[{"data":1,"prerenderedAt":11145},["ShallowReactive",2],{"framework-topics-soc2":3,"framework-soc2":7662,"related-glossary-soc2-grc-isms-evidence-collection":8230,"explore-glossary-soc2-\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures":8851,"explore-topics-soc2-\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures":9624,"explore-hub-soc2":10223,"explore-compare-vs-\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures":10582,"explore-compare-\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures":10747,"explore-blog-soc2-\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures":10865,"explore-industry-soc2":11061},[4,540,933,1282,1983,2467,2768,3282,3605,4160,4809,5217,5634,6157,6781,7299],{"id":5,"title":6,"body":7,"description":521,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":526,"navigation":527,"path":528,"relatedTerms":529,"relatedTopics":531,"seo":535,"stem":538,"__hash__":539},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Faudit-process.md","SOC 2 Audit Process",{"type":8,"value":9,"toc":494},"minimark",[10,15,30,34,37,42,70,74,82,96,99,103,106,126,134,138,141,178,181,185,193,197,236,240,303,307,310,313,351,355,401,405,408,412,415,419,422,426,429,443,446,450,480,484],[11,12,14],"h2",{"id":13},"how-the-soc-2-audit-process-works","How the SOC 2 audit process works",[16,17,18,19,24,25,29],"p",{},"The ",[20,21,23],"a",{"href":22},"\u002Fframeworks\u002Fsoc2","SOC 2"," audit process can feel opaque if you have never been through one. Unlike a certification like ",[20,26,28],{"href":27},"\u002Fframeworks\u002Fiso27001","ISO 27001"," where a registrar issues a certificate, SOC 2 produces an auditor's report — a detailed opinion letter from a licensed CPA firm. 
Understanding each phase removes surprises and keeps your team on track.",[11,31,33],{"id":32},"phase-1-scoping-and-readiness-assessment","Phase 1: Scoping and readiness assessment",[16,35,36],{},"Before engaging an auditor, define what is in scope and evaluate how ready you are.",[38,39,41],"h3",{"id":40},"define-scope","Define scope",[43,44,45,53,64],"ul",{},[46,47,48,52],"li",{},[49,50,51],"strong",{},"Systems",": Identify the applications, infrastructure, databases, and third-party services that store, process, or transmit customer data.",[46,54,55,58,59,63],{},[49,56,57],{},"Trust Services Criteria",": Security is required. Add availability, processing integrity, confidentiality, or privacy based on customer commitments and the nature of your service. See the ",[20,60,62],{"href":61},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria deep dive"," for guidance.",[46,65,66,69],{},[49,67,68],{},"Service commitments",": Review your terms of service, SLAs, and data processing agreements. Auditors will test controls against these commitments.",[38,71,73],{"id":72},"conduct-a-gap-analysis","Conduct a gap analysis",[16,75,76,77,81],{},"Compare your current controls against ",[20,78,80],{"href":79},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". A readiness assessment identifies:",[43,83,84,87,90,93],{},[46,85,86],{},"Controls that already satisfy criteria",[46,88,89],{},"Gaps where controls are missing or undocumented",[46,91,92],{},"Evidence that exists versus evidence you still need to collect",[46,94,95],{},"Policies that need to be written or updated",[16,97,98],{},"Many organizations perform this internally or hire a consultant. The output should be a remediation plan with owners and deadlines.",[38,100,102],{"id":101},"remediate-gaps","Remediate gaps",[16,104,105],{},"Address the findings from your gap analysis before the audit begins. 
Common remediation items include:",[43,107,108,111,114,117,120,123],{},[46,109,110],{},"Writing or formalizing information security policies",[46,112,113],{},"Enabling multi-factor authentication across all critical systems",[46,115,116],{},"Implementing centralized logging and monitoring",[46,118,119],{},"Establishing a vendor risk management process",[46,121,122],{},"Conducting security awareness training for all employees",[46,124,125],{},"Documenting an incident response plan and running a tabletop exercise",[16,127,128,129,133],{},"Budget four to twelve weeks for remediation depending on the size of your gap list. Use the ",[20,130,132],{"href":131},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","SOC 2 compliance checklist"," to track progress systematically.",[11,135,137],{"id":136},"phase-2-selecting-an-auditor","Phase 2: Selecting an auditor",[16,139,140],{},"SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Not all CPA firms are equal — look for:",[43,142,143,149,155,161,172],{},[46,144,145,148],{},[49,146,147],{},"SOC 2 experience",": Ask how many SOC 2 engagements they complete per year and whether they have experience with companies at your stage and in your industry.",[46,150,151,154],{},[49,152,153],{},"Technology alignment",": Firms that understand cloud-native architectures, CI\u002FCD pipelines, and modern SaaS stacks will ask better questions and move faster.",[46,156,157,160],{},[49,158,159],{},"Communication style",": You will work closely with the audit team for weeks or months. Clear, responsive communication matters.",[46,162,163,166,167,171],{},[49,164,165],{},"Pricing transparency",": Request a fixed-fee quote or a detailed estimate. Understand what triggers additional fees. See our ",[20,168,170],{"href":169},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for benchmarks.",[46,173,174,177],{},[49,175,176],{},"Timeline availability",": Popular audit firms book up quarters in advance. 
Start the selection process early.",[16,179,180],{},"Request proposals from two to four firms, compare scope and pricing, and check references from companies similar to yours.",[11,182,184],{"id":183},"phase-3-the-type-i-audit","Phase 3: The Type I audit",[16,186,187,188,192],{},"A ",[20,189,191],{"href":190},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type I"," audit evaluates whether controls are suitably designed and implemented as of a specific date — a point-in-time assessment.",[38,194,196],{"id":195},"what-to-expect","What to expect",[198,199,200,206,212,218,224,230],"ol",{},[46,201,202,205],{},[49,203,204],{},"Kickoff meeting",": The auditor reviews scope, systems, and criteria with your team. They will share a request list detailing the evidence and documentation they need.",[46,207,208,211],{},[49,209,210],{},"Evidence collection",": Your team gathers policies, configurations, screenshots, access lists, and other artifacts. This is typically the most time-consuming step.",[46,213,214,217],{},[49,215,216],{},"Walkthroughs and inquiries",": The auditor conducts interviews with control owners to understand how processes work. They may ask for live demonstrations.",[46,219,220,223],{},[49,221,222],{},"Testing",": The auditor inspects evidence to confirm controls are designed to meet the criteria. For Type I, they are validating design — not operating effectiveness over time.",[46,225,226,229],{},[49,227,228],{},"Issue identification",": If the auditor finds control gaps or design deficiencies, they will flag them. 
You may have an opportunity to remediate before the report is finalized.",[46,231,232,235],{},[49,233,234],{},"Report drafting and delivery",": The auditor produces a report containing their opinion, a description of your system, the criteria tested, and any exceptions noted.",[38,237,239],{"id":238},"type-i-timeline","Type I timeline",[241,242,243,256],"table",{},[244,245,246],"thead",{},[247,248,249,253],"tr",{},[250,251,252],"th",{},"Step",[250,254,255],{},"Duration",[257,258,259,268,276,284,291],"tbody",{},[247,260,261,265],{},[262,263,264],"td",{},"Readiness and remediation",[262,266,267],{},"4–12 weeks",[247,269,270,273],{},[262,271,272],{},"Auditor selection and contracting",[262,274,275],{},"2–4 weeks",[247,277,278,281],{},[262,279,280],{},"Evidence collection and fieldwork",[262,282,283],{},"3–6 weeks",[247,285,286,289],{},[262,287,288],{},"Report drafting and review",[262,290,275],{},[247,292,293,298],{},[262,294,295],{},[49,296,297],{},"Total",[262,299,300],{},[49,301,302],{},"11–26 weeks",[11,304,306],{"id":305},"phase-4-the-type-ii-audit","Phase 4: The Type II audit",[16,308,309],{},"A SOC 2 Type II audit tests whether controls operated effectively over a defined observation period, typically three to twelve months. Most organizations choose a six-month or twelve-month window.",[38,311,196],{"id":312},"what-to-expect-1",[198,314,315,321,327,333,339,345],{},[46,316,317,320],{},[49,318,319],{},"Observation period begins",": The clock starts on the agreed date. 
All controls must be operating from this point forward.",[46,322,323,326],{},[49,324,325],{},"Ongoing evidence collection",": Unlike Type I, you need to collect evidence continuously throughout the observation period — access reviews, change approvals, incident logs, monitoring alerts.",[46,328,329,332],{},[49,330,331],{},"Midpoint check-in"," (optional but recommended): Some auditors offer an interim review partway through the observation period to catch issues early.",[46,334,335,338],{},[49,336,337],{},"Fieldwork",": After the observation period ends, the auditor performs detailed testing. They sample transactions, review logs, and verify that controls operated consistently.",[46,340,341,344],{},[49,342,343],{},"Exception handling",": If a control failed during the period, the auditor documents the exception. A few exceptions do not automatically mean a qualified opinion, but patterns of failure will.",[46,346,347,350],{},[49,348,349],{},"Final report",": The Type II report includes everything from Type I plus the auditor's testing results and opinion on operating effectiveness.",[38,352,354],{"id":353},"type-ii-timeline","Type II timeline",[241,356,357,365],{},[244,358,359],{},[247,360,361,363],{},[250,362,252],{},[250,364,255],{},[257,366,367,375,383,389],{},[247,368,369,372],{},[262,370,371],{},"Observation period",[262,373,374],{},"3–12 months",[247,376,377,380],{},[262,378,379],{},"Fieldwork after period ends",[262,381,382],{},"4–8 weeks",[247,384,385,387],{},[262,386,288],{},[262,388,275],{},[247,390,391,396],{},[262,392,393],{},[49,394,395],{},"Total (after readiness)",[262,397,398],{},[49,399,400],{},"5–15 months",[11,402,404],{"id":403},"phase-5-report-delivery-and-beyond","Phase 5: Report delivery and beyond",[16,406,407],{},"Once you receive your SOC 2 report, the process does not end.",[38,409,411],{"id":410},"distribute-the-report","Distribute the report",[16,413,414],{},"SOC 2 reports are restricted-use documents. 
Share them under NDA with customers, prospects, and partners who request them. Many companies set up a trust center or compliance portal to manage requests.",[38,416,418],{"id":417},"plan-for-the-next-period","Plan for the next period",[16,420,421],{},"SOC 2 Type II reports cover a specific window. To maintain continuous coverage, plan the next observation period to begin immediately after the current one ends. Auditors call this a \"bridge period\" — any gap between periods means you have a coverage lapse that buyers may question.",[38,423,425],{"id":424},"continuous-monitoring","Continuous monitoring",[16,427,428],{},"The most efficient SOC 2 programs do not treat the audit as a seasonal event. Instead, they:",[43,430,431,434,437,440],{},[46,432,433],{},"Monitor control health in real time",[46,435,436],{},"Collect evidence automatically where possible",[46,438,439],{},"Review and update policies on a regular cadence",[46,441,442],{},"Track remediation items from previous audit exceptions",[16,444,445],{},"This continuous approach reduces the scramble before each audit and catches issues before they become exceptions.",[11,447,449],{"id":448},"common-pitfalls-in-the-soc-2-audit-process","Common pitfalls in the SOC 2 audit process",[43,451,452,458,464,470],{},[46,453,454,457],{},[49,455,456],{},"Starting evidence collection too late",": Begin during readiness, not after the auditor's first request list arrives.",[46,459,460,463],{},[49,461,462],{},"Single-threaded ownership",": SOC 2 touches engineering, IT, HR, and legal. Assign control owners across teams and give them visibility into the timeline.",[46,465,466,469],{},[49,467,468],{},"Ignoring the observation period",": For Type II, controls must operate every day of the period. A policy that exists but is not followed will result in exceptions.",[46,471,472,475,476,479],{},[49,473,474],{},"Choosing the wrong auditor",": A mismatched firm can slow the process and increase ",[20,477,478],{"href":169},"costs",". 
Do your diligence upfront.",[11,481,483],{"id":482},"how-episki-helps","How episki helps",[16,485,486,487,493],{},"episki streamlines every phase of the audit process. During readiness, the platform performs automated gap analysis against SOC 2 requirements and generates a prioritized remediation plan. During the observation period, structured evidence collection with ownership tracking and review cadences ensures nothing falls through the cracks. When fieldwork begins, the auditor collaboration portal gives your CPA firm scoped access to controls, evidence, and Q&A threads — eliminating back-and-forth emails. ",[20,488,492],{"href":489,"rel":490},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[491],"nofollow","Start a free trial"," to see the full audit workflow in action.",{"title":495,"searchDepth":496,"depth":496,"links":497},"",2,[498,499,505,506,510,514,519,520],{"id":13,"depth":496,"text":14},{"id":32,"depth":496,"text":33,"children":500},[501,503,504],{"id":40,"depth":502,"text":41},3,{"id":72,"depth":502,"text":73},{"id":101,"depth":502,"text":102},{"id":136,"depth":496,"text":137},{"id":183,"depth":496,"text":184,"children":507},[508,509],{"id":195,"depth":502,"text":196},{"id":238,"depth":502,"text":239},{"id":305,"depth":496,"text":306,"children":511},[512,513],{"id":312,"depth":502,"text":196},{"id":353,"depth":502,"text":354},{"id":403,"depth":496,"text":404,"children":515},[516,517,518],{"id":410,"depth":502,"text":411},{"id":417,"depth":502,"text":418},{"id":424,"depth":502,"text":425},{"id":448,"depth":496,"text":449},{"id":482,"depth":496,"text":483},"A step-by-step guide to the SOC 2 audit process, from readiness assessment through final report delivery, including timelines for Type I and Type II engagements.","md",null,"soc2","2026-04-16",{},true,"\u002Fframeworks\u002Fsoc2\u002Faudit-process",[524,530],"grc",[532,533,534],"type-1-vs-type-2","requirements","cost",{"title":536,"description":537},"SOC 2 Audit Process — Step-by-Step Guide 
for 2026","Walk through the SOC 2 audit process step by step. Learn about readiness assessments, auditor selection, Type I vs Type II timelines, and what to expect.","5.frameworks\u002Fsoc2\u002Faudit-process","iyxfqb2dYCTbXKBkEJCPxss2rzK_gziKbfoMFkRC3V0",{"id":541,"title":542,"body":543,"description":901,"extension":522,"faq":902,"frameworkSlug":524,"lastUpdated":525,"meta":919,"navigation":527,"path":920,"relatedTerms":921,"relatedTopics":925,"seo":928,"stem":931,"__hash__":932},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Favailability-criteria.md","SOC 2 Availability Criteria",{"type":8,"value":544,"toc":880},[545,549,555,558,562,567,587,590,594,597,601,621,625,639,642,646,649,652,675,678,695,698,702,705,708,725,728,742,755,759,762,788,800,804,807,810,814,846,850,867,869],[11,546,548],{"id":547},"availability-is-the-soc-2-criterion-most-visible-to-customers","Availability is the SOC 2 criterion most visible to customers",[16,550,551,552,554],{},"When a customer's application goes down and they cannot log in, they blame your uptime. The availability Trust Services Criterion is where ",[20,553,23],{"href":22}," turns that reality into a structured set of controls. The criterion applies when an organization commits to specific uptime levels or recovery capabilities — typically through published SLAs, status pages, or contractual obligations. If your customers rely on your service being up, availability belongs in your audit scope.",[16,556,557],{},"Availability is optional in SOC 2, but for SaaS companies selling into enterprise or mid-market, it is often the first additional criterion added beyond security. 
Enterprise procurement teams expect it because their risk frameworks treat vendor availability as a top-tier concern.",[11,559,561],{"id":560},"what-the-availability-criterion-covers","What the availability criterion covers",[16,563,18,564,566],{},[20,565,57],{"href":61}," define availability as \"the accessibility of the system, products, or services as stipulated by a contract or service level agreement.\" Availability has three dedicated control categories in the A1 series, plus overlap with several Common Criteria.",[43,568,569,575,581],{},[46,570,571,574],{},[49,572,573],{},"A1.1"," — The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity.",[46,576,577,580],{},[49,578,579],{},"A1.2"," — The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its availability objectives.",[46,582,583,586],{},[49,584,585],{},"A1.3"," — The entity tests recovery plan procedures supporting system recovery to meet its availability objectives.",[16,588,589],{},"A1 is short but dense. Each control generates operational evidence across the observation period.",[11,591,593],{"id":592},"a11-capacity-planning-and-monitoring","A1.1 — Capacity planning and monitoring",[16,595,596],{},"A1.1 requires that you know how much capacity your system has, how much it is using, and how you will add more when demand grows. 
Auditors look for a capacity management process that operates continuously, not a one-time analysis.",[38,598,600],{"id":599},"typical-controls","Typical controls",[43,602,603,606,609,612,615,618],{},[46,604,605],{},"Real-time capacity monitoring dashboards (CPU, memory, storage, network, database connections)",[46,607,608],{},"Defined thresholds for capacity alerts",[46,610,611],{},"Scheduled capacity reviews with documented outcomes",[46,613,614],{},"Forecasting based on growth assumptions",[46,616,617],{},"Auto-scaling for elastic workloads",[46,619,620],{},"Procurement lead time built into capacity forecasting",[38,622,624],{"id":623},"evidence-expectations","Evidence expectations",[43,626,627,630,633,636],{},[46,628,629],{},"Capacity dashboards with historical data spanning the observation period",[46,631,632],{},"Capacity review meeting notes or tickets",[46,634,635],{},"Alert history showing capacity thresholds being monitored",[46,637,638],{},"Procurement or provisioning records when capacity was added",[16,640,641],{},"Organizations running in public cloud typically have strong A1.1 posture out of the box because auto-scaling and managed services remove much of the manual capacity work. Organizations running colocated hardware have more evidence to produce.",[11,643,645],{"id":644},"a12-environmental-protections-and-recovery-infrastructure","A1.2 — Environmental protections and recovery infrastructure",[16,647,648],{},"A1.2 covers the infrastructure that supports availability — redundancy, backups, and environmental controls. 
The term \"environmental\" is broader than physical environment; it includes software resilience as well.",[38,650,600],{"id":651},"typical-controls-1",[43,653,654,657,660,663,666,669,672],{},[46,655,656],{},"Multi-region or multi-AZ deployment architecture",[46,658,659],{},"Redundant components (load balancers, databases, caches)",[46,661,662],{},"Automated failover mechanisms",[46,664,665],{},"Backup and recovery procedures with defined retention",[46,667,668],{},"Data replication strategy",[46,670,671],{},"Physical environmental controls for on-premises facilities (power, cooling, fire suppression)",[46,673,674],{},"Network isolation and DDoS protections",[38,676,624],{"id":677},"evidence-expectations-1",[43,679,680,683,686,689,692],{},[46,681,682],{},"Architecture diagrams showing redundancy",[46,684,685],{},"Backup job logs confirming successful backups",[46,687,688],{},"Backup restoration test records",[46,690,691],{},"Failover test results if applicable",[46,693,694],{},"Data center certifications (for colocated hardware)",[16,696,697],{},"A common gap in A1.2 is backup coverage. Teams have backups but do not test restoration until an incident forces it. Auditors look for proactive restoration tests.",[11,699,701],{"id":700},"a13-recovery-testing","A1.3 — Recovery testing",[16,703,704],{},"A1.3 is where availability and business continuity meet. 
The control requires that recovery procedures be tested so they work when a real disruption occurs.",[38,706,600],{"id":707},"typical-controls-2",[43,709,710,713,716,719,722],{},[46,711,712],{},"Documented disaster recovery plan with defined RPO and RTO",[46,714,715],{},"Annual or more frequent DR tests",[46,717,718],{},"Scenario-based testing (region failure, database failure, application failure)",[46,720,721],{},"Post-test reviews with remediation items",[46,723,724],{},"Business continuity plan integration",[38,726,624],{"id":727},"evidence-expectations-2",[43,729,730,733,736,739],{},[46,731,732],{},"Current DR plan document with approval evidence",[46,734,735],{},"DR test reports from the observation period",[46,737,738],{},"Remediation tracking for issues identified during tests",[46,740,741],{},"Evidence that lessons were incorporated into the plan",[16,743,744,745,749,750,754],{},"See ",[20,746,748],{"href":747},"\u002Fglossary\u002Fbusiness-continuity","business continuity"," and ",[20,751,753],{"href":752},"\u002Fglossary\u002Fdisaster-recovery","disaster recovery"," for related terms.",[11,756,758],{"id":757},"overlap-with-other-trust-services-criteria","Overlap with other Trust Services Criteria",[16,760,761],{},"Availability does not exist in isolation. Several Common Criteria contribute to the picture.",[43,763,764,770,776,782],{},[46,765,766,769],{},[49,767,768],{},"CC7"," (system operations) — monitoring that detects availability events feeds the availability controls directly",[46,771,772,775],{},[49,773,774],{},"CC9.1"," (business continuity) — overlaps heavily with A1.3",[46,777,778,781],{},[49,779,780],{},"CC2"," (communication) — customer and internal communication during outages",[46,783,784,787],{},[49,785,786],{},"CC8"," (change management) — poorly managed changes cause outages",[16,789,790,791,749,795,799],{},"A well-designed SOC 2 program maps controls once and applies them to every applicable criterion. 
For example, a failover test may satisfy A1.2, A1.3, and CC9.1 simultaneously. The same mapping applies in ",[20,792,794],{"href":793},"\u002Fframeworks\u002Fsoc2\u002Fcontinuous-monitoring","continuous monitoring",[20,796,798],{"href":797},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",".",[11,801,803],{"id":802},"how-this-fits-into-soc-2","How this fits into SOC 2",[16,805,806],{},"Availability is the most visible criterion for customers — outages generate status page updates, incident reports, and sometimes contractual credits. Auditors know this, so they examine availability controls against both the design and real operational outcomes during the observation period. If you had an outage during the period, the auditor will typically request the incident record and verify that A1.3 controls — recovery procedures — were executed and effective.",[16,808,809],{},"This also means availability has the clearest connection between control effectiveness and business impact. A clean availability section in a SOC 2 report supports sales conversations about enterprise reliability in a way that the security criterion alone cannot.",[11,811,813],{"id":812},"common-mistakes","Common mistakes",[43,815,816,822,828,834,840],{},[46,817,818,821],{},[49,819,820],{},"SLA without monitoring."," A published uptime commitment that nobody measures is a recipe for exceptions. If you commit to 99.9%, measure it and report it.",[46,823,824,827],{},[49,825,826],{},"Backups without restoration tests."," Untested backups are hope, not controls. Run periodic restorations.",[46,829,830,833],{},[49,831,832],{},"DR plan in a drawer."," A plan that has not been updated in two years is a design problem even if no disaster happened. Review annually.",[46,835,836,839],{},[49,837,838],{},"No RPO or RTO."," \"We'll figure it out\" is not an acceptable answer to what data loss you can tolerate. 
Define the numbers.",[46,841,842,845],{},[49,843,844],{},"Single-region deployments with availability criterion."," If your architecture cannot survive a regional failure and you are claiming availability, the auditor will note the gap. Match the criterion to reality.",[11,847,849],{"id":848},"implementation-tips","Implementation tips",[43,851,852,855,858,861,864],{},[46,853,854],{},"Publish a status page that reflects real uptime. Auditors sometimes check it against your internal incident records.",[46,856,857],{},"Define RPO and RTO per system tier. Not every service needs the same recovery targets, and differentiating them makes the plan credible.",[46,859,860],{},"Test DR quarterly with different scenarios rotating across the year. Document each test.",[46,862,863],{},"Treat capacity alerts as first-class signals. If capacity thresholds are consistently breached with no action, A1.1 is weak.",[46,865,866],{},"Integrate capacity planning with business forecasts. Sales pipeline can predict capacity demand if the signal is used.",[11,868,483],{"id":482},[16,870,871,872,875,876,879],{},"episki maps the A1 series controls to your existing monitoring, backup, and DR tooling and collects evidence — capacity dashboards, DR test results, incident history — automatically across the observation period. 
",[20,873,492],{"href":489,"rel":874},[491]," or read the full ",[20,877,878],{"href":22},"SOC 2 framework guide"," for how availability sits inside a complete SOC 2 program.",{"title":495,"searchDepth":496,"depth":496,"links":881},[882,883,884,888,892,896,897,898,899,900],{"id":547,"depth":496,"text":548},{"id":560,"depth":496,"text":561},{"id":592,"depth":496,"text":593,"children":885},[886,887],{"id":599,"depth":502,"text":600},{"id":623,"depth":502,"text":624},{"id":644,"depth":496,"text":645,"children":889},[890,891],{"id":651,"depth":502,"text":600},{"id":677,"depth":502,"text":624},{"id":700,"depth":496,"text":701,"children":893},[894,895],{"id":707,"depth":502,"text":600},{"id":727,"depth":502,"text":624},{"id":757,"depth":496,"text":758},{"id":802,"depth":496,"text":803},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"Deep dive on the SOC 2 Availability Trust Services Criterion. A1 series controls, uptime commitments, capacity planning, and disaster recovery.",{"items":903},[904,907,910,913,916],{"label":905,"content":906},"When should I include the availability criterion in my SOC 2?","Include availability when you have published SLAs, customers depend on continuous uptime, or contracts include availability commitments with penalties. Many SaaS companies add availability in their first SOC 2 if they sell into enterprise or mid-market.",{"label":908,"content":909},"Does the availability criterion require 99.99% uptime?","No. SOC 2 does not set a specific uptime number. It requires that you have defined availability commitments, measure against them, and have controls that support those commitments. The number is whatever you commit to in SLAs or customer contracts.",{"label":911,"content":912},"What is the difference between availability and business continuity?","Availability in SOC 2 covers day-to-day operation of the system — capacity, redundancy, monitoring. 
Business continuity covers response to disruptive events — the ability to recover when something goes wrong. Both are tested under availability controls (A1.3 specifically).",{"label":914,"content":915},"Do I need to test disaster recovery annually?","Yes. Auditors expect documented DR tests at least annually, with defined scenarios, results, and corrective actions. Many mature SOC 2 programs test quarterly, rotating scenarios.",{"label":917,"content":918},"What evidence do auditors expect for availability?","Auditors typically review published SLAs, capacity monitoring dashboards, incident history for outages, DR test results, and evidence that the DR plan was executed or simulated during the observation period.",{},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria",[922,923,924,524],"business-continuity","disaster-recovery","monitoring",[926,424,927],"trust-services-criteria","incident-response",{"title":929,"description":930},"SOC 2 Availability Criteria (2026): A1 Controls Deep Dive","Master the SOC 2 Availability criterion. 
A1.1 capacity planning, A1.2 environmental protections, A1.3 recovery, and common audit evidence.","5.frameworks\u002Fsoc2\u002Favailability-criteria","KNruVOcwfKW-lBS_jQvoBBLXuh2wwZOLL0fROaBb2bw",{"id":934,"title":935,"body":936,"description":1252,"extension":522,"faq":1253,"frameworkSlug":524,"lastUpdated":525,"meta":1270,"navigation":527,"path":1271,"relatedTerms":1272,"relatedTopics":1276,"seo":1277,"stem":1280,"__hash__":1281},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fchange-management.md","SOC 2 Change Management",{"type":8,"value":937,"toc":1236},[938,942,948,951,955,961,984,987,991,994,998,1001,1018,1022,1025,1029,1032,1043,1047,1050,1067,1070,1074,1077,1100,1111,1115,1118,1143,1146,1148,1151,1167,1170,1172,1204,1206,1223,1225],[11,939,941],{"id":940},"change-management-is-the-most-tested-control-in-soc-2","Change management is the most-tested control in SOC 2",[16,943,944,945,947],{},"If continuous monitoring is where Type II is won, change management is where it is most often lost. Every modern SaaS company deploys constantly. Every deployment is a change that auditors consider in scope under CC8.1. A ",[20,946,23],{"href":22}," Type II audit over a six- or twelve-month observation period may involve thousands of production changes, and auditors will sample them.",[16,949,950],{},"The good news is that mature engineering teams already have most of the controls — code review, CI\u002FCD, infrastructure as code — they just need to be mapped to CC8.1, documented, and made visible to auditors. 
The bad news is that any change that bypasses those controls and reaches production creates an exception that is hard to explain away.",[11,952,954],{"id":953},"what-cc81-requires","What CC8.1 requires",[16,956,957,958,960],{},"CC8.1 in the ",[20,959,57],{"href":61}," requires that the entity \"authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.\" The points of focus expand this into seven expectations.",[43,962,963,966,969,972,975,978,981],{},[46,964,965],{},"Manages changes throughout the system development life cycle",[46,967,968],{},"Authorizes changes before implementation",[46,970,971],{},"Designs and develops changes with appropriate controls",[46,973,974],{},"Documents changes so they can be traced and reproduced",[46,976,977],{},"Tracks system changes to confirm authorization and intended outcomes",[46,979,980],{},"Configures software with approved configurations",[46,982,983],{},"Tests system changes before implementation",[16,985,986],{},"CC8.1 also intersects with CC6.1 (access control) because only authorized people should be able to approve and deploy changes, and CC7.1 (configuration monitoring) because unauthorized changes should generate alerts.",[11,988,990],{"id":989},"the-four-lanes-of-soc-2-change-management","The four lanes of SOC 2 change management",[16,992,993],{},"Different types of changes need different controls. Organizations that try to use a single workflow for everything end up with either too much bureaucracy or too many exceptions.",[38,995,997],{"id":996},"_1-application-code-changes","1. Application code changes",[16,999,1000],{},"Standard developer workflow: feature branch, pull request, code review, automated tests, merge to main, deploy. 
Controls to document:",[43,1002,1003,1006,1009,1012,1015],{},[46,1004,1005],{},"Branch protection requiring reviewer approval",[46,1007,1008],{},"Required status checks (tests passing, security scans clean)",[46,1010,1011],{},"Merge restrictions to authorized committers",[46,1013,1014],{},"Automated deployment from the main branch",[46,1016,1017],{},"Linkage from commit to pull request to deployment record",[38,1019,1021],{"id":1020},"_2-infrastructure-changes","2. Infrastructure changes",[16,1023,1024],{},"Infrastructure-as-code is the cleanest path. Terraform, Pulumi, CloudFormation, or equivalent in version control means infrastructure changes follow the same review workflow as application code. Manual console changes to production should be minimized and, when made, logged with a ticket.",[38,1026,1028],{"id":1027},"_3-configuration-changes","3. Configuration changes",[16,1030,1031],{},"Application configuration, feature flags, and runtime settings often change outside the code deployment workflow. Controls include:",[43,1033,1034,1037,1040],{},[46,1035,1036],{},"Config stored in version control or a secrets manager with audit logs",[46,1038,1039],{},"Feature flag changes logged with actor and timestamp",[46,1041,1042],{},"Production console access restricted and monitored",[38,1044,1046],{"id":1045},"_4-emergency-changes","4. Emergency changes",[16,1048,1049],{},"Every engineering team has moments when normal process must be bypassed. 
SOC 2 accommodates this as long as the exception is managed.",[43,1051,1052,1055,1058,1061,1064],{},[46,1053,1054],{},"Define an emergency change procedure in policy",[46,1056,1057],{},"Require at least one authorized approver (even if post-hoc)",[46,1059,1060],{},"Require a written justification",[46,1062,1063],{},"Log the change in the same system as normal changes",[46,1065,1066],{},"Review emergency changes in a monthly or quarterly retrospective",[16,1068,1069],{},"Auditors look at the population of emergency changes and ask why each one qualified. If everything is an emergency, the normal process is not working.",[11,1071,1073],{"id":1072},"evidence-auditors-expect","Evidence auditors expect",[16,1075,1076],{},"A Type II audit will generate specific requests around change management.",[43,1078,1079,1082,1085,1088,1091,1094,1097],{},[46,1080,1081],{},"Change management policy document",[46,1083,1084],{},"Inventory of systems covered by the process",[46,1086,1087],{},"A list of changes deployed during the observation period",[46,1089,1090],{},"Samples of individual changes with their full audit trail",[46,1092,1093],{},"Evidence of emergency change approvals and justifications",[46,1095,1096],{},"Evidence of segregation between developers and production deployers (where applicable)",[46,1098,1099],{},"Branch protection and CI\u002FCD configuration settings",[16,1101,1102,1103,749,1107,799],{},"The auditor may pull changes from your version control system directly or request an export. The fastest way to pass this section is to ensure the audit trail is complete by default rather than reconstructing it after the fact. Related glossary: ",[20,1104,1106],{"href":1105},"\u002Fglossary\u002Fchange-management","change management",[20,1108,1110],{"href":1109},"\u002Fglossary\u002Faudit-trail","audit trail",[11,1112,1114],{"id":1113},"approval-workflows-that-satisfy-soc-2","Approval workflows that satisfy SOC 2",[16,1116,1117],{},"The workflow itself is not prescribed. 
The outcomes are. The workflow must demonstrate:",[198,1119,1120,1126,1131,1137],{},[46,1121,1122,1125],{},[49,1123,1124],{},"Authorization",". Someone with appropriate authority approved the change before it reached production.",[46,1127,1128,1130],{},[49,1129,222],{},". The change was tested in a non-production environment (unless covered by emergency procedures).",[46,1132,1133,1136],{},[49,1134,1135],{},"Documentation",". The change is recorded in a way that a reviewer can understand what changed and why.",[46,1138,1139,1142],{},[49,1140,1141],{},"Traceability",". The deployment can be traced back to the approval and the approval back to the requesting actor.",[16,1144,1145],{},"For most modern teams, a pull request workflow with branch protection enforces all four by default. Older teams with manual deployment processes have more work to do.",[11,1147,803],{"id":802},[16,1149,1150],{},"Change management generates some of the highest-volume evidence in a SOC 2 audit. Every pull request, every deployment, every configuration change contributes to the population auditors sample from. Weak change management often causes exceptions in adjacent areas:",[43,1152,1153,1158,1164],{},[46,1154,1155,1157],{},[20,1156,425],{"href":793}," misses unauthorized changes if configuration drift alerting is absent",[46,1159,1160,1163],{},[20,1161,1162],{"href":797},"Incident response"," requires change management correlation when an incident is traced to a deployment",[46,1165,1166],{},"Access controls (CC6) overlap when emergency deployment access is granted temporarily",[16,1168,1169],{},"Change management also supports the availability criterion if applicable. 
Failed deployments are a common cause of outages, so rollback procedures and testing discipline feed both security and availability controls.",[11,1171,813],{"id":812},[43,1173,1174,1180,1186,1192,1198],{},[46,1175,1176,1179],{},[49,1177,1178],{},"Manual console changes to production."," Engineers who make one-off changes in the AWS console without a ticket leave evidence gaps. Restrict console write access or require change tickets for any change made that way.",[46,1181,1182,1185],{},[49,1183,1184],{},"Overloaded emergency procedure."," If half of your changes are emergency changes, the category is meaningless. Tighten the definition.",[46,1187,1188,1191],{},[49,1189,1190],{},"No linkage between ticket and deployment."," The auditor wants to trace from approval to deployed change. Without a link (commit message references, deploy metadata), the chain breaks.",[46,1193,1194,1197],{},[49,1195,1196],{},"Configuration drift."," Systems configured by hand drift away from declared baselines. Configuration monitoring catches this but only if it is deployed.",[46,1199,1200,1203],{},[49,1201,1202],{},"Approver-as-author."," The same person authored, approved, and deployed the change. Where possible, require separation. At minimum, document why separation is not feasible.",[11,1205,849],{"id":848},[43,1207,1208,1211,1214,1217,1220],{},[46,1209,1210],{},"Turn on branch protection with required reviews and status checks across every repository in scope. Export the settings as evidence.",[46,1212,1213],{},"Use CI\u002FCD pipelines that record who deployed what, when, and against which commit. Retain deploy logs for the full observation period.",[46,1215,1216],{},"Manage infrastructure with code. Manual console changes should be rare, logged, and revisited during quarterly audits.",[46,1218,1219],{},"Write an emergency change procedure before you need it. 
