established the SOC-branded reports, and recodified the underlying attestation standards into SSAE 18. The standard was introduced in 2016 and implemented in 2017 as part of this evolution. (For international context, SSAE 18’s closest equivalent is ISAE 3402, issued by the International Auditing and Assurance Standards Board.) That is why older buyers may still talk in legacy language. They remember SAS 70. Mid-generation buyers remember SSAE 16. Today’s market usually asks for SOC 1 or SOC 2, but sometimes with yesterday’s vocabulary still attached. Which Engagements Fall Under SSAE 18 Within the SOC context, SSAE 18 governs how the practitioner performs examinations that lead to reports such as SOC 1, SOC 2, and SOC 3. The AICPA’s SOC suite overview frames these offerings as assurance reports used to help assess and address outsourcing risk. What Is a SOC 2 Report? A SOC 2 report is an independent attestation report on controls at a service organization relevant to the Trust Services Criteria. The AICPA defines SOC 2 around the five criteria categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 exists because businesses increasingly outsource critical systems to cloud and SaaS providers, and they want a way to evaluate whether those providers have appropriate controls in place. We’ve written an in-depth guide on what SOC 2 is, which you can read here. What SOC 2 Evaluates (Controls Aligned to Trust Services Criteria) SOC 2 evaluates whether the service organization’s system and controls are suitably designed—and, in a Type 2 engagement, whether they operated effectively over a review period—against the applicable TSC. Security is always part of SOC 2, while Availability, Processing Integrity, Confidentiality, and Privacy are included based on the nature of the service and customer commitments. If you’re unsure which criteria apply to your organization, a gap analysis is a smart first step. SSAE 18 vs SOC 2: Side-by-Side Comparison Category SSAE 18 SOC 2 What it is Attestation standard Report deliverable Issued by AICPA Auditing Standards Board Independent CPA firm (after the engagement) Primary purpose Governs how the engagement is performed Communicates results about controls relevant to TSC Scope Broad attestation framework Security and
Contrary to popular belief, SOC 2 does not mandate a strict list of cryptographic controls. Instead, it evaluates whether an organization has implemented appropriate encryption controls based on risk. That distinction matters: auditors care less about whether you check a specific box and more about whether your encryption strategy effectively protects sensitive data. This guide breaks down how encryption fits into SOC 2 compliance, where auditors look for it, and how to design encryption controls that hold up during a SOC 2 Type I or SOC 2 Type II audit. What “SOC 2 encryption requirements” really means The System and Organization Controls 2 (SOC 2) framework was created by the American Institute of Certified Public Accountants (AICPA) to help service organizations demonstrate that their systems are secure and trustworthy. SOC 2 assessments evaluate controls against the Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. The AICPA’s 2017 Trust Services Criteria (updated with revised points of focus in 2022) is the document auditors reference when evaluating your controls. But here’s the key nuance: SOC 2 is a controls report, not a prescriptive encryption standard. Instead of dictating exact technologies, SOC 2 asks auditors to determine whether controls are appropriately designed and operating effectively to meet the Trust Services Criteria. This means encryption is often expected—especially for sensitive or regulated data—but it’s not universally “required” in every scenario. Scenario Encryption expectation Public marketing website TLS likely required Internal operational logs May depend on risk classification Customer database with PII Encryption almost always expected The goal is to demonstrate that encryption controls align with your data classification and risk management strategy. If you can show auditors that your encryption decisions are deliberate, documented, and proportionate to the risk, you’re in strong shape. If you can’t, even if your encryption is technically sound, expect follow-up questions. How auditors evaluate “appropriate” encryption for your risk profile SOC 2 audits are risk-based. Auditors don’t walk in with a checklist of mandatory algorithms. Instead, they assess whether your encryption posture makes sense given the data you handle. They typically ask questions like: What types of data does the system process? How sensitive is that data? What threats could expose it? What encryption controls mitigate those risks? Organizations