Skip to main content

SOC 2 Compliance

SOC 2 is an AICPA framework that audits how service organizations protect customer data against five Trust Services Criteria. Building its controls into a system keeps migrated services continuously auditable rather than audit-driven.

Best Practice: SOC 2 Compliance

SOC 2 (Service Organization Control 2) is an auditing framework from the American Institute of Certified Public Accountants (AICPA) that evaluates how well a service organization protects customer data. It is based on the Trust Services Criteria: Security (always required), and optionally Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report assesses control design at a point in time; a Type II report assesses operating effectiveness over a period, typically 3 to 12 months. SOC 2 is the de facto trust signal for B2B SaaS. For modernization, treating SOC 2 controls as design requirements keeps a migrated system continuously auditable rather than scrambling before each audit.

Step-by-Step Implementation Guidance

  1. Choose the Trust Services Criteria in scope based on what you promise customers.
  2. Define your system boundary: the services, infrastructure, and data covered.
  3. Implement controls for access, change management, monitoring, encryption, and incident response.
  4. Document policies and procedures and assign owners.
  5. Collect evidence continuously (logs, tickets, approvals) rather than at audit time.
  6. Run a readiness assessment or gap analysis before the formal audit.
  7. Engage a licensed CPA firm for the Type I, then Type II, examination.

Common Mistakes Teams Make When Ignoring This Practice

  • Treating SOC 2 as a one-time project instead of continuous operation.
  • Scrambling to recreate evidence right before the audit window.
  • Scoping the system boundary vaguely, leaving gaps auditors flag.
  • Writing policies no one follows in practice.
  • Ignoring change management and access reviews until findings appear.

Tools and Techniques That Support This Practice

  • Compliance automation platforms such as Vanta, Drata, and Secureframe.
  • Centralized logging, SIEM, and access-review tooling.
  • Infrastructure as code with policy as code for consistent controls.
  • Identity and access management with least-privilege and MFA.

How This Practice Applies to Different Migration Types

  • Cloud Migration: Carry SOC 2 controls into the new environment, including logging, encryption, and access reviews.
  • Database Migration: Preserve encryption, access controls, and audit trails for data at rest and in transit.
  • SaaS Migration: Verify new SaaS vendors hold their own SOC 2 reports before relying on them.
  • Codebase Migration: Keep change-management and code-review controls intact through the rewrite.

Checklist

  • In-scope Trust Services Criteria are chosen.
  • The system boundary is clearly defined.
  • Controls cover access, change, monitoring, and encryption.
  • Policies are documented and owned.
  • Evidence is collected continuously.
  • A readiness gap analysis is completed.
  • A licensed CPA firm performs the examination.