The middle of an actual emergency is not the time to design the process.",[46,1221,1222],{},"Sample your own change evidence monthly to catch gaps before the auditor does.",[11,1224,483],{"id":482},[16,1226,1227,1228,1231,1232,1235],{},"episki maps your existing change management tooling — pull requests, CI\u002FCD pipelines, ticketing systems — to CC8.1 and pulls evidence continuously so the audit trail is always current. ",[20,1229,492],{"href":489,"rel":1230},[491]," or review the broader ",[20,1233,1234],{"href":22},"SOC 2 framework"," to see how change management fits alongside access, monitoring, and incident controls.",{"title":495,"searchDepth":496,"depth":496,"links":1237},[1238,1239,1240,1246,1247,1248,1249,1250,1251],{"id":940,"depth":496,"text":941},{"id":953,"depth":496,"text":954},{"id":989,"depth":496,"text":990,"children":1241},[1242,1243,1244,1245],{"id":996,"depth":502,"text":997},{"id":1020,"depth":502,"text":1021},{"id":1027,"depth":502,"text":1028},{"id":1045,"depth":502,"text":1046},{"id":1072,"depth":496,"text":1073},{"id":1113,"depth":496,"text":1114},{"id":802,"depth":496,"text":803},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"SOC 2 CC8.1 change management. Approval workflows, production change evidence, and how to avoid exceptions in Type II audits.",{"items":1254},[1255,1258,1261,1264,1267],{"label":1256,"content":1257},"Which SOC 2 criterion covers change management?","Change management is addressed in CC8.1, which requires the entity to authorize, design, develop, configure, document, test, approve, and implement changes to infrastructure, data, software, and procedures. CC6.1 also addresses logical access restrictions that support change controls.",{"label":1259,"content":1260},"Does every code commit require approval for SOC 2?","Not every commit, but every change that reaches production must have evidence of approval or an automated gate that enforces review. 
Pull request requirements, branch protection rules, and CI\u002FCD approval steps satisfy this for most modern engineering teams.",{"label":1262,"content":1263},"What about emergency changes?","SOC 2 allows emergency change procedures, but they must be documented. Common requirements include post-hoc approval within a defined window, a written justification, and a standing list of authorized emergency approvers.",{"label":1265,"content":1266},"Do configuration changes count under CC8.1?","Yes. Infrastructure-as-code changes, cloud console changes, and configuration updates to production systems are all in scope. Any change that affects the operation of in-scope systems must have an audit trail showing authorization and execution.",{"label":1268,"content":1269},"What evidence do auditors sample for change management?","Auditors typically request a population of changes from the observation period — often pulled from the version control system or CI\u002FCD pipeline — and sample a subset for detailed review, checking approval, testing, and deployment records for each.",{},"\u002Fframeworks\u002Fsoc2\u002Fchange-management",[1273,1274,1275],"change-management","evidence-collection","audit-trail",[424,926,533],{"title":1278,"description":1279},"SOC 2 Change Management (2026): CC8.1 Controls & Evidence","Build SOC 2 change management under CC8.1. 
Approval workflows, code review, deployment evidence, and what auditors expect during Type II fieldwork.","5.frameworks\u002Fsoc2\u002Fchange-management","bVL09ezXfNkEgtoU3REimU-aJM0GOoysHiOSAP-mphE",{"id":1283,"title":1284,"body":1285,"description":1972,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":1973,"navigation":527,"path":131,"relatedTerms":1974,"relatedTopics":1976,"seo":1978,"stem":1981,"__hash__":1982},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fchecklist.md","SOC 2 Compliance Checklist",{"type":8,"value":1286,"toc":1957},[1287,1290,1297,1305,1309,1312,1395,1399,1402,1406,1499,1503,1587,1591,1648,1652,1655,1715,1718,1722,1770,1776,1780,1837,1841,1848,1904,1908,1940,1942],[11,1288,132],{"id":1289},"soc-2-compliance-checklist",[16,1291,1292,1293,1296],{},"Getting ",[20,1294,1295],{"href":22},"SOC 2 compliant"," can feel overwhelming when you look at the full scope of work. Breaking the process into phases makes it manageable. This checklist walks through every major step from initial scoping through audit completion, organized so you can track progress and assign ownership.",[16,1298,1299,1300,749,1302,799],{},"Use this as a reference alongside the detailed ",[20,1301,80],{"href":79},[20,1303,1304],{"href":528},"audit process guide",[11,1306,1308],{"id":1307},"phase-1-scoping-and-planning","Phase 1: Scoping and planning",[16,1310,1311],{},"The foundation of a successful SOC 2 program is clear scoping. 
Mistakes here ripple through every subsequent phase.",[43,1313,1316,1333,1342,1355,1364,1373,1386],{"className":1314},[1315],"contains-task-list",[46,1317,1320,1324,1325,1328,1329,1332],{"className":1318},[1319],"task-list-item",[1321,1322],"input",{"disabled":527,"type":1323},"checkbox"," ",[49,1326,1327],{},"Define the audit objective"," — decide whether to pursue ",[20,1330,1331],{"href":190},"Type I or Type II"," and set a target completion date.",[46,1334,1336,1324,1338,1341],{"className":1335},[1319],[1321,1337],{"disabled":527,"type":1323},[49,1339,1340],{},"Identify in-scope systems"," — list every application, database, cloud service, and third-party tool that stores, processes, or transmits customer data.",[46,1343,1345,1324,1347,1350,1351,1354],{"className":1344},[1319],[1321,1346],{"disabled":527,"type":1323},[49,1348,1349],{},"Select Trust Services Criteria"," — security is mandatory. Evaluate whether availability, processing integrity, confidentiality, or privacy apply based on your service commitments. See the ",[20,1352,1353],{"href":61},"Trust Services Criteria guide"," for details.",[46,1356,1358,1324,1360,1363],{"className":1357},[1319],[1321,1359],{"disabled":527,"type":1323},[49,1361,1362],{},"Identify subservice organizations"," — document any third-party providers (AWS, Stripe, Datadog) that are part of your service delivery and how they are handled in the audit (inclusive vs. 
carve-out method).",[46,1365,1367,1324,1369,1372],{"className":1366},[1319],[1321,1368],{"disabled":527,"type":1323},[49,1370,1371],{},"Assign a project owner"," — designate a compliance lead who owns the timeline, coordinates across teams, and serves as the auditor's primary point of contact.",[46,1374,1376,1324,1378,1381,1382,1385],{"className":1375},[1319],[1321,1377],{"disabled":527,"type":1323},[49,1379,1380],{},"Set a budget"," — use the ",[20,1383,1384],{"href":169},"SOC 2 cost guide"," to estimate auditor fees, tooling, and internal labor.",[46,1387,1389,1324,1391,1394],{"className":1388},[1319],[1321,1390],{"disabled":527,"type":1323},[49,1392,1393],{},"Establish a timeline"," — work backward from your target date and build in buffer for remediation.",[11,1396,1398],{"id":1397},"phase-2-gap-analysis-and-remediation","Phase 2: Gap analysis and remediation",[16,1400,1401],{},"This phase determines how much work stands between your current state and audit readiness.",[38,1403,1405],{"id":1404},"policies-and-documentation","Policies and documentation",[43,1407,1409,1418,1427,1436,1445,1454,1463,1472,1481,1490],{"className":1408},[1315],[46,1410,1412,1324,1414,1417],{"className":1411},[1319],[1321,1413],{"disabled":527,"type":1323},[49,1415,1416],{},"Information security policy"," — a foundational document covering the organization's approach to security, roles, and responsibilities.",[46,1419,1421,1324,1423,1426],{"className":1420},[1319],[1321,1422],{"disabled":527,"type":1323},[49,1424,1425],{},"Acceptable use policy"," — define what employees can and cannot do with company systems and data.",[46,1428,1430,1324,1432,1435],{"className":1429},[1319],[1321,1431],{"disabled":527,"type":1323},[49,1433,1434],{},"Access control policy"," — document how access is granted, reviewed, and revoked.",[46,1437,1439,1324,1441,1444],{"className":1438},[1319],[1321,1440],{"disabled":527,"type":1323},[49,1442,1443],{},"Change management policy"," — describe how changes to 
production systems are proposed, reviewed, approved, and deployed.",[46,1446,1448,1324,1450,1453],{"className":1447},[1319],[1321,1449],{"disabled":527,"type":1323},[49,1451,1452],{},"Incident response plan"," — define how security incidents are detected, reported, contained, and resolved.",[46,1455,1457,1324,1459,1462],{"className":1456},[1319],[1321,1458],{"disabled":527,"type":1323},[49,1460,1461],{},"Business continuity and disaster recovery plan"," — document recovery objectives, procedures, and testing schedules.",[46,1464,1466,1324,1468,1471],{"className":1465},[1319],[1321,1467],{"disabled":527,"type":1323},[49,1469,1470],{},"Vendor management policy"," — describe how third-party risks are assessed and monitored.",[46,1473,1475,1324,1477,1480],{"className":1474},[1319],[1321,1476],{"disabled":527,"type":1323},[49,1478,1479],{},"Data classification policy"," — define sensitivity levels and handling requirements for different data types.",[46,1482,1484,1324,1486,1489],{"className":1483},[1319],[1321,1485],{"disabled":527,"type":1323},[49,1487,1488],{},"Risk assessment procedure"," — document how risks are identified, evaluated, and treated on a regular cadence.",[46,1491,1493,1324,1495,1498],{"className":1492},[1319],[1321,1494],{"disabled":527,"type":1323},[49,1496,1497],{},"Privacy policy"," (if privacy criterion is in scope) — ensure your public privacy notice matches your actual data practices.",[38,1500,1502],{"id":1501},"technical-controls","Technical controls",[43,1504,1506,1515,1524,1533,1542,1551,1560,1569,1578],{"className":1505},[1315],[46,1507,1509,1324,1511,1514],{"className":1508},[1319],[1321,1510],{"disabled":527,"type":1323},[49,1512,1513],{},"Multi-factor authentication"," — enforce MFA on all production systems, cloud consoles, and critical SaaS applications.",[46,1516,1518,1324,1520,1523],{"className":1517},[1319],[1321,1519],{"disabled":527,"type":1323},[49,1521,1522],{},"Single sign-on"," — implement SSO where possible to centralize 
authentication and simplify access reviews.",[46,1525,1527,1324,1529,1532],{"className":1526},[1319],[1321,1528],{"disabled":527,"type":1323},[49,1530,1531],{},"Endpoint management"," — deploy MDM to enforce disk encryption, screen locks, firewall settings, and OS patching.",[46,1534,1536,1324,1538,1541],{"className":1535},[1319],[1321,1537],{"disabled":527,"type":1323},[49,1539,1540],{},"Centralized logging"," — aggregate logs from applications, infrastructure, and security tools into a central platform.",[46,1543,1545,1324,1547,1550],{"className":1544},[1319],[1321,1546],{"disabled":527,"type":1323},[49,1548,1549],{},"Monitoring and alerting"," — configure alerts for anomalous activity, unauthorized access attempts, and system health metrics.",[46,1552,1554,1324,1556,1559],{"className":1553},[1319],[1321,1555],{"disabled":527,"type":1323},[49,1557,1558],{},"Encryption"," — verify encryption at rest and in transit for all customer data stores and communication channels.",[46,1561,1563,1324,1565,1568],{"className":1562},[1319],[1321,1564],{"disabled":527,"type":1323},[49,1566,1567],{},"Network security"," — configure firewalls, security groups, and network segmentation to restrict access to production environments.",[46,1570,1572,1324,1574,1577],{"className":1571},[1319],[1321,1573],{"disabled":527,"type":1323},[49,1575,1576],{},"Vulnerability management"," — implement automated vulnerability scanning and a process for triaging and remediating findings.",[46,1579,1581,1324,1583,1586],{"className":1580},[1319],[1321,1582],{"disabled":527,"type":1323},[49,1584,1585],{},"Backup and recovery"," — configure automated backups, verify restoration procedures, and document retention schedules.",[38,1588,1590],{"id":1589},"people-and-processes","People and processes",[43,1592,1594,1603,1612,1621,1630,1639],{"className":1593},[1315],[46,1595,1597,1324,1599,1602],{"className":1596},[1319],[1321,1598],{"disabled":527,"type":1323},[49,1600,1601],{},"Background checks"," — 
perform background checks on new hires, especially those with access to customer data or production systems.",[46,1604,1606,1324,1608,1611],{"className":1605},[1319],[1321,1607],{"disabled":527,"type":1323},[49,1609,1610],{},"Security awareness training"," — deliver annual training covering phishing, social engineering, data handling, and incident reporting. Track completion.",[46,1613,1615,1324,1617,1620],{"className":1614},[1319],[1321,1616],{"disabled":527,"type":1323},[49,1618,1619],{},"Onboarding procedures"," — document how new employees receive access, equipment, and policy acknowledgments.",[46,1622,1624,1324,1626,1629],{"className":1623},[1319],[1321,1625],{"disabled":527,"type":1323},[49,1627,1628],{},"Offboarding procedures"," — document how access is revoked, equipment is recovered, and accounts are deactivated when employees leave.",[46,1631,1633,1324,1635,1638],{"className":1632},[1319],[1321,1634],{"disabled":527,"type":1323},[49,1636,1637],{},"Quarterly access reviews"," — establish a recurring process for reviewing who has access to what and removing stale accounts.",[46,1640,1642,1324,1644,1647],{"className":1641},[1319],[1321,1643],{"disabled":527,"type":1323},[49,1645,1646],{},"Risk assessment"," — conduct a formal risk assessment at least annually and document the results and treatment decisions.",[11,1649,1651],{"id":1650},"phase-3-evidence-collection","Phase 3: Evidence collection",[16,1653,1654],{},"Evidence is the proof that your controls are not just designed but actually operating. 
Start collecting early — do not wait for the auditor to ask.",[43,1656,1658,1667,1676,1685,1694,1703],{"className":1657},[1315],[46,1659,1661,1324,1663,1666],{"className":1660},[1319],[1321,1662],{"disabled":527,"type":1323},[49,1664,1665],{},"Create an evidence inventory"," — for each control, document what evidence demonstrates it is working (screenshots, exports, logs, tickets).",[46,1668,1670,1324,1672,1675],{"className":1669},[1319],[1321,1671],{"disabled":527,"type":1323},[49,1673,1674],{},"Assign evidence owners"," — each piece of evidence should have a named person responsible for collecting and refreshing it.",[46,1677,1679,1324,1681,1684],{"className":1678},[1319],[1321,1680],{"disabled":527,"type":1323},[49,1682,1683],{},"Set collection cadences"," — some evidence is collected once (policies), while other evidence recurs (quarterly access reviews, monthly vulnerability scans).",[46,1686,1688,1324,1690,1693],{"className":1687},[1319],[1321,1689],{"disabled":527,"type":1323},[49,1691,1692],{},"Establish naming conventions"," — consistent file naming makes it easy for auditors to find what they need.",[46,1695,1697,1324,1699,1702],{"className":1696},[1319],[1321,1698],{"disabled":527,"type":1323},[49,1700,1701],{},"Store evidence securely"," — use a structured evidence locker with access controls, not a shared Google Drive folder.",[46,1704,1706,1324,1708,1711,1712,1714],{"className":1705},[1319],[1321,1707],{"disabled":527,"type":1323},[49,1709,1710],{},"Test evidence completeness"," — before the audit, review your evidence inventory against the ",[20,1713,80],{"href":79}," to identify gaps.",[16,1716,1717],{},"For a Type II engagement, evidence must span the entire observation period. 
A control that was implemented halfway through the period will result in an exception for the uncovered months.",[11,1719,1721],{"id":1720},"phase-4-auditor-selection-and-engagement","Phase 4: Auditor selection and engagement",[43,1723,1725,1734,1743,1752,1761],{"className":1724},[1315],[46,1726,1728,1324,1730,1733],{"className":1727},[1319],[1321,1729],{"disabled":527,"type":1323},[49,1731,1732],{},"Research CPA firms"," — identify two to four firms with SOC 2 experience relevant to your company size and industry.",[46,1735,1737,1324,1739,1742],{"className":1736},[1319],[1321,1738],{"disabled":527,"type":1323},[49,1740,1741],{},"Request proposals"," — compare scope, pricing, timeline, and communication approach.",[46,1744,1746,1324,1748,1751],{"className":1745},[1319],[1321,1747],{"disabled":527,"type":1323},[49,1749,1750],{},"Check references"," — talk to other companies that have worked with each firm.",[46,1753,1755,1324,1757,1760],{"className":1754},[1319],[1321,1756],{"disabled":527,"type":1323},[49,1758,1759],{},"Negotiate and sign the engagement letter"," — confirm scope, criteria, observation period (for Type II), fees, and timeline.",[46,1762,1764,1324,1766,1769],{"className":1763},[1319],[1321,1765],{"disabled":527,"type":1323},[49,1767,1768],{},"Schedule kickoff"," — align your team's availability with the auditor's timeline.",[16,1771,1772,1773,1775],{},"See the ",[20,1774,1304],{"href":528}," for what to expect during each stage of the engagement.",[11,1777,1779],{"id":1778},"phase-5-audit-execution","Phase 5: Audit execution",[43,1781,1783,1792,1801,1810,1819,1828],{"className":1782},[1315],[46,1784,1786,1324,1788,1791],{"className":1785},[1319],[1321,1787],{"disabled":527,"type":1323},[49,1789,1790],{},"Attend the kickoff meeting"," — review scope, criteria, and the auditor's request list with your team.",[46,1793,1795,1324,1797,1800],{"className":1794},[1319],[1321,1796],{"disabled":527,"type":1323},[49,1798,1799],{},"Fulfill evidence requests"," — 
respond to auditor requests promptly. Delayed responses are the number one cause of audit timeline slippage.",[46,1802,1804,1324,1806,1809],{"className":1803},[1319],[1321,1805],{"disabled":527,"type":1323},[49,1807,1808],{},"Prepare control owners for interviews"," — auditors will conduct walkthroughs with the people who operate each control. Ensure they can explain what they do and why.",[46,1811,1813,1324,1815,1818],{"className":1812},[1319],[1321,1814],{"disabled":527,"type":1323},[49,1816,1817],{},"Track open items"," — maintain a running list of auditor questions, outstanding requests, and items pending resolution.",[46,1820,1822,1324,1824,1827],{"className":1821},[1319],[1321,1823],{"disabled":527,"type":1323},[49,1825,1826],{},"Review draft findings"," — if the auditor identifies exceptions or gaps, understand the impact and discuss remediation options.",[46,1829,1831,1324,1833,1836],{"className":1830},[1319],[1321,1832],{"disabled":527,"type":1323},[49,1834,1835],{},"Review the draft report"," — check the system description for accuracy and ensure the report reflects your environment correctly.",[11,1838,1840],{"id":1839},"phase-6-post-audit-and-continuous-monitoring","Phase 6: Post-audit and continuous monitoring",[16,1842,1843,1844,1847],{},"The audit is complete, but ",[20,1845,23],{"href":1846},"\u002Fglossary\u002Fsoc2"," is an ongoing commitment.",[43,1849,1851,1859,1868,1877,1886,1895],{"className":1850},[1315],[46,1852,1854,1324,1856,1858],{"className":1853},[1319],[1321,1855],{"disabled":527,"type":1323},[49,1857,411],{}," — share under NDA with customers and prospects through a trust center or compliance portal.",[46,1860,1862,1324,1864,1867],{"className":1861},[1319],[1321,1863],{"disabled":527,"type":1323},[49,1865,1866],{},"Remediate exceptions"," — address any findings from the audit and document corrective actions.",[46,1869,1871,1324,1873,1876],{"className":1870},[1319],[1321,1872],{"disabled":527,"type":1323},[49,1874,1875],{},"Plan the 
next period"," — schedule the next observation period to begin immediately after the current one ends to avoid coverage gaps.",[46,1878,1880,1324,1882,1885],{"className":1879},[1319],[1321,1881],{"disabled":527,"type":1323},[49,1883,1884],{},"Maintain continuous monitoring"," — keep collecting evidence, reviewing controls, and updating policies on the cadences you established.",[46,1887,1889,1324,1891,1894],{"className":1888},[1319],[1321,1890],{"disabled":527,"type":1323},[49,1892,1893],{},"Conduct an internal retrospective"," — document what went well, what caused delays, and what to improve for the next cycle.",[46,1896,1898,1324,1900,1903],{"className":1897},[1319],[1321,1899],{"disabled":527,"type":1323},[49,1901,1902],{},"Update risk assessments"," — incorporate lessons learned from the audit and any changes to the business or threat landscape.",[11,1905,1907],{"id":1906},"tips-for-staying-on-track","Tips for staying on track",[198,1909,1910,1916,1922,1928,1934],{},[46,1911,1912,1915],{},[49,1913,1914],{},"Start early"," — give yourself at least three months of preparation time before the audit. Six months is better for a first-time engagement.",[46,1917,1918,1921],{},[49,1919,1920],{},"Assign clear ownership"," — every control, policy, and evidence item should have a named owner, not a team.",[46,1923,1924,1927],{},[49,1925,1926],{},"Automate what you can"," — manual evidence collection is the biggest time sink. Automation reduces errors and frees your team.",[46,1929,1930,1933],{},[49,1931,1932],{},"Communicate broadly"," — SOC 2 is not just a security team project. Engineering, HR, IT, and legal all have roles to play.",[46,1935,1936,1939],{},[49,1937,1938],{},"Use a single source of truth"," — scattered spreadsheets and documents lead to confusion. Centralize everything in one platform.",[11,1941,483],{"id":482},[16,1943,1944,1945,1947,1948,1951,1952,1956],{},"episki turns this checklist into a live workspace. 
Every item above is pre-loaded as an actionable task with ownership, due dates, and linked evidence requirements. The platform maps your controls to ",[20,1946,57],{"href":61}," automatically, tracks evidence freshness, and surfaces gaps before your auditor finds them. Instead of managing SOC 2 in spreadsheets, you get a structured system that keeps your entire team aligned. ",[20,1949,492],{"href":489,"rel":1950},[491]," and see the full SOC 2 checklist in action, or ",[20,1953,1955],{"href":1954},"\u002Fcompare\u002Fsprinto","compare episki to Sprinto"," to see how the approaches differ.",{"title":495,"searchDepth":496,"depth":496,"links":1958},[1959,1960,1961,1966,1967,1968,1969,1970,1971],{"id":1289,"depth":496,"text":132},{"id":1307,"depth":496,"text":1308},{"id":1397,"depth":496,"text":1398,"children":1962},[1963,1964,1965],{"id":1404,"depth":502,"text":1405},{"id":1501,"depth":502,"text":1502},{"id":1589,"depth":502,"text":1590},{"id":1650,"depth":496,"text":1651},{"id":1720,"depth":496,"text":1721},{"id":1778,"depth":496,"text":1779},{"id":1839,"depth":496,"text":1840},{"id":1906,"depth":496,"text":1907},{"id":482,"depth":496,"text":483},"An actionable SOC 2 compliance checklist organized by phase, covering everything from scoping through audit completion and continuous monitoring.",{},[524,530,1975],"isms",[533,1977,534],"audit-process",{"title":1979,"description":1980},"SOC 2 Compliance Checklist — Actionable Steps for 2026","Use this phased SOC 2 compliance checklist to go from scoping to audit-ready. 
Covers policies, technical controls, evidence collection, and audit prep.","5.frameworks\u002Fsoc2\u002Fchecklist","7Pn1WQfPyCT_rxQqS2NkwzXHj2f0VIrdIWfUJuCTV3w",{"id":1984,"title":1985,"body":1986,"description":2437,"extension":522,"faq":2438,"frameworkSlug":524,"lastUpdated":525,"meta":2455,"navigation":527,"path":2456,"relatedTerms":2457,"relatedTopics":2459,"seo":2462,"stem":2465,"__hash__":2466},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fconfidentiality-criteria.md","SOC 2 Confidentiality Criteria",{"type":8,"value":1987,"toc":2417},[1988,1992,1998,2001,2005,2010,2024,2027,2031,2034,2038,2041,2102,2109,2113,2116,2133,2136,2140,2143,2175,2186,2190,2193,2207,2211,2214,2218,2244,2248,2251,2265,2268,2270,2273,2303,2306,2308,2311,2319,2321,2324,2347,2349,2381,2383,2405,2407],[11,1989,1991],{"id":1990},"confidentiality-is-the-criterion-customers-request-but-rarely-understand","Confidentiality is the criterion customers request but rarely understand",[16,1993,1994,1995,1997],{},"The confidentiality Trust Services Criterion is one of the more commonly misunderstood parts of ",[20,1996,23],{"href":22},". Customers ask for it during due diligence — \"we need a report that includes confidentiality\" — without always knowing how it differs from security or privacy. This page clears that up, walks through the C1 series controls, and explains the evidence auditors expect.",[16,1999,2000],{},"Confidentiality applies when information has been designated confidential — by contract, NDA, policy, or regulation. It is distinct from personal information, which falls under the privacy criterion. 
If your customers entrust you with intellectual property, business plans, negotiation data, source code, or other sensitive non-personal information, the confidentiality criterion belongs in your audit.",[11,2002,2004],{"id":2003},"what-the-confidentiality-criterion-covers","What the confidentiality criterion covers",[16,2006,18,2007,2009],{},[20,2008,57],{"href":61}," define confidentiality as \"information designated as confidential is protected to meet the entity's objectives.\" Confidentiality has two dedicated control categories in the C1 series, plus heavy overlap with the Common Criteria, especially CC6 (access control).",[43,2011,2012,2018],{},[46,2013,2014,2017],{},[49,2015,2016],{},"C1.1"," — The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.",[46,2019,2020,2023],{},[49,2021,2022],{},"C1.2"," — The entity disposes of confidential information to meet the entity's objectives related to confidentiality.",[16,2025,2026],{},"These two controls frame the confidentiality lifecycle: identify what is confidential, handle it appropriately, and dispose of it securely when the obligation ends.",[11,2028,2030],{"id":2029},"c11-identification-and-handling-of-confidential-information","C1.1 — Identification and handling of confidential information",[16,2032,2033],{},"C1.1 requires that the organization knows what is confidential and handles it consistently with that designation. The core expectations are classification, access restriction, and protection.",[38,2035,2037],{"id":2036},"data-classification","Data classification",[16,2039,2040],{},"A data classification policy defines the sensitivity tiers used by the organization. 
A common structure:",[241,2042,2043,2056],{},[244,2044,2045],{},[247,2046,2047,2050,2053],{},[250,2048,2049],{},"Tier",[250,2051,2052],{},"Description",[250,2054,2055],{},"Example",[257,2057,2058,2069,2080,2091],{},[247,2059,2060,2063,2066],{},[262,2061,2062],{},"Public",[262,2064,2065],{},"No restrictions",[262,2067,2068],{},"Marketing material, published documentation",[247,2070,2071,2074,2077],{},[262,2072,2073],{},"Internal",[262,2075,2076],{},"For internal use",[262,2078,2079],{},"Internal policies, team rosters",[247,2081,2082,2085,2088],{},[262,2083,2084],{},"Confidential",[262,2086,2087],{},"Restricted to need-to-know",[262,2089,2090],{},"Customer data, unreleased product plans, source code",[247,2092,2093,2096,2099],{},[262,2094,2095],{},"Highly confidential",[262,2097,2098],{},"Strict access controls and auditing",[262,2100,2101],{},"M&A data, authentication secrets, personal financial data",[16,2103,2104,2105,799],{},"The tiers are not prescribed by SOC 2. What matters is that the policy is documented, tiers have handling requirements, and employees know how to classify their work. See ",[20,2106,2108],{"href":2107},"\u002Fglossary\u002Fdata-classification","data classification",[38,2110,2112],{"id":2111},"access-restrictions-aligned-to-classification","Access restrictions aligned to classification",[16,2114,2115],{},"Access controls must enforce the classification scheme. Typical controls:",[43,2117,2118,2121,2124,2127,2130],{},[46,2119,2120],{},"Role-based access with least-privilege defaults",[46,2122,2123],{},"Additional review or approval for highly confidential data",[46,2125,2126],{},"Periodic access reviews scoped to confidential systems",[46,2128,2129],{},"Logging of access to confidential data",[46,2131,2132],{},"Segmentation or tokenization where possible",[16,2134,2135],{},"These overlap with CC6 access control requirements but must be tested against the classification policy. 
Auditors may request a sample of users with access to confidential systems and verify that the access aligns with documented roles.",[38,2137,2139],{"id":2138},"technical-protection-of-confidential-data","Technical protection of confidential data",[16,2141,2142],{},"Specific technical controls include:",[43,2144,2145,2151,2157,2163,2169],{},[46,2146,2147,2150],{},[49,2148,2149],{},"Encryption at rest",": confidential data encrypted on storage media, with managed keys",[46,2152,2153,2156],{},[49,2154,2155],{},"Encryption in transit",": TLS for all confidential data moving between systems",[46,2158,2159,2162],{},[49,2160,2161],{},"Key management",": keys rotated, access to key management restricted and audited",[46,2164,2165,2168],{},[49,2166,2167],{},"DLP and monitoring",": detection for unauthorized movement of confidential data",[46,2170,2171,2174],{},[49,2172,2173],{},"Endpoint protections",": disk encryption on devices that may hold confidential data",[16,2176,744,2177,749,2181,2185],{},[20,2178,2180],{"href":2179},"\u002Fglossary\u002Fencryption","encryption",[20,2182,2184],{"href":2183},"\u002Fglossary\u002Fkey-management","key management"," for related glossary terms.",[38,2187,2189],{"id":2188},"contractual-and-policy-protections","Contractual and policy protections",[16,2191,2192],{},"Technical controls sit on top of policy and contract. 
The organization must have:",[43,2194,2195,2198,2201,2204],{},[46,2196,2197],{},"Confidentiality agreements with employees",[46,2199,2200],{},"Confidentiality agreements with contractors and vendors",[46,2202,2203],{},"Customer contracts that designate data as confidential and set handling obligations",[46,2205,2206],{},"An acceptable use policy that addresses confidential information",[11,2208,2210],{"id":2209},"c12-secure-disposal-of-confidential-information","C1.2 — Secure disposal of confidential information",[16,2212,2213],{},"C1.2 addresses what happens when confidential information is no longer needed or the confidentiality obligation ends. Secure disposal is often overlooked until audit time.",[38,2215,2217],{"id":2216},"disposal-methods","Disposal methods",[43,2219,2220,2226,2232,2238],{},[46,2221,2222,2225],{},[49,2223,2224],{},"Logical deletion with cryptographic erasure",": encryption keys destroyed so encrypted data becomes unrecoverable",[46,2227,2228,2231],{},[49,2229,2230],{},"Data purging",": secure deletion from databases, storage, and caches",[46,2233,2234,2237],{},[49,2235,2236],{},"Physical destruction",": for media that cannot be sanitized digitally (old disks, paper)",[46,2239,2240,2243],{},[49,2241,2242],{},"Vendor certificates of destruction",": when third parties destroy data on your behalf",[38,2245,2247],{"id":2246},"retention-and-decommissioning-procedures","Retention and decommissioning procedures",[16,2249,2250],{},"Disposal requires that you know when to dispose. Retention schedules specify how long different data types are kept. 
Decommissioning procedures specify what happens to data when:",[43,2252,2253,2256,2259,2262],{},[46,2254,2255],{},"A customer terminates their contract",[46,2257,2258],{},"An employee leaves the organization",[46,2260,2261],{},"A system is retired",[46,2263,2264],{},"A vendor relationship ends",[16,2266,2267],{},"A decommissioning runbook reduces the risk that confidential data lingers in deprecated systems.",[11,2269,758],{"id":757},[16,2271,2272],{},"Confidentiality depends heavily on Common Criteria controls.",[43,2274,2275,2281,2287,2293],{},[46,2276,2277,2280],{},[49,2278,2279],{},"CC6 (access control)"," — classification drives access decisions",[46,2282,2283,2286],{},[49,2284,2285],{},"CC7 (system operations)"," — monitoring detects unauthorized confidentiality events",[46,2288,2289,2292],{},[49,2290,2291],{},"CC9 (risk mitigation)"," — vendor relationships involving confidential data",[46,2294,2295,2298,2299],{},[49,2296,2297],{},"Privacy"," — personal data is a subset; controls overlap significantly with ",[20,2300,2302],{"href":2301},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria",[16,2304,2305],{},"A mature SOC 2 program maps each control to every criterion it satisfies, so a single encryption control contributes to security, confidentiality, and privacy without duplicating work.",[11,2307,803],{"id":802},[16,2309,2310],{},"Confidentiality is a natural addition when customers share sensitive data under NDA or when the organization processes intellectual property. It also pairs with the security criterion almost mechanically — most security controls contribute to confidentiality. Adding confidentiality to scope rarely requires dramatic new work; it requires deliberate mapping, classification, and disposal discipline.",[16,2312,2313,2314,2318],{},"The challenge during Type II is demonstrating operation across the observation period. 
Classification must be applied consistently, access reviews must include confidential systems, and disposal must be documented. See ",[20,2315,2317],{"href":2316},"\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures","policies and procedures"," for how to anchor the program in written commitments.",[11,2320,1073],{"id":1072},[16,2322,2323],{},"Typical fieldwork requests for the confidentiality criterion:",[43,2325,2326,2329,2332,2335,2338,2341,2344],{},[46,2327,2328],{},"Data classification policy and examples of classified assets",[46,2330,2331],{},"Confidentiality agreements (sample of executed NDAs)",[46,2333,2334],{},"Access control configuration for confidential systems",[46,2336,2337],{},"Encryption configuration (algorithms, key management)",[46,2339,2340],{},"Disposal procedures and records of disposals during the period",[46,2342,2343],{},"Customer contract samples showing confidentiality obligations",[46,2345,2346],{},"Vendor contracts with confidentiality clauses where relevant",[11,2348,813],{"id":812},[43,2350,2351,2357,2363,2369,2375],{},[46,2352,2353,2356],{},[49,2354,2355],{},"Classification without enforcement."," Policy defines tiers but systems treat everything the same. Auditors will notice.",[46,2358,2359,2362],{},[49,2360,2361],{},"Missing disposal records."," Data is deleted but no record is kept. Without evidence, the disposal did not happen from the audit's perspective.",[46,2364,2365,2368],{},[49,2366,2367],{},"NDA-only approach."," Relying on contracts without technical controls leaves confidential data exposed.",[46,2370,2371,2374],{},[49,2372,2373],{},"Vendor gaps."," Confidential data flows to vendors without corresponding contract language or monitoring.",[46,2376,2377,2380],{},[49,2378,2379],{},"Overly narrow scope."," Confidential data lives in systems that are excluded from SOC 2 scope. 
Include them.",[11,2382,849],{"id":848},[43,2384,2385,2388,2396,2399,2402],{},[46,2386,2387],{},"Classify data in the tools where it lives — databases, document stores, file shares. Centralized classification tags drive downstream controls.",[46,2389,2390,2391,2395],{},"Tie confidentiality to your ",[20,2392,2394],{"href":2393},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," process. High-tier data flows require vetted vendors.",[46,2397,2398],{},"Automate secure deletion when possible. Scheduled jobs that purge expired data produce cleaner evidence than ad hoc deletions.",[46,2400,2401],{},"Include confidentiality acknowledgment in employee onboarding and annual training.",[46,2403,2404],{},"Run a quarterly review of who has access to the most sensitive classification tier. Tighten aggressively.",[11,2406,483],{"id":482},[16,2408,2409,2410,2413,2414,2416],{},"episki maps C1.1 and C1.2 controls to your data classification, access, encryption, and disposal tooling, collecting evidence continuously so the confidentiality story is always current. 
",[20,2411,492],{"href":489,"rel":2412},[491]," or explore the broader ",[20,2415,878],{"href":22}," to see how confidentiality integrates with security and privacy.",{"title":495,"searchDepth":496,"depth":496,"links":2418},[2419,2420,2421,2427,2431,2432,2433,2434,2435,2436],{"id":1990,"depth":496,"text":1991},{"id":2003,"depth":496,"text":2004},{"id":2029,"depth":496,"text":2030,"children":2422},[2423,2424,2425,2426],{"id":2036,"depth":502,"text":2037},{"id":2111,"depth":502,"text":2112},{"id":2138,"depth":502,"text":2139},{"id":2188,"depth":502,"text":2189},{"id":2209,"depth":496,"text":2210,"children":2428},[2429,2430],{"id":2216,"depth":502,"text":2217},{"id":2246,"depth":502,"text":2247},{"id":757,"depth":496,"text":758},{"id":802,"depth":496,"text":803},{"id":1072,"depth":496,"text":1073},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"Deep dive on the SOC 2 Confidentiality Trust Services Criterion. C1 series controls, data classification, NDAs, encryption, and secure disposal.",{"items":2439},[2440,2443,2446,2449,2452],{"label":2441,"content":2442},"When should I include the confidentiality criterion in my SOC 2?","Include confidentiality when you handle information designated as confidential by contract, NDA, or regulation — beyond what the security criterion already covers. Common triggers include processing intellectual property, business plans, M&A data, or competitively sensitive customer data.",{"label":2444,"content":2445},"What is the difference between confidentiality and privacy in SOC 2?","Confidentiality addresses information that the organization has designated as confidential — often non-personal, such as trade secrets. Privacy addresses personal information — data that identifies individuals. 