that process PII, financial records, or proprietary customer data will be expected to demonstrate stronger encryption controls than a company that only handles non-sensitive internal metrics. Evidence often includes encryption policies, architecture diagrams, key management procedures, configuration evidence from cloud services, and monitoring and audit logs. The point isn’t just having encryption—it’s having evidence that encryption is in place and working as described. If you’re working from a SOC 2 compliance checklist, make encryption evidence a line item, not an afterthought. For a SOC 2 Type I, auditors evaluate control design at a single point in time. They’re asking: “Are these controls designed in a way that should work?” For a SOC 2 Type II, auditors test whether encryption controls operated consistently over time, typically across a 6–12 month period. This is where SOC 2 Type II continuous monitoring becomes essential. It’s one thing to set up encryption correctly on a Tuesday—it’s another to prove it was running properly every day for the last nine months. The goal is to demonstrate that encryption controls align with your data classification and risk management strategy. If you can show auditors that your encryption decisions are deliberate, documented, and proportionate to the risk, you’re in strong shape. If you can’t—even if your encryption is technically sound—expect follow-up questions. Criterion Role of encryption Key focus Security (mandatory) Primary TLS for network communication, secrets protection, key management, access control enforcement Confidentiality Primary Protecting sensitive data at rest (e.g., AES-256, TDE) and in transit Privacy Important Encrypting PII, credentials, and identity documents; works alongside retention and data minimization controls Availability Supporting Encrypted backups, secure recovery data Processing Integrity Supporting Tamper protection during data transmission and processing Security is the only mandatory criterion in every SOC 2 audit, but if you’ve included Confidentiality or Privacy in your scope, encryption becomes a central control,not a supporting one. For organizations weighing SOC 2 against other standards, our comparison of ISO 27001 vs SOC 2 can help clarify the differences. Encryption scope: what auditors will examine Auditors evaluate encryption within the boundaries you define. That means scoping decisions matter as much as the technical implementation. A mature SOC 2 environment classifies data into tiers,public, internal, confidential, and regulated,and applies encryption requirements accordingly. Customer data almost always receives the strictest protections, while internal operational metrics may be risk-based. If you haven’t built a formal data classification policy, expect auditors to flag that gap. Data type Encryption expectation Customer database Mandatory encryption Employee HR records Strong encryption Internal monitoring metrics Risk-based Two scoping pitfalls that auditors flag regularly: production data copied into staging or development environments without encryption (if real data is present, it needs production-grade protections), and unclear cloud shared responsibility. Cloud providers operate under shared responsibility models,infrastructure security may be the provider’s job, but data encryption configuration is almost always yours. Organizations using services like AWS KMS, Azure Key Vault, or Google Cloud KMS must demonstrate what the provider manages, what they manage, and how both are verified. Data in transit and at rest: what you need to encrypt In transit The industry standard is TLS 1.2 or TLS 1.3 for any data crossing a network boundary,external APIs, admin portals, and internal microservices where the risk justifies it. The rule is simple: if sensitive data moves between systems, it should be encrypted. Auditors increasingly ask about internal service-to-service traffic, not just external connections. Organizations using service mesh frameworks or zero-trust models are well positioned here. Don’t overlook remote access (VPNs, bastion hosts, zero-trust gateways), file transfers (SFTP over plain FTP), and certificate lifecycle management,an expired TLS certificate that causes an outage is both an availability problem and evidence that controls aren’t operating effectively. At rest Encryption at rest protects stored data from unauthorized access. The most