A single control (like encryption) may support both criteria, but the scope and legal context differ.",{"label":2447,"content":2448},"Is encryption required for the confidentiality criterion?","The criterion does not mandate specific technologies, but encryption at rest and in transit is the standard expectation. Auditors who find confidential data unencrypted without compensating controls generally flag the gap.",{"label":2450,"content":2451},"Do NDAs satisfy the confidentiality criterion?","NDAs are one part of it. Confidentiality also requires technical controls, data classification, access restrictions, and secure disposal. An NDA without enforcing technical controls is a paper commitment, not a SOC 2 control.",{"label":2453,"content":2454},"What is secure disposal under the confidentiality criterion?","Secure disposal means confidential data is rendered unrecoverable when it is no longer needed or when the confidentiality obligation ends. This includes cryptographic erasure, physical destruction of media, and documented decommissioning procedures.",{},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria",[2036,2180,524,2458],"key-management",[926,2460,2461],"policies-and-procedures","privacy-criteria",{"title":2463,"description":2464},"SOC 2 Confidentiality Criteria (2026): C1 Controls Deep Dive","Master the SOC 2 Confidentiality criterion. 
C1.1 identification of confidential information, C1.2 disposal, data classification, and NDAs.","5.frameworks\u002Fsoc2\u002Fconfidentiality-criteria","KpgfmJIQcxxBzNlyBGX0EAxONBAu57e2ELpmcvFlBW8",{"id":2468,"title":2469,"body":2470,"description":2741,"extension":522,"faq":2742,"frameworkSlug":524,"lastUpdated":525,"meta":2759,"navigation":527,"path":793,"relatedTerms":2760,"relatedTopics":2762,"seo":2763,"stem":2766,"__hash__":2767},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fcontinuous-monitoring.md","SOC 2 Continuous Monitoring",{"type":8,"value":2471,"toc":2725},[2472,2476,2482,2485,2489,2494,2526,2529,2533,2536,2539,2551,2555,2558,2562,2565,2569,2572,2576,2579,2582,2599,2602,2606,2609,2612,2638,2640,2652,2655,2657,2689,2691,2713,2715],[11,2473,2475],{"id":2474},"continuous-monitoring-is-where-soc-2-type-ii-is-won-or-lost","Continuous monitoring is where SOC 2 Type II is won or lost",[16,2477,2478,2479,2481],{},"Continuous monitoring is the SOC 2 control category that separates programs that pass Type II audits cleanly from those that scramble during fieldwork. A ",[20,2480,23],{"href":22}," Type II engagement tests whether your controls operated effectively across an observation period of three to twelve months. Controls that depend on human attention — someone remembering to check a dashboard, review a log, or investigate an alert — fail consistently without automation. Continuous monitoring fixes this by making detection, logging, and alerting a property of the system rather than a task on someone's to-do list.",[16,2483,2484],{},"Auditors look for evidence that monitoring actually ran throughout the period, not just that tools were installed. 
That means alert history, triage tickets, incident records, and log retention sufficient to reconstruct what happened on any given day.",[11,2486,2488],{"id":2487},"what-soc-2-means-by-continuous-monitoring","What SOC 2 means by continuous monitoring",[16,2490,18,2491,2493],{},[20,2492,57],{"href":61}," address monitoring across several control categories. The most direct references are in the CC7 series, which covers system operations.",[43,2495,2496,2502,2508,2514,2520],{},[46,2497,2498,2501],{},[49,2499,2500],{},"CC7.1"," — The entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities and susceptibilities to newly discovered vulnerabilities.",[46,2503,2504,2507],{},[49,2505,2506],{},"CC7.2"," — The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.",[46,2509,2510,2513],{},[49,2511,2512],{},"CC7.3"," — The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents).",[46,2515,2516,2519],{},[49,2517,2518],{},"CC7.4"," — The entity responds to identified security incidents by executing a defined incident response program.",[46,2521,2522,2525],{},[49,2523,2524],{},"CC7.5"," — The entity identifies, develops, and implements activities to recover from identified security incidents.",[16,2527,2528],{},"CC4 also addresses monitoring activities at a higher level, requiring ongoing evaluations to verify controls are present and functioning. 
Together these criteria frame continuous monitoring as a closed loop: detect, evaluate, respond, recover, and verify.",[11,2530,2532],{"id":2531},"the-building-blocks-of-a-soc-2-monitoring-program","The building blocks of a SOC 2 monitoring program",[16,2534,2535],{},"A credible continuous monitoring program has four components.",[38,2537,1540],{"id":2538},"centralized-logging",[16,2540,2541,2542,749,2546,2550],{},"All security-relevant logs from infrastructure, applications, identity providers, and endpoints are forwarded to a central system. The central system is typically a SIEM or a log aggregation platform with search and alerting. Auditors expect to see that logs are collected from every in-scope system and retained for the full observation period. See ",[20,2543,2545],{"href":2544},"\u002Fglossary\u002Flog-management","log management",[20,2547,2549],{"href":2548},"\u002Fglossary\u002Fevidence-collection","evidence collection"," for related glossary definitions.",[38,2552,2554],{"id":2553},"alert-definitions","Alert definitions",[16,2556,2557],{},"Alerts are configured to fire when conditions indicate a potential security event — a failed login burst, a privilege escalation, an unusual data export, a change to production made outside the normal pipeline. Alert definitions should be documented and version-controlled so the auditor can see what conditions triggered alerts across the period.",[38,2559,2561],{"id":2560},"triage-and-response","Triage and response",[16,2563,2564],{},"Every alert produces an action. Either it is investigated and closed as a false positive with a note, or it is escalated to an incident. Either outcome must be documented. 
Auditors sample alerts from across the period and expect to see evidence of triage — a ticket, a comment, a status change.",[38,2566,2568],{"id":2567},"metrics-and-reporting","Metrics and reporting",[16,2570,2571],{},"Coverage metrics answer the question \"how do you know monitoring is working?\" Examples include the percentage of in-scope systems forwarding logs, the mean time to acknowledge alerts, and the volume of incidents declared. Reporting these metrics to leadership demonstrates the monitoring program is real, not a checkbox.",[11,2573,2575],{"id":2574},"automated-evidence-collection","Automated evidence collection",[16,2577,2578],{},"Evidence is the currency of SOC 2. The more you can generate and retain automatically, the less your team scrambles during fieldwork.",[16,2580,2581],{},"Examples of evidence a well-run continuous monitoring program produces without human intervention:",[43,2583,2584,2587,2590,2593,2596],{},[46,2585,2586],{},"Daily log ingestion reports confirming every source is active",[46,2588,2589],{},"Weekly alert summaries with triage disposition",[46,2591,2592],{},"Monthly access anomaly reports",[46,2594,2595],{},"Quarterly vulnerability scan results",[46,2597,2598],{},"Continuous configuration drift alerts against baseline",[16,2600,2601],{},"A compliance automation platform can ingest this evidence on a schedule, tag it to the relevant controls, and make it available to the auditor on request. This is where platforms like episki and its competitors add the most value — removing the manual work of gathering artifacts that already exist elsewhere.",[11,2603,2605],{"id":2604},"alerting-patterns-that-survive-auditor-scrutiny","Alerting patterns that survive auditor scrutiny",[16,2607,2608],{},"Not every alert belongs in SOC 2 scope. Alerts that map to controls and get acted on are valuable. 
Alerts that are ignored become exceptions.",[16,2610,2611],{},"A practical approach:",[43,2613,2614,2620,2626,2632],{},[46,2615,2616,2619],{},[49,2617,2618],{},"Tier alerts by severity."," High-severity alerts page an on-call engineer. Medium-severity alerts create tickets. Low-severity alerts aggregate into daily reports.",[46,2621,2622,2625],{},[49,2623,2624],{},"Tune for signal."," False positive rates above fifty percent degrade the entire program. Spend the time to filter noise out of the alert stream.",[46,2627,2628,2631],{},[49,2629,2630],{},"Document runbooks."," Every alert should have a runbook describing the expected response. Auditors may ask to see the runbook alongside the alert history.",[46,2633,2634,2637],{},[49,2635,2636],{},"Review alert inventory quarterly."," Systems change. Alerts that made sense a year ago may be stale. A documented review shows auditors the program is being maintained.",[11,2639,803],{"id":802},[16,2641,2642,2643,2645,2646,2648,2649,2651],{},"Continuous monitoring is one of the most evidence-rich control areas in the entire SOC 2 audit. It generates continuous artifacts across the observation period, which auditors sample aggressively during Type II testing. Strong monitoring programs often reduce exceptions in adjacent areas: ",[20,2644,798],{"href":797}," is easier when alerts are credible, ",[20,2647,1106],{"href":1271}," benefits when unauthorized changes trigger alerts, and ",[20,2650,2394],{"href":2393}," improves when third-party access is monitored alongside internal systems.",[16,2653,2654],{},"Monitoring also plays directly into the availability criterion when applicable. Capacity alerts, uptime monitoring, and performance thresholds are the backbone of availability controls.",[11,2656,813],{"id":812},[43,2658,2659,2665,2671,2677,2683],{},[46,2660,2661,2664],{},[49,2662,2663],{},"Tools without ownership."," A SIEM deployed but not triaged is worse than no SIEM at all. 
Auditors will ask who owns alert response and expect a clear answer.",[46,2666,2667,2670],{},[49,2668,2669],{},"Missing log sources."," In-scope systems that are not forwarding logs create evidence gaps. Keep an inventory of all systems in scope and verify each is reporting.",[46,2672,2673,2676],{},[49,2674,2675],{},"Insufficient retention."," Logs purged at ninety days do not cover a twelve-month Type II observation period. Verify retention before the period starts, not when the auditor asks.",[46,2678,2679,2682],{},[49,2680,2681],{},"Alert fatigue."," Engineers who ignore alerts will miss real incidents. Invest in tuning before the observation period begins.",[46,2684,2685,2688],{},[49,2686,2687],{},"No link between alerts and incidents."," Auditors look for the connection between an alert firing and an incident ticket. If that chain is broken, the control looks theoretical.",[11,2690,849],{"id":848},[43,2692,2693,2696,2699,2702,2705],{},[46,2694,2695],{},"Use your compliance platform to tag each monitoring control with the log source, alert definition, and responsible owner. This single view prevents drift.",[46,2697,2698],{},"Run a quarterly tabletop that traces a simulated incident from alert to resolution. Document the exercise and use it as evidence.",[46,2700,2701],{},"Retain at least thirteen months of security logs to cover a full observation period plus fieldwork.",[46,2703,2704],{},"Pull a sample of alerts monthly and verify each was triaged. Catch gaps before the auditor does.",[46,2706,2707,2708,2712],{},"Map monitoring coverage to your ",[20,2709,2711],{"href":2710},"\u002Fglossary\u002Frisk-register","risk register"," so leadership sees where the program is strongest and weakest.",[11,2714,483],{"id":482},[16,2716,2717,2718,2721,2722,2724],{},"episki centralizes continuous monitoring evidence by pulling alert history, triage records, and log coverage metrics from your tools and mapping them to the SOC 2 controls they support. 
",[20,2719,492],{"href":489,"rel":2720},[491]," or review the full ",[20,2723,1234],{"href":22}," to see continuous monitoring as part of an end-to-end compliance program.",{"title":495,"searchDepth":496,"depth":496,"links":2726},[2727,2728,2729,2735,2736,2737,2738,2739,2740],{"id":2474,"depth":496,"text":2475},{"id":2487,"depth":496,"text":2488},{"id":2531,"depth":496,"text":2532,"children":2730},[2731,2732,2733,2734],{"id":2538,"depth":502,"text":1540},{"id":2553,"depth":502,"text":2554},{"id":2560,"depth":502,"text":2561},{"id":2567,"depth":502,"text":2568},{"id":2574,"depth":496,"text":2575},{"id":2604,"depth":496,"text":2605},{"id":802,"depth":496,"text":803},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"How continuous monitoring satisfies SOC 2 CC7 requirements. Automated evidence collection, alerting patterns, and common pitfalls to avoid.",{"items":2743},[2744,2747,2750,2753,2756],{"label":2745,"content":2746},"What does continuous monitoring mean under SOC 2?","Continuous monitoring under SOC 2 means the ongoing, automated surveillance of systems, access, and controls with real-time detection of anomalies. Auditors examine monitoring for CC7.1 through CC7.5 and expect evidence that alerts were generated, triaged, and acted on throughout the observation period.",{"label":2748,"content":2749},"Which SOC 2 criteria does continuous monitoring satisfy?","Continuous monitoring primarily addresses CC7.1 (detection of configuration changes and new vulnerabilities), CC7.2 (monitoring of system components for anomalies), and CC4 (monitoring activities). 
It also feeds CC6 access monitoring, CC8 change monitoring, and the availability criterion when applicable.",{"label":2751,"content":2752},"What tools are typically used for SOC 2 continuous monitoring?","Common tools include SIEM platforms (Splunk, Elastic, Datadog), cloud-native logging (CloudWatch, GCP Cloud Logging), endpoint detection (CrowdStrike, SentinelOne), and compliance automation platforms that pull evidence from these sources on a recurring schedule.",{"label":2754,"content":2755},"How long should SOC 2 logs be retained?","SOC 2 does not specify a log retention period, but most auditors expect at least twelve months for Type II engagements with a twelve-month observation period. Many organizations retain security logs for thirteen months to cover a full cycle plus the fieldwork window.",{"label":2757,"content":2758},"Is continuous monitoring required for Type I?","Type I tests control design at a point in time, so continuous operation is not strictly required. However, auditors still expect to see that monitoring tools are configured, alerts are defined, and someone owns triage. Design without implementation will be flagged.",{},[424,924,2761,1274],"log-management",[1977,927,926],{"title":2764,"description":2765},"SOC 2 Continuous Monitoring (2026): CC7 Controls & Automation","Build continuous monitoring for SOC 2 CC7. 
Automated evidence collection, alerting, log retention, and auditor expectations for Type II programs.","5.frameworks\u002Fsoc2\u002Fcontinuous-monitoring","_0nKPsSh6GssokRNKYKpZkbyI6nLfsOmignPwEkJbvU",{"id":2769,"title":2770,"body":2771,"description":3272,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":3273,"navigation":527,"path":169,"relatedTerms":3274,"relatedTopics":3275,"seo":3277,"stem":3280,"__hash__":3281},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fcost.md","How Much Does SOC 2 Cost",{"type":8,"value":2772,"toc":3257},[2773,2777,2784,2787,2791,2795,2798,2835,2838,2867,2871,2874,2920,2933,2937,2940,2972,2975,2979,2982,3043,3046,3050,3053,3057,3103,3106,3110,3152,3156,3210,3214,3217,3243,3245],[11,2774,2776],{"id":2775},"how-much-does-soc-2-really-cost","How much does SOC 2 really cost?",[16,2778,2779,2780,2783],{},"One of the first questions every founder and security leader asks is how much ",[20,2781,2782],{"href":22},"SOC 2 compliance"," will cost. The honest answer: it depends. Total costs for a first-time SOC 2 engagement typically range from $20,000 to $150,000 or more, depending on company size, scope, and how much you need to build from scratch.",[16,2785,2786],{},"This guide breaks down every major cost category so you can budget accurately and avoid surprises.",[11,2788,2790],{"id":2789},"cost-breakdown-by-category","Cost breakdown by category",[38,2792,2794],{"id":2793},"_1-auditor-fees","1. 
Auditor fees",[16,2796,2797],{},"The CPA firm that performs your SOC 2 audit is usually the single largest line item.",[241,2799,2800,2810],{},[244,2801,2802],{},[247,2803,2804,2807],{},[250,2805,2806],{},"Engagement type",[250,2808,2809],{},"Typical range",[257,2811,2812,2819,2827],{},[247,2813,2814,2816],{},[262,2815,191],{},[262,2817,2818],{},"$15,000 – $40,000",[247,2820,2821,2824],{},[262,2822,2823],{},"SOC 2 Type II",[262,2825,2826],{},"$25,000 – $80,000",[247,2828,2829,2832],{},[262,2830,2831],{},"Combined Type I + Type II (same year)",[262,2833,2834],{},"$35,000 – $90,000",[16,2836,2837],{},"Factors that affect auditor pricing:",[43,2839,2840,2846,2855,2861],{},[46,2841,2842,2845],{},[49,2843,2844],{},"Firm size and reputation",": Big Four firms charge significantly more than boutique or mid-market firms. A regional firm with strong SOC 2 experience often delivers the same quality at a fraction of the cost.",[46,2847,2848,2851,2852,2854],{},[49,2849,2850],{},"Scope complexity",": More Trust Services Criteria, more in-scope systems, and more subservice organizations increase the audit effort. See ",[20,2853,80],{"href":79}," for scoping guidance.",[46,2856,2857,2860],{},[49,2858,2859],{},"Number of exceptions",": If the auditor encounters issues during fieldwork, additional testing and documentation increase the fee.",[46,2862,2863,2866],{},[49,2864,2865],{},"Location",": Some firms adjust pricing by geography, though remote audits have largely leveled this out.",[38,2868,2870],{"id":2869},"_2-compliance-platform-or-tooling","2. Compliance platform or tooling",[16,2872,2873],{},"Most companies use a compliance platform to manage controls, evidence, and policies. 
Pricing models vary:",[241,2875,2876,2886],{},[244,2877,2878],{},[247,2879,2880,2883],{},[250,2881,2882],{},"Platform type",[250,2884,2885],{},"Typical annual cost",[257,2887,2888,2896,2904,2912],{},[247,2889,2890,2893],{},[262,2891,2892],{},"Enterprise GRC tools (ServiceNow, Archer)",[262,2894,2895],{},"$50,000 – $200,000+",[247,2897,2898,2901],{},[262,2899,2900],{},"Mid-market compliance platforms (Vanta, Drata, Secureframe)",[262,2902,2903],{},"$12,000 – $50,000 per year",[247,2905,2906,2909],{},[262,2907,2908],{},"episki",[262,2910,2911],{},"$500\u002Fmonth ($6,000\u002Fyear), no per-seat charges",[247,2913,2914,2917],{},[262,2915,2916],{},"Spreadsheets and shared drives",[262,2918,2919],{},"$0 (but high hidden cost in labor)",[16,2921,2922,2923,2927,2928,2932],{},"The platform you choose has a compounding effect on total cost because it directly impacts how much internal time is required for evidence collection, policy management, and auditor collaboration. A tool that automates repetitive tasks pays for itself quickly. ",[20,2924,2926],{"href":2925},"\u002Fcompare\u002Fvanta","Compare episki to Vanta"," or ",[20,2929,2931],{"href":2930},"\u002Fcompare\u002Fdrata","Drata"," to see how pricing and capabilities stack up.",[38,2934,2936],{"id":2935},"_3-internal-time-and-labor","3. Internal time and labor",[16,2938,2939],{},"This is the cost most organizations underestimate. 
Getting SOC 2 ready requires significant time from multiple teams:",[43,2941,2942,2948,2954,2960,2966],{},[46,2943,2944,2947],{},[49,2945,2946],{},"Security or compliance lead",": 200–500 hours over the first year for project management, gap analysis, control design, and auditor coordination.",[46,2949,2950,2953],{},[49,2951,2952],{},"Engineering",": 50–200 hours for implementing technical controls, configuring monitoring, setting up logging, and providing evidence.",[46,2955,2956,2959],{},[49,2957,2958],{},"IT \u002F DevOps",": 40–100 hours for endpoint management, access reviews, and infrastructure documentation.",[46,2961,2962,2965],{},[49,2963,2964],{},"HR",": 20–40 hours for onboarding\u002Foffboarding procedures, background checks, and training programs.",[46,2967,2968,2971],{},[49,2969,2970],{},"Legal",": 10–30 hours for policy review, vendor contract updates, and privacy notice alignment.",[16,2973,2974],{},"At a blended cost of $75–$150 per hour, internal labor for a first-time SOC 2 can easily reach $30,000–$80,000. This is where the right tooling makes the biggest difference — automating evidence collection and centralizing control management can cut these hours by 40–60%.",[38,2976,2978],{"id":2977},"_4-gap-remediation","4. 
Gap remediation",[16,2980,2981],{},"If your gap analysis reveals missing controls, you may need to invest in new tools or services:",[241,2983,2984,2994],{},[244,2985,2986],{},[247,2987,2988,2991],{},[250,2989,2990],{},"Remediation area",[250,2992,2993],{},"Typical cost",[257,2995,2996,3004,3012,3020,3027,3035],{},[247,2997,2998,3001],{},[262,2999,3000],{},"MDM \u002F endpoint management",[262,3002,3003],{},"$3–$10 per device\u002Fmonth",[247,3005,3006,3009],{},[262,3007,3008],{},"SIEM or log management",[262,3010,3011],{},"$5,000 – $30,000\u002Fyear",[247,3013,3014,3017],{},[262,3015,3016],{},"Background check service",[262,3018,3019],{},"$30–$100 per check",[247,3021,3022,3024],{},[262,3023,1610],{},[262,3025,3026],{},"$2,000 – $10,000\u002Fyear",[247,3028,3029,3032],{},[262,3030,3031],{},"Penetration testing",[262,3033,3034],{},"$5,000 – $30,000 per engagement",[247,3036,3037,3040],{},[262,3038,3039],{},"Vulnerability scanning",[262,3041,3042],{},"$3,000 – $15,000\u002Fyear",[16,3044,3045],{},"Not every organization needs all of these. Many startups already have adequate tooling in place and only need to formalize processes and documentation.",[38,3047,3049],{"id":3048},"_5-consulting-and-advisory-optional","5. Consulting and advisory (optional)",[16,3051,3052],{},"Some organizations hire a consultant to guide them through the readiness phase. Rates typically range from $150 to $350 per hour, with fixed-fee readiness engagements running $10,000 to $40,000. 
A good consultant can accelerate your timeline, but this is optional — especially if you use a platform that provides built-in guidance.",[11,3054,3056],{"id":3055},"total-cost-estimates-by-company-stage","Total cost estimates by company stage",[241,3058,3059,3069],{},[244,3060,3061],{},[247,3062,3063,3066],{},[250,3064,3065],{},"Company profile",[250,3067,3068],{},"Estimated first-year cost",[257,3070,3071,3079,3087,3095],{},[247,3072,3073,3076],{},[262,3074,3075],{},"Seed-stage startup (10–25 employees, cloud-native)",[262,3077,3078],{},"$20,000 – $50,000",[247,3080,3081,3084],{},[262,3082,3083],{},"Series A\u002FB (25–100 employees, moderate complexity)",[262,3085,3086],{},"$40,000 – $100,000",[247,3088,3089,3092],{},[262,3090,3091],{},"Growth-stage (100–500 employees, multiple products)",[262,3093,3094],{},"$80,000 – $150,000+",[247,3096,3097,3100],{},[262,3098,3099],{},"Enterprise (500+ employees, complex environments)",[262,3101,3102],{},"$150,000 – $300,000+",[16,3104,3105],{},"Renewal years are typically 30–50% less expensive because controls, policies, and processes are already established.",[11,3107,3109],{"id":3108},"factors-that-increase-cost","Factors that increase cost",[43,3111,3112,3118,3124,3130,3136,3142],{},[46,3113,3114,3117],{},[49,3115,3116],{},"Adding optional Trust Services Criteria"," beyond security",[46,3119,3120,3123],{},[49,3121,3122],{},"Large number of in-scope systems"," and subservice organizations",[46,3125,3126,3129],{},[49,3127,3128],{},"Poor documentation"," requiring significant policy and procedure development",[46,3131,3132,3135],{},[49,3133,3134],{},"Manual evidence collection"," that consumes engineering time every audit cycle",[46,3137,3138,3141],{},[49,3139,3140],{},"Scope changes mid-audit"," that require additional auditor testing",[46,3143,3144,3151],{},[49,3145,3146,3147,3150],{},"Choosing a ",[20,3148,3149],{"href":190},"Type II"," first"," without a readiness baseline (Type I first can reduce total 
cost)",[11,3153,3155],{"id":3154},"practical-ways-to-reduce-soc-2-cost","Practical ways to reduce SOC 2 cost",[198,3157,3158,3167,3173,3179,3185,3191,3204],{},[46,3159,3160,3163,3164,3166],{},[49,3161,3162],{},"Right-size your scope",": Only include the Trust Services Criteria and systems that are relevant. Over-scoping is the fastest way to inflate costs. Review the ",[20,3165,533],{"href":79}," carefully.",[46,3168,3169,3172],{},[49,3170,3171],{},"Start with Type I",": A Type I engagement validates your control design at lower cost, identifies issues early, and builds auditor familiarity before the longer Type II period.",[46,3174,3175,3178],{},[49,3176,3177],{},"Automate evidence collection",": Every hour saved on screenshots, access review exports, and configuration checks is an hour your team spends on product work instead. This is the highest-ROI investment you can make.",[46,3180,3181,3184],{},[49,3182,3183],{},"Choose a right-sized auditor",": A mid-market CPA firm with deep SOC 2 experience often provides better service and lower fees than a Big Four firm for companies under 500 employees.",[46,3186,3187,3190],{},[49,3188,3189],{},"Use a purpose-built compliance platform",": Spreadsheet-based compliance programs cost less in software but far more in labor. A good platform pays for itself in the first audit cycle.",[46,3192,3193,3196,3197,2927,3199,3203],{},[49,3194,3195],{},"Leverage framework overlap",": If you also need ",[20,3198,28],{"href":27},[20,3200,3202],{"href":3201},"\u002Fframeworks\u002Fhipaa","HIPAA",", map controls once and reuse evidence across frameworks. 
This amortizes the cost of compliance work across multiple requirements.",[46,3205,3206,3209],{},[49,3207,3208],{},"Build a compliance culture",": When control owners understand their responsibilities and collect evidence as part of their daily workflow, the incremental cost of each audit cycle drops significantly.",[11,3211,3213],{"id":3212},"the-cost-of-not-getting-soc-2","The cost of not getting SOC 2",[16,3215,3216],{},"While SOC 2 costs real money, the cost of not having it can be higher:",[43,3218,3219,3225,3231,3237],{},[46,3220,3221,3224],{},[49,3222,3223],{},"Lost deals",": Enterprise buyers increasingly require SOC 2 reports before signing contracts. A missing report can stall or kill a sale.",[46,3226,3227,3230],{},[49,3228,3229],{},"Longer sales cycles",": Without a SOC 2 report, security reviews become bespoke questionnaire exercises that consume weeks of back-and-forth.",[46,3232,3233,3236],{},[49,3234,3235],{},"Higher insurance premiums",": Some cyber insurance carriers offer better terms to organizations with a current SOC 2 report.",[46,3238,3239,3242],{},[49,3240,3241],{},"Incident costs",": The controls you implement for SOC 2 reduce the likelihood and severity of security incidents.",[11,3244,483],{"id":482},[16,3246,3247,3248,3251,3252,3256],{},"episki is designed to minimize the total cost of SOC 2 compliance. At $500\u002Fmonth with no per-seat charges, the platform cost is a fraction of alternatives. More importantly, episki reduces the internal labor component — the largest and most variable cost category — through pre-mapped control libraries, structured evidence collection, automated review cadences, and an auditor collaboration portal that eliminates email-based back-and-forth. Organizations using episki report cutting preparation time by up to 45 days. 
",[20,3249,492],{"href":489,"rel":3250},[491]," to see how much time and money you can save, or ",[20,3253,3255],{"href":3254},"\u002Fcompare\u002Fsecureframe","compare episki to Secureframe"," for a detailed feature comparison.",{"title":495,"searchDepth":496,"depth":496,"links":3258},[3259,3260,3267,3268,3269,3270,3271],{"id":2775,"depth":496,"text":2776},{"id":2789,"depth":496,"text":2790,"children":3261},[3262,3263,3264,3265,3266],{"id":2793,"depth":502,"text":2794},{"id":2869,"depth":502,"text":2870},{"id":2935,"depth":502,"text":2936},{"id":2977,"depth":502,"text":2978},{"id":3048,"depth":502,"text":3049},{"id":3055,"depth":496,"text":3056},{"id":3108,"depth":496,"text":3109},{"id":3154,"depth":496,"text":3155},{"id":3212,"depth":496,"text":3213},{"id":482,"depth":496,"text":483},"A transparent breakdown of SOC 2 costs including auditor fees, compliance tooling, internal time, and factors that influence total spend.",{},[524,530],[1977,3276,533],"checklist",{"title":3278,"description":3279},"How Much Does SOC 2 Cost in 2026 — Full Cost Breakdown","SOC 2 costs range from $20K to $150K+. 
Get a transparent breakdown of auditor fees, tooling, internal time, and practical ways to reduce spend.","5.frameworks\u002Fsoc2\u002Fcost","TKZqVnKfYHxEAdY00RgH5EUl-GdWTOh38Ctp7yNatF4",{"id":3283,"title":3284,"body":3285,"description":3578,"extension":522,"faq":3579,"frameworkSlug":524,"lastUpdated":525,"meta":3596,"navigation":527,"path":797,"relatedTerms":3597,"relatedTopics":3599,"seo":3600,"stem":3603,"__hash__":3604},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fincident-response.md","SOC 2 Incident Response",{"type":8,"value":3286,"toc":3561},[3287,3291,3294,3302,3306,3309,3314,3319,3324,3327,3331,3334,3338,3341,3370,3374,3377,3381,3387,3391,3394,3423,3426,3430,3436,3440,3443,3445,3459,3462,3464,3467,3490,3493,3495,3531,3533,3550,3552],[11,3288,3290],{"id":3289},"incident-response-is-where-soc-2-moves-from-theory-to-practice","Incident response is where SOC 2 moves from theory to practice",[16,3292,3293],{},"Every SOC 2 program has an incident response plan. Auditors see hundreds of them. What separates a program that passes Type II cleanly from one that collects exceptions is whether the plan is actually executed when something happens — and whether there is evidence the team can produce six months later.",[16,3295,187,3296,3298,3299,3301],{},[20,3297,23],{"href":22}," Type II audit tests operating effectiveness. Incident response is one of the most operationally demanding control areas because it requires coordinated action across engineering, security, legal, and leadership, often under time pressure. The controls that matter are CC7.3 (evaluation of security events), CC7.4 (response execution), and CC7.5 (recovery) in the ",[20,3300,57],{"href":61},". 
Each generates evidence that auditors will sample and test.",[11,3303,3305],{"id":3304},"what-cc73-through-cc75-expect","What CC7.3 through CC7.5 expect",[16,3307,3308],{},"The CC7 series defines a closed loop from detection through recovery.",[16,3310,3311,3313],{},[49,3312,2512],{}," — The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents). This requires that detected events are triaged and classified, not just logged. Auditors look for evidence that events were evaluated — not every alert becomes an incident, but every alert should have a disposition.",[16,3315,3316,3318],{},[49,3317,2518],{}," — The entity responds to identified security incidents by executing a defined incident response program that includes assigned roles, containment, remediation, communication, and documentation. This requires a written plan, trained responders, and evidence that real or simulated incidents followed it.",[16,3320,3321,3323],{},[49,3322,2524],{}," — The entity identifies, develops, and implements activities to recover from identified security incidents. Recovery includes restoring systems, verifying integrity, and applying lessons learned.",[16,3325,3326],{},"CC2.2 and CC9 also touch incident response — internal and external communication during an incident and risk mitigation through incident learnings.",[11,3328,3330],{"id":3329},"components-of-a-soc-2-ready-incident-response-program","Components of a SOC 2-ready incident response program",[16,3332,3333],{},"A program that passes auditor scrutiny has six components.",[38,3335,3337],{"id":3336},"_1-a-written-incident-response-plan","1. A written incident response plan",[16,3339,3340],{},"The plan should be approved by leadership, reviewed annually, and specific enough that a new team member could follow it. 
Required elements include:",[43,3342,3343,3346,3349,3352,3355,3358,3361,3364,3367],{},[46,3344,3345],{},"Definition of a security incident",[46,3347,3348],{},"Severity classifications (for example, P1 through P4)",[46,3350,3351],{},"Roles and responsibilities (incident commander, communications lead, technical lead)",[46,3353,3354],{},"Detection and reporting channels",[46,3356,3357],{},"Triage and classification process",[46,3359,3360],{},"Containment, eradication, and recovery procedures",[46,3362,3363],{},"Internal and external communication requirements",[46,3365,3366],{},"Post-incident review expectations",[46,3368,3369],{},"Regulatory and contractual notification obligations",[38,3371,3373],{"id":3372},"_2-runbooks-for-common-scenarios","2. Runbooks for common scenarios",[16,3375,3376],{},"The plan covers the framework; runbooks cover the specifics. Typical runbooks address credential compromise, ransomware, data exfiltration, DDoS, vendor compromise, insider threat, and lost or stolen device. Runbooks reduce decision latency when an incident is active and demonstrate maturity to auditors.",[38,3378,3380],{"id":3379},"_3-defined-detection-and-escalation-paths","3. Defined detection and escalation paths",[16,3382,3383,3384,3386],{},"Alerts from ",[20,3385,794],{"href":793}," tools must flow into a triage process. Each alert is either dismissed with a note or escalated to an incident with a severity rating. Auditors look for the linkage between detection and incident records — if the chain is unclear, the control appears theoretical.",[38,3388,3390],{"id":3389},"_4-documented-incidents","4. Documented incidents",[16,3392,3393],{},"Every real incident during the observation period must have a record. 
Minimum fields:",[43,3395,3396,3399,3402,3405,3408,3411,3414,3417,3420],{},[46,3397,3398],{},"Incident ID and title",[46,3400,3401],{},"Detection time and source",[46,3403,3404],{},"Severity at declaration and revision history",[46,3406,3407],{},"Timeline of actions taken",[46,3409,3410],{},"Systems, data, and individuals affected",[46,3412,3413],{},"Containment and remediation steps",[46,3415,3416],{},"Communications sent (internal, customers, regulators, law enforcement)",[46,3418,3419],{},"Root cause",[46,3421,3422],{},"Lessons learned and assigned remediation items",[16,3424,3425],{},"The system of record can be a dedicated incident platform, a ticketing system, or a structured document repository. What matters is consistency across incidents.",[38,3427,3429],{"id":3428},"_5-tabletop-exercises","5. Tabletop exercises",[16,3431,3432,3433,3435],{},"If no real incidents occur during the observation period, tabletop exercises demonstrate the plan works. A tabletop walks a team through a simulated scenario, capturing decisions and timing. At minimum, conduct one tabletop annually covering a realistic scenario. Mature programs run them quarterly. See ",[20,3434,2549],{"href":2548}," for how to document.",[38,3437,3439],{"id":3438},"_6-post-incident-review","6. Post-incident review",[16,3441,3442],{},"Every declared incident above a threshold severity should produce a post-incident review (PIR) or retrospective. The PIR captures the root cause, contributing factors, and remediation items with owners and due dates. Auditors may request to see PIRs for a sample of incidents from the observation period.",[11,3444,803],{"id":802},[16,3446,3447,3448,3450,3451,3454,3455,3458],{},"Incident response is tightly coupled to other SOC 2 control areas. ",[20,3449,425],{"href":793}," feeds the detection engine. ",[20,3452,3453],{"href":1271},"Change management"," failures sometimes manifest as incidents. 
",[20,3456,3457],{"href":2393},"Vendor management"," governs how you respond when a third party is compromised. Strong incident response also supports the availability criterion when applicable — outage response is an incident response subset with its own RTO and RPO targets.",[16,3460,3461],{},"Auditors often use incident records to validate controls elsewhere. An incident that required access to production shows up in access control logs. A change that caused an incident shows up in change management records. Inconsistencies between these artifacts create findings.",[11,3463,624],{"id":623},[16,3465,3466],{},"During fieldwork, the auditor will typically request:",[43,3468,3469,3472,3475,3478,3481,3484,3487],{},[46,3470,3471],{},"The current incident response plan with approval evidence",[46,3473,3474],{},"Runbooks for common scenarios",[46,3476,3477],{},"A list of incidents declared during the observation period",[46,3479,3480],{},"Full documentation for a sampled subset of those incidents",[46,3482,3483],{},"Evidence of tabletop exercises during the observation period",[46,3485,3486],{},"Evidence of incident response training for relevant staff",[46,3488,3489],{},"Breach notification templates and examples if any notifications were sent",[16,3491,3492],{},"If no incidents occurred, the auditor relies heavily on tabletop and training evidence. Skipping these is a red flag.",[11,3494,813],{"id":812},[43,3496,3497,3503,3509,3515,3521],{},[46,3498,3499,3502],{},[49,3500,3501],{},"Plan without practice."," A polished document that no one follows creates more audit risk than a simple plan that is actually used. Test it.",[46,3504,3505,3508],{},[49,3506,3507],{},"Severity drift."," Teams reclassify incidents down to avoid paperwork. Auditors notice when severity distributions do not match the alert volume.",[46,3510,3511,3514],{},[49,3512,3513],{},"Missing communication records."," Incidents often require customer or regulatory notifications. 