SOC 2 compliance can sometimes feel like a needlessly complex Pandora’s box of documentation. But it shouldn’t be. That’s why today, we’ll show you how to easily become compliant with our 12-step SOC 2 compliance checklist.In its simplest form, all the SOC 2 sections point to the same question: Can you prove your controls work? This SOC 2 Compliance Checklist guides you through the process from scoping through audit completion for both SOC 2 Type 1 and Type 2. It is practical, auditor-aligned, and written for teams that want clarity rather than theory. If you want the short version: SOC 2 is not about tools or paperwork. It is about repeatable processes, clear ownership, and evidence that stands up to scrutiny. What is a SOC 2 compliance checklist? A SOC 2 compliance checklist is a structured roadmap that maps your internal controls to the AICPA Trust Services Criteria and prepares your organization for a Type 1 or Type 2 audit. For a full breakdown of SOC 2 requirements, read our detailed SOC 2 guide. How to Use This SOC 2 Compliance Checklist Think of this checklist as a living roadmap, not a one-time document. You should revisit it at four points: before scoping, during readiness, throughout evidence collection, and after the audit for continuous compliance. Type 1 vs. Type 2: Which Checklist Items Change? The core checklist does not change dramatically between Type 1 and Type 2. What changes is time and proof. Type 1 evaluates whether controls are designed correctly at a specific point in time. Type 2 evaluates whether those same controls operated effectively over an observation period, usually 3, 6, or 12 months. This means evidence for Type 2 must show consistency, such as quarterly access reviews, repeated vulnerability scans, and incident response tests that actually occurred. Who Owns Each Workstream SOC 2 is cross-functional by design. Security may lead, but it cannot succeed alone. Engineering typically owns secure SDLC, change management, and logging. IT owns IAM, endpoints, and device management. Legal and HR contribute policies, onboarding controls, and training. GRC or compliance coordinates risk assessment, evidence, and auditor communication. The fastest SOC 2 projects have named control owners with deadlines, not shared responsibility. What “Audit-Ready” Really Means Being audit-ready does not mean “we think we are secure.” It means you can produce clear, dated, and traceable evidence that maps directly to the Trust Services Criteria. Auditors test design, then operation. They expect policies, tickets, screenshots, logs, and approvals. They also expect alignment. If your policy says quarterly, your evidence cannot show annual. The AICPA provides the underlying standard, supported by SSAE 18 and AT-C 205. Pre-Checklist: Confirm You Actually Need SOC 2 Not every company needs SOC 2 immediately. If your customers are SMBs, you may see lighter requirements. If you sell to enterprises, SOC 2 often becomes non-negotiable. Security questionnaires are the strongest signal. When prospects ask about penetration testing, access reviews, and incident response evidence, SOC 2 is usually the cleanest way to respond at scale. Alternatives like ISO 27001, PCI DSS, or HIPAA can be valid. But SOC 2 is uniquely customer-facing, especially in North America. ISO 27001 is excellent for global alignment, while SOC 2 maps directly to buyer trust. The 12-Step Checklist Step 1- Define Scope Scoping mistakes cause more SOC 2 delays than any missing control. Your scope must clearly define the services you provide, the systems that support them, and the access controls. Over-scoping increases cost and complexity. Under-scoping leads to auditor pushback. In-scope systems usually include production cloud environments, CI/CD pipelines, support tooling, and identity providers. In-scope people include employees and contractors with access to customer data. Third parties are addressed as Subservice organization, using either the Carve-out method or Inclusive method. Data classification and flows must identify PII, PHI, or payment data, and how it moves through systems. Action Plan for Scoping Define the Service Commitment List In-Scope Systems Identify In-Scope People Document Third Parties Map Data Flows Validate Scope with Leadership Step 2- Select the Trust Services Criteria All SOC 2 reports include Security (Common Criteria). The others are optional but must be justified. Availability focuses on uptime and disaster recovery. Confidentiality focuses on sensitive data protection. Processing Integrity focuses on system accuracy. Privacy applies when personal data obligations are central. Your report must document why each criterion is included or excluded. Auditors look closely at this rationale. Trust Service Criteria Action Plan Confirm Security (Mandatory) Assess Optional Criteria Document Inclusion Rationale Obtain Executive Sign-Off Step 3- Choose the Audit Path and Timeline Most teams benefit from a readiness assessment before audit. This is often referred to as a Readiness assessment or Gap analysis. Type 1 audits can be completed in weeks once controls are ready. Type 2 timelines depend on the observation period. Six months is the most common balance between speed and credibility. Define control owners early and create an evidence calendar. Late evidence is the enemy of clean audits. Audit Path and Timeline Action Plan Conduct Readiness or Gap Assessment Choose Audit Type Set Observation Period (Type 2) Assign Control Owners Build Evidence Calendar Step 4- Pick an Auditor and Define the Engagement Choose a CPA firm with real SOC 2 experience in your industry. Responsiveness matters more than brand name. Confirm standards, testing approach, sampling expectations, and how subservice organizations are treated. The engagement letter should clearly state scope, period, and deliverables. A clear PBC list process avoids confusion later. Action plan for finding an auditor. Shortlist CPA Firms Review Testing Approach Clarify Subservice Treatment Finalize Engagement Letter Request Preliminary PBC List Step 5- Perform a SOC 2 Gap Analysis Map existing controls to the Trust Services Criteria. Missing policies, undocumented processes, and inconsistent evidence usually surface here. Prioritize high-risk gaps first. Document known exceptions and compensating controls honestly. Auditors prefer transparency over perfection. Gap Analysis Action Plan: Map Controls to Criteria Identify Missing Controls Prioritize by Risk Document Compensating Controls Step 6- Build the Policy and Governance
Drata is a powerful tool. It can transform a slow, resource-draining activity into a value-added automated task. But in order for it to work, it needs to be set up properly. This guide explains how SOC 2 actually works inside Drata, what you need before you begin, and how to avoid the most common mistakes that slow teams down. It is written for founders, CISOs, compliance leads, and non-technical executives who want a semi-automated approach to compliance. Drata does not replace your SOC 2 program. It operationalizes it. The platform helps you manage controls, evidence, and monitoring, but decisions, ownership, and execution still matter. A successful Drata SOC 2 project follows a predictable flow: scoping, setup, automation, validation, and audit. Before You Start: What You Need to Run a SOC 2 Project in Drata Before logging into Drata, your organization needs to be aligned. 1- Decide your SOC 2 target: Type 1 vs. Type 2 and realistic timelines SOC 2 comes in two formats defined by the AICPA. SOC 2 Type I evaluates whether controls are designed correctly at a point in time.SOC 2 Type II evaluates whether those controls operate effectively over a period, usually three to twelve months. Report Type What It Evaluates Timeframe SOC 2 Type I Whether controls are designed appropriately Point in time SOC 2 Type II Whether controls operate effectively 3–12 months With Drata, many of our clients reach Type I readiness in 6 to 8 weeks if controls already exist. Type II timelines depend on the observation period, which can range from 3 months to up to a year. If you’re pursuing SOC 2 compliance due to a client’s request, he will till you which type he requires. If you’re proactively seeking SOC 2 compliance, then we recommend going for type 2 compliance. This allows you to cast a wider net of clients. A successful SOC 2 program follows a predictable lifecycle. While tools and timelines vary, the underlying phases are consistent across most organizations. Scoping: Define the system being audited, select Trust Services Criteria, set the audit period, and confirm the auditor. Good scoping reduces downstream complexity dramatically. Setup: Configure Drata, connect integrations, publish policies, and assign control ownership. This phase turns abstract requirements into operational structure. Automation: Enable continuous evidence collection across identity, infrastructure, code, ticketing, and endpoints. Automation replaces manual tracking, but only when integrations reflect reality. Validation: Run a readiness review. Confirm that controls are operating as described, evidence is complete, and timing aligns with the audit window. This is where most hidden risks surface. Audit: Auditors independently test controls and evidence. Clarifications and minor findings are normal. Clear responses and preparation determine how fast this phase moves. Continuous compliance: After the report is issued, controls continue operating. Monitoring, reviews, and periodic reassessment prevent drift and reduce effort in future audit cycles. 