If communications happened verbally with no record, the evidence is gone.",[46,3516,3517,3520],{},[49,3518,3519],{},"No lessons learned."," Running an incident and not capturing what to improve shows the program is reactive, not mature.",[46,3522,3523,3526,3527,799],{},[49,3524,3525],{},"Breach notification as an afterthought."," Regulatory timelines (GDPR 72 hours, some state laws 30 to 60 days) apply whether or not your plan accounts for them. See ",[20,3528,3530],{"href":3529},"\u002Fglossary\u002Fbreach-notification","breach notification",[11,3532,849],{"id":848},[43,3534,3535,3538,3541,3544,3547],{},[46,3536,3537],{},"Keep the incident response plan in version control. Each approved version should be dated and linked to a leadership review.",[46,3539,3540],{},"Integrate your alerting tool with your ticketing system so every escalated alert creates an incident record automatically.",[46,3542,3543],{},"Use a consistent template for post-incident reviews so comparisons across incidents are possible.",[46,3545,3546],{},"Run one tabletop per quarter, rotating scenarios. Capture the output as a PDF and store it with the other SOC 2 evidence.",[46,3548,3549],{},"Train all employees annually on how to report a suspected incident. The earliest detection often comes from a non-security team member.",[11,3551,483],{"id":482},[16,3553,3554,3555,2721,3558,3560],{},"episki provides templates for incident response plans, runbooks, and post-incident reviews mapped to CC7.3 through CC7.5, along with evidence collection for tabletop exercises and training. 
",[20,3556,492],{"href":489,"rel":3557},[491],[20,3559,878],{"href":22}," to see how incident response integrates with monitoring, change management, and vendor controls.",{"title":495,"searchDepth":496,"depth":496,"links":3562},[3563,3564,3565,3573,3574,3575,3576,3577],{"id":3289,"depth":496,"text":3290},{"id":3304,"depth":496,"text":3305},{"id":3329,"depth":496,"text":3330,"children":3566},[3567,3568,3569,3570,3571,3572],{"id":3336,"depth":502,"text":3337},{"id":3372,"depth":502,"text":3373},{"id":3379,"depth":502,"text":3380},{"id":3389,"depth":502,"text":3390},{"id":3428,"depth":502,"text":3429},{"id":3438,"depth":502,"text":3439},{"id":802,"depth":496,"text":803},{"id":623,"depth":496,"text":624},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"How to build a SOC 2 incident response program that satisfies CC7.3 and CC7.4. Playbooks, evidence expectations, and what auditors look for during fieldwork.",{"items":3580},[3581,3584,3587,3590,3593],{"label":3582,"content":3583},"Which SOC 2 criteria cover incident response?","Incident response maps to CC7.3 (evaluation of security events), CC7.4 (response to identified incidents), and CC7.5 (recovery from incidents). CC2.2 also covers internal and external communication about incidents, which includes breach notification.",{"label":3585,"content":3586},"Do I need to have had a real incident to pass SOC 2?","No. Auditors look for a documented incident response program, tested procedures, and evidence of how alerts are triaged. If real incidents occurred, the auditor will examine those. If not, tabletop exercises can demonstrate the process works.",{"label":3588,"content":3589},"How often should incident response plans be tested?","At minimum annually. Many mature SOC 2 programs conduct quarterly tabletop exercises covering different scenarios (data exfiltration, ransomware, insider threat, vendor compromise). 
Evidence of testing is a common auditor request.",{"label":3591,"content":3592},"What counts as a security incident under SOC 2?","Any event that could affect the security, availability, integrity, confidentiality, or privacy of the system. This includes confirmed breaches, attempted intrusions, policy violations, malware detections, and unauthorized access attempts — not just successful compromises.",{"label":3594,"content":3595},"Does SOC 2 require breach notification?","SOC 2 requires defined procedures for communicating about incidents to affected parties. Specific notification timelines come from external obligations (GDPR, HIPAA, state breach laws, customer contracts), but SOC 2 auditors will verify that your process incorporates those timelines.",{},[927,3598,924,1274],"breach-notification",[424,926,1977],{"title":3601,"description":3602},"SOC 2 Incident Response (2026): CC7.3\u002F7.4 Requirements","SOC 2 incident response under CC7.3 and CC7.4. Playbooks, runbooks, tabletop exercises, and the evidence auditors expect during Type II fieldwork.","5.frameworks\u002Fsoc2\u002Fincident-response","1H5HP7ZTDnMHccFEfaOpF40qzXBuvKiCdVMSHqaC--4",{"id":3606,"title":3607,"body":3608,"description":4133,"extension":522,"faq":4134,"frameworkSlug":524,"lastUpdated":525,"meta":4151,"navigation":527,"path":2316,"relatedTerms":4152,"relatedTopics":4153,"seo":4155,"stem":4158,"__hash__":4159},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fpolicies-and-procedures.md","SOC 2 Policies and Procedures",{"type":8,"value":3609,"toc":4116},[3610,3614,3620,3623,3627,3632,3649,3652,3656,3659,3807,3810,3814,3817,3821,3824,3847,3851,3854,3903,3907,3921,3926,3930,3933,3950,3953,3956,3973,3977,3980,3999,4002,4004,4018,4026,4028,4031,4048,4051,4053,4085,4087,4104,4106],[11,3611,3613],{"id":3612},"policies-are-where-soc-2-programs-set-their-own-ceiling","Policies are where SOC 2 programs set their own ceiling",[16,3615,3616,3617,3619],{},"Policies define what your organization has 
committed to. Every other ",[20,3618,23],{"href":22}," control is, in some sense, testing whether you do what you said you would. Weak policies create a weak foundation for the entire program — auditors cannot test adherence to commitments that are not written down, unclear, or inconsistent with practice. Strong policies make the rest of the audit easier because they anchor the conversation in documented expectations.",[16,3621,3622],{},"This is also where many first-time programs overcorrect. Teams buy a template library, rubber-stamp the whole set, and discover during fieldwork that the auditor is testing against policies nobody read. The fix is not more policy — it is fewer, sharper policies that match how the team actually operates.",[11,3624,3626],{"id":3625},"what-soc-2-expects-from-policies","What SOC 2 expects from policies",[16,3628,18,3629,3631],{},[20,3630,57],{"href":61}," reference policies and procedures throughout, most directly in CC1.4, CC2.2, CC5.1, CC5.3, and CC6.1. Together these require that the entity:",[43,3633,3634,3637,3640,3643,3646],{},[46,3635,3636],{},"Establishes structures, reporting lines, authorities, and responsibilities",[46,3638,3639],{},"Develops and implements controls through policies and procedures",[46,3641,3642],{},"Communicates policies to internal and external parties as relevant",[46,3644,3645],{},"Demonstrates commitment to competence, including training on policies",[46,3647,3648],{},"Restricts access based on documented criteria",[16,3650,3651],{},"Policies must be approved, communicated, followed, and periodically reviewed. 
Each of those verbs generates evidence.",[11,3653,3655],{"id":3654},"the-baseline-soc-2-policy-set","The baseline SOC 2 policy set",[16,3657,3658],{},"There is no mandated list, but most SOC 2 programs maintain a baseline of policies that map to the Common Criteria and any additional Trust Services Criteria selected.",[241,3660,3661,3674],{},[244,3662,3663],{},[247,3664,3665,3668,3671],{},[250,3666,3667],{},"Policy",[250,3669,3670],{},"Purpose",[250,3672,3673],{},"Primary Criteria",[257,3675,3676,3687,3698,3709,3720,3731,3742,3753,3764,3775,3786,3797],{},[247,3677,3678,3681,3684],{},[262,3679,3680],{},"Information Security Policy",[262,3682,3683],{},"Defines the overall security program, roles, and authorities",[262,3685,3686],{},"CC1, CC2",[247,3688,3689,3692,3695],{},[262,3690,3691],{},"Acceptable Use Policy",[262,3693,3694],{},"Governs employee behavior on company systems",[262,3696,3697],{},"CC2.3, CC6",[247,3699,3700,3703,3706],{},[262,3701,3702],{},"Access Control Policy",[262,3704,3705],{},"Defines provisioning, review, and removal of access",[262,3707,3708],{},"CC6",[247,3710,3711,3714,3717],{},[262,3712,3713],{},"Change Management Policy",[262,3715,3716],{},"Governs changes to infrastructure, code, and configuration",[262,3718,3719],{},"CC8.1",[247,3721,3722,3725,3728],{},[262,3723,3724],{},"Incident Response Policy",[262,3726,3727],{},"Defines how security incidents are detected and handled",[262,3729,3730],{},"CC7.3–CC7.5",[247,3732,3733,3736,3739],{},[262,3734,3735],{},"Vendor Management Policy",[262,3737,3738],{},"Defines how third parties are assessed and monitored",[262,3740,3741],{},"CC9.2",[247,3743,3744,3747,3750],{},[262,3745,3746],{},"Risk Assessment Policy",[262,3748,3749],{},"Defines how risks are identified, evaluated, and treated",[262,3751,3752],{},"CC3",[247,3754,3755,3758,3761],{},[262,3756,3757],{},"Business Continuity and DR Policy",[262,3759,3760],{},"Defines recovery objectives and testing",[262,3762,3763],{},"CC9.1, 
Availability",[247,3765,3766,3769,3772],{},[262,3767,3768],{},"Data Classification Policy",[262,3770,3771],{},"Defines data sensitivity tiers and handling requirements",[262,3773,3774],{},"CC6, Confidentiality",[247,3776,3777,3780,3783],{},[262,3778,3779],{},"HR Security Policy",[262,3781,3782],{},"Covers hiring, training, termination, confidentiality",[262,3784,3785],{},"CC1.4, CC2.3",[247,3787,3788,3791,3794],{},[262,3789,3790],{},"System Monitoring Policy",[262,3792,3793],{},"Defines logging, alerting, and review obligations",[262,3795,3796],{},"CC7.1, CC7.2",[247,3798,3799,3802,3805],{},[262,3800,3801],{},"Privacy Policy",[262,3803,3804],{},"Covers handling of personal information (if privacy in scope)",[262,3806,2297],{},[16,3808,3809],{},"Some organizations split these into more granular documents; others combine them. Either is acceptable if the content is comprehensive and consistent.",[11,3811,3813],{"id":3812},"anatomy-of-a-soc-2-ready-policy","Anatomy of a SOC 2-ready policy",[16,3815,3816],{},"Auditors quickly identify thin or template-only policies. 
A policy that passes scrutiny has consistent structure and real operational content.",[38,3818,3820],{"id":3819},"required-metadata","Required metadata",[16,3822,3823],{},"Every policy should include:",[43,3825,3826,3829,3832,3835,3838,3841,3844],{},[46,3827,3828],{},"Title and version number",[46,3830,3831],{},"Date of last review",[46,3833,3834],{},"Owner (role, not name)",[46,3836,3837],{},"Approver (leadership role)",[46,3839,3840],{},"Approval date",[46,3842,3843],{},"Scope of applicability",[46,3845,3846],{},"Next scheduled review date",[38,3848,3850],{"id":3849},"required-sections","Required sections",[16,3852,3853],{},"At minimum, a complete SOC 2 policy covers:",[198,3855,3856,3861,3867,3873,3879,3885,3891,3897],{},[46,3857,3858,3860],{},[49,3859,3670],{}," — why the policy exists",[46,3862,3863,3866],{},[49,3864,3865],{},"Scope"," — who and what it applies to",[46,3868,3869,3872],{},[49,3870,3871],{},"Roles and responsibilities"," — who does what",[46,3874,3875,3878],{},[49,3876,3877],{},"Policy statements"," — the rules themselves, in directive language",[46,3880,3881,3884],{},[49,3882,3883],{},"Procedures or references"," — how the policy is executed",[46,3886,3887,3890],{},[49,3888,3889],{},"Exceptions process"," — how deviations are approved and tracked",[46,3892,3893,3896],{},[49,3894,3895],{},"Enforcement and consequences"," — what happens if the policy is violated",[46,3898,3899,3902],{},[49,3900,3901],{},"Review cadence"," — when and how the policy is updated",[38,3904,3906],{"id":3905},"language-that-survives-audit","Language that survives audit",[43,3908,3909,3912,3915,3918],{},[46,3910,3911],{},"Use \"shall\" or \"must\" for required actions; \"should\" for recommended",[46,3913,3914],{},"Avoid aspirational language that cannot be tested",[46,3916,3917],{},"Name the system, team, or artifact by role rather than by product (so policies survive tool changes)",[46,3919,3920],{},"Reference other policies rather than duplicating 
content",[16,3922,744,3923,3925],{},[20,3924,2549],{"href":2548}," for how policy adherence becomes auditable.",[11,3927,3929],{"id":3928},"version-control-and-approval-workflow","Version control and approval workflow",[16,3931,3932],{},"Policies must be controlled documents. Auditors typically verify:",[43,3934,3935,3938,3941,3944,3947],{},[46,3936,3937],{},"Current version is the approved version",[46,3939,3940],{},"Historical versions are retained",[46,3942,3943],{},"Approvals are documented with approver, date, and method",[46,3945,3946],{},"Changes between versions can be traced",[46,3948,3949],{},"Distribution to affected parties is evidenced",[16,3951,3952],{},"Practical options range from a policy management tool to a Git repository with signed commits and a documented pull request workflow. What matters is traceability, not the specific tool.",[16,3954,3955],{},"The approval workflow should specify:",[43,3957,3958,3961,3964,3967,3970],{},[46,3959,3960],{},"Who can propose changes",[46,3962,3963],{},"Who reviews before approval",[46,3965,3966],{},"Who approves (usually leadership for any material change)",[46,3968,3969],{},"How approval is recorded",[46,3971,3972],{},"How approved policies are published and communicated",[11,3974,3976],{"id":3975},"policies-versus-procedures-versus-standards","Policies versus procedures versus standards",[16,3978,3979],{},"SOC 2 does not require a specific document hierarchy, but clarity helps.",[43,3981,3982,3987,3993],{},[46,3983,3984,3986],{},[49,3985,3667],{}," — a high-level commitment that rarely changes. \"All employees must use multi-factor authentication on company accounts.\"",[46,3988,3989,3992],{},[49,3990,3991],{},"Standard"," — a specific requirement that supports a policy. \"Multi-factor authentication must use either a hardware token or a TOTP app; SMS is not permitted.\"",[46,3994,3995,3998],{},[49,3996,3997],{},"Procedure"," — the operational steps to implement the policy and standard. 
\"To enroll a hardware token: log in to the identity provider, navigate to security, click add device...\"",[16,4000,4001],{},"Auditors may test against any layer. Separating them keeps policies stable while allowing procedures to evolve with operational reality.",[11,4003,803],{"id":802},[16,4005,4006,4007,4009,4010,4009,4012,4014,4015,4017],{},"Policies feed every other SOC 2 control area. ",[20,4008,3453],{"href":1271},", ",[20,4011,798],{"href":797},[20,4013,2394],{"href":2393},", and ",[20,4016,794],{"href":793}," all reference policy requirements, and auditors often start a control area by asking to see the policy before testing adherence.",[16,4019,4020,4021,4025],{},"Policies are also central to ",[20,4022,4024],{"href":4023},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment",". A common finding during readiness is that informal practices exist but are not documented. The fix is to write what the team already does — not to invent new procedures — and then evolve the policy as practice matures.",[11,4027,1073],{"id":1072},[16,4029,4030],{},"For each policy, auditors may request:",[43,4032,4033,4036,4039,4042,4045],{},[46,4034,4035],{},"Current version of the policy document",[46,4037,4038],{},"Evidence of approval (signed approval, workflow record, metadata)",[46,4040,4041],{},"Evidence of last annual review",[46,4043,4044],{},"Distribution evidence (email, portal acknowledgment, training completion)",[46,4046,4047],{},"Evidence of adherence across the observation period",[16,4049,4050],{},"For a Type II audit, adherence evidence is the most demanding category. A change management policy is only as strong as the changes that followed it.",[11,4052,813],{"id":812},[43,4054,4055,4061,4067,4073,4079],{},[46,4056,4057,4060],{},[49,4058,4059],{},"Template tourism."," Teams adopt templates without tailoring. 
Auditors recognize generic language immediately.",[46,4062,4063,4066],{},[49,4064,4065],{},"Policy-practice gap."," Written policy diverges from actual practice. Walkthroughs expose this fast.",[46,4068,4069,4072],{},[49,4070,4071],{},"Stale reviews."," Policies with \"last reviewed\" dates more than a year old signal neglect.",[46,4074,4075,4078],{},[49,4076,4077],{},"Missing approval."," No documented sign-off from leadership. A committed policy with no approval trail rarely passes review.",[46,4080,4081,4084],{},[49,4082,4083],{},"No communication evidence."," Policy exists but employees cannot confirm they have seen it.",[11,4086,849],{"id":848},[43,4088,4089,4092,4095,4098,4101],{},[46,4090,4091],{},"Start with the baseline set above and resist the urge to create more. Every policy is future audit burden.",[46,4093,4094],{},"Pair every policy with a procedure or runbook that shows how it is executed. The pair is stronger than either alone.",[46,4096,4097],{},"Review and re-approve all policies annually on a fixed schedule — for example, every February. Document the cycle.",[46,4099,4100],{},"Collect policy acknowledgment during employee onboarding and annually thereafter. Acknowledgment is inexpensive evidence.",[46,4102,4103],{},"Keep an exceptions log. A policy with no exceptions is either perfectly followed or poorly understood; exceptions tell you which.",[11,4105,483],{"id":482},[16,4107,4108,4109,4112,4113,4115],{},"episki ships with a SOC 2 policy template library — covering the baseline set above — mapped to the Trust Services Criteria, with approval workflow, version history, and acknowledgment tracking built in. 
",[20,4110,492],{"href":489,"rel":4111},[491]," or review the ",[20,4114,878],{"href":22}," to see how policy management integrates with the rest of the audit program.",{"title":495,"searchDepth":496,"depth":496,"links":4117},[4118,4119,4120,4121,4126,4127,4128,4129,4130,4131,4132],{"id":3612,"depth":496,"text":3613},{"id":3625,"depth":496,"text":3626},{"id":3654,"depth":496,"text":3655},{"id":3812,"depth":496,"text":3813,"children":4122},[4123,4124,4125],{"id":3819,"depth":502,"text":3820},{"id":3849,"depth":502,"text":3850},{"id":3905,"depth":502,"text":3906},{"id":3928,"depth":496,"text":3929},{"id":3975,"depth":496,"text":3976},{"id":802,"depth":496,"text":803},{"id":1072,"depth":496,"text":1073},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"The policies required for SOC 2. Templates, version control, approval workflow, and how auditors test policy adherence during fieldwork.",{"items":4135},[4136,4139,4142,4145,4148],{"label":4137,"content":4138},"What policies are required for SOC 2?","There is no prescribed list, but most SOC 2 programs have at least twelve policies covering information security, access control, change management, incident response, vendor management, acceptable use, data classification, business continuity, risk management, HR security, system monitoring, and privacy (if the privacy criterion is in scope).",{"label":4140,"content":4141},"Are policy templates acceptable for SOC 2?","Templates are an acceptable starting point, but the final policy must reflect how your organization actually operates. Auditors look for alignment between written policy and observed practice. A template never tailored to your environment usually fails walkthroughs.",{"label":4143,"content":4144},"How often should SOC 2 policies be reviewed?","At least annually. Many organizations review policies more frequently when significant changes occur — reorganizations, new products, regulatory changes. 
Each review should be documented with a reviewer, date, and any changes made.",{"label":4146,"content":4147},"Who must approve SOC 2 policies?","Policies typically require leadership approval — CEO, CTO, CISO, or equivalent. The approver should be documented on the policy itself. A policy without evidence of formal approval is a common source of audit findings.",{"label":4149,"content":4150},"How do auditors test policies?","Auditors review the policy itself, check approval and review history, and then test whether the policy is followed through walkthroughs and evidence sampling. A policy that says one thing while the team does another is flagged as a design-versus-operating-effectiveness issue.",{},[524,530,1975,1274],[533,4154,1977],"readiness-assessment",{"title":4156,"description":4157},"SOC 2 Policies & Procedures (2026): Required Docs & Templates","Every policy a SOC 2 audit expects. Templates, version control, leadership approval, and the difference between policy on paper and policy in practice.","5.frameworks\u002Fsoc2\u002Fpolicies-and-procedures","vTsNDGzErpsuzja0X79iu8h767Qjr1SAJbnemh3OH-U",{"id":4161,"title":4162,"body":4163,"description":4782,"extension":522,"faq":4783,"frameworkSlug":524,"lastUpdated":525,"meta":4800,"navigation":527,"path":2301,"relatedTerms":4801,"relatedTopics":4802,"seo":4804,"stem":4807,"__hash__":4808},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fprivacy-criteria.md","SOC 2 Privacy Criteria",{"type":8,"value":4164,"toc":4740},[4165,4169,4175,4178,4182,4187,4265,4268,4271,4274,4276,4293,4295,4306,4309,4312,4314,4331,4333,4344,4347,4350,4352,4369,4371,4382,4385,4388,4391,4408,4411,4425,4428,4431,4434,4451,4454,4465,4468,4471,4474,4491,4494,4508,4513,4516,4519,4522,4539,4542,4553,4556,4559,4562,4579,4582,4596,4598,4601,4636,4639,4641,4650,4653,4655,4658,4676,4678,4710,4712,4729,4731],[11,4166,4168],{"id":4167},"privacy-is-the-most-demanding-soc-2-criterion","Privacy is the most demanding SOC 2 
criterion",[16,4170,4171,4172,4174],{},"Privacy has eight control categories — P1 through P8 — which is more than any other ",[20,4173,23],{"href":22}," Trust Services Criterion. It touches every team that handles personal information and requires operational discipline across the full data lifecycle: notice, choice, collection, use, retention, disclosure, access, and monitoring. For organizations adding the privacy criterion to an existing SOC 2, the scope expansion is substantial. For those starting fresh with privacy in scope, the readiness effort is significant.",[16,4176,4177],{},"The privacy criterion applies when the organization collects and processes personal information — data that can identify an individual. It aligns closely with regulations like GDPR, CCPA, PIPEDA, and other data protection laws, though SOC 2 Privacy attests to controls, not regulatory compliance. Buyers often request it as operational assurance that privacy commitments are not theoretical.",[11,4179,4181],{"id":4180},"the-eight-privacy-categories","The eight privacy categories",[16,4183,18,4184,4186],{},[20,4185,57],{"href":61}," organize the privacy criterion into eight control categories. 
Each maps to a principle in the AICPA's generally accepted privacy principles.",[241,4188,4189,4199],{},[244,4190,4191],{},[247,4192,4193,4196],{},[250,4194,4195],{},"Category",[250,4197,4198],{},"Focus",[257,4200,4201,4209,4217,4225,4233,4241,4249,4257],{},[247,4202,4203,4206],{},[262,4204,4205],{},"P1 — Notice",[262,4207,4208],{},"Providing notice about privacy practices",[247,4210,4211,4214],{},[262,4212,4213],{},"P2 — Choice and consent",[262,4215,4216],{},"Obtaining informed consent",[247,4218,4219,4222],{},[262,4220,4221],{},"P3 — Collection",[262,4223,4224],{},"Collecting only what is needed",[247,4226,4227,4230],{},[262,4228,4229],{},"P4 — Use, retention, and disposal",[262,4231,4232],{},"Using data for stated purposes; retaining and disposing appropriately",[247,4234,4235,4238],{},[262,4236,4237],{},"P5 — Access",[262,4239,4240],{},"Providing data subjects access to their personal information",[247,4242,4243,4246],{},[262,4244,4245],{},"P6 — Disclosure and notification",[262,4247,4248],{},"Disclosing to third parties and notifying of breaches",[247,4250,4251,4254],{},[262,4252,4253],{},"P7 — Quality",[262,4255,4256],{},"Maintaining accurate and complete personal information",[247,4258,4259,4262],{},[262,4260,4261],{},"P8 — Monitoring and enforcement",[262,4263,4264],{},"Monitoring privacy practices and enforcing commitments",[16,4266,4267],{},"Each category has specific points of focus. Below, we summarize the operational controls for each.",[11,4269,4205],{"id":4270},"p1-notice",[16,4272,4273],{},"P1 requires that the organization provide notice about its privacy practices. 
The notice must be readily available, describe the entity's practices clearly, and be updated when practices change.",[38,4275,600],{"id":599},[43,4277,4278,4281,4284,4287,4290],{},[46,4279,4280],{},"Published privacy notice on the company website",[46,4282,4283],{},"Notice at the point of data collection where relevant",[46,4285,4286],{},"Version history with effective dates",[46,4288,4289],{},"Procedures for updating and re-communicating notice when practices change",[46,4291,4292],{},"Internal policy on when notice updates are required",[38,4294,624],{"id":623},[43,4296,4297,4300,4303],{},[46,4298,4299],{},"Current notice document",[46,4301,4302],{},"Prior versions with effective dates",[46,4304,4305],{},"Records of material changes during the observation period",[11,4307,4213],{"id":4308},"p2-choice-and-consent",[16,4310,4311],{},"P2 addresses how individuals exercise choice over their personal information. This includes opt-in, opt-out, and consent mechanisms.",[38,4313,600],{"id":651},[43,4315,4316,4319,4322,4325,4328],{},[46,4317,4318],{},"Consent management platform or equivalent",[46,4320,4321],{},"Opt-in and opt-out workflows aligned to applicable law",[46,4323,4324],{},"Consent records with timestamp, scope, and method",[46,4326,4327],{},"Procedures for responding to revoked consent",[46,4329,4330],{},"Cookie consent and tracking preferences where relevant",[38,4332,624],{"id":677},[43,4334,4335,4338,4341],{},[46,4336,4337],{},"Consent configuration",[46,4339,4340],{},"Sample consent records",[46,4342,4343],{},"Revocation handling evidence",[11,4345,4221],{"id":4346},"p3-collection",[16,4348,4349],{},"P3 requires that personal information be collected for specified purposes and limited to what is necessary. 
This is the data minimization principle.",[38,4351,600],{"id":707},[43,4353,4354,4357,4360,4363,4366],{},[46,4355,4356],{},"Documented purposes for each data element collected",[46,4358,4359],{},"Data inventory or data map",[46,4361,4362],{},"Review of collection forms and API endpoints for minimization",[46,4364,4365],{},"Controls preventing collection of unrelated or unnecessary data",[46,4367,4368],{},"Purpose limitation during new feature design",[38,4370,624],{"id":727},[43,4372,4373,4376,4379],{},[46,4374,4375],{},"Data map or inventory",[46,4377,4378],{},"Privacy impact assessments for new data flows",[46,4380,4381],{},"Collection forms reviewed against documented purposes",[11,4383,4229],{"id":4384},"p4-use-retention-and-disposal",[16,4386,4387],{},"P4 addresses how personal information is used after collection and what happens when it is no longer needed.",[38,4389,600],{"id":4390},"typical-controls-3",[43,4392,4393,4396,4399,4402,4405],{},[46,4394,4395],{},"Purpose limitation enforced through access controls and code review",[46,4397,4398],{},"Data retention schedule with defined periods per data type",[46,4400,4401],{},"Automated or tracked deletion when retention expires",[46,4403,4404],{},"Disposal procedures for physical and logical data",[46,4406,4407],{},"Documentation of exceptions and legal holds",[38,4409,624],{"id":4410},"evidence-expectations-3",[43,4412,4413,4416,4419,4422],{},[46,4414,4415],{},"Retention schedule",[46,4417,4418],{},"Evidence of automated deletion (job logs, records)",[46,4420,4421],{},"Disposal records for the observation period",[46,4423,4424],{},"Examples of purpose limitation (access restrictions tied to purpose)",[11,4426,4237],{"id":4427},"p5-access",[16,4429,4430],{},"P5 requires procedures for providing data subjects with access to their personal information, including correction or deletion rights.",[38,4432,600],{"id":4433},"typical-controls-4",[43,4435,4436,4439,4442,4445,4448],{},[46,4437,4438],{},"Subject access 
request (SAR) intake process",[46,4440,4441],{},"Identity verification procedures",[46,4443,4444],{},"Response timelines aligned to applicable law",[46,4446,4447],{},"Procedures for correction, deletion, and objection requests",[46,4449,4450],{},"SAR tracking system with full audit trail",[38,4452,624],{"id":4453},"evidence-expectations-4",[43,4455,4456,4459,4462],{},[46,4457,4458],{},"SAR policy and procedure",[46,4460,4461],{},"Sample SAR cases closed during the period",[46,4463,4464],{},"Response timeline metrics",[11,4466,4245],{"id":4467},"p6-disclosure-and-notification",[16,4469,4470],{},"P6 covers how personal information is shared with third parties and how breaches are handled.",[38,4472,600],{"id":4473},"typical-controls-5",[43,4475,4476,4479,4482,4485,4488],{},[46,4477,4478],{},"Data processing agreements with all processors",[46,4480,4481],{},"Subprocessor notification procedures",[46,4483,4484],{},"Breach detection and notification procedures",[46,4486,4487],{},"Notification templates for regulators and data subjects",[46,4489,4490],{},"Records of disclosures for accounting purposes",[38,4492,624],{"id":4493},"evidence-expectations-5",[43,4495,4496,4499,4502,4505],{},[46,4497,4498],{},"DPA templates and executed DPAs",[46,4500,4501],{},"Subprocessor list",[46,4503,4504],{},"Breach response procedures",[46,4506,4507],{},"Notification records if any occurred during the period",[16,4509,744,4510,4512],{},[20,4511,3530],{"href":3529}," for related glossary.",[11,4514,4253],{"id":4515},"p7-quality",[16,4517,4518],{},"P7 addresses maintaining accurate, complete, and current personal information. 
This intersects with both P5 (correction rights) and operational data quality.",[38,4520,600],{"id":4521},"typical-controls-6",[43,4523,4524,4527,4530,4533,4536],{},[46,4525,4526],{},"Data quality checks at collection and processing",[46,4528,4529],{},"Procedures for correcting inaccurate information",[46,4531,4532],{},"Periodic data quality reviews",[46,4534,4535],{},"Deduplication processes",[46,4537,4538],{},"Customer-facing update flows",[38,4540,624],{"id":4541},"evidence-expectations-6",[43,4543,4544,4547,4550],{},[46,4545,4546],{},"Data quality policy and reviews",[46,4548,4549],{},"Evidence of corrections handled during the period",[46,4551,4552],{},"Sample of updated records",[11,4554,4261],{"id":4555},"p8-monitoring-and-enforcement",[16,4557,4558],{},"P8 closes the loop by requiring that privacy practices are monitored and enforced across the organization.",[38,4560,600],{"id":4561},"typical-controls-7",[43,4563,4564,4567,4570,4573,4576],{},[46,4565,4566],{},"Privacy training for staff",[46,4568,4569],{},"Periodic privacy compliance reviews",[46,4571,4572],{},"Investigation and remediation of privacy complaints",[46,4574,4575],{},"Privacy metrics reported to leadership",[46,4577,4578],{},"Enforcement actions (disciplinary procedures for violations)",[38,4580,624],{"id":4581},"evidence-expectations-7",[43,4583,4584,4587,4590,4593],{},[46,4585,4586],{},"Training completion records",[46,4588,4589],{},"Privacy reviews or assessments",[46,4591,4592],{},"Complaint log and resolutions",[46,4594,4595],{},"Metric reports to leadership",[11,4597,758],{"id":757},[16,4599,4600],{},"Privacy pulls heavily from the Common Criteria and often overlaps with confidentiality.",[43,4602,4603,4608,4614,4620,4628],{},[46,4604,4605,4607],{},[49,4606,2279],{}," — access restrictions on personal data",[46,4609,4610,4613],{},[49,4611,4612],{},"CC7 (monitoring)"," — detection of privacy events",[46,4615,4616,4619],{},[49,4617,4618],{},"CC9 (risk)"," — privacy risk assessment and 
vendor oversight",[46,4621,4622,4627],{},[49,4623,4624],{},[20,4625,4626],{"href":2456},"Confidentiality"," — technical controls like encryption apply to both",[46,4629,4630,4635],{},[49,4631,4632],{},[20,4633,4634],{"href":61},"Security"," — the foundation of privacy",[16,4637,4638],{},"A well-mapped control inventory lets a single encryption, access, or disposal control support multiple criteria simultaneously.",[11,4640,803],{"id":802},[16,4642,4643,4644,4646,4647,4649],{},"Privacy is often the last criterion added because of its scope. Organizations typically pursue security first, add availability or confidentiality based on customer commitments, and layer privacy on top when GDPR, CCPA, or enterprise privacy expectations demand it. Because privacy spans the entire data lifecycle, it benefits from strong ",[20,4645,2317],{"href":2316}," and a mature ",[20,4648,2394],{"href":2393}," program.",[16,4651,4652],{},"Buyers who request a SOC 2 report with privacy in scope are usually asking about operational discipline, not legal compliance. 
Pair SOC 2 Privacy with explicit GDPR or CCPA programs, DPAs, and regulatory filings for a complete privacy story.",[11,4654,1073],{"id":1072},[16,4656,4657],{},"Beyond the category-specific evidence listed above, auditors typically request:",[43,4659,4660,4663,4665,4667,4670,4673],{},[46,4661,4662],{},"Data map or inventory spanning the observation period",[46,4664,4378],{},[46,4666,4586],{},[46,4668,4669],{},"Executed DPAs and subprocessor lists",[46,4671,4672],{},"Full SAR case logs for the period",[46,4674,4675],{},"Breach response records if applicable",[11,4677,813],{"id":812},[43,4679,4680,4686,4692,4698,4704],{},[46,4681,4682,4685],{},[49,4683,4684],{},"Privacy policy without practice."," A published notice that does not reflect actual data flows fails walkthroughs fast.",[46,4687,4688,4691],{},[49,4689,4690],{},"No data map."," Without a data inventory, it is impossible to demonstrate P3 (collection limited to purpose) or P4 (retention by type).",[46,4693,4694,4697],{},[49,4695,4696],{},"Manual SAR handling with no audit trail."," Responses happen but nothing is logged. Auditors need the record.",[46,4699,4700,4703],{},[49,4701,4702],{},"Subprocessor gaps."," Vendors that process personal data without DPAs are a P6 finding.",[46,4705,4706,4709],{},[49,4707,4708],{},"Training as a checkbox."," Annual training that nobody actually completes is a P8 weakness.",[11,4711,849],{"id":848},[43,4713,4714,4717,4720,4723,4726],{},[46,4715,4716],{},"Build the data map first. Every privacy control depends on knowing what personal data exists, where, and why.",[46,4718,4719],{},"Treat consent as a system of record, not a form. A consent management platform that produces auditable records is far stronger than email trails.",[46,4721,4722],{},"Automate retention. Scheduled deletion jobs are cleaner evidence than manual cleanup.",[46,4724,4725],{},"Run a quarterly privacy review covering new data flows, new subprocessors, and any incidents. 