2- Select your Trust Services Criteria Every SOC 2 must include the Common Criteria for Security. Additional criteria are optional and must be justified. These include Availability, Confidentiality, Processing Integrity, and Privacy. The choice of additional criteria is driven by the service agreement with the customer, which may require specific criteria, or by the type of business pursuing SOC 2. If you’re a SaaS that handles a large amount of private financial data, it makes sense to pursue the confidentiality criteria, for example. Availability makes sense if you sell uptime guarantees or SLAs. Privacy should only be selected if you are prepared to meet the additional criteria around notice, consent, and data subject rights. 3- Gather prerequisites: Systems, Owners, and Access Drata works best when you already know what is in scope. This includes cloud infrastructure, identity providers, repositories, ticketing tools, and endpoints. You also need named control owners. Automation cannot replace accountability. 4- Choose or confirm an auditor early An external CPA firm ultimately issues the SOC 2 report. Confirm your auditor before proceeding with deep configuration to avoid mismatches in expectations, evidence formats, or control interpretations. Where Axipro Fits in a Drata-Led SOC 2 Program Drata is excellent at operationalizing SOC 2. It centralizes controls, automates evidence collection, and enforces timelines that matter to auditors. What it does not do is make judgment calls, resolve ambiguity, or design controls in context. That work still belongs to the experts. This is where Axipro fits. In practice, Axipro supports Drata-led SOC 2 programs in four critical areas: Scoping discipline Before configuration begins, Axipro helps validate system boundaries, Trust Services Criteria selection, and audit periods. This prevents over-scoping, which is one of the most common reasons SOC 2 projects slow down or fail testing later. Control ownership and execution clarity Drata can track controls, but it cannot assign accountability. Axipro works with teams to ensure every in-scope control has a clear owner, a realistic execution process, and an evidence strategy that will stand up to auditor scrutiny. Readiness validation before auditor access Many SOC 2 delays happen after auditors are invited. Axipro performs structured readiness reviews to catch weak evidence, misaligned controls, and timing gaps before fieldwork begins. This reduces follow-ups, exceptions, and rework. Audit navigation and exception handling During the audit, Axipro helps teams respond to auditor questions, document compensating controls, and resolve findings clearly. This keeps the audit moving and avoids creating long-term issues that resurface in future cycles. Drata provides the operating system. Axipro helps ensure the program running on top of it is coherent, defensible, and sustainable. Step 1: Scope Your SOC 2 Program in Drata Once your prep work is done, it’s time to open Drata and start the real implementation work. Scoping is the first and most important step. It defines what the auditor will test and, just as importantly, what they will ignore. Create the audit container In Drata, scope becomes “real” the moment you create the audit. Navigate to Audit Hub, then select Create Audit. Choose SOC 2 as the framework and define the audit period. This date range matters more than most teams realize. Drata
If your company sells software, handles customer data, or operates in the cloud, chances are you have already been asked for a SOC 2 report. Sometimes by a prospect, sometimes by a procurement team, sometimes by a very persistent security questionnaire that refuses to go away. And if you are early in your compliance journey, that request can feel confusing, intimidating, or even slightly unfair. What exactly is a SOC 2 report? What does it include? How does the process actually work? And do you really need one right now? This article answers those questions clearly, without legal jargon or unnecessary complexity. Whether you are a startup selling internationally or a SaaS company expanding into enterprise deals, this guide will give you the full picture on SOC 2 compliance. What does SOC 2 stand for? SOC 2 stands for System and Organization Controls 2. It is part of a broader family of SOC reports created to help organisations demonstrate how they manage and protect information. In a nutshell, its a voluntary framework that proves that a company stores and manages data in a safe way. The “2” matters because it distinguishes this report from others in the SOC framework: Report Type Primary Focus Typical Audience SOC 1 Controls relevant to financial reporting Auditors, finance teams, regulators SOC 2 Controls related to security, availability, processing integrity, confidentiality, and privacy Customers, partners, procurement teams SOC 3 High-level public summary of SOC 2 controls General public, marketing, prospects When customers ask for “SOC 2,” they are seeking