Document it.",[46,4727,4728],{},"Align SOC 2 Privacy work with your GDPR and CCPA programs so artifacts are reused.",[11,4730,483],{"id":482},[16,4732,4733,4734,875,4737,4739],{},"episki maps the P1 through P8 control categories to operational workflows — consent management, SAR tracking, data inventory, subprocessor management — and collects evidence continuously. ",[20,4735,492],{"href":489,"rel":4736},[491],[20,4738,878],{"href":22}," to see how privacy integrates with security, confidentiality, and the rest of the Trust Services Criteria.",{"title":495,"searchDepth":496,"depth":496,"links":4741},[4742,4743,4744,4748,4752,4756,4760,4764,4768,4772,4776,4777,4778,4779,4780,4781],{"id":4167,"depth":496,"text":4168},{"id":4180,"depth":496,"text":4181},{"id":4270,"depth":496,"text":4205,"children":4745},[4746,4747],{"id":599,"depth":502,"text":600},{"id":623,"depth":502,"text":624},{"id":4308,"depth":496,"text":4213,"children":4749},[4750,4751],{"id":651,"depth":502,"text":600},{"id":677,"depth":502,"text":624},{"id":4346,"depth":496,"text":4221,"children":4753},[4754,4755],{"id":707,"depth":502,"text":600},{"id":727,"depth":502,"text":624},{"id":4384,"depth":496,"text":4229,"children":4757},[4758,4759],{"id":4390,"depth":502,"text":600},{"id":4410,"depth":502,"text":624},{"id":4427,"depth":496,"text":4237,"children":4761},[4762,4763],{"id":4433,"depth":502,"text":600},{"id":4453,"depth":502,"text":624},{"id":4467,"depth":496,"text":4245,"children":4765},[4766,4767],{"id":4473,"depth":502,"text":600},{"id":4493,"depth":502,"text":624},{"id":4515,"depth":496,"text":4253,"children":4769},[4770,4771],{"id":4521,"depth":502,"text":600},{"id":4541,"depth":502,"text":624},{"id":4555,"depth":496,"text":4261,"children":4773},[4774,4775],{"id":4561,"depth":502,"text":600},{"id":4581,"depth":502,"text":624},{"id":757,"depth":496,"text":758},{"id":802,"depth":496,"text":803},{"id":1072,"depth":496,"text":1073},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{
"id":482,"depth":496,"text":483},"Deep dive on the SOC 2 Privacy Trust Services Criterion. The P1 through P8 series covering notice, choice, collection, use, access, disclosure, and quality.",{"items":4784},[4785,4788,4791,4794,4797],{"label":4786,"content":4787},"When should I include the privacy criterion in my SOC 2?","Include privacy when you collect and process personal information and want to demonstrate your privacy program to customers, regulators, or partners. Privacy is also common when buyers ask about GDPR, CCPA, or similar regulatory compliance and want independent attestation.",{"label":4789,"content":4790},"How does SOC 2 Privacy relate to GDPR and CCPA?","SOC 2 Privacy controls align closely with the principles in GDPR and CCPA — notice, consent, data subject rights, minimization, retention. A SOC 2 Privacy report is often used as evidence of operational discipline in these areas but does not itself demonstrate legal compliance with any specific regulation.",{"label":4792,"content":4793},"Is privacy the most demanding SOC 2 criterion?","Typically yes. Privacy has eight categories (P1 through P8), the most extensive control set, and touches every team that handles personal information. Adding privacy to an existing SOC 2 scope usually adds significant evidence and process work.",{"label":4795,"content":4796},"Do I need a separate privacy audit if I have SOC 2 Privacy?","The SOC 2 Privacy criterion is not a substitute for regulatory compliance. Many organizations use SOC 2 Privacy as operational evidence and maintain separate privacy impact assessments, DPAs, and regulatory filings as required by specific laws.",{"label":4798,"content":4799},"What is a Subject Access Request under the privacy criterion?","A Subject Access Request (SAR) is a request from an individual to access, correct, or delete their personal information. 
Under P5, the organization must have procedures to handle SARs within a reasonable time, verify identity, and document the response.",{},[2036,3598,524,1274],[926,4803,2460],"confidentiality-criteria",{"title":4805,"description":4806},"SOC 2 Privacy Criteria (2026): P1-P8 Series Deep Dive","Master the SOC 2 Privacy criterion. P1 notice, P2 choice, P3 collection, P4 use and retention, P5 access, P6 disclosure, P7 quality, P8 monitoring.","5.frameworks\u002Fsoc2\u002Fprivacy-criteria","SEAT5ForhomAbzrVxFRrpZL2bYX8BNfJZTMyOg8eIYY",{"id":4810,"title":4811,"body":4812,"description":5191,"extension":522,"faq":5192,"frameworkSlug":524,"lastUpdated":525,"meta":5209,"navigation":527,"path":4023,"relatedTerms":5210,"relatedTopics":5211,"seo":5212,"stem":5215,"__hash__":5216},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Freadiness-assessment.md","SOC 2 Readiness Assessment",{"type":8,"value":4813,"toc":5175},[4814,4818,4824,4830,4834,4837,4841,4844,4874,4877,4881,4884,4904,4910,4914,4917,4931,4934,4983,4987,4990,5010,5016,5020,5023,5034,5043,5047,5050,5070,5072,5075,5081,5085,5088,5108,5111,5113,5145,5147,5164,5166],[11,4815,4817],{"id":4816},"readiness-is-the-single-highest-leverage-phase-of-soc-2","Readiness is the single highest-leverage phase of SOC 2",[16,4819,4820,4821,4823],{},"A well-run ",[20,4822,23],{"href":22}," readiness assessment saves more time and money than any other activity in the compliance program. Skip it and you enter fieldwork with unknown gaps, triggering remediation mid-audit, extending timelines, and burning goodwill with your CPA firm. Do it properly and you arrive at the audit knowing exactly where you stand, with a clean, prioritized punch list already worked.",[16,4825,4826,4827,4829],{},"Readiness is not a dress rehearsal. It is a structured gap analysis that compares your current controls against the ",[20,4828,57],{"href":61}," you have selected and outputs a remediation plan. 
The plan — with owners, due dates, and evidence requirements — becomes the roadmap for the weeks or months before fieldwork begins.",[11,4831,4833],{"id":4832},"what-a-readiness-assessment-covers","What a readiness assessment covers",[16,4835,4836],{},"A SOC 2 readiness assessment has five components. Skipping any of them weakens the value of the output.",[38,4838,4840],{"id":4839},"_1-scoping","1. Scoping",[16,4842,4843],{},"Scoping defines what the audit will cover. This includes:",[43,4845,4846,4852,4857,4863,4869],{},[46,4847,4848,4851],{},[49,4849,4850],{},"Systems in scope",": the applications, infrastructure, databases, and third-party services that store, process, or transmit customer data",[46,4853,4854,4856],{},[49,4855,57],{},": security is required; availability, processing integrity, confidentiality, and privacy are optional and selected based on commitments",[46,4858,4859,4862],{},[49,4860,4861],{},"Locations",": physical offices or data centers in scope",[46,4864,4865,4868],{},[49,4866,4867],{},"Entities",": if the company has subsidiaries or separate business units, decide which are covered",[46,4870,4871,4873],{},[49,4872,371],{}," (for Type II): the start and end dates the auditor will test against",[16,4875,4876],{},"Scoping decisions made during readiness typically carry through to the audit contract. Changing scope mid-engagement is expensive.",[38,4878,4880],{"id":4879},"_2-control-inventory","2. Control inventory",[16,4882,4883],{},"Catalog every control currently in place that could contribute to SOC 2 coverage. 
Sources include:",[43,4885,4886,4889,4892,4895,4898,4901],{},[46,4887,4888],{},"Existing information security policy",[46,4890,4891],{},"Identity and access management configuration",[46,4893,4894],{},"Infrastructure and application security tooling",[46,4896,4897],{},"HR processes (onboarding, offboarding, training)",[46,4899,4900],{},"Vendor management practices",[46,4902,4903],{},"Incident response and business continuity plans",[16,4905,4906,4907,4909],{},"The output is a control inventory mapped to the categories of the ",[20,4908,80],{"href":79},". It does not need to be exhaustive — the goal is to understand what exists, not perfect it.",[38,4911,4913],{"id":4912},"_3-gap-analysis","3. Gap analysis",[16,4915,4916],{},"With scope and inventory defined, compare what you have against what the Trust Services Criteria require. For every point of focus, answer:",[43,4918,4919,4922,4925,4928],{},[46,4920,4921],{},"Is there a control in place?",[46,4923,4924],{},"Is the control documented?",[46,4926,4927],{},"Is the control operating?",[46,4929,4930],{},"Is there evidence the control operated over time (for Type II)?",[16,4932,4933],{},"Gaps fall into three categories.",[241,4935,4936,4948],{},[244,4937,4938],{},[247,4939,4940,4943,4945],{},[250,4941,4942],{},"Gap Type",[250,4944,2052],{},[250,4946,4947],{},"Typical Effort",[257,4949,4950,4961,4972],{},[247,4951,4952,4955,4958],{},[262,4953,4954],{},"Missing control",[262,4956,4957],{},"No control exists for the criterion",[262,4959,4960],{},"High — design and implement",[247,4962,4963,4966,4969],{},[262,4964,4965],{},"Undocumented control",[262,4967,4968],{},"Control exists but is not written down",[262,4970,4971],{},"Low — document what you do",[247,4973,4974,4977,4980],{},[262,4975,4976],{},"No evidence",[262,4978,4979],{},"Control exists but generates no auditable evidence",[262,4981,4982],{},"Medium — instrument evidence generation",[38,4984,4986],{"id":4985},"_4-remediation-planning","4. 
Remediation planning",[16,4988,4989],{},"Each gap becomes a remediation item with:",[43,4991,4992,4995,4998,5001,5004,5007],{},[46,4993,4994],{},"Description of what is missing",[46,4996,4997],{},"Owner (named individual or team)",[46,4999,5000],{},"Priority (must-fix before audit vs nice-to-have)",[46,5002,5003],{},"Estimated effort",[46,5005,5006],{},"Due date aligned to the audit timeline",[46,5008,5009],{},"Evidence requirement after remediation",[16,5011,5012,5013,5015],{},"Prioritize gaps that are likely to be tested first and gaps that take the longest to close. Examples of items that frequently need the most lead time: centralized logging deployment, MFA rollout to all in-scope systems, policy set formalization, and vendor assessments. See ",[20,5014,2317],{"href":2316}," for the policy baseline most SOC 2 programs need.",[38,5017,5019],{"id":5018},"_5-evidence-catalog","5. Evidence catalog",[16,5021,5022],{},"For every control — existing or newly created — identify the evidence the auditor will request. Evidence may be:",[43,5024,5025,5028,5031],{},[46,5026,5027],{},"Static documents (policies, agreements, plans)",[46,5029,5030],{},"Snapshots (access review exports, configuration screenshots)",[46,5032,5033],{},"Continuous artifacts (logs, tickets, alerts) for Type II",[16,5035,5036,5037,749,5039,799],{},"The catalog prevents the scramble during fieldwork when auditors send their first request list and the team realizes half the evidence is not where it needs to be. 
Related glossary: ",[20,5038,2549],{"href":2548},[20,5040,5042],{"href":5041},"\u002Fglossary\u002Fremediation","remediation",[11,5044,5046],{"id":5045},"how-readiness-connects-to-type-i-and-type-ii","How readiness connects to Type I and Type II",[16,5048,5049],{},"Readiness is typically the first stop on the path to a SOC 2 report.",[43,5051,5052,5062,5067],{},[46,5053,5054,5055,5058,5059,799],{},"If your next report will be ",[49,5056,5057],{},"Type I",", readiness identifies gaps to close so control design passes. Remediation must be complete before the Type I reporting date. See ",[20,5060,5061],{"href":190},"SOC 2 Type 1 vs Type 2",[46,5063,5054,5064,5066],{},[49,5065,3149],{},", readiness closes gaps so controls can operate cleanly across the observation period. Any remediation that happens during the observation period creates the risk that the auditor will observe control failures earlier in the period.",[46,5068,5069],{},"If you plan to skip Type I and go straight to Type II, readiness is even more important because there is no point-in-time checkpoint to catch design flaws before the observation clock starts.",[11,5071,803],{"id":802},[16,5073,5074],{},"Readiness is not a Trust Services Criterion itself but supports CC3 (risk assessment) and CC4 (monitoring activities). The readiness output becomes evidence that the organization assessed control adequacy and took action. Many auditors ask to see the readiness assessment or equivalent gap analysis during fieldwork as an indicator of program maturity.",[16,5076,5077,5078,799],{},"Readiness also informs scoping conversations with the CPA firm. Sharing your gap analysis with a prospective auditor during the selection process demonstrates seriousness and can help estimate fieldwork effort accurately. 
This in turn affects the ",[20,5079,5080],{"href":169},"cost estimate",[11,5082,5084],{"id":5083},"deliverables-of-a-good-readiness-assessment","Deliverables of a good readiness assessment",[16,5086,5087],{},"By the end of readiness, you should have:",[43,5089,5090,5093,5096,5099,5102,5105],{},[46,5091,5092],{},"A written scope statement (systems, criteria, observation period)",[46,5094,5095],{},"A control inventory mapped to the Trust Services Criteria",[46,5097,5098],{},"A gap analysis document",[46,5100,5101],{},"A remediation plan with owners and due dates",[46,5103,5104],{},"An evidence catalog listing required artifacts per control",[46,5106,5107],{},"A refined understanding of likely audit cost and timeline",[16,5109,5110],{},"These artifacts are worth maintaining after readiness ends — they become the operating system of the SOC 2 program through the audit and beyond.",[11,5112,813],{"id":812},[43,5114,5115,5121,5127,5133,5139],{},[46,5116,5117,5120],{},[49,5118,5119],{},"Scoping too broadly."," Including criteria you have no customer commitment for adds work without adding value. Start tight.",[46,5122,5123,5126],{},[49,5124,5125],{},"Skipping evidence planning."," Identifying gaps without identifying how evidence will be produced leads to scrambling later.",[46,5128,5129,5132],{},[49,5130,5131],{},"No owner on remediation items."," Items without owners stall. Every gap needs a name attached.",[46,5134,5135,5138],{},[49,5136,5137],{},"Treating readiness as a document exercise."," Readiness is an operational sprint, not a report. The goal is to close gaps, not just describe them.",[46,5140,5141,5144],{},[49,5142,5143],{},"Using readiness as a substitute for Type I."," Some buyers ask for Type I specifically. 
Readiness is not an auditor's opinion and does not satisfy that request.",[11,5146,849],{"id":848},[43,5148,5149,5152,5155,5158,5161],{},[46,5150,5151],{},"Start readiness at least three months before you want to begin fieldwork for Type I, or before the observation period begins for Type II.",[46,5153,5154],{},"Use your compliance platform to run the gap analysis rather than a spreadsheet. The platform becomes the living record after readiness ends.",[46,5156,5157],{},"Involve engineering, IT, HR, and legal from day one. SOC 2 is cross-functional, and single-team readiness misses gaps.",[46,5159,5160],{},"Review the readiness output with your prospective auditor before signing the engagement letter. They may flag scoping issues or evidence expectations.",[46,5162,5163],{},"Re-run readiness annually or whenever scope changes. The program is never done.",[11,5165,483],{"id":482},[16,5167,5168,5169,2721,5172,5174],{},"episki ships with a pre-mapped SOC 2 control library, scoping wizard, gap analysis engine, and remediation tracker — turning readiness from a multi-week consulting engagement into a workflow your team can run in-house. ",[20,5170,492],{"href":489,"rel":5171},[491],[20,5173,878],{"href":22}," to see how readiness connects to the rest of the audit lifecycle.",{"title":495,"searchDepth":496,"depth":496,"links":5176},[5177,5178,5185,5186,5187,5188,5189,5190],{"id":4816,"depth":496,"text":4817},{"id":4832,"depth":496,"text":4833,"children":5179},[5180,5181,5182,5183,5184],{"id":4839,"depth":502,"text":4840},{"id":4879,"depth":502,"text":4880},{"id":4912,"depth":502,"text":4913},{"id":4985,"depth":502,"text":4986},{"id":5018,"depth":502,"text":5019},{"id":5045,"depth":496,"text":5046},{"id":802,"depth":496,"text":803},{"id":5083,"depth":496,"text":5084},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"How to run a SOC 2 readiness assessment. 
Gap analysis, scoping, remediation planning, and preparing for Type I fieldwork.",{"items":5193},[5194,5197,5200,5203,5206],{"label":5195,"content":5196},"What is a SOC 2 readiness assessment?","A SOC 2 readiness assessment is an internal or consultant-led review that compares your current controls against the Trust Services Criteria you intend to audit. The output is a gap analysis and a prioritized remediation plan for closing gaps before fieldwork begins.",{"label":5198,"content":5199},"Do I need a consultant to run a readiness assessment?","No. Many teams run readiness internally using the Trust Services Criteria and a compliance platform. Consultants can accelerate the process and bring benchmarking data, but the work is not so specialized that you cannot do it in-house.",{"label":5201,"content":5202},"How long does a readiness assessment take?","Typically two to six weeks for the assessment itself, depending on the size of the environment and the number of criteria in scope. Remediation of identified gaps usually takes an additional four to twelve weeks.",{"label":5204,"content":5205},"Can I skip readiness and go straight to the audit?","Technically yes, but organizations that skip readiness usually discover significant gaps during fieldwork, which is expensive and extends the timeline. Readiness is cheaper insurance.",{"label":5207,"content":5208},"What is the difference between a readiness assessment and the Type I audit?","Readiness is internal and non-binding. The Type I audit is performed by a licensed CPA firm and produces an official opinion. Readiness identifies gaps; Type I attests that controls are designed correctly as of a specific date.",{},[524,530,1274,5042],[1977,532,2460],{"title":5213,"description":5214},"SOC 2 Readiness Assessment (2026): Gap Analysis & Scoping","Run a SOC 2 readiness assessment that actually prepares you for Type I. 
Scoping, gap analysis, remediation prioritization, and timeline planning.","5.frameworks\u002Fsoc2\u002Freadiness-assessment","LXYZZpTRaWcjLeZ5NifO3NYIccKPVRAiyQhEg7LwuCw",{"id":5218,"title":5219,"body":5220,"description":5625,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":5626,"navigation":527,"path":79,"relatedTerms":5627,"relatedTopics":5628,"seo":5629,"stem":5632,"__hash__":5633},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Frequirements.md","SOC 2 Requirements",{"type":8,"value":5221,"toc":5611},[5222,5226,5234,5240,5244,5247,5251,5254,5310,5313,5317,5320,5337,5340,5344,5347,5364,5367,5371,5374,5390,5393,5397,5400,5417,5420,5424,5427,5509,5516,5520,5523,5560,5566,5568,5599,5601],[11,5223,5225],{"id":5224},"what-are-the-soc-2-requirements","What are the SOC 2 requirements?",[16,5227,5228,5229,5233],{},"SOC 2 is not a prescriptive checklist like ",[20,5230,5232],{"href":5231},"\u002Fframeworks\u002Fpci","PCI DSS",". Instead, it is a principles-based framework built around the AICPA's Trust Services Criteria. That flexibility is powerful, but it also means organizations must interpret the criteria and design controls that fit their specific environment.",[16,5235,5236,5237,5239],{},"At its core, ",[20,5238,2782],{"href":22}," requires that an organization demonstrate it has designed and implemented controls that satisfy the applicable Trust Services Criteria. Security is mandatory for every SOC 2 engagement. The remaining four criteria — availability, processing integrity, confidentiality, and privacy — are selected based on the services the organization provides and the commitments it makes to customers.",[11,5241,5243],{"id":5242},"the-five-trust-services-criteria","The five Trust Services Criteria",[16,5245,5246],{},"Each criterion contains a set of points of focus that auditors use to evaluate whether controls are suitably designed and operating effectively. 
Below is a summary of what each criterion requires.",[38,5248,5250],{"id":5249},"_1-security-common-criteria-required","1. Security (Common Criteria) — required",[16,5252,5253],{},"Security is the foundation of every SOC 2 report. It addresses whether the system is protected against unauthorized access, both physical and logical. The Common Criteria map closely to the COSO framework and cover nine broad categories:",[43,5255,5256,5262,5268,5274,5280,5286,5292,5298,5304],{},[46,5257,5258,5261],{},[49,5259,5260],{},"CC1 — Control environment",": Governance structures, board oversight, organizational accountability, and ethical values.",[46,5263,5264,5267],{},[49,5265,5266],{},"CC2 — Communication and information",": Internal and external communication about policies, objectives, and responsibilities.",[46,5269,5270,5273],{},[49,5271,5272],{},"CC3 — Risk assessment",": Identifying and analyzing risks to achieving objectives, including fraud risk.",[46,5275,5276,5279],{},[49,5277,5278],{},"CC4 — Monitoring activities",": Ongoing evaluations to verify controls are present and functioning.",[46,5281,5282,5285],{},[49,5283,5284],{},"CC5 — Control activities",": Policies and procedures that mitigate identified risks, including technology general controls.",[46,5287,5288,5291],{},[49,5289,5290],{},"CC6 — Logical and physical access",": Restrictions on system access, credential management, encryption, and physical security.",[46,5293,5294,5297],{},[49,5295,5296],{},"CC7 — System operations",": Monitoring infrastructure for anomalies, incident detection, and response procedures.",[46,5299,5300,5303],{},[49,5301,5302],{},"CC8 — Change management",": Controls over changes to infrastructure, software, and configurations.",[46,5305,5306,5309],{},[49,5307,5308],{},"CC9 — Risk mitigation",": Identifying, selecting, and developing activities that address risks from business disruptions and vendor relationships.",[16,5311,5312],{},"Most startups find that CC6, CC7, and CC8 demand the 
most effort because they require tangible technical controls and ongoing evidence.",[38,5314,5316],{"id":5315},"_2-availability","2. Availability",[16,5318,5319],{},"The availability criterion applies when the organization has made commitments about system uptime or disaster recovery. Requirements include:",[43,5321,5322,5325,5328,5331,5334],{},[46,5323,5324],{},"Defined and communicated availability commitments (SLAs, status pages)",[46,5326,5327],{},"Capacity planning and performance monitoring",[46,5329,5330],{},"Disaster recovery and business continuity plans that are tested regularly",[46,5332,5333],{},"Incident response procedures for availability-impacting events",[46,5335,5336],{},"Backup and restoration processes with documented recovery point and recovery time objectives",[16,5338,5339],{},"If your product has an SLA in customer contracts, availability is almost certainly in scope.",[38,5341,5343],{"id":5342},"_3-processing-integrity","3. Processing integrity",[16,5345,5346],{},"Processing integrity focuses on whether the system processes data completely, accurately, and in a timely manner. This is relevant for platforms that perform calculations, transactions, or data transformations. Requirements include:",[43,5348,5349,5352,5355,5358,5361],{},[46,5350,5351],{},"Input validation and error handling",[46,5353,5354],{},"Processing monitoring and reconciliation",[46,5356,5357],{},"Output reviews and quality assurance",[46,5359,5360],{},"Defined processing objectives and tolerances",[46,5362,5363],{},"Procedures for handling processing errors and exceptions",[16,5365,5366],{},"Fintech companies, data pipelines, and billing platforms commonly include this criterion.",[38,5368,5370],{"id":5369},"_4-confidentiality","4. Confidentiality",[16,5372,5373],{},"Confidentiality applies to information designated as confidential, such as intellectual property, business plans, or data shared under NDA. 
Requirements include:",[43,5375,5376,5379,5381,5384,5387],{},[46,5377,5378],{},"Classification and labeling of confidential information",[46,5380,2112],{},[46,5382,5383],{},"Encryption in transit and at rest for confidential data",[46,5385,5386],{},"Secure disposal procedures when confidentiality obligations expire",[46,5388,5389],{},"Monitoring for unauthorized disclosure",[16,5391,5392],{},"Many organizations choose confidentiality in addition to security because customer contracts explicitly reference confidential data handling.",[38,5394,5396],{"id":5395},"_5-privacy","5. Privacy",[16,5398,5399],{},"Privacy addresses personal information collected, used, retained, disclosed, and disposed of in accordance with the organization's privacy notice. It is closely aligned with regulations like GDPR and CCPA. Requirements include:",[43,5401,5402,5405,5408,5411,5414],{},[46,5403,5404],{},"A published privacy notice that describes data practices",[46,5406,5407],{},"Consent mechanisms and choice management",[46,5409,5410],{},"Data minimization and purpose limitation",[46,5412,5413],{},"Subject access, correction, and deletion processes",[46,5415,5416],{},"Breach notification procedures",[16,5418,5419],{},"If your organization processes personal data and has a public privacy policy, auditors will evaluate whether your practices match your stated commitments.",[11,5421,5423],{"id":5422},"common-controls-that-satisfy-soc-2-requirements","Common controls that satisfy SOC 2 requirements",[16,5425,5426],{},"While every organization's control set is different, certain controls appear in nearly every SOC 2 environment:",[241,5428,5429,5439],{},[244,5430,5431],{},[247,5432,5433,5436],{},[250,5434,5435],{},"Control area",[250,5437,5438],{},"Examples",[257,5440,5441,5449,5457,5464,5471,5479,5486,5493,5501],{},[247,5442,5443,5446],{},[262,5444,5445],{},"Access management",[262,5447,5448],{},"SSO with MFA, role-based access, quarterly access 
reviews",[247,5450,5451,5454],{},[262,5452,5453],{},"Endpoint security",[262,5455,5456],{},"MDM enrollment, disk encryption, automated patching",[247,5458,5459,5461],{},[262,5460,1567],{},[262,5462,5463],{},"Firewalls, segmentation, intrusion detection",[247,5465,5466,5468],{},[262,5467,3453],{},[262,5469,5470],{},"Pull request reviews, CI\u002FCD pipelines, rollback procedures",[247,5472,5473,5476],{},[262,5474,5475],{},"Logging and monitoring",[262,5477,5478],{},"Centralized log aggregation, alerting on anomalies, SIEM",[247,5480,5481,5483],{},[262,5482,1162],{},[262,5484,5485],{},"Documented IR plan, tabletop exercises, post-mortems",[247,5487,5488,5490],{},[262,5489,3457],{},[262,5491,5492],{},"Third-party risk assessments, contract reviews, ongoing monitoring",[247,5494,5495,5498],{},[262,5496,5497],{},"HR security",[262,5499,5500],{},"Background checks, security awareness training, offboarding checklists",[247,5502,5503,5506],{},[262,5504,5505],{},"Data protection",[262,5507,5508],{},"Encryption at rest and in transit, key management, backup verification",[16,5510,5511,5512,5515],{},"The key is not just having these controls in place but being able to demonstrate they are operating consistently. 
That evidence collection burden is where most teams struggle, especially during a ",[20,5513,5514],{"href":190},"SOC 2 Type II audit"," that examines an extended observation period.",[11,5517,5519],{"id":5518},"scoping-your-soc-2-requirements","Scoping your SOC 2 requirements",[16,5521,5522],{},"Before you start building controls, define your scope carefully:",[198,5524,5525,5530,5535,5541,5550],{},[46,5526,5527,5529],{},[49,5528,1340],{}," — which applications, infrastructure, and third-party services touch customer data.",[46,5531,5532,5534],{},[49,5533,1349],{}," — start with security and add criteria that align with customer commitments and contractual obligations.",[46,5536,5537,5540],{},[49,5538,5539],{},"Map existing controls"," — many organizations already satisfy 40-60% of SOC 2 requirements through existing security practices.",[46,5542,5543,5546,5547,5549],{},[49,5544,5545],{},"Perform a gap analysis"," — compare current state against the ",[20,5548,57],{"href":61}," to identify missing or immature controls.",[46,5551,5552,5555,5556,5559],{},[49,5553,5554],{},"Prioritize remediation"," — address high-risk gaps first, then work through lower-priority items before the ",[20,5557,5558],{"href":528},"audit"," begins.",[16,5561,5562,5563,5565],{},"A well-scoped audit reduces ",[20,5564,534],{"href":169}," and avoids scope creep that delays the timeline.",[11,5567,813],{"id":812},[43,5569,5570,5576,5582,5593],{},[46,5571,5572,5575],{},[49,5573,5574],{},"Over-scoping",": Including systems or criteria that are not relevant increases evidence requirements and audit complexity.",[46,5577,5578,5581],{},[49,5579,5580],{},"Under-documenting",": Controls exist but lack written policies, procedures, or evidence. 
Auditors need proof, not assertions.",[46,5583,5584,5587,5588,5592],{},[49,5585,5586],{},"Ignoring the human element",": Technical controls are important, but ",[20,5589,5591],{"href":5590},"\u002Fglossary\u002Fgrc","GRC"," programs also require training, awareness, and accountability.",[46,5594,5595,5598],{},[49,5596,5597],{},"Treating SOC 2 as a one-time project",": SOC 2 is an ongoing commitment. Controls must operate continuously, not just during audit prep.",[11,5600,483],{"id":482},[16,5602,5603,5604,2927,5606,5610],{},"episki maps every Trust Services Criteria point of focus to actionable controls with suggested narratives, testing procedures, and evidence requirements. Instead of building your control matrix in a spreadsheet, you get a structured workspace where controls are linked to owners, evidence, and review cadences from day one. Pre-loaded templates cover the most common control patterns, and the platform highlights gaps so you know exactly what needs attention before your auditor arrives. 
",[20,5605,2926],{"href":2925},[20,5607,5609],{"href":489,"rel":5608},[491],"start a free trial"," to see the full SOC 2 control library.",{"title":495,"searchDepth":496,"depth":496,"links":5612},[5613,5614,5621,5622,5623,5624],{"id":5224,"depth":496,"text":5225},{"id":5242,"depth":496,"text":5243,"children":5615},[5616,5617,5618,5619,5620],{"id":5249,"depth":502,"text":5250},{"id":5315,"depth":502,"text":5316},{"id":5342,"depth":502,"text":5343},{"id":5369,"depth":502,"text":5370},{"id":5395,"depth":502,"text":5396},{"id":5422,"depth":496,"text":5423},{"id":5518,"depth":496,"text":5519},{"id":812,"depth":496,"text":813},{"id":482,"depth":496,"text":483},"A detailed breakdown of SOC 2 requirements across the five Trust Services Criteria, including what auditors expect, common controls, and how to scope your audit.",{},[524,530,1975],[926,3276,1977],{"title":5630,"description":5631},"SOC 2 Requirements Explained — What You Need to Know","Understand SOC 2 requirements across all five Trust Services Criteria. 
Learn what auditors expect, common controls, and how to scope your audit effectively.","5.frameworks\u002Fsoc2\u002Frequirements","MXHlQl2PdzvSq1w0Cnjvgqf6-Xsq-1noyoweHPR3Gfw",{"id":5635,"title":5636,"body":5637,"description":6127,"extension":522,"faq":6128,"frameworkSlug":524,"lastUpdated":525,"meta":6145,"navigation":527,"path":6146,"relatedTerms":6147,"relatedTopics":6151,"seo":6152,"stem":6155,"__hash__":6156},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fsoc1-vs-soc2.md","SOC 1 vs SOC 2 vs SOC 3",{"type":8,"value":5638,"toc":6103},[5639,5643,5651,5654,5658,5782,5786,5789,5793,5816,5820,5827,5830,5847,5851,5854,5858,5864,5868,5871,5891,5895,5898,5912,5916,5928,5932,5935,5939,5942,5946,5957,5960,5964,5967,5971,5974,5977,6006,6013,6017,6020,6040,6043,6045,6071,6073,6091,6093],[11,5640,5642],{"id":5641},"soc-1-soc-2-and-soc-3-solve-different-problems","SOC 1, SOC 2, and SOC 3 solve different problems",[16,5644,5645,5646,5650],{},"The \"SOC\" in SOC 1, SOC 2, and SOC 3 stands for System and Organization Controls — a reporting suite from the AICPA for service organizations. The three reports share a common heritage in the ",[20,5647,5649],{"href":5648},"\u002Fglossary\u002Fssae-18","SSAE 18"," attestation standard, but they address different audiences and different kinds of controls. 
Choosing the right report is a strategic decision that depends on what your company does, who your buyers are, and what those buyers need for their own compliance and risk programs.",[16,5652,5653],{},"This page compares the three at a practical level, including when each applies and how they interact in organizations that maintain more than one.",[11,5655,5657],{"id":5656},"the-three-reports-at-a-glance","The three reports at a glance",[241,5659,5660,5675],{},[244,5661,5662],{},[247,5663,5664,5667,5670,5672],{},[250,5665,5666],{},"Dimension",[250,5668,5669],{},"SOC 1",[250,5671,23],{},[250,5673,5674],{},"SOC 3",[257,5676,5677,5692,5707,5723,5737,5752,5766],{},[247,5678,5679,5683,5686,5689],{},[262,5680,5681],{},[49,5682,4198],{},[262,5684,5685],{},"Controls over financial reporting",[262,5687,5688],{},"Security, availability, integrity, confidentiality, privacy",[262,5690,5691],{},"Same criteria as SOC 2",[247,5693,5694,5699,5702,5705],{},[262,5695,5696],{},[49,5697,5698],{},"Framework",[262,5700,5701],{},"SSAE 18 — control objectives",[262,5703,5704],{},"SSAE 18 — Trust Services Criteria",[262,5706,5704],{},[247,5708,5709,5714,5717,5720],{},[262,5710,5711],{},[49,5712,5713],{},"Audience",[262,5715,5716],{},"Customer auditors, finance teams",[262,5718,5719],{},"Customer security, procurement, risk teams",[262,5721,5722],{},"General public, marketing",[247,5724,5725,5730,5733,5735],{},[262,5726,5727],{},[49,5728,5729],{},"Distribution",[262,5731,5732],{},"Restricted (NDA)",[262,5734,5732],{},[262,5736,2062],{},[247,5738,5739,5744,5747,5749],{},[262,5740,5741],{},[49,5742,5743],{},"Contents",[262,5745,5746],{},"Detailed system description, controls, tests, opinion",[262,5748,5746],{},[262,5750,5751],{},"Short summary with auditor opinion",[247,5753,5754,5758,5761,5763],{},[262,5755,5756],{},[49,5757,1331],{},[262,5759,5760],{},"Both exist",[262,5762,5760],{},[262,5764,5765],{},"Effectively Type II 
only",[247,5767,5768,5773,5776,5779],{},[262,5769,5770],{},[49,5771,5772],{},"Typical pursuer",[262,5774,5775],{},"Payroll, billing, financial service providers",[262,5777,5778],{},"SaaS companies, cloud service providers",[262,5780,5781],{},"Companies wanting public assurance",[11,5783,5785],{"id":5784},"soc-1-in-depth","SOC 1 in depth",[16,5787,5788],{},"SOC 1 reports on a service organization's controls that are relevant to customer financial reporting. The standard applies when a service organization performs functions that, if controlled weakly, could lead to misstatements in the customer's financial statements.",[38,5790,5792],{"id":5791},"when-soc-1-applies","When SOC 1 applies",[43,5794,5795,5798,5801,5804,5807,5810,5813],{},[46,5796,5797],{},"Payroll service providers whose processing affects customer payroll liabilities",[46,5799,5800],{},"Benefits administrators",[46,5802,5803],{},"Claims processing for insurance",[46,5805,5806],{},"Transaction processing for banks and fintechs",[46,5808,5809],{},"Billing or invoicing platforms that record customer revenue",[46,5811,5812],{},"Fund administrators and asset management services",[46,5814,5815],{},"ERP-adjacent services that feed customer accounting systems",[38,5817,5819],{"id":5818},"what-soc-1-tests","What SOC 1 tests",[16,5821,5822,5823,5826],{},"SOC 1 is organized around ",[49,5824,5825],{},"control objectives"," defined by the service organization based on the financial statement impact of their services. 
The auditor evaluates whether controls are designed (Type I) or operating effectively (Type II) to achieve those objectives.",[16,5828,5829],{},"Typical control objectives in a SOC 1 report might cover:",[43,5831,5832,5835,5838,5841,5844],{},[46,5833,5834],{},"Transaction processing accuracy and completeness",[46,5836,5837],{},"Timely recording of transactions",[46,5839,5840],{},"Authorization of processing changes",[46,5842,5843],{},"Access restrictions to financial systems",[46,5845,5846],{},"Protection of financial data",[38,5848,5850],{"id":5849},"who-reads-soc-1","Who reads SOC 1",[16,5852,5853],{},"The primary audience is the customer's financial statement auditor. Under PCAOB and AICPA standards, customer auditors must understand and, in some cases, test controls at service organizations that affect their audit. A service organization that produces a SOC 1 gives customer auditors a ready-made reference they can rely on.",[11,5855,5857],{"id":5856},"soc-2-in-depth","SOC 2 in depth",[16,5859,5860,5861,5863],{},"SOC 2 reports on controls aligned to the ",[20,5862,57],{"href":61}," — security (required), availability, processing integrity, confidentiality, and privacy. Unlike SOC 1, which is oriented around financial reporting, SOC 2 is oriented around how a service organization protects and manages customer data.",[38,5865,5867],{"id":5866},"when-soc-2-applies","When SOC 2 applies",[16,5869,5870],{},"SOC 2 applies broadly to any service organization that handles customer data. 