evidence that your internal systems and processes are designed to protect their data consistently and measurably. And this can be evaluated through a SOC 2 report. SOC 2 vs SOC 1 vs SOC 3: what’s the difference? SOC reports serve different purposes, and choosing the wrong one can create unnecessary work. SOC 1 focuses exclusively on controls related to financial reporting. It is primarily relevant for service providers whose systems impact a customer’s financial statements, such as payroll processors or financial platforms. SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. It is the most commonly requested report for SaaS companies, cloud providers, and B2B service organisations because it directly addresses data protection and operational risk. SOC 3 is a high-level, public summary of a SOC 2 report. It contains far less detail and is typically used for marketing or high-level assurance, not for procurement or vendor risk assessments. If customers, partners, or regulators need detailed evidence of how you protect data, SOC 2 is almost always the correct choice. Benefits of SOC 2 Compliance- Why do Companies Pursue Compliance? Companies invest in SOC 2 compliance for the commercial and operational advantages it delivers. But besides that, being able to produce a SOC 2 report will allow to cast a wider net and work with customers that you would otherwise not be able to work with. Some examples: Cloud service providers, SaaS companies, and Data Centers looking to win big enterprise contracts: These businesses are often required to do Vendor Risk Assessment due to regulations such as GDPR, HIPAA, PCI DSS, SOX, and NYDFS. Companies in tightly regulated industries: Finance, healthcare, and technology are typically regulated by norms that required SOC 2 reports and Vendor Risk Assessment. Companies bidding for government contracts: While not always required, some government bodies will ask for an SOC 2 report or ISO 27001 certification to accept bids. SOC 2 reports are becoming widespread since they cascade down: Most SOC 2 compliant businesses will require vendors to produce a SOC 2 report, and not having an SOC 2 report will often make you lose a compliant client. Besides that, the most immediate benefit is trust. A SOC 2 report reduces friction during sales cycles by answering security questions upfront, rather than repeatedly through bespoke questionnaires. So even when its not strictly required, having a SOC 2 report will be beneficial. It also improves internal discipline. Preparing for SOC 2 forces teams to formalise access controls, incident response, change management, and monitoring processes that often exist informally. Finally, SOC 2 can be a growth enabler. Many enterprise buyers will not progress without it. Having a current report keeps deals moving and prevents compliance from becoming a last-minute blocker. A 2023 procurement study published by Wired noted that vendor security reviews are now standard even for contracts under six figures, reflecting how deeply embedded assurance expectations have become. Who typically needs SOC 2 compliance? SOC 2 is most often pursued by organisations that handle customer data on behalf of others, especially where trust and security influence buying decisions. This commonly includes: SaaS and cloud-based software companies Managed service providers, IT, and security firms Data platforms, infrastructure providers, and APIs Companies selling into regulated or enterprise markets Beyond industry, SOC 2 is often triggered by stage and scale. Startups moving upmarket, companies entering enterprise sales cycles, or vendors undergoing formal vendor risk assessments are frequently asked for a SOC 2 report before deals can progress. Even when not explicitly required, SOC 2 often becomes a commercial necessity. Customers increasingly expect structured, independent assurance that security controls are not improvised, but designed, documented, and consistently followed. What is a SOC 2 report? A SOC 2 report is an independent assurance report that evaluates how well an organisation protects customer data. It is issued by a licensed CPA firm and is based on the Trust Services Criteria (TSC) developed by the American Institute of Certified Public Accountants (AICPA). In simple terms, a SOC 2 report answers one core question: Can this company be trusted to handle sensitive information securely and responsibly? Unlike ISO standards, SOC 2 is not a “certification” in the traditional sense. There is no pass or fail badge. Instead, the report documents: Your control environment How controls are designed How they operate over time Any exceptions or gaps identified by the auditor The result is a detailed report that customers and partners use to assess your security