Common pursuers include:",[43,5872,5873,5876,5879,5882,5885,5888],{},[46,5874,5875],{},"B2B SaaS platforms",[46,5877,5878],{},"Cloud infrastructure and managed service providers",[46,5880,5881],{},"Data analytics and processing companies",[46,5883,5884],{},"CRM, marketing automation, and customer success platforms",[46,5886,5887],{},"Fintech platforms (often in combination with SOC 1)",[46,5889,5890],{},"Healthcare technology (often in combination with HIPAA)",[38,5892,5894],{"id":5893},"what-soc-2-tests","What SOC 2 tests",[16,5896,5897],{},"SOC 2 tests controls against the applicable Trust Services Criteria. Security is required in every SOC 2 engagement; additional criteria are selected based on customer commitments. The auditor assesses:",[43,5899,5900,5903,5906,5909],{},[46,5901,5902],{},"Design of controls (Type I) or design plus operating effectiveness (Type II)",[46,5904,5905],{},"Evidence produced across the observation period (for Type II)",[46,5907,5908],{},"Whether each selected criterion is met — the points of focus guide the evaluation, but not every point of focus has to be addressed by a separate control",[46,5910,5911],{},"Exceptions or deficiencies identified during testing",[38,5913,5915],{"id":5914},"who-reads-soc-2","Who reads SOC 2",[16,5917,5918,5919,5922,5923,5927],{},"The primary audience is the customer's security, risk, or procurement team. SOC 2 is requested during vendor due diligence, security questionnaires, and contract negotiations. See ",[20,5920,5921],{"href":190},"type 1 vs type 2"," and the ",[20,5924,5926],{"href":5925},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2 glossary entry"," for more.",[11,5929,5931],{"id":5930},"soc-3-in-depth","SOC 3 in depth",[16,5933,5934],{},"SOC 3 is a short-form public report based on the same Trust Services Criteria as SOC 2. It produces an auditor's opinion without the detailed system description or control testing results that fill a SOC 2 report.",[38,5936,5938],{"id":5937},"when-soc-3-applies","When SOC 3 applies",[16,5940,5941],{},"SOC 3 is optional. 
Organizations produce it when they want a public-facing assurance document — often to display on a trust page or use in marketing materials. The report can be freely distributed and does not require an NDA.",[38,5943,5945],{"id":5944},"what-soc-3-contains","What SOC 3 contains",[43,5947,5948,5951,5954],{},[46,5949,5950],{},"Company description and services covered",[46,5952,5953],{},"Auditor's opinion on whether controls met the criteria",[46,5955,5956],{},"Management's assertion about its system",[16,5958,5959],{},"SOC 3 does not contain the control descriptions, testing procedures, or results that are standard in SOC 2. Enterprise buyers generally do not accept SOC 3 in lieu of SOC 2.",[38,5961,5963],{"id":5962},"who-reads-soc-3","Who reads SOC 3",[16,5965,5966],{},"The general public — prospects browsing your trust page, press researching your security posture, smaller buyers who do not have a formal vendor assessment process. For buyers with mature procurement, SOC 3 is a marketing artifact and SOC 2 is the substantive document.",[11,5968,5970],{"id":5969},"how-this-fits-into-the-broader-compliance-picture","How this fits into the broader compliance picture",[16,5972,5973],{},"SOC 2 is the most common report and the default starting point for B2B SaaS. SOC 1 is added when the organization touches financial reporting. 
SOC 3 is added for public-facing assurance.",[16,5975,5976],{},"Related frameworks that buyers may ask about alongside SOC:",[43,5978,5979,5986,5993,6000],{},[46,5980,5981,5985],{},[49,5982,5983],{},[20,5984,28],{"href":27}," — international security certification; complements SOC 2 in global markets",[46,5987,5988,5992],{},[49,5989,5990],{},[20,5991,3202],{"href":3201}," — US healthcare law; SOC 2 controls cover many HIPAA safeguards",[46,5994,5995,5999],{},[49,5996,5997],{},[20,5998,5232],{"href":5231}," — payment card industry standard; applies when cardholder data is handled",[46,6001,6002,6005],{},[49,6003,6004],{},"NIST CSF"," — US government-adjacent framework; maps well to SOC 2 security",[16,6007,6008,6009,799],{},"For tooling comparisons, see ",[20,6010,6012],{"href":6011},"\u002Fcompare\u002Fvs\u002Fvanta-vs-drata","Vanta vs Drata",[11,6014,6016],{"id":6015},"can-you-pursue-multiple-soc-reports","Can you pursue multiple SOC reports?",[16,6018,6019],{},"Yes. Many service organizations maintain both SOC 1 and SOC 2, and add SOC 3 for public assurance.",[43,6021,6022,6028,6034],{},[46,6023,6024,6027],{},[49,6025,6026],{},"SOC 1 + SOC 2"," is common for fintech and billing platforms. The same CPA firm can usually perform both audits in the same cycle with shared walkthroughs where controls overlap.",[46,6029,6030,6033],{},[49,6031,6032],{},"SOC 2 + SOC 3"," is common for SaaS companies that want public assurance. 
The SOC 3 is often produced from the same underlying engagement as a companion deliverable.",[46,6035,6036,6039],{},[49,6037,6038],{},"SOC 1 + SOC 2 + SOC 3"," is rare but possible for companies with diverse customer bases.",[16,6041,6042],{},"The cost of an additional report is typically less than the cost of a standalone engagement because controls, evidence, and walkthroughs are shared.",[11,6044,813],{"id":812},[43,6046,6047,6053,6059,6065],{},[46,6048,6049,6052],{},[49,6050,6051],{},"Pursuing SOC 1 when SOC 2 is what buyers want."," SOC 1 is irrelevant to most security questionnaires. Verify with your sales team which report prospects are asking for.",[46,6054,6055,6058],{},[49,6056,6057],{},"Assuming SOC 3 replaces SOC 2."," Enterprise buyers will still ask for SOC 2. Use SOC 3 as a complement, not a substitute.",[46,6060,6061,6064],{},[49,6062,6063],{},"Single auditor for all reports without shared evidence."," If you engage one CPA firm for multiple reports, insist on shared walkthroughs and evidence where possible. This is one of the main reasons to use one firm.",[46,6066,6067,6070],{},[49,6068,6069],{},"Missing the financial reporting link."," If customers' auditors request information about your controls during their audit, you probably need SOC 1. Listen for this signal.",[11,6072,849],{"id":848},[43,6074,6075,6078,6085,6088],{},[46,6076,6077],{},"Before starting any SOC report, confirm with your top customers and prospects which report they want.",[46,6079,6080,6081,6084],{},"If you may eventually need both SOC 1 and SOC 2, scope them together during ",[20,6082,6083],{"href":4023},"readiness"," so the control inventory covers both.",[46,6086,6087],{},"Treat SOC 3 as a marketing project once SOC 2 is in place. It is inexpensive to add.",[46,6089,6090],{},"Renew each report annually to maintain continuous coverage. 
Gaps between reports can block deals.",[11,6092,483],{"id":482},[16,6094,6095,6096,6099,6100,6102],{},"episki supports SOC 1 and SOC 2 programs in the same workspace. Controls tagged to financial reporting objectives feed SOC 1, and controls tagged to Trust Services Criteria feed SOC 2 — with shared evidence when controls satisfy both. ",[20,6097,492],{"href":489,"rel":6098},[491]," or see the broader ",[20,6101,878],{"href":22}," to learn how multi-report programs run together.",{"title":495,"searchDepth":496,"depth":496,"links":6104},[6105,6106,6107,6112,6117,6122,6123,6124,6125,6126],{"id":5641,"depth":496,"text":5642},{"id":5656,"depth":496,"text":5657},{"id":5784,"depth":496,"text":5785,"children":6108},[6109,6110,6111],{"id":5791,"depth":502,"text":5792},{"id":5818,"depth":502,"text":5819},{"id":5849,"depth":502,"text":5850},{"id":5856,"depth":496,"text":5857,"children":6113},[6114,6115,6116],{"id":5866,"depth":502,"text":5867},{"id":5893,"depth":502,"text":5894},{"id":5914,"depth":502,"text":5915},{"id":5930,"depth":496,"text":5931,"children":6118},[6119,6120,6121],{"id":5937,"depth":502,"text":5938},{"id":5944,"depth":502,"text":5945},{"id":5962,"depth":502,"text":5963},{"id":5969,"depth":496,"text":5970},{"id":6015,"depth":496,"text":6016},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"The differences between SOC 1, SOC 2, and SOC 3 reports. When each applies, which buyers request which, and how to choose the right report for your company.",{"items":6129},[6130,6133,6136,6139,6142],{"label":6131,"content":6132},"What is the difference between SOC 1 and SOC 2?","SOC 1 reports on controls relevant to financial reporting — typically for service organizations that affect customer financial statements. SOC 2 reports on controls relevant to security, availability, integrity, confidentiality, or privacy. 
Both are performed under SSAE 18, but SOC 1 tests against control objectives defined by the service organization while SOC 2 tests against the AICPA Trust Services Criteria, and buyers request each for different reasons.",{"label":6134,"content":6135},"Is SOC 3 the same as SOC 2?","SOC 3 is based on the same Trust Services Criteria as SOC 2, but the report is a public-use summary rather than a detailed restricted-distribution document. Companies sometimes produce both — a SOC 2 Type II for buyer due diligence and a SOC 3 for marketing.",{"label":6137,"content":6138},"Do I need both SOC 1 and SOC 2?","Most SaaS companies only need SOC 2. SOC 1 is specifically for organizations whose services affect customer financial reporting — payroll, billing, financial processing. If customers' auditors ask about your impact on their financial statements, you likely need SOC 1.",{"label":6140,"content":6141},"Can SOC 3 replace SOC 2?","No. SOC 3 carries the auditor's opinion but not the detailed system description or control testing results that enterprise buyers examine. It is a public summary, not a substitute. Enterprise procurement will still ask for SOC 2.",{"label":6143,"content":6144},"Which report do I get first?","Almost always SOC 2. It is what B2B SaaS buyers request by default. SOC 1 comes into play only when you affect customer financial reporting. SOC 3, if produced, usually follows an existing SOC 2 program.",{},"\u002Fframeworks\u002Fsoc2\u002Fsoc1-vs-soc2",[524,6148,6149,6150],"soc2-type-2","ssae-18","service-auditor",[926,532,1977],{"title":6153,"description":6154},"SOC 1 vs SOC 2 vs SOC 3 (2026): Differences & Which to Choose","SOC 1, SOC 2, and SOC 3 reports compared. 
Scope, audience, testing approach, and decision framework for which report fits your company and buyers.","5.frameworks\u002Fsoc2\u002Fsoc1-vs-soc2","aEt_rFaPiXobUOoB5VBnHl0jWJaAshW0Vft7Ggsc4DY",{"id":6158,"title":57,"body":6159,"description":6772,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":6773,"navigation":527,"path":61,"relatedTerms":6774,"relatedTopics":6775,"seo":6776,"stem":6779,"__hash__":6780},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Ftrust-services-criteria.md",{"type":8,"value":6160,"toc":6751},[6161,6165,6171,6177,6181,6184,6187,6190,6195,6209,6215,6218,6221,6225,6236,6241,6244,6247,6251,6265,6270,6273,6276,6280,6291,6296,6299,6302,6306,6317,6322,6325,6328,6332,6346,6351,6354,6357,6361,6375,6380,6383,6386,6390,6404,6409,6412,6415,6419,6430,6435,6439,6442,6446,6460,6464,6482,6488,6492,6495,6499,6516,6520,6540,6545,6548,6551,6555,6571,6575,6595,6600,6603,6606,6610,6639,6643,6669,6674,6678,6681,6723,6726,6730,6733,6739,6741],[11,6162,6164],{"id":6163},"what-are-the-trust-services-criteria","What are the Trust Services Criteria?",[16,6166,6167,6168,6170],{},"The Trust Services Criteria (TSC) are the foundation of every ",[20,6169,23],{"href":22}," audit. Developed by the AICPA, they define the principles an organization must satisfy to demonstrate it manages customer data responsibly. There are five criteria: security, availability, processing integrity, confidentiality, and privacy.",[16,6172,6173,6174,6176],{},"Security — also called the Common Criteria — is required for every SOC 2 engagement. The remaining four are optional and selected based on the services you provide and the commitments you make to customers. 
Choosing the right criteria is a critical scoping decision that affects audit ",[20,6175,534],{"href":169},", timeline, and the relevance of your report to buyers.",[11,6178,6180],{"id":6179},"security-common-criteria-required","Security (Common Criteria) — required",[16,6182,6183],{},"Security is the only mandatory criterion. It addresses whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories: CC1 through CC5 map directly to the five components of the COSO internal control framework, and CC6 through CC9 add supplemental criteria covering access, system operations, change management, and risk mitigation.",[38,6185,5260],{"id":6186},"cc1-control-environment",[16,6188,6189],{},"The control environment sets the tone for the organization's approach to security and risk. Auditors evaluate governance structures, management philosophy, and accountability.",[16,6191,6192],{},[49,6193,6194],{},"Points of focus:",[43,6196,6197,6200,6203,6206],{},[46,6198,6199],{},"Board or management oversight of security objectives",[46,6201,6202],{},"Organizational structure with defined roles and reporting lines",[46,6204,6205],{},"Commitment to competence through hiring and development",[46,6207,6208],{},"Accountability for internal control responsibilities",[16,6210,6211,6214],{},[49,6212,6213],{},"Common controls:"," Security governance charter, defined CISO or security lead role, annual security objectives reviewed by leadership.",[38,6216,5266],{"id":6217},"cc2-communication-and-information",[16,6219,6220],{},"This category ensures relevant information is communicated internally and externally to support the control environment.",[16,6222,6223],{},[49,6224,6194],{},[43,6226,6227,6230,6233],{},[46,6228,6229],{},"Internal communication of policies, objectives, and responsibilities",[46,6231,6232],{},"External communication about system boundaries, commitments, and changes",[46,6234,6235],{},"Channels for reporting security concerns",[16,6237,6238,6240],{},[49,6239,6213],{}," Employee policy acknowledgment process, external security documentation, whistleblower 
or anonymous reporting mechanism.",[38,6242,5272],{"id":6243},"cc3-risk-assessment",[16,6245,6246],{},"Organizations must identify and analyze risks that could prevent them from achieving their objectives.",[16,6248,6249],{},[49,6250,6194],{},[43,6252,6253,6256,6259,6262],{},[46,6254,6255],{},"Identification of risks to security objectives",[46,6257,6258],{},"Analysis of risk likelihood and impact",[46,6260,6261],{},"Assessment of fraud risk",[46,6263,6264],{},"Identification of significant changes that could affect controls",[16,6266,6267,6269],{},[49,6268,6213],{}," Annual risk assessment process, risk register with likelihood and impact ratings, change management triggers for risk reassessment.",[38,6271,5278],{"id":6272},"cc4-monitoring-activities",[16,6274,6275],{},"Ongoing and periodic evaluations verify that controls are present and functioning.",[16,6277,6278],{},[49,6279,6194],{},[43,6281,6282,6285,6288],{},[46,6283,6284],{},"Ongoing monitoring through automated tools and management oversight",[46,6286,6287],{},"Periodic evaluations (internal audits, self-assessments)",[46,6289,6290],{},"Communication and remediation of identified deficiencies",[16,6292,6293,6295],{},[49,6294,6213],{}," Continuous monitoring dashboards, quarterly control self-assessments, remediation tracking for identified issues.",[38,6297,5284],{"id":6298},"cc5-control-activities",[16,6300,6301],{},"These are the specific policies and procedures that mitigate identified risks.",[16,6303,6304],{},[49,6305,6194],{},[43,6307,6308,6311,6314],{},[46,6309,6310],{},"Selection and development of control activities",[46,6312,6313],{},"Technology general controls (ITGC)",[46,6315,6316],{},"Deployment through policies and procedures",[16,6318,6319,6321],{},[49,6320,6213],{}," Documented security policies, technology controls mapped to risks, procedures for key processes like access provisioning and incident 
response.",[38,6323,5290],{"id":6324},"cc6-logical-and-physical-access",[16,6326,6327],{},"This is often the most evidence-intensive category. It covers how access to systems and facilities is restricted and managed.",[16,6329,6330],{},[49,6331,6194],{},[43,6333,6334,6337,6340,6343],{},[46,6335,6336],{},"Logical access security (authentication, authorization, and timely removal of access when people leave or change roles)",[46,6338,6339],{},"Credential management and password policies",[46,6341,6342],{},"Restrictions on physical access to facilities and hardware",[46,6344,6345],{},"Encryption and key management",[16,6347,6348,6350],{},[49,6349,6213],{}," SSO with MFA enforced, role-based access control, quarterly access reviews, offboarding that revokes access within a defined time window, disk and database encryption, visitor logs for physical facilities.",[38,6352,5296],{"id":6353},"cc7-system-operations",[16,6355,6356],{},"System operations controls ensure infrastructure is monitored and incidents are detected and responded to.",[16,6358,6359],{},[49,6360,6194],{},[43,6362,6363,6366,6369,6372],{},[46,6364,6365],{},"Detection of anomalies and security events",[46,6367,6368],{},"Monitoring of system components, including configuration changes and newly disclosed vulnerabilities",[46,6370,6371],{},"Incident response procedures",[46,6373,6374],{},"Recovery from incidents",[16,6376,6377,6379],{},[49,6378,6213],{}," SIEM or centralized log analysis, alerting rules for anomalous activity, vulnerability scanning with tracked remediation deadlines, documented incident response plan, post-incident reviews.",[38,6381,5302],{"id":6382},"cc8-change-management",[16,6384,6385],{},"Controls over changes to infrastructure, software, and configurations help prevent unauthorized or untested modifications from affecting the production environment.",[16,6387,6388],{},[49,6389,6194],{},[43,6391,6392,6395,6398,6401],{},[46,6393,6394],{},"Authorization of changes before implementation",[46,6396,6397],{},"Testing of changes in non-production environments",[46,6399,6400],{},"Approval and documentation of change deployment",[46,6402,6403],{},"Emergency change procedures",[16,6405,6406,6408],{},[49,6407,6213],{}," Pull request review by someone other than the author, enforced as branch protection 
requirements, CI\u002FCD pipeline with automated testing, change approval workflows, rollback procedures.",[38,6410,5308],{"id":6411},"cc9-risk-mitigation",[16,6413,6414],{},"This category addresses how the organization mitigates risks from business disruptions and vendor relationships.",[16,6416,6417],{},[49,6418,6194],{},[43,6420,6421,6424,6427],{},[46,6422,6423],{},"Risk mitigation through business continuity planning",[46,6425,6426],{},"Vendor and third-party risk management",[46,6428,6429],{},"Risk acceptance decisions and ongoing monitoring",[16,6431,6432,6434],{},[49,6433,6213],{}," Business continuity and disaster recovery plans, vendor risk assessments, annual BCP\u002FDR testing exercises.",[11,6436,6438],{"id":6437},"availability","Availability",[16,6440,6441],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. If your customer contracts include SLAs, or if your product's availability is critical to customer operations, include this criterion.",[16,6443,6444],{},[49,6445,6194],{},[43,6447,6448,6451,6454,6457],{},[46,6449,6450],{},"Defined availability commitments and system performance standards",[46,6452,6453],{},"Environmental protections (redundancy, failover, capacity planning)",[46,6455,6456],{},"Disaster recovery and business continuity capabilities",[46,6458,6459],{},"Incident management for availability-impacting events",[16,6461,6462],{},[49,6463,6213],{},[43,6465,6466,6469,6471,6474,6476,6479],{},[46,6467,6468],{},"Published SLAs and status page",[46,6470,656],{},[46,6472,6473],{},"Auto-scaling and capacity monitoring",[46,6475,712],{},[46,6477,6478],{},"Regular DR testing with documented results",[46,6480,6481],{},"Incident communication procedures for outages",[16,6483,6484,6487],{},[49,6485,6486],{},"When to include it:"," Your service has published uptime commitments, customers depend on continuous availability, or your contracts include SLA terms with financial 
penalties.",[11,6489,6491],{"id":6490},"processing-integrity","Processing integrity",[16,6493,6494],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is especially relevant for platforms that perform calculations, financial transactions, or data transformations.",[16,6496,6497],{},[49,6498,6194],{},[43,6500,6501,6504,6507,6510,6513],{},[46,6502,6503],{},"Defined processing objectives and quality standards",[46,6505,6506],{},"Input validation and completeness checks",[46,6508,6509],{},"Processing accuracy and timeliness monitoring",[46,6511,6512],{},"Error handling and exception management",[46,6514,6515],{},"Output reviews and reconciliation",[16,6517,6518],{},[49,6519,6213],{},[43,6521,6522,6525,6528,6531,6534,6537],{},[46,6523,6524],{},"Input validation rules at application and API layers",[46,6526,6527],{},"Automated reconciliation for financial transactions",[46,6529,6530],{},"Processing monitoring with alerting on anomalies",[46,6532,6533],{},"Error queues with manual review procedures",[46,6535,6536],{},"Audit trails for data transformations",[46,6538,6539],{},"End-to-end transaction testing",[16,6541,6542,6544],{},[49,6543,6486],{}," Your platform processes financial transactions, performs calculations that customers rely on, transforms customer data, or generates reports used for decision-making.",[11,6546,4626],{"id":6547},"confidentiality",[16,6549,6550],{},"Confidentiality addresses information that is designated as confidential — distinct from personal information, which falls under privacy. 
This includes intellectual property, business plans, financial data shared under NDA, and other sensitive non-personal information.",[16,6552,6553],{},[49,6554,6194],{},[43,6556,6557,6560,6563,6566,6569],{},[46,6558,6559],{},"Identification and classification of confidential information",[46,6561,6562],{},"Access restrictions aligned to data classification",[46,6564,6565],{},"Protection of confidential information during processing, storage, and transmission",[46,6567,6568],{},"Secure disposal when confidentiality obligations end",[46,6570,5389],{},[16,6572,6573],{},[49,6574,6213],{},[43,6576,6577,6580,6583,6586,6589,6592],{},[46,6578,6579],{},"Data classification policy with defined sensitivity levels",[46,6581,6582],{},"Access controls that enforce classification-based restrictions",[46,6584,6585],{},"Encryption at rest and in transit for confidential data",[46,6587,6588],{},"Secure deletion procedures and verification",[46,6590,6591],{},"DLP monitoring for sensitive data exfiltration",[46,6593,6594],{},"Confidentiality agreements with employees and contractors",[16,6596,6597,6599],{},[49,6598,6486],{}," You handle customer data classified as confidential beyond what security alone covers, your contracts include confidentiality obligations, or you process intellectual property on behalf of clients.",[11,6601,2297],{"id":6602},"privacy",[16,6604,6605],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether the organization's data practices match its stated privacy commitments. 
This criterion aligns closely with regulations like GDPR, CCPA, and other data protection laws.",[16,6607,6608],{},[49,6609,6194],{},[43,6611,6612,6615,6618,6621,6624,6627,6630,6633,6636],{},[46,6613,6614],{},"Notice and communication of privacy practices",[46,6616,6617],{},"Choice and consent mechanisms",[46,6619,6620],{},"Collection limited to stated purposes",[46,6622,6623],{},"Use, retention, and disposal aligned to the privacy notice",[46,6625,6626],{},"Access and correction rights for data subjects",[46,6628,6629],{},"Disclosure and sharing controls",[46,6631,6632],{},"Security of personal information",[46,6634,6635],{},"Quality and accuracy of personal data",[46,6637,6638],{},"Monitoring and enforcement of privacy commitments",[16,6640,6641],{},[49,6642,6213],{},[43,6644,6645,6648,6651,6654,6657,6660,6663,6666],{},[46,6646,6647],{},"Published privacy notice that accurately describes data practices",[46,6649,6650],{},"Consent management platform for collecting and recording consent",[46,6652,6653],{},"Data inventory mapping personal information flows",[46,6655,6656],{},"Data retention schedule with automated enforcement",[46,6658,6659],{},"Subject access request (SAR) handling procedure",[46,6661,6662],{},"Data processing agreements with subprocessors",[46,6664,6665],{},"Privacy impact assessments for new features or data uses",[46,6667,6668],{},"Breach notification procedures and templates",[16,6670,6671,6673],{},[49,6672,6486],{}," Your organization collects and processes personal information, you have a public privacy policy, customers or regulators expect demonstrated privacy controls, or you are subject to GDPR, CCPA, or similar regulations.",[11,6675,6677],{"id":6676},"choosing-the-right-criteria-for-your-audit","Choosing the right criteria for your audit",[16,6679,6680],{},"Selecting criteria is a strategic decision, not just a compliance exercise. 
Consider:",[198,6682,6683,6689,6695,6704,6714],{},[46,6684,6685,6688],{},[49,6686,6687],{},"Customer commitments"," — review your contracts, SLAs, and data processing agreements. What have you promised?",[46,6690,6691,6694],{},[49,6692,6693],{},"Buyer expectations"," — ask your sales team what security and compliance questions come up during deals.",[46,6696,6697,6700,6701,6703],{},[49,6698,6699],{},"Regulatory environment"," — if you operate in healthcare, consider ",[20,6702,3202],{"href":3201}," alignment. Financial services may require processing integrity.",[46,6705,6706,6709,6710,6713],{},[49,6707,6708],{},"Cost and effort"," — each additional criterion adds scope, evidence requirements, and ",[20,6711,6712],{"href":169},"audit cost",". Only include what is relevant.",[46,6715,6716,6719,6720,6722],{},[49,6717,6718],{},"Framework overlap"," — if you also pursue ",[20,6721,28],{"href":27},", many controls overlap with the security criterion. Leveraging this overlap reduces total effort.",[16,6724,6725],{},"Most first-time SOC 2 organizations start with security alone or security plus one to two additional criteria. You can always expand scope in future audit periods as your program matures.",[11,6727,6729],{"id":6728},"how-the-criteria-relate-to-each-other","How the criteria relate to each other",[16,6731,6732],{},"The five criteria are not isolated. Security underpins all of them — you cannot meaningfully address availability, processing integrity, confidentiality, or privacy without a solid security foundation. Many controls satisfy multiple criteria simultaneously. 
For example, encryption at rest satisfies elements of security (CC6), confidentiality, and privacy — but only to the extent that key management is itself controlled: if the same operators who can read the data can also freely read the keys, the control offers little, so expect questions about who can access keys as well as about the encryption setting itself.",[16,6734,6735,6736,6738],{},"A well-designed ",[20,6737,5591],{"href":5590}," program maps controls to criteria once and tracks coverage across all applicable requirements, avoiding duplicate effort.",[11,6740,483],{"id":482},[16,6742,6743,6744,2927,6747,6750],{},"episki provides a complete Trust Services Criteria library with every point of focus mapped to actionable controls. When you select your criteria during onboarding, the platform generates a tailored control set with suggested narratives, testing procedures, and evidence requirements. Controls that satisfy multiple criteria are linked automatically, so you maintain one control with visibility into all the criteria it covers. As your program matures and you add criteria in future audit periods, episki highlights what you already have in place and what is new — making scope expansion straightforward. ",[20,6745,492],{"href":489,"rel":6746},[491],[20,6748,6749],{"href":2930},"compare episki to Drata"," to see the full criteria mapping in action.",{"title":495,"searchDepth":496,"depth":496,"links":6752},[6753,6754,6765,6766,6767,6768,6769,6770,6771],{"id":6163,"depth":496,"text":6164},{"id":6179,"depth":496,"text":6180,"children":6755},[6756,6757,6758,6759,6760,6761,6762,6763,6764],{"id":6186,"depth":502,"text":5260},{"id":6217,"depth":502,"text":5266},{"id":6243,"depth":502,"text":5272},{"id":6272,"depth":502,"text":5278},{"id":6298,"depth":502,"text":5284},{"id":6324,"depth":502,"text":5290},{"id":6353,"depth":502,"text":5296},{"id":6382,"depth":502,"text":5302},{"id":6411,"depth":502,"text":5308},{"id":6437,"depth":496,"text":6438},{"id":6490,"depth":496,"text":6491},{"id":6547,"depth":496,"text":4626},{"id":6602,"depth":496,"text":2297},{"id":6676,"depth":496,"text":6677},{"id":6728,"depth":496,"text":6729},{"id":482,"depth":496,"text":483},"A comprehensive guide to the five SOC 2 Trust Services Criteria — 
security, availability, processing integrity, confidentiality, and privacy — with points of focus and control examples.",{},[524,530,1975],[533,1977,532],{"title":6777,"description":6778},"SOC 2 Trust Services Criteria — Complete Guide With Control Examples","Deep dive into all five SOC 2 Trust Services Criteria. Understand points of focus, common controls, and how to select the right criteria for your audit.","5.frameworks\u002Fsoc2\u002Ftrust-services-criteria","ePAvLL3toSrL2KyyxVTFxtOGJpVYpI_7RGxTARqPa0c",{"id":6782,"title":5061,"body":6783,"description":7273,"extension":522,"faq":7274,"frameworkSlug":524,"lastUpdated":525,"meta":7291,"navigation":527,"path":190,"relatedTerms":7292,"relatedTopics":7293,"seo":7294,"stem":7297,"__hash__":7298},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Ftype-1-vs-type-2.md",{"type":8,"value":6784,"toc":7241},[6785,6789,6795,6798,6802,6811,6815,6829,6833,6844,6847,6851,6858,6861,6875,6878,6882,7001,7007,7011,7014,7018,7021,7025,7028,7032,7035,7039,7042,7046,7050,7053,7057,7060,7064,7067,7071,7074,7078,7081,7117,7120,7123,7138,7142,7145,7171,7174,7178,7181,7201,7204,7208,7212,7215,7219,7222,7226,7229,7231],[11,6786,6788],{"id":6787},"soc-2-type-i-vs-type-ii-what-is-the-difference","SOC 2 Type I vs Type II: what is the difference?",[16,6790,6791,6792,6794],{},"The distinction between SOC 2 Type I and Type II is one of the most common questions organizations face when beginning their ",[20,6793,2782],{"href":22}," journey. 
Both produce an auditor's report from a licensed CPA firm, but they evaluate different things and serve different purposes.",[16,6796,6797],{},"Understanding the differences helps you choose the right starting point, set realistic timelines, and communicate effectively with buyers who request your report.",[11,6799,6801],{"id":6800},"type-i-point-in-time-assessment","Type I: point-in-time assessment",[16,6803,6804,6805,6808,6809,799],{},"A SOC 2 Type I report evaluates whether your controls are ",[49,6806,6807],{},"suitably designed and implemented as of a specific date",". The auditor examines your control environment at a single point in time and provides an opinion on whether the controls, as designed, would reasonably meet the applicable ",[20,6810,57],{"href":61},[38,6812,6814],{"id":6813},"what-the-auditor-tests","What the auditor tests",[43,6816,6817,6820,6823,6826],{},[46,6818,6819],{},"Are written policies and procedures in place?",[46,6821,6822],{},"Are technical controls configured and active?",[46,6824,6825],{},"Are roles and responsibilities defined?",[46,6827,6828],{},"Does the control design address the relevant criteria?",[38,6830,6832],{"id":6831},"what-the-auditor-does-not-test","What the auditor does not test",[43,6834,6835,6838,6841],{},[46,6836,6837],{},"Whether controls operated consistently over time",[46,6839,6840],{},"Whether exceptions occurred during normal operations",[46,6842,6843],{},"Whether evidence was collected throughout a period",[16,6845,6846],{},"Think of Type I as a design review — it confirms your blueprint is sound but does not verify the building stands up under real conditions.",[11,6848,6850],{"id":6849},"type-ii-operating-effectiveness-over-time","Type II: operating effectiveness over time",[16,6852,6853,6854,6857],{},"A SOC 2 Type II report evaluates whether your controls ",[49,6855,6856],{},"operated effectively over a defined observation period",", typically three to twelve months. 
The auditor tests not just design but execution, sampling evidence from across the period to verify controls functioned as intended.",[38,6859,6814],{"id":6860},"what-the-auditor-tests-1",[43,6862,6863,6866,6869,6872],{},[46,6864,6865],{},"Everything from Type I (design and implementation)",[46,6867,6868],{},"Evidence that controls operated consistently throughout the period",[46,6870,6871],{},"Samples of transactions, access reviews, change approvals, and incident responses",[46,6873,6874],{},"Whether exceptions occurred and how they were handled",[16,6876,6877],{},"Type II is the standard that most enterprise buyers expect because it demonstrates sustained operational discipline, not just a snapshot.",[11,6879,6881],{"id":6880},"side-by-side-comparison","Side-by-side comparison",[241,6883,6884,6894],{},[244,6885,6886],{},[247,6887,6888,6890,6892],{},[250,6889,5666],{},[250,6891,5057],{},[250,6893,3149],{},[257,6895,6896,6909,6922,6935,6948,6962,6975,6988],{},[247,6897,6898,6903,6906],{},[262,6899,6900],{},[49,6901,6902],{},"What it evaluates",[262,6904,6905],{},"Control design and implementation",[262,6907,6908],{},"Control operating effectiveness over time",[247,6910,6911,6916,6919],{},[262,6912,6913],{},[49,6914,6915],{},"Time frame",[262,6917,6918],{},"Single point in time (a specific date)",[262,6920,6921],{},"Observation period (3–12 months)",[247,6923,6924,6929,6932],{},[262,6925,6926],{},[49,6927,6928],{},"Evidence requirements",[262,6930,6931],{},"Current-state documentation and configurations",[262,6933,6934],{},"Evidence collected throughout the observation period",[247,6936,6937,6942,6945],{},[262,6938,6939],{},[49,6940,6941],{},"Typical audit duration",[262,6943,6944],{},"3–6 weeks of fieldwork",[262,6946,6947],{},"Observation period + 4–8 weeks of fieldwork",[247,6949,6950,6956,6959],{},[262,6951,6952,6955],{},[49,6953,6954],{},"Total timeline"," (including prep)",[262,6957,6958],{},"3–6 months",[262,6960,6961],{},"6–18 
months",[247,6963,6964,6969,6972],{},[262,6965,6966],{},[49,6967,6968],{},"Cost",[262,6970,6971],{},"$15,000 – $40,000 (auditor fees)",[262,6973,6974],{},"$25,000 – $80,000 (auditor fees)",[247,6976,6977,6982,6985],{},[262,6978,6979],{},[49,6980,6981],{},"Buyer acceptance",[262,6983,6984],{},"Acceptable for early-stage companies and initial deals",[262,6986,6987],{},"Required by most enterprise and mid-market buyers",[247,6989,6990,6995,6998],{},[262,6991,6992],{},[49,6993,6994],{},"Report validity",[262,6996,6997],{},"Generally useful for 6–12 months",[262,6999,7000],{},"Covers the observation period; new report needed for the next period",[16,7002,7003,7004,799],{},"For a detailed cost breakdown across all categories, see ",[20,7005,7006],{"href":169},"How much does SOC 2 cost",[11,7008,7010],{"id":7009},"when-to-choose-type-i","When to choose Type I",[16,7012,7013],{},"A Type I report makes sense in several scenarios:",[38,7015,7017],{"id":7016},"you-need-a-report-quickly","You need a report quickly",[16,7019,7020],{},"Type I can be completed in as little as three months from the start of preparation. If a deal is on the line and the buyer will accept a Type I, it is the fastest path to a report.",[38,7022,7024],{"id":7023},"you-are-building-your-program-from-scratch","You are building your program from scratch",[16,7026,7027],{},"Type I validates your control design before you commit to a multi-month observation period. If the auditor finds design issues during a Type I, you can fix them before starting the Type II clock — which is far cheaper than discovering problems during a Type II fieldwork phase.",[38,7029,7031],{"id":7030},"your-buyers-explicitly-accept-type-i","Your buyers explicitly accept Type I",[16,7033,7034],{},"Some buyers, particularly in the SMB and mid-market segments, accept Type I reports as sufficient proof of a security program. 
Ask your prospects what they need before assuming Type II is required.",[38,7036,7038],{"id":7037},"you-want-to-build-auditor-familiarity","You want to build auditor familiarity",[16,7040,7041],{},"A Type I engagement is a lower-stakes way to establish a working relationship with your CPA firm. You learn their process, they learn your environment, and the Type II that follows benefits from that shared context.",[11,7043,7045],{"id":7044},"when-to-choose-type-ii","When to choose Type II",[38,7047,7049],{"id":7048},"enterprise-buyers-require-it","Enterprise buyers require it",[16,7051,7052],{},"Most enterprise procurement and security teams require a Type II report. Their security questionnaires and vendor assessment processes are designed around the expectation of operating effectiveness evidence.",[38,7054,7056],{"id":7055},"you-are-in-a-regulated-industry","You are in a regulated industry",[16,7058,7059],{},"Companies serving financial services, healthcare, or government clients almost always need Type II. These buyers understand the difference and will not accept a point-in-time assessment.",[38,7061,7063],{"id":7062},"you-are-renewing-an-existing-report","You are renewing an existing report",[16,7065,7066],{},"After your first SOC 2 cycle, subsequent reports are almost always Type II. The initial program build is done, and the focus shifts to demonstrating ongoing operational maturity.",[38,7068,7070],{"id":7069},"you-want-maximum-market-credibility","You want maximum market credibility",[16,7072,7073],{},"A Type II report is the gold standard for demonstrating security posture to customers, partners, investors, and insurance carriers. 
It signals that your controls are not just theoretical — they work in practice.",[11,7075,7077],{"id":7076},"the-type-i-to-type-ii-pathway","The Type I to Type II pathway",[16,7079,7080],{},"Many organizations follow a staged approach:",[198,7082,7083,7093,7099,7105,7111],{},[46,7084,7085,7088,7089,7092],{},[49,7086,7087],{},"Months 1–3",": Readiness assessment, gap remediation, and control implementation. Use the ",[20,7090,7091],{"href":131},"SOC 2 checklist"," to track progress.",[46,7094,7095,7098],{},[49,7096,7097],{},"Months 3–5",": Type I audit. The auditor validates control design and identifies any remaining issues.",[46,7100,7101,7104],{},[49,7102,7103],{},"Months 5–6",": Remediate any findings from the Type I report.",[46,7106,7107,7110],{},[49,7108,7109],{},"Months 6–12",": Type II observation period begins. Controls operate and evidence is collected continuously.",[46,7112,7113,7116],{},[49,7114,7115],{},"Months 12–14",": Type II fieldwork and report delivery.",[16,7118,7119],{},"This pathway means you can have a Type I report in hand within five months while building toward the more comprehensive Type II. The Type I report satisfies near-term buyer requests, and the Type II demonstrates long-term maturity.",[16,7121,7122],{},"Some organizations skip Type I entirely and go straight to Type II. 
This works well when:",[43,7124,7125,7128,7131],{},[46,7126,7127],{},"The organization already has a mature security program",[46,7129,7130],{},"There is no immediate buyer pressure for a report",[46,7132,7133,7134,2927,7136],{},"The team has experience with compliance frameworks like ",[20,7135,28],{"href":27},[20,7137,3202],{"href":3201},[11,7139,7141],{"id":7140},"what-buyers-actually-care-about","What buyers actually care about",[16,7143,7144],{},"Understanding buyer expectations helps you prioritize:",[43,7146,7147,7153,7159,7165],{},[46,7148,7149,7152],{},[49,7150,7151],{},"Startup and SMB buyers",": Often accept Type I or even a completed security questionnaire. They want to know you take security seriously.",[46,7154,7155,7158],{},[49,7156,7157],{},"Mid-market buyers",": Increasingly request Type II but may accept Type I if you can show a Type II is in progress with a projected completion date.",[46,7160,7161,7164],{},[49,7162,7163],{},"Enterprise buyers",": Almost universally require Type II. Their vendor risk management programs are built around reviewing observation-period evidence.",[46,7166,7167,7170],{},[49,7168,7169],{},"Regulated industry buyers",": Require Type II and may also request specific Trust Services Criteria (availability for SaaS, processing integrity for fintech).",[16,7172,7173],{},"If you are unsure what your target market expects, ask your sales team what security questions come up most frequently during the deal cycle. That data will tell you whether Type I is sufficient or Type II is table stakes.",[11,7175,7177],{"id":7176},"observation-period-considerations-for-type-ii","Observation period considerations for Type II",[16,7179,7180],{},"The observation period length affects both cost and credibility:",[43,7182,7183,7189,7195],{},[46,7184,7185,7188],{},[49,7186,7187],{},"3 months",": The minimum. 
Acceptable for a first Type II but some buyers may view it as insufficient.",[46,7190,7191,7194],{},[49,7192,7193],{},"6 months",": A common choice for first-time Type II reports. Balances credibility with timeline.",[46,7196,7197,7200],{},[49,7198,7199],{},"12 months",": The gold standard. Demonstrates a full year of operating effectiveness and aligns with annual renewal cycles.",[16,7202,7203],{},"After your first Type II, most organizations standardize on a 12-month observation period that aligns with their fiscal year, creating a predictable annual rhythm.",[11,7205,7207],{"id":7206},"common-questions","Common questions",[38,7209,7211],{"id":7210},"can-i-have-both-type-i-and-type-ii","Can I have both Type I and Type II?",[16,7213,7214],{},"Yes. Many organizations obtain a Type I first and then transition to Type II. You can also have a current Type II that supersedes a previous Type I.",[38,7216,7218],{"id":7217},"does-type-ii-replace-type-i","Does Type II replace Type I?",[16,7220,7221],{},"Effectively, yes. A Type II report covers everything a Type I does plus operating effectiveness. Once you have a Type II, there is no reason to go back to Type I.",[38,7223,7225],{"id":7224},"how-often-do-i-need-a-new-type-ii-report","How often do I need a new Type II report?",[16,7227,7228],{},"Most organizations produce a new Type II report annually. The observation period for each new report should begin immediately after the previous one ends to maintain continuous coverage — a buyer who reads two consecutive reports will notice any uncovered gap between them and expect it to be explained.",[11,7230,483],{"id":482},[16,7232,7233,7234,7236,7237,7240],{},"episki supports both Type I and Type II workflows with purpose-built tools for each phase. For Type I readiness, the platform maps your controls to ",[20,7235,80],{"href":79}," and flags design gaps. For Type II, continuous evidence collection with ownership tracking and automated reminders ensures your observation period is covered end to end. 
The auditor collaboration portal works the same way for both engagement types, giving your CPA firm structured access to everything they need. ",[20,7238,492],{"href":489,"rel":7239},[491]," to build your SOC 2 program with the right report type from day one.",{"title":495,"searchDepth":496,"depth":496,"links":7242},[7243,7244,7248,7251,7252,7258,7264,7265,7266,7267,7272],{"id":6787,"depth":496,"text":6788},{"id":6800,"depth":496,"text":6801,"children":7245},[7246,7247],{"id":6813,"depth":502,"text":6814},{"id":6831,"depth":502,"text":6832},{"id":6849,"depth":496,"text":6850,"children":7249},[7250],{"id":6860,"depth":502,"text":6814},{"id":6880,"depth":496,"text":6881},{"id":7009,"depth":496,"text":7010,"children":7253},[7254,7255,7256,7257],{"id":7016,"depth":502,"text":7017},{"id":7023,"depth":502,"text":7024},{"id":7030,"depth":502,"text":7031},{"id":7037,"depth":502,"text":7038},{"id":7044,"depth":496,"text":7045,"children":7259},[7260,7261,7262,7263],{"id":7048,"depth":502,"text":7049},{"id":7055,"depth":502,"text":7056},{"id":7062,"depth":502,"text":7063},{"id":7069,"depth":502,"text":7070},{"id":7076,"depth":496,"text":7077},{"id":7140,"depth":496,"text":7141},{"id":7176,"depth":496,"text":7177},{"id":7206,"depth":496,"text":7207,"children":7268},[7269,7270,7271],{"id":7210,"depth":502,"text":7211},{"id":7217,"depth":502,"text":7218},{"id":7224,"depth":502,"text":7225},{"id":482,"depth":496,"text":483},"A clear comparison of SOC 2 Type I and Type II reports, including differences in scope, timeline, cost, and which buyers require each type.",{"items":7275},[7276,7279,7282,7285,7288],{"label":7277,"content":7278},"What is the difference between SOC 2 Type 1 and Type 2?","SOC 2 Type 1 evaluates whether your controls are suitably designed and implemented as of a specific date. Type 2 evaluates whether those controls operated effectively over a period of time (typically 3–12 months). 
Type 2 is the standard most enterprise buyers require.",{"label":7280,"content":7281},"How long does a SOC 2 Type 2 audit take?","The observation period is typically 3–12 months, followed by 4–8 weeks of auditor fieldwork. Including preparation, most organizations complete their first Type 2 report in 6–18 months from the start of the program.",{"label":7283,"content":7284},"Can I skip Type 1 and go straight to Type 2?","Yes. Organizations with mature security programs or experience with other frameworks like ISO 27001 often skip Type 1 and go directly to Type 2. However, Type 1 can be useful for validating control design before committing to a longer observation period.",{"label":7286,"content":7287},"How much does a SOC 2 Type 2 audit cost?","SOC 2 Type 2 auditor fees typically range from $25,000 to $80,000, depending on the complexity of your environment and the scope of Trust Services Criteria. Type 1 audits are generally less expensive, ranging from $15,000 to $40,000.",{"label":7289,"content":7290},"Do enterprise buyers accept SOC 2 Type 1 reports?","Most enterprise procurement teams require Type 2 reports. Mid-market buyers may accept Type 1 if you can show a Type 2 is in progress. Startup and SMB buyers are more likely to accept Type 1 as sufficient.",{},[524,530],[1977,533,534],{"title":7295,"description":7296},"SOC 2 Type 1 vs Type 2 (2026): Differences, Costs & Which to Get First","SOC 2 Type I vs Type II compared — scope, timelines, costs, and buyer expectations. 
Includes decision framework for which report to pursue first.","5.frameworks\u002Fsoc2\u002Ftype-1-vs-type-2","LrW6Kqj3E-bir6a6ZrGagmdSRnan7ay3JM_Fb3mQF0A",{"id":7300,"title":7301,"body":7302,"description":7633,"extension":522,"faq":7634,"frameworkSlug":524,"lastUpdated":525,"meta":7651,"navigation":527,"path":2393,"relatedTerms":7652,"relatedTopics":7656,"seo":7657,"stem":7660,"__hash__":7661},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fvendor-management.md","SOC 2 Vendor Management",{"type":8,"value":7303,"toc":7618},[7304,7308,7313,7316,7320,7323,7343,7346,7350,7353,7357,7360,7380,7383,7387,7390,7437,7440,7444,7447,7464,7473,7477,7480,7500,7503,7507,7510,7513,7530,7532,7547,7550,7552,7587,7589,7606,7608],[11,7305,7307],{"id":7306},"vendor-risk-is-where-soc-2-programs-often-get-caught-off-guard","Vendor risk is where SOC 2 programs often get caught off guard",[16,7309,187,7310,7312],{},[20,7311,23],{"href":22}," audit does not stop at your firewall. If a vendor has access to your systems, handles your customer data, or provides critical infrastructure, their control failures can create your exceptions. CC9.2 — the Trust Services Criteria control for vendor and business partner risk — is consistently one of the higher-effort categories in first-time SOC 2 engagements. Organizations that treat vendor management as a procurement task rather than a security control usually underestimate what the auditor expects.",[16,7314,7315],{},"A mature SOC 2 vendor management program answers four questions at any moment: who are our vendors, what risk do they pose, what assessments have we done, and what are we doing to monitor them between assessments.",[11,7317,7319],{"id":7318},"what-cc92-requires","What CC9.2 requires",[16,7321,7322],{},"CC9.2 is the direct Trust Services Criteria reference for vendor management. 
The criterion requires that the entity \"assesses and manages risks associated with vendors and business partners.\" The points of focus expand this into concrete expectations.",[43,7324,7325,7328,7331,7334,7337,7340],{},[46,7326,7327],{},"Establish requirements for vendor and business partner engagements",[46,7329,7330],{},"Assess vendor and business partner risks",[46,7332,7333],{},"Assign responsibility and accountability for managing vendor relationships",[46,7335,7336],{},"Establish communication protocols for vendors",[46,7338,7339],{},"Address risks through vendor selection, contracting, and monitoring",[46,7341,7342],{},"Implement procedures for terminating vendor relationships",[16,7344,7345],{},"CC6 is also relevant — if a vendor has logical access to your systems, that access is in scope for access management controls. CC9.1 addresses business continuity, which extends to vendors that provide critical services.",[11,7347,7349],{"id":7348},"the-five-elements-of-a-soc-2-vendor-management-program","The five elements of a SOC 2 vendor management program",[16,7351,7352],{},"A vendor management program that holds up to auditor scrutiny has five elements. Each generates evidence that maps to CC9.2 and adjacent controls.",[38,7354,7356],{"id":7355},"_1-vendor-inventory","1. Vendor inventory",[16,7358,7359],{},"The inventory is the foundation. It lists every third party that has access to systems, data, or services in your SOC 2 scope. Each entry should capture:",[43,7361,7362,7365,7368,7371,7374,7377],{},[46,7363,7364],{},"Vendor name and primary service",[46,7366,7367],{},"Data the vendor handles (customer data, PII, credentials, none)",[46,7369,7370],{},"Criticality to operations",[46,7372,7373],{},"Assigned risk tier",[46,7375,7376],{},"Contract status and renewal date",[46,7378,7379],{},"Owner inside your organization",[16,7381,7382],{},"A common mistake is to keep a procurement list and call it a vendor inventory. 
Procurement usually misses contractors, free tools, and shadow SaaS. Sync the inventory with identity provider data, expense reports, and DNS records to catch gaps.",[38,7384,7386],{"id":7385},"_2-risk-tiering","2. Risk tiering",[16,7388,7389],{},"Not every vendor requires the same scrutiny. Most programs use three tiers.",[241,7391,7392,7402],{},[244,7393,7394],{},[247,7395,7396,7398,7400],{},[250,7397,2049],{},[250,7399,2052],{},[250,7401,2055],{},[257,7403,7404,7415,7426],{},[247,7405,7406,7409,7412],{},[262,7407,7408],{},"High",[262,7410,7411],{},"Hosts customer data, has production access, or is critical to uptime",[262,7413,7414],{},"Cloud infrastructure, primary database host, authentication provider",[247,7416,7417,7420,7423],{},[262,7418,7419],{},"Medium",[262,7421,7422],{},"Holds sensitive internal data or supports core operations",[262,7424,7425],{},"CRM, HRIS, code repository, payroll",[247,7427,7428,7431,7434],{},[262,7429,7430],{},"Low",[262,7432,7433],{},"Limited access, no sensitive data, easily replaceable",[262,7435,7436],{},"Marketing tools, scheduling apps, static hosting",[16,7438,7439],{},"Tiering drives the depth of assessment and the frequency of reassessment. High-risk vendors warrant a full security review, a current SOC 2 or equivalent report, and annual reassessment. Low-risk vendors may only need basic documentation.",[38,7441,7443],{"id":7442},"_3-assessment-process","3. Assessment process",[16,7445,7446],{},"For each in-scope vendor, document the assessment you performed. 
Typical artifacts include:",[43,7448,7449,7452,7455,7458,7461],{},[46,7450,7451],{},"The vendor's current SOC 2 Type II report",[46,7453,7454],{},"ISO 27001 certificate or other attestations",[46,7456,7457],{},"Completed security questionnaire (SIG, CAIQ, or proprietary)",[46,7459,7460],{},"Data processing agreement (DPA) if PII is involved",[46,7462,7463],{},"Subprocessor lists with locations",[16,7465,7466,7467,749,7471,799],{},"Auditors sample vendor assessments from across the observation period. If an assessment was performed before the period began, that is fine — but reassessments during the period must have documentation. For related definitions, see ",[20,7468,7470],{"href":7469},"\u002Fglossary\u002Fthird-party-risk","third-party risk",[20,7472,2711],{"href":2710},[38,7474,7476],{"id":7475},"_4-contractual-controls","4. Contractual controls",[16,7478,7479],{},"Security requirements belong in the contract. Standard clauses include:",[43,7481,7482,7485,7488,7491,7494,7497],{},[46,7483,7484],{},"Confidentiality and data handling obligations",[46,7486,7487],{},"Breach notification timelines",[46,7489,7490],{},"Right to audit or to receive attestation reports",[46,7492,7493],{},"Subprocessor notification requirements",[46,7495,7496],{},"Data return and destruction on termination",[46,7498,7499],{},"Security minimums (encryption, MFA, logging)",[16,7501,7502],{},"The auditor may review a sample of executed contracts and look for consistent application of these clauses. Contracts signed before your SOC 2 program existed may be grandfathered, but new vendors should follow the current template.",[38,7504,7506],{"id":7505},"_5-ongoing-monitoring","5. Ongoing monitoring",[16,7508,7509],{},"Between assessments, vendors change. New subprocessors are added. Breaches happen. Certifications lapse. 
Monitoring catches these events without waiting for the next annual review.",[16,7511,7512],{},"Practical monitoring activities:",[43,7514,7515,7518,7521,7524,7527],{},[46,7516,7517],{},"Subscribe to vendor status pages and security advisories",[46,7519,7520],{},"Track SOC 2 and ISO 27001 certificate expiration dates",[46,7522,7523],{},"Review vendor breach disclosures and public incident reports",[46,7525,7526],{},"Monitor for changes in subprocessor lists",[46,7528,7529],{},"Revisit risk tier when the vendor adds new features or data flows",[11,7531,803],{"id":802},[16,7533,7534,7535,7537,7538,7540,7541,7543,7544,7546],{},"Vendor management generates some of the most audit-ready evidence in a SOC 2 program. Assessments, contracts, and monitoring artifacts are naturally documented and easy to produce on request. It also connects to several other ",[20,7536,57],{"href":61}," domains: ",[20,7539,794],{"href":793}," extends to vendor-related alerts, ",[20,7542,798],{"href":797}," includes vendor-initiated incidents, and ",[20,7545,1106],{"href":1271}," covers changes to vendor integrations.",[16,7548,7549],{},"Weak vendor management often surfaces as exceptions in CC6 (access control) when offboarded vendors still hold credentials, or in CC9 (risk mitigation) when a vendor incident affected customer data and the response was unstructured.",[11,7551,813],{"id":812},[43,7553,7554,7560,7566,7572,7578],{},[46,7555,7556,7559],{},[49,7557,7558],{},"Procurement list as inventory."," Procurement tracks contracts. It misses tools added via expense reports, personal credit cards, or free tiers. Reconcile against identity provider and network data.",[46,7561,7562,7565],{},[49,7563,7564],{},"One-time assessments."," The vendor you assessed last year may have changed. Without a reassessment cadence, the evidence goes stale.",[46,7567,7568,7571],{},[49,7569,7570],{},"Missing DPAs."," If a vendor processes personal data, a DPA is usually required by GDPR, CCPA, or equivalent. 
Auditors may not enforce this but your regulators will.",[46,7573,7574,7577],{},[49,7575,7576],{},"No offboarding."," Vendors whose contracts expired still hold access or data. Build a decommissioning checklist and use it.",[46,7579,7580,7583,7584,7586],{},[49,7581,7582],{},"Ignoring subprocessors."," Your vendor's vendors may also be in scope. Enterprise buyers will ask about them, and some ",[20,7585,3202],{"href":3201}," contexts require it.",[11,7588,849],{"id":848},[43,7590,7591,7594,7597,7600,7603],{},[46,7592,7593],{},"Build the vendor inventory once and treat it as a living system of record. Update it on every new contract signing and offboarding.",[46,7595,7596],{},"Use risk tier to drive process. A high-risk vendor triggers a full assessment; a low-risk vendor triggers a lightweight check. Tiered processes scale.",[46,7598,7599],{},"Require a SOC 2 or ISO 27001 report as part of procurement for any vendor that handles customer data. This shifts the security burden upstream.",[46,7601,7602],{},"Centralize vendor evidence in one place. Contracts, assessments, and monitoring reports should all be linked to the vendor record.",[46,7604,7605],{},"Revisit the vendor inventory quarterly with owners to catch drift.",[11,7607,483],{"id":482},[16,7609,7610,7611,7614,7615,7617],{},"episki manages the vendor inventory, risk tiering, assessment workflows, and contract repository in a single workspace mapped directly to CC9.2 and related SOC 2 controls. 
",[20,7612,492],{"href":489,"rel":7613},[491]," or explore the full ",[20,7616,878],{"href":22}," to see how vendor management fits into the broader program.",{"title":495,"searchDepth":496,"depth":496,"links":7619},[7620,7621,7622,7629,7630,7631,7632],{"id":7306,"depth":496,"text":7307},{"id":7318,"depth":496,"text":7319},{"id":7348,"depth":496,"text":7349,"children":7623},[7624,7625,7626,7627,7628],{"id":7355,"depth":502,"text":7356},{"id":7385,"depth":502,"text":7386},{"id":7442,"depth":502,"text":7443},{"id":7475,"depth":502,"text":7476},{"id":7505,"depth":502,"text":7506},{"id":802,"depth":496,"text":803},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},"How to build a SOC 2 vendor management program. CC9.2 requirements, third-party risk assessments, and monitoring subprocessors across the observation period.",{"items":7635},[7636,7639,7642,7645,7648],{"label":7637,"content":7638},"Which SOC 2 criterion covers vendor management?","Vendor management is primarily addressed by CC9.2, which requires the entity to assess and manage risks associated with vendors and business partners. CC9.1 (business continuity) and CC6 (access control) are also relevant when vendors hold customer data or have system access.",{"label":7640,"content":7641},"Do I need a SOC 2 report from every vendor?","No. You need to assess every in-scope vendor, but the depth of assessment should be tiered to the risk. A vendor that processes customer data warrants a SOC 2 or equivalent report. A vendor that hosts a static marketing site does not.",{"label":7643,"content":7644},"How often should vendors be reassessed?","Most SOC 2 programs reassess high-risk vendors annually. Medium-risk vendors are typically reviewed every eighteen to twenty-four months. 
The key is that reassessments are documented and tied to risk tier, not performed ad hoc.",{"label":7646,"content":7647},"What counts as a vendor for SOC 2 purposes?","Any third party that has access to your systems, handles customer data, or provides services that support your in-scope environment. This includes SaaS tools, cloud infrastructure providers, contractors with production access, and managed service providers.",{"label":7649,"content":7650},"What evidence do auditors expect for vendor management?","Auditors typically review a vendor inventory with risk ratings, completed assessments for a sample of vendors, executed contracts with security clauses, evidence of ongoing monitoring, and the process for onboarding and offboarding vendors.",{},[7653,7654,7655],"third-party-risk","vendor-risk-management","risk-register",[926,1977,4154],{"title":7658,"description":7659},"SOC 2 Vendor Management (2026): CC9.2 Third-Party Risk","Build a SOC 2 vendor management program. Inventory, risk tiering, assessments, contracts, and ongoing monitoring that satisfy CC9.2 requirements.","5.frameworks\u002Fsoc2\u002Fvendor-management","H5ORMSYE7908_bIi_HypIdDT7pQNGxY6jJSzIToHjXk",{"id":7663,"title":7664,"advantages":7665,"body":7687,"checklist":8157,"cta":8166,"description":495,"extension":522,"faq":8169,"hero":8186,"meta":8200,"name":8201,"navigation":527,"path":22,"resources":8202,"seo":8215,"slug":524,"stats":8218,"stem":8228,"__hash__":8229},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[7666,7673,7680],{"title":7667,"description":7668,"bullets":7669},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[7670,7671,7672],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":7674,"description":7675,"bullets":7676},"Evidence organized by control","Upload and track 
screenshots, configs, and exports in a structured evidence locker.",[7677,7678,7679],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":7681,"description":7682,"bullets":7683},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[7684,7685,7686],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for customers",{"type":8,"value":7688,"toc":8139},[7689,7693,7696,7702,7708,7714,7718,7721,7726,7731,7743,7745,7750,7752,7755,7757,7764,7766,7769,7771,7777,7779,7785,7789,7792,7795,7812,7820,7824,7830,7868,7871,7875,7878,7881,7918,7924,7928,7931,7983,7986,7990,7993,8000,8007,8014,8026,8033,8037,8044,8076,8079,8083,8086,8089,8127],[11,7690,7692],{"id":7691},"what-is-soc-2","What is SOC 2?",[16,7694,7695],{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. It does not tell you which tools to deploy; it tells you which outcomes you must demonstrate and leaves the implementation details to you.",[16,7697,7698,7699,7701],{},"SOC 2 evolved from SAS 70, an older attestation framework used primarily for financial reporting systems. As technology service providers increased their role in handling sensitive data, the AICPA introduced the SOC reporting suite. SOC 1 continued to address controls relevant to financial reporting. SOC 2 and SOC 3 shifted attention to information security, availability, and related commitments. 
Today, SOC 2 is issued under the AICPA's AT-C 105 and AT-C 205 attestation standards, following the ",[20,7700,5649],{"href":5648}," framework.",[16,7703,7704,7705,7707],{},"A SOC 2 engagement produces an opinion letter from a licensed CPA firm. That letter is the report buyers ask for. It documents the system under audit, the ",[20,7706,57],{"href":61}," selected, the controls in place, the testing the auditor performed, and any exceptions noted. A clean SOC 2 opinion signals to the market that a third party examined your controls and found them suitable — or in the case of Type II, found them operating effectively across a defined window.",[16,7709,7710,7711,7713],{},"SOC 2 is built on five ",[49,7712,57],{},": security, availability, processing integrity, confidentiality, and privacy. Security is mandatory. The other four are optional and chosen based on your service commitments and customer expectations. Most first-time SOC 2 audits cover security alone or security plus one or two additional criteria. Scope expansion happens later, as the program matures.",[11,7715,7717],{"id":7716},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[16,7719,7720],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[16,7722,187,7723,7725],{},[49,7724,191],{}," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[16,7727,187,7728,7730],{},[49,7729,2823],{}," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. 
The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[16,7732,7733,7734,7736,7737,749,7740,799],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[20,7735,5061],{"href":190},". Related glossary terms: ",[20,7738,7739],{"href":5925},"SOC 2 Type 2",[20,7741,57],{"href":7742},"\u002Fglossary\u002Ftrust-services-criteria",[11,7744,5243],{"id":5242},[16,7746,18,7747,7749],{},[20,7748,57],{"href":61}," define the principles your controls must satisfy. Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[38,7751,6180],{"id":6179},[16,7753,7754],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[38,7756,6438],{"id":6437},[16,7758,7759,7760,7763],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. 
Read the ",[20,7761,7762],{"href":920},"availability criteria deep dive"," for common controls and implementation patterns.",[38,7765,6491],{"id":6490},[16,7767,7768],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[38,7770,4626],{"id":6547},[16,7772,7773,7774,1354],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[20,7775,7776],{"href":2456},"confidentiality criteria deep dive",[38,7778,2297],{"id":6602},[16,7780,7781,7782,799],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. For a full walkthrough, see the ",[20,7783,7784],{"href":2301},"privacy criteria deep dive",[11,7786,7788],{"id":7787},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[16,7790,7791],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. 
If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[16,7793,7794],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[43,7796,7797,7800,7803,7806,7809],{},[46,7798,7799],{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[46,7801,7802],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[46,7804,7805],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[46,7807,7808],{},"Investors or partners are asking about the company's security posture.",[46,7810,7811],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[16,7813,7814,7815,7819],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[20,7816,7818],{"href":7817},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[11,7821,7823],{"id":7822},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[16,7825,18,7826,7829],{},[20,7827,7828],{"href":528},"SOC 2 audit process"," follows a predictable sequence. Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[198,7831,7832,7844,7850,7856,7862],{},[46,7833,7834,7837,7838,7840,7841,7843],{},[49,7835,7836],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[20,7839,4024],{"href":4023}," to compare current controls against ",[20,7842,80],{"href":79},". The output is a prioritized remediation plan.",[46,7845,7846,7849],{},[49,7847,7848],{},"Remediation."," Close the gaps identified during readiness. 
Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[46,7851,7852,7855],{},[49,7853,7854],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[46,7857,7858,7861],{},[49,7859,7860],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[46,7863,7864,7867],{},[49,7865,7866],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[16,7869,7870],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[11,7872,7874],{"id":7873},"what-does-soc-2-cost","What does SOC 2 cost?",[16,7876,7877],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. Auditor fees are the largest line item, but they are not the only cost. 
You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[16,7879,7880],{},"Typical benchmarks for a first-time SOC 2 engagement:",[43,7882,7883,7889,7895,7901,7907,7912],{},[46,7884,7885,7888],{},[49,7886,7887],{},"Type I auditor fees",": $15,000 to $40,000",[46,7890,7891,7894],{},[49,7892,7893],{},"Type II auditor fees",": $25,000 to $80,000",[46,7896,7897,7900],{},[49,7898,7899],{},"Readiness consulting"," (optional): $10,000 to $40,000",[46,7902,7903,7906],{},[49,7904,7905],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[46,7908,7909,7911],{},[49,7910,3031],{},": $8,000 to $30,000 per test",[46,7913,7914,7917],{},[49,7915,7916],{},"Internal staff time",": 200 to 600 hours across the first cycle",[16,7919,7920,7921,7923],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. See the full ",[20,7922,170],{"href":169}," for detailed ranges and cost-reduction strategies.",[11,7925,7927],{"id":7926},"common-soc-2-challenges","Common SOC 2 challenges",[16,7929,7930],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[43,7932,7933,7939,7945,7951,7957,7966,7975],{},[46,7934,7935,7938],{},[49,7936,7937],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[46,7940,7941,7944],{},[49,7942,7943],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. By the time the auditor asks, the evidence trail is broken.",[46,7946,7947,7950],{},[49,7948,7949],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. 
Without a single source of truth for control status, teams duplicate work or miss handoffs.",[46,7952,7953,7956],{},[49,7954,7955],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[46,7958,7959,7962,7963,7965],{},[49,7960,7961],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[20,7964,2394],{"href":2393}," for how to close this gap.",[46,7967,7968,7971,7972,7974],{},[49,7969,7970],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. ",[20,7973,3453],{"href":1271}," is a frequent source of Type II exceptions.",[46,7976,7977,7980,7981,799],{},[49,7978,7979],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[20,7982,798],{"href":797},[16,7984,7985],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[11,7987,7989],{"id":7988},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[16,7991,7992],{},"SOC 2 is not the only security framework buyers may request. Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[16,7994,7995,7999],{},[49,7996,7997],{},[20,7998,28],{"href":27}," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. 
ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[16,8001,8002,8006],{},[49,8003,8004],{},[20,8005,3202],{"href":3201}," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as evidence of HIPAA compliance in vendor due diligence.",[16,8008,8009,8013],{},[49,8010,8011],{},[20,8012,5232],{"href":5231}," is the payment card industry's prescriptive standard for any organization that stores, processes, or transmits cardholder data. Unlike SOC 2, PCI DSS specifies exact controls down to firewall rules and encryption key rotation cadences. SOC 2 and PCI DSS share concepts like encryption, access control, and monitoring, but PCI DSS scope is narrower (cardholder data environment) and the requirements are more specific. Companies that process payments typically need both.",[16,8015,8016,4009,8019,4014,8022,8025],{},[49,8017,8018],{},"NIST Cybersecurity Framework",[49,8020,8021],{},"FedRAMP",[49,8023,8024],{},"CMMC"," address additional specialized audiences — federal contractors, defense industrial base, and government-adjacent systems. These are out of scope for most commercial SaaS but worth mapping if your buyer base includes public sector.",[16,8027,8028,8029,8032],{},"If you are comparing SOC 2 tooling options, our ",[20,8030,8031],{"href":6011},"Vanta vs Drata comparison"," covers the leading compliance automation platforms.",[11,8034,8036],{"id":8035},"soc-2-readiness-checklist","SOC 2 readiness checklist",[16,8038,8039,8040,8043],{},"A readiness checklist keeps your team focused during the months before the audit begins. 
The ",[20,8041,8042],{"href":131},"full SOC 2 checklist"," covers every category, but at a high level expect to address:",[43,8045,8046,8049,8052,8055,8058,8061,8064,8067,8070,8073],{},[46,8047,8048],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[46,8050,8051],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[46,8053,8054],{},"Change management (code review, deployment approvals, production change logs)",[46,8056,8057],{},"Vendor risk management (inventory, assessments, monitoring)",[46,8059,8060],{},"Incident response (documented plan, tested at least annually)",[46,8062,8063],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[46,8065,8066],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[46,8068,8069],{},"Security awareness training (annual minimum, tracked completion)",[46,8071,8072],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[46,8074,8075],{},"Risk assessment (annual risk review, risk register, treatment plans)",[16,8077,8078],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[11,8080,8082],{"id":8081},"getting-started-with-soc-2","Getting started with SOC 2",[16,8084,8085],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[16,8087,8088],{},"A reasonable starting sequence:",[198,8090,8091,8097,8103,8109,8115,8121],{},[46,8092,8093,8096],{},[49,8094,8095],{},"Pick your Trust Services Criteria."," Security is required. Add others only if you have customer commitments that map to them.",[46,8098,8099,8102],{},[49,8100,8101],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. 
If you have time and buyer pressure is general, skip straight to Type II.",[46,8104,8105,8108],{},[49,8106,8107],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[46,8110,8111,8114],{},[49,8112,8113],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[46,8116,8117,8120],{},[49,8118,8119],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[46,8122,8123,8126],{},[49,8124,8125],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[16,8128,8129,8130,2927,8133,8138],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. 
",[20,8131,492],{"href":489,"rel":8132},[491],[20,8134,8137],{"href":8135,"rel":8136},"https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo",[491],"book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":495,"searchDepth":496,"depth":496,"links":8140},[8141,8142,8143,8150,8151,8152,8153,8154,8155,8156],{"id":7691,"depth":496,"text":7692},{"id":7716,"depth":496,"text":7717},{"id":5242,"depth":496,"text":5243,"children":8144},[8145,8146,8147,8148,8149],{"id":6179,"depth":502,"text":6180},{"id":6437,"depth":502,"text":6438},{"id":6490,"depth":502,"text":6491},{"id":6547,"depth":502,"text":4626},{"id":6602,"depth":502,"text":2297},{"id":7787,"depth":496,"text":7788},{"id":7822,"depth":496,"text":7823},{"id":7873,"depth":496,"text":7874},{"id":7926,"depth":496,"text":7927},{"id":7988,"depth":496,"text":7989},{"id":8035,"depth":496,"text":8036},{"id":8081,"depth":496,"text":8082},{"title":8158,"description":8159,"items":8160},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[8161,8162,8163,8164,8165],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":8167,"description":8168},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.",{"title":8170,"items":8171},"SOC 2 frequently asked questions",[8172,8175,8178,8181,8183],{"label":8173,"content":8174},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. 
episki's automation can cut preparation time by up to 45 days.",{"label":8176,"content":8177},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":8179,"content":8180},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":7788,"content":8182},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":8184,"content":8185},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. 
Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":8187,"title":8188,"description":8189,"links":8190},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[8191,8194],{"label":8192,"icon":8193,"to":489},"Start SOC 2 trial","i-lucide-rocket",{"label":8195,"icon":8196,"color":8197,"variant":8198,"to":8135,"target":8199},"Book a demo","i-lucide-message-circle","neutral","subtle","_blank",{},"SOC 2 Type I\u002FII",{"headline":8203,"title":8203,"description":8204,"items":8205},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[8206,8209,8212],{"title":8207,"description":8208},"Executive scorecard","Summaries translate control work into risk reduction and deals unlocked.",{"title":8210,"description":8211},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":8213,"description":8214},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":8216,"description":8217},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. 
Start your free 14-day trial.",[8219,8222,8225],{"value":8220,"description":8221},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":8223,"description":8224},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":8226,"description":8227},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","shAxjjcx4JmL7Zy8hak9QyL4MkAUXkpn4CKU8l_0-Q4",[8231,8446,8566,8716],{"id":8232,"title":8233,"body":8234,"description":495,"extension":522,"lastUpdated":525,"meta":8434,"navigation":527,"path":2548,"relatedFrameworks":8435,"relatedTerms":8439,"seo":8441,"slug":1274,"stem":8444,"term":8239,"__hash__":8445},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":8,"value":8235,"toc":8424},[8236,8240,8243,8247,8250,8264,8268,8271,8321,8325,8328,8334,8340,8346,8350,8394,8398,8415,8417],[11,8237,8239],{"id":8238},"what-is-evidence-collection","What is Evidence Collection?",[16,8241,8242],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[38,8244,8246],{"id":8245},"why-evidence-collection-matters","Why evidence collection matters",[16,8248,8249],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. 
Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[43,8251,8252,8255,8258,8261],{},[46,8253,8254],{},"Audits take longer and cost more due to scrambling for documentation",[46,8256,8257],{},"Control gaps go undetected until audit time",[46,8259,8260],{},"Audit opinions may be qualified due to insufficient evidence",[46,8262,8263],{},"Customer trust erodes when security claims cannot be substantiated",[38,8265,8267],{"id":8266},"types-of-evidence","Types of evidence",[16,8269,8270],{},"Evidence takes many forms depending on the control being demonstrated:",[43,8272,8273,8279,8285,8291,8297,8303,8309,8315],{},[46,8274,8275,8278],{},[49,8276,8277],{},"Screenshots"," — system configurations, access control settings, dashboard views",[46,8280,8281,8284],{},[49,8282,8283],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[46,8286,8287,8290],{},[49,8288,8289],{},"Documents"," — policies, procedures, meeting minutes, training records",[46,8292,8293,8296],{},[49,8294,8295],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[46,8298,8299,8302],{},[49,8300,8301],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[46,8304,8305,8308],{},[49,8306,8307],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance attestations",[46,8310,8311,8314],{},[49,8312,8313],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[46,8316,8317,8320],{},[49,8318,8319],{},"Interviews"," — auditor interviews with control owners (for live audits)",[38,8322,8324],{"id":8323},"evidence-collection-approaches","Evidence collection approaches",[16,8326,8327],{},"Organizations typically use one of three approaches:",[16,8329,8330,8333],{},[49,8331,8332],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a 
scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[16,8335,8336,8339],{},[49,8337,8338],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[16,8341,8342,8345],{},[49,8343,8344],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[38,8347,8349],{"id":8348},"best-practices-for-evidence-collection","Best practices for evidence collection",[43,8351,8352,8358,8364,8370,8376,8382,8388],{},[46,8353,8354,8357],{},[49,8355,8356],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[46,8359,8360,8363],{},[49,8361,8362],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[46,8365,8366,8369],{},[49,8367,8368],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[46,8371,8372,8375],{},[49,8373,8374],{},"Organize by control"," — structure evidence so it maps directly to controls and framework requirements",[46,8377,8378,8381],{},[49,8379,8380],{},"Maintain chain of custody"," — record who collected each item and when, and protect it from alteration after collection",[46,8383,8384,8387],{},[49,8385,8386],{},"Review evidence quality"," — periodically verify that collected evidence actually demonstrates the control is working",[46,8389,8390,8393],{},[49,8391,8392],{},"Retain evidence appropriately"," — keep evidence for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[38,8395,8397],{"id":8396},"common-challenges","Common 
challenges",[43,8399,8400,8403,8406,8409,8412],{},[46,8401,8402],{},"Evidence collection is distributed across many teams and systems",[46,8404,8405],{},"Control owners forget to collect on schedule",[46,8407,8408],{},"Evidence quality varies — screenshots may be unclear or incomplete",[46,8410,8411],{},"Evidence becomes stale if not collected at the right frequency",[46,8413,8414],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[38,8416,483],{"id":482},[16,8418,8419,8420,799],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. Learn more on our ",[20,8421,8423],{"href":8422},"\u002Fframeworks","compliance platform",{"title":495,"searchDepth":496,"depth":496,"links":8425},[8426],{"id":8238,"depth":496,"text":8239,"children":8427},[8428,8429,8430,8431,8432,8433],{"id":8245,"depth":502,"text":8246},{"id":8266,"depth":502,"text":8267},{"id":8323,"depth":502,"text":8324},{"id":8348,"depth":502,"text":8349},{"id":8396,"depth":502,"text":8397},{"id":482,"depth":502,"text":483},{},[524,8436,8437,8438],"iso27001","hipaa","pci",[1275,6148,424,8440],"control-objectives",{"title":8442,"description":8443},"What is Evidence Collection? 
Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","GPkRF1T5KoTAunaW0xisMR-w9mNhEBY90EzK_CfJono",{"id":8447,"title":8448,"body":8449,"description":495,"extension":522,"lastUpdated":525,"meta":8556,"navigation":527,"path":5590,"relatedFrameworks":8557,"relatedTerms":8559,"seo":8561,"slug":530,"stem":8564,"term":8454,"__hash__":8565},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":8,"value":8450,"toc":8547},[8451,8455,8462,8466,8469,8483,8487,8490,8504,8508,8519,8523,8526,8540,8544],[11,8452,8454],{"id":8453},"what-is-grc","What is GRC?",[16,8456,8457,8458,8461],{},"GRC stands for ",[49,8459,8460],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[38,8463,8465],{"id":8464},"governance","Governance",[16,8467,8468],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. In a security context, governance includes:",[43,8470,8471,8474,8477,8480],{},[46,8472,8473],{},"Establishing security policies and standards",[46,8475,8476],{},"Assigning ownership for controls and programs",[46,8478,8479],{},"Setting risk appetite and tolerance levels",[46,8481,8482],{},"Board-level oversight of security posture",[38,8484,8486],{"id":8485},"risk-management","Risk management",[16,8488,8489],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. 
Common activities include:",[43,8491,8492,8495,8498,8501],{},[46,8493,8494],{},"Maintaining a risk register with likelihood and impact scores",[46,8496,8497],{},"Prioritizing remediation based on business impact",[46,8499,8500],{},"Tracking treatment plans with owners and deadlines",[46,8502,8503],{},"Reviewing risk posture on a recurring schedule",[38,8505,8507],{"id":8506},"compliance","Compliance",[16,8509,8510,8511,4009,8513,4009,8515,4014,8517,799],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[20,8512,23],{"href":22},[20,8514,28],{"href":27},[20,8516,3202],{"href":3201},[20,8518,5232],{"href":5231},[38,8520,8522],{"id":8521},"why-grc-matters","Why GRC matters",[16,8524,8525],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. A GRC program brings these disciplines together so that:",[43,8527,8528,8531,8534,8537],{},[46,8529,8530],{},"Controls are mapped once and reused across frameworks",[46,8532,8533],{},"Risk decisions inform which controls get priority",[46,8535,8536],{},"Evidence is collected continuously rather than scrambled before audits",[46,8538,8539],{},"Leadership has visibility into security posture and compliance status",[38,8541,8543],{"id":8542},"grc-software","GRC software",[16,8545,8546],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. 
Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":495,"searchDepth":496,"depth":496,"links":8548},[8549],{"id":8453,"depth":496,"text":8454,"children":8550},[8551,8552,8553,8554,8555],{"id":8464,"depth":502,"text":8465},{"id":8485,"depth":502,"text":8486},{"id":8506,"depth":502,"text":8507},{"id":8521,"depth":502,"text":8522},{"id":8542,"depth":502,"text":8543},{},[524,8436,8437,8438,8558],"nistcsf",[7655,8560,1275,1274],"control-framework",{"title":8562,"description":8563},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","8.glossary\u002Fgrc","z7uTPh4PsV0D9njj62M4FXnwjHgD1TiZCXJGfk_tnG8",{"id":8567,"title":8568,"body":8569,"description":495,"extension":522,"lastUpdated":525,"meta":8704,"navigation":527,"path":8705,"relatedFrameworks":8706,"relatedTerms":8707,"seo":8711,"slug":1975,"stem":8714,"term":8574,"__hash__":8715},"glossary\u002F8.glossary\u002Fisms.md","Isms",{"type":8,"value":8570,"toc":8695},[8571,8575,8581,8584,8587,8601,8605,8608,8645,8649,8652,8678,8682,8685,8689],[11,8572,8574],{"id":8573},"what-is-an-isms","What is an ISMS?",[16,8576,8577,8578,8580],{},"An ISMS (Information Security Management System) is a systematic framework of policies, processes, and controls that an organization uses to manage information security risks. 
It is the core requirement of ",[20,8579,28],{"href":27}," certification.",[38,8582,3670],{"id":8583},"purpose",[16,8585,8586],{},"An ISMS provides a structured approach to:",[43,8588,8589,8592,8595,8598],{},[46,8590,8591],{},"Identifying information security risks and opportunities",[46,8593,8594],{},"Implementing controls proportionate to those risks",[46,8596,8597],{},"Monitoring and measuring security performance",[46,8599,8600],{},"Continually improving the security posture",[38,8602,8604],{"id":8603},"key-components","Key components",[16,8606,8607],{},"An effective ISMS typically includes:",[43,8609,8610,8615,8621,8627,8633,8639],{},[46,8611,8612,8614],{},[49,8613,1416],{}," — top-level commitment from leadership",[46,8616,8617,8620],{},[49,8618,8619],{},"Risk assessment methodology"," — how the organization identifies, analyzes, and evaluates risks",[46,8622,8623,8626],{},[49,8624,8625],{},"Risk treatment plan"," — how identified risks are addressed (mitigate, accept, transfer, avoid)",[46,8628,8629,8632],{},[49,8630,8631],{},"Statement of Applicability"," — which controls from Annex A apply and why",[46,8634,8635,8638],{},[49,8636,8637],{},"Internal audit program"," — regular reviews of ISMS effectiveness",[46,8640,8641,8644],{},[49,8642,8643],{},"Management review"," — leadership evaluation of ISMS performance and direction",[38,8646,8648],{"id":8647},"isms-lifecycle","ISMS lifecycle",[16,8650,8651],{},"The ISMS follows a Plan-Do-Check-Act (PDCA) cycle:",[198,8653,8654,8660,8666,8672],{},[46,8655,8656,8659],{},[49,8657,8658],{},"Plan"," — establish objectives, policies, and processes for managing risk",[46,8661,8662,8665],{},[49,8663,8664],{},"Do"," — implement and operate the ISMS",[46,8667,8668,8671],{},[49,8669,8670],{},"Check"," — monitor, measure, and review against objectives",[46,8673,8674,8677],{},[49,8675,8676],{},"Act"," — take corrective actions and improve",[38,8679,8681],{"id":8680},"isms-vs-individual-controls","ISMS vs individual 
controls",[16,8683,8684],{},"An ISMS is not a list of controls — it is the management system that governs how controls are selected, implemented, monitored, and improved. Individual controls (like access management or encryption) operate within the ISMS framework.",[38,8686,8688],{"id":8687},"how-episki-supports-your-isms","How episki supports your ISMS",[16,8690,8691,8692,799],{},"episki provides the workspace for building and operating an ISMS: control libraries, risk registers, evidence tracking, ownership assignment, and review cadences. Learn more on our ",[20,8693,8694],{"href":27},"ISO 27001 page",{"title":495,"searchDepth":496,"depth":496,"links":8696},[8697],{"id":8573,"depth":496,"text":8574,"children":8698},[8699,8700,8701,8702,8703],{"id":8583,"depth":502,"text":3670},{"id":8603,"depth":502,"text":8604},{"id":8647,"depth":502,"text":8648},{"id":8680,"depth":502,"text":8681},{"id":8687,"depth":502,"text":8688},{},"\u002Fglossary\u002Fisms",[8436],[8436,8708,8709,8710],"annex-a","statement-of-applicability","risk-treatment-plan",{"title":8712,"description":8713},"What is an ISMS? Information Security Management System Explained","An ISMS is a systematic framework for managing information security risks. Learn how an ISMS works, its components, and how it relates to ISO 27001 certification.","8.glossary\u002Fisms","rQdOoLmkQHwR1X4s6Q3AKwrLHhTEhcrGfNMBNM1CSvg",{"id":8717,"title":7664,"body":8718,"description":495,"extension":522,"lastUpdated":525,"meta":8842,"navigation":527,"path":1846,"relatedFrameworks":8843,"relatedTerms":8844,"seo":8846,"slug":524,"stem":8849,"term":7692,"__hash__":8850},"glossary\u002F8.glossary\u002Fsoc2.md",{"type":8,"value":8719,"toc":8833},[8720,8722,8725,8727,8730,8757,8760,8764,8776,8779,8783,8786,8789,8792,8823,8827],[11,8721,7692],{"id":7691},[16,8723,8724],{},"SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations protect customer data. 
It is one of the most requested security attestations for SaaS companies and technology vendors.",[38,8726,57],{"id":926},[16,8728,8729],{},"SOC 2 is built around five Trust Services Criteria (TSC):",[43,8731,8732,8737,8742,8747,8752],{},[46,8733,8734,8736],{},[49,8735,4634],{}," (required) — protection against unauthorized access",[46,8738,8739,8741],{},[49,8740,6438],{}," — system uptime and operational reliability",[46,8743,8744,8746],{},[49,8745,6491],{}," — accurate and complete data processing",[46,8748,8749,8751],{},[49,8750,4626],{}," — protection of confidential information",[46,8753,8754,8756],{},[49,8755,2297],{}," — handling of personal information per commitments",[16,8758,8759],{},"Most organizations start with Security and add additional criteria based on customer requirements.",[38,8761,8763],{"id":8762},"type-i-vs-type-ii","Type I vs Type II",[43,8765,8766,8771],{},[46,8767,8768,8770],{},[49,8769,191],{}," evaluates whether controls are designed appropriately at a specific point in time",[46,8772,8773,8775],{},[49,8774,2823],{}," evaluates whether controls operated effectively over a period (typically 3-12 months)",[16,8777,8778],{},"Type II reports carry more weight with enterprise buyers because they demonstrate sustained compliance rather than a single snapshot.",[38,8780,8782],{"id":8781},"who-needs-soc-2","Who needs SOC 2?",[16,8784,8785],{},"SOC 2 is not legally required, but it is effectively mandatory for SaaS companies selling to enterprises. 
Buyers, procurement teams, and security reviewers routinely request SOC 2 reports as part of vendor diligence.",[38,8787,8173],{"id":8788},"how-long-does-a-soc-2-audit-take",[16,8790,8791],{},"A typical timeline:",[43,8793,8794,8800,8806,8811,8817],{},[46,8795,8796,8799],{},[49,8797,8798],{},"Readiness assessment:"," 2-4 weeks",[46,8801,8802,8805],{},[49,8803,8804],{},"Remediation:"," 4-12 weeks depending on gaps",[46,8807,8808,8799],{},[49,8809,8810],{},"Type I audit:",[46,8812,8813,8816],{},[49,8814,8815],{},"Observation period for Type II:"," 3-12 months",[46,8818,8819,8822],{},[49,8820,8821],{},"Type II audit:"," 4-6 weeks",[38,8824,8826],{"id":8825},"how-episki-helps-with-soc-2","How episki helps with SOC 2",[16,8828,8829,8830,799],{},"episki maps controls to Trust Services Criteria, tracks evidence with ownership and review cadences, and provides auditor portals for streamlined collaboration. Learn more on our ",[20,8831,8832],{"href":22},"SOC 2 compliance page",{"title":495,"searchDepth":496,"depth":496,"links":8834},[8835],{"id":7691,"depth":496,"text":7692,"children":8836},[8837,8838,8839,8840,8841],{"id":926,"depth":502,"text":57},{"id":8762,"depth":502,"text":8763},{"id":8781,"depth":502,"text":8782},{"id":8788,"depth":502,"text":8173},{"id":8825,"depth":502,"text":8826},{},[524],[926,8845,6148,6150,6149],"soc2-type-1",{"title":8847,"description":8848},"What is SOC 2? Compliance Requirements Explained","SOC 2 is an auditing framework for service organizations based on five Trust Services Criteria. 
Learn about SOC 2 Type I vs Type II, audit timelines, and what it takes to get compliant.","8.glossary\u002Fsoc2","HxCJ-MVx4pErD7AwYkHgr_2aiZffYJTt9jhfAl9AgSw",[8852,9397],{"id":8853,"title":8854,"body":8855,"description":495,"extension":522,"lastUpdated":525,"meta":9384,"navigation":527,"path":9385,"relatedFrameworks":9386,"relatedTerms":9388,"seo":9391,"slug":9394,"stem":9395,"term":8860,"__hash__":9396},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":8,"value":8856,"toc":9370},[8857,8861,8864,8868,8871,8897,8901,8907,8913,8919,8925,8929,8932,8938,8955,8960,8974,8980,8991,8995,8998,9046,9050,9053,9067,9071,9074,9097,9101,9104,9151,9155,9158,9271,9274,9277,9306,9310,9316,9319,9354,9357,9360,9363,9365],[11,8858,8860],{"id":8859},"what-is-access-control","What is Access Control?",[16,8862,8863],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. 
Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[38,8865,8867],{"id":8866},"core-principles","Core principles",[16,8869,8870],{},"Access control is built on several foundational principles:",[43,8872,8873,8879,8885,8891],{},[46,8874,8875,8878],{},[49,8876,8877],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[46,8880,8881,8884],{},[49,8882,8883],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[46,8886,8887,8890],{},[49,8888,8889],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[46,8892,8893,8896],{},[49,8894,8895],{},"Default deny"," — access is denied by default unless explicitly granted",[38,8898,8900],{"id":8899},"types-of-access-control","Types of access control",[16,8902,8903,8906],{},[49,8904,8905],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[16,8908,8909,8912],{},[49,8910,8911],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[16,8914,8915,8918],{},[49,8916,8917],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[16,8920,8921,8924],{},[49,8922,8923],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. 
Common in government and military environments.",[38,8926,8928],{"id":8927},"access-control-components","Access control components",[16,8930,8931],{},"A complete access control program addresses:",[16,8933,8934,8937],{},[49,8935,8936],{},"Authentication"," — verifying the identity of users:",[43,8939,8940,8943,8946,8949,8952],{},[46,8941,8942],{},"Passwords and passphrases",[46,8944,8945],{},"Multi-factor authentication (MFA)",[46,8947,8948],{},"Single sign-on (SSO)",[46,8950,8951],{},"Biometric authentication",[46,8953,8954],{},"Certificate-based authentication",[16,8956,8957,8959],{},[49,8958,1124],{}," — determining what authenticated users can do:",[43,8961,8962,8965,8968,8971],{},[46,8963,8964],{},"Permission assignments",[46,8966,8967],{},"Role definitions",[46,8969,8970],{},"Access control lists",[46,8972,8973],{},"Policy enforcement points",[16,8975,8976,8979],{},[49,8977,8978],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[43,8981,8982,8985,8988],{},[46,8983,8984],{},"Provisioning (granting access when hired or role changes)",[46,8986,8987],{},"Review (periodic access certification)",[46,8989,8990],{},"Deprovisioning (revoking access upon termination or role change)",[38,8992,8994],{"id":8993},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[16,8996,8997],{},"Every major framework requires access control:",[43,8999,9000,9007,9019,9031,9038],{},[46,9001,9002,9006],{},[49,9003,9004],{},[20,9005,23],{"href":22}," — CC6.1 through CC6.8 cover logical and physical access controls",[46,9008,9009,9013,9014,9018],{},[49,9010,9011],{},[20,9012,28],{"href":27}," — ",[20,9015,9017],{"href":9016},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[46,9020,9021,9025,9026,9030],{},[49,9022,9023],{},[20,9024,3202],{"href":3201}," — the ",[20,9027,9029],{"href":9028},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security 
Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[46,9032,9033,9037],{},[49,9034,9035],{},[20,9036,5232],{"href":5231}," — Requirements 7 and 8 address access restriction and user identification",[46,9039,9040,9045],{},[49,9041,9042],{},[20,9043,6004],{"href":9044},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[38,9047,9049],{"id":9048},"access-reviews","Access reviews",[16,9051,9052],{},"Regular access reviews (also called access certifications) are a critical control:",[43,9054,9055,9058,9061,9064],{},[46,9056,9057],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[46,9059,9060],{},"Verify that access aligns with current job responsibilities",[46,9062,9063],{},"Identify and remove excessive or unnecessary access",[46,9065,9066],{},"Document review results and remediation actions",[38,9068,9070],{"id":9069},"common-access-control-weaknesses","Common access control weaknesses",[16,9072,9073],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[43,9075,9076,9079,9082,9085,9088,9091,9094],{},[46,9077,9078],{},"Excessive permissions that accumulate over time (privilege creep)",[46,9080,9081],{},"Shared or generic accounts that prevent individual accountability",[46,9083,9084],{},"Delayed deprovisioning when employees leave or change roles",[46,9086,9087],{},"Lack of MFA on critical systems and remote access paths",[46,9089,9090],{},"Inconsistent access review processes with no documented remediation",[46,9092,9093],{},"Service accounts with standing privileged access and no rotation schedule",[46,9095,9096],{},"Lack of visibility into SaaS application access outside the corporate IdP",[38,9098,9100],{"id":9099},"implementing-access-control-in-practice","Implementing access control in practice",[16,9102,9103],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[198,9105,9106,9112,9118,9124,9130,9136,9145],{},[46,9107,9108,9111],{},[49,9109,9110],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[46,9113,9114,9117],{},[49,9115,9116],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[46,9119,9120,9123],{},[49,9121,9122],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[46,9125,9126,9129],{},[49,9127,9128],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[46,9131,9132,9135],{},[49,9133,9134],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[46,9137,9138,9141,9142,9144],{},[49,9139,9140],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[20,9143,1110],{"href":1109}," that satisfies compliance requirements.",[46,9146,9147,9150],{},[49,9148,9149],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[38,9152,9154],{"id":9153},"access-control-requirements-by-framework","Access control requirements by framework",[16,9156,9157],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[241,9159,9160,9177],{},[244,9161,9162],{},[247,9163,9164,9167,9169,9171,9173,9175],{},[250,9165,9166],{},"Requirement",[250,9168,23],{},[250,9170,28],{},[250,9172,3202],{},[250,9174,5232],{},[250,9176,6004],{},[257,9178,9179,9199,9218,9237,9254],{},[247,9180,9181,9184,9187,9190,9193,9196],{},[262,9182,9183],{},"Unique user IDs",[262,9185,9186],{},"CC6.1",[262,9188,9189],{},"A.5.16",[262,9191,9192],{},"§164.312(a)(2)(i)",[262,9194,9195],{},"Req 8.2.1",[262,9197,9198],{},"PR.AC-1",[247,9200,9201,9204,9206,9209,9212,9215],{},[262,9202,9203],{},"MFA",[262,9205,9186],{},[262,9207,9208],{},"A.8.5",[262,9210,9211],{},"Addressable",[262,9213,9214],{},"Req 8.4",[262,9216,9217],{},"PR.AC-7",[247,9219,9220,9222,9225,9228,9231,9234],{},[262,9221,9049],{},[262,9223,9224],{},"CC6.2",[262,9226,9227],{},"A.5.18",[262,9229,9230],{},"§164.312(a)(1)",[262,9232,9233],{},"Req 7.2",[262,9235,9236],{},"PR.AC-4",[247,9238,9239,9241,9244,9247,9249,9252],{},[262,9240,8877],{},[262,9242,9243],{},"CC6.3",[262,9245,9246],{},"A.5.15",[262,9248,9230],{},[262,9250,9251],{},"Req 7.1",[262,9253,9236],{},[247,9255,9256,9259,9261,9263,9266,9269],{},[262,9257,9258],{},"Deprovisioning",[262,9260,9224],{},[262,9262,9227],{},[262,9264,9265],{},"§164.312(a)(2)(ii)",[262,9267,9268],{},"Req 8.2.6",[262,9270,9198],{},[16,9272,9273],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[16,9275,9276],{},"A few notes on framework-specific nuances:",[43,9278,9279,9284,9292,9299],{},[46,9280,9281,9283],{},[49,9282,3202],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[46,9285,9286,9291],{},[49,9287,9288,9290],{},[20,9289,5232],{"href":5231}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[46,9293,9294,9298],{},[49,9295,9296],{},[20,9297,23],{"href":22}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[46,9300,9301,9305],{},[49,9302,9303],{},[20,9304,6004],{"href":9044}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[38,9307,9309],{"id":9308},"zero-trust-and-access-control","Zero trust and access control",[16,9311,9312,9313,799],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[49,9314,9315],{},"never trust, always verify",[16,9317,9318],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[43,9320,9321,9327,9333,9342,9348],{},[46,9322,9323,9326],{},[49,9324,9325],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[46,9328,9329,9332],{},[49,9330,9331],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[46,9334,9335,9338,9339,9341],{},[49,9336,9337],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[20,9340,2180],{"href":2179},") is evaluated before access is granted.",[46,9343,9344,9347],{},[49,9345,9346],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[46,9349,9350,9353],{},[49,9351,9352],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[16,9355,9356],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[16,9358,9359],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[16,9361,9362],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[38,9364,483],{"id":482},[16,9366,9367,9368,799],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[20,9369,8423],{"href":8422},{"title":495,"searchDepth":496,"depth":496,"links":9371},[9372],{"id":8859,"depth":496,"text":8860,"children":9373},[9374,9375,9376,9377,9378,9379,9380,9381,9382,9383],{"id":8866,"depth":502,"text":8867},{"id":8899,"depth":502,"text":8900},{"id":8927,"depth":502,"text":8928},{"id":8993,"depth":502,"text":8994},{"id":9048,"depth":502,"text":9049},{"id":9069,"depth":502,"text":9070},{"id":9099,"depth":502,"text":9100},{"id":9153,"depth":502,"text":9154},{"id":9308,"depth":502,"text":9309},{"id":482,"depth":502,"text":483},{},"\u002Fglossary\u002Faccess-control",[9387,524,8436,8437,8438,8558],"cmmc",[9389,1275,2180,9390],"minimum-necessary-rule","user-entity-controls",{"title":9392,"description":9393},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":9398,"title":9399,"body":9400,"description":495,"extension":522,"lastUpdated":525,"meta":9616,"navigation":527,"path":1109,"relatedFrameworks":9617,"relatedTerms":9618,"seo":9619,"slug":1275,"stem":9622,"term":9405,"__hash__":9623},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":8,"value":9401,"toc":9606},[9402,9406,9409,9413,9416,9454,9457,9477,9481,9484,9506,9510,9513,9557,9561,9564,9578,9582,9599,9601],[11,9403,9405],{"id":9404},"what-is-an-audit-trail","What is an Audit Trail?",[16,9407,9408],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[38,9410,9412],{"id":9411},"what-audit-trails-capture","What audit trails capture",[16,9414,9415],{},"Effective audit trails typically record:",[43,9417,9418,9424,9430,9436,9442,9448],{},[46,9419,9420,9423],{},[49,9421,9422],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[46,9425,9426,9429],{},[49,9427,9428],{},"System events"," — configuration changes, service starts and stops, errors, failures",[46,9431,9432,9435],{},[49,9433,9434],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[46,9437,9438,9441],{},[49,9439,9440],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[46,9443,9444,9447],{},[49,9445,9446],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[46,9449,9450,9453],{},[49,9451,9452],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[16,9455,9456],{},"Each audit trail entry should include:",[43,9458,9459,9462,9465,9468,9471,9474],{},[46,9460,9461],{},"Timestamp (synchronized across systems)",[46,9463,9464],{},"User or system identity",[46,9466,9467],{},"Action performed",[46,9469,9470],{},"Target resource or data",[46,9472,9473],{},"Outcome (success or failure)",[46,9475,9476],{},"Source (IP address, device, or location)",[38,9478,9480],{"id":9479},"audit-trail-requirements-across-frameworks","Audit trail requirements across frameworks",[16,9482,9483],{},"Multiple compliance frameworks require audit trails:",[43,9485,9486,9491,9496,9501],{},[46,9487,9488,9490],{},[49,9489,23],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[46,9492,9493,9495],{},[49,9494,28],{}," — control A.8.15 addresses logging, and A.8.17 
addresses clock synchronization for accurate audit trails",[46,9497,9498,9500],{},[49,9499,3202],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[46,9502,9503,9505],{},[49,9504,5232],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[38,9507,9509],{"id":9508},"implementing-audit-trails","Implementing audit trails",[16,9511,9512],{},"To implement effective audit trails:",[198,9514,9515,9521,9527,9533,9539,9545,9551],{},[46,9516,9517,9520],{},[49,9518,9519],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[46,9522,9523,9526],{},[49,9524,9525],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[46,9528,9529,9532],{},[49,9530,9531],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[46,9534,9535,9538],{},[49,9536,9537],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[46,9540,9541,9544],{},[49,9542,9543],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[46,9546,9547,9550],{},[49,9548,9549],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[46,9552,9553,9556],{},[49,9554,9555],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[38,9558,9560],{"id":9559},"audit-trail-retention","Audit trail retention",[16,9562,9563],{},"Retention requirements vary by framework and jurisdiction:",[43,9565,9566,9569,9572,9575],{},[46,9567,9568],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately available",[46,9570,9571],{},"HIPAA requires documentation retention for 
6 years",[46,9573,9574],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[46,9576,9577],{},"SOC 2 audit periods typically require evidence covering the observation period",[38,9579,9581],{"id":9580},"common-pitfalls","Common pitfalls",[43,9583,9584,9587,9590,9593,9596],{},[46,9585,9586],{},"Insufficient logging — missing critical events or systems",[46,9588,9589],{},"Log overload — logging too much without meaningful analysis",[46,9591,9592],{},"No log protection — allowing administrators to modify or delete logs",[46,9594,9595],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[46,9597,9598],{},"No review process — collecting logs but never analyzing them",[38,9600,483],{"id":482},[16,9602,9603,9604,799],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[20,9605,8423],{"href":8422},{"title":495,"searchDepth":496,"depth":496,"links":9607},[9608],{"id":9404,"depth":496,"text":9405,"children":9609},[9610,9611,9612,9613,9614,9615],{"id":9411,"depth":502,"text":9412},{"id":9479,"depth":502,"text":9480},{"id":9508,"depth":502,"text":9509},{"id":9559,"depth":502,"text":9560},{"id":9580,"depth":502,"text":9581},{"id":482,"depth":502,"text":483},{},[524,8436,8437,8438],[1274,9394,424,927],{"title":9620,"description":9621},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","TS31vs1S2ZQUFvm3zNALCcZaNNrpPCRC6ZQBgh0zKdE",[9625,9969],{"id":5,"title":6,"body":9626,"description":521,"extension":522,"faq":523,"frameworkSlug":524,"lastUpdated":525,"meta":9965,"navigation":527,"path":528,"relatedTerms":9966,"relatedTopics":9967,"seo":9968,"stem":538,"__hash__":539},{"type":8,"value":9627,"toc":9941},[9628,9630,9636,9638,9640,9642,9658,9660,9664,9674,9676,9678,9680,9694,9698,9700,9702,9726,9728,9730,9734,9736,9762,9764,9810,9812,9814,9816,9842,9844,9884,9886,9888,9890,9892,9894,9896,9898,9900,9910,9912,9914,9934,9936],[11,9629,14],{"id":13},[16,9631,18,9632,24,9634,29],{},[20,9633,23],{"href":22},[20,9635,28],{"href":27},[11,9637,33],{"id":32},[16,9639,36],{},[38,9641,41],{"id":40},[43,9643,9644,9648,9654],{},[46,9645,9646,52],{},[49,9647,51],{},[46,9649,9650,58,9652,63],{},[49,9651,57],{},[20,9653,62],{"href":61},[46,9655,9656,69],{},[49,9657,68],{},[38,9659,73],{"id":72},[16,9661,76,9662,81],{},[20,9663,80],{"href":79},[43,9665,9666,9668,9670,9672],{},[46,9667,86],{},[46,9669,89],{},[46,9671,92],{},[46,9673,95],{},[16,9675,98],{},[38,9677,102],{"id":101},[16,9679,105],{},[43,9681,9682,9684,9686,9688,9690,9692],{},[46,9683,110],{},[46,9685,113],{},[46,9687,116],{},[46,9689,119],{},[46,9691,122],{},[46,9693,125],{},[16,9695,128,9696,133],{},[20,9697,132],{"href":131},[11,9699,137],{"id":136},[16,9701,140],{},[43,9703,9704,9708,9712,9716,9722],{},[46,9705,9706,148],{},[49,9707,147],{},[46,9709,9710,154],{},[49,9711,153],{},[46,9713,9714,160],{},[49,9715,159],{},[46,9717,9718,166,9720,171],{},[49,9719,165],{},[20,9721,170],{"href":169},[46,9723,9724,177],{},[49,9725,176],{},[16,9727,180],{},[11,9729,184],{"id":183},[16,9731,187,9732,192],{},[20,9733,191],{"href":190},[38,9735,196],{"id":195},[198,9737,9738,9742,9746,9750,9754,9758]
,{},[46,9739,9740,205],{},[49,9741,204],{},[46,9743,9744,211],{},[49,9745,210],{},[46,9747,9748,217],{},[49,9749,216],{},[46,9751,9752,223],{},[49,9753,222],{},[46,9755,9756,229],{},[49,9757,228],{},[46,9759,9760,235],{},[49,9761,234],{},[38,9763,239],{"id":238},[241,9765,9766,9774],{},[244,9767,9768],{},[247,9769,9770,9772],{},[250,9771,252],{},[250,9773,255],{},[257,9775,9776,9782,9788,9794,9800],{},[247,9777,9778,9780],{},[262,9779,264],{},[262,9781,267],{},[247,9783,9784,9786],{},[262,9785,272],{},[262,9787,275],{},[247,9789,9790,9792],{},[262,9791,280],{},[262,9793,283],{},[247,9795,9796,9798],{},[262,9797,288],{},[262,9799,275],{},[247,9801,9802,9806],{},[262,9803,9804],{},[49,9805,297],{},[262,9807,9808],{},[49,9809,302],{},[11,9811,306],{"id":305},[16,9813,309],{},[38,9815,196],{"id":312},[198,9817,9818,9822,9826,9830,9834,9838],{},[46,9819,9820,320],{},[49,9821,319],{},[46,9823,9824,326],{},[49,9825,325],{},[46,9827,9828,332],{},[49,9829,331],{},[46,9831,9832,338],{},[49,9833,337],{},[46,9835,9836,344],{},[49,9837,343],{},[46,9839,9840,350],{},[49,9841,349],{},[38,9843,354],{"id":353},[241,9845,9846,9854],{},[244,9847,9848],{},[247,9849,9850,9852],{},[250,9851,252],{},[250,9853,255],{},[257,9855,9856,9862,9868,9874],{},[247,9857,9858,9860],{},[262,9859,371],{},[262,9861,374],{},[247,9863,9864,9866],{},[262,9865,379],{},[262,9867,382],{},[247,9869,9870,9872],{},[262,9871,288],{},[262,9873,275],{},[247,9875,9876,9880],{},[262,9877,9878],{},[49,9879,395],{},[262,9881,9882],{},[49,9883,400],{},[11,9885,404],{"id":403},[16,9887,407],{},[38,9889,411],{"id":410},[16,9891,414],{},[38,9893,418],{"id":417},[16,9895,421],{},[38,9897,425],{"id":424},[16,9899,428],{},[43,9901,9902,9904,9906,9908],{},[46,9903,433],{},[46,9905,436],{},[46,9907,439],{},[46,9909,442],{},[16,9911,445],{},[11,9913,449],{"id":448},[43,9915,9916,9920,9924,9928],{},[46,9917,9918,457],{},[49,9919,456],{},[46,9921,9922,463],{},[49,9923,462],{},[46,9925,9926,469],{},[49,9927,468],{},[46,9929,9930,4
75,9932,479],{},[49,9931,474],{},[20,9933,478],{"href":169},[11,9935,483],{"id":482},[16,9937,486,9938,493],{},[20,9939,492],{"href":489,"rel":9940},[491],{"title":495,"searchDepth":496,"depth":496,"links":9942},[9943,9944,9949,9950,9954,9958,9963,9964],{"id":13,"depth":496,"text":14},{"id":32,"depth":496,"text":33,"children":9945},[9946,9947,9948],{"id":40,"depth":502,"text":41},{"id":72,"depth":502,"text":73},{"id":101,"depth":502,"text":102},{"id":136,"depth":496,"text":137},{"id":183,"depth":496,"text":184,"children":9951},[9952,9953],{"id":195,"depth":502,"text":196},{"id":238,"depth":502,"text":239},{"id":305,"depth":496,"text":306,"children":9955},[9956,9957],{"id":312,"depth":502,"text":196},{"id":353,"depth":502,"text":354},{"id":403,"depth":496,"text":404,"children":9959},[9960,9961,9962],{"id":410,"depth":502,"text":411},{"id":417,"depth":502,"text":418},{"id":424,"depth":502,"text":425},{"id":448,"depth":496,"text":449},{"id":482,"depth":496,"text":483},{},[524,530],[532,533,534],{"title":536,"description":537},{"id":541,"title":542,"body":9970,"description":901,"extension":522,"faq":10212,"frameworkSlug":524,"lastUpdated":525,"meta":10219,"navigation":527,"path":920,"relatedTerms":10220,"relatedTopics":10221,"seo":10222,"stem":931,"__hash__":932},{"type":8,"value":9971,"toc":10191},[9972,9974,9978,9980,9982,9986,10000,10002,10004,10006,10008,10022,10024,10034,10036,10038,10040,10042,10058,10060,10072,10074,10076,10078,10080,10092,10094,10104,10110,10112,10114,10132,10138,10140,10142,10144,10146,10168,10170,10182,10184],[11,9973,548],{"id":547},[16,9975,551,9976,554],{},[20,9977,23],{"href":22},[16,9979,557],{},[11,9981,561],{"id":560},[16,9983,18,9984,566],{},[20,9985,57],{"href":61},[43,9987,9988,9992,9996],{},[46,9989,9990,574],{},[49,9991,573],{},[46,9993,9994,580],{},[49,9995,579],{},[46,9997,9998,586],{},[49,9999,585],{},[16,10001,589],{},[11,10003,593],{"id":592},[16,10005,596],{},[38,10007,600],{"id":599},[43,10009,10010,10012,10014,10016,10018,1
0020],{},[46,10011,605],{},[46,10013,608],{},[46,10015,611],{},[46,10017,614],{},[46,10019,617],{},[46,10021,620],{},[38,10023,624],{"id":623},[43,10025,10026,10028,10030,10032],{},[46,10027,629],{},[46,10029,632],{},[46,10031,635],{},[46,10033,638],{},[16,10035,641],{},[11,10037,645],{"id":644},[16,10039,648],{},[38,10041,600],{"id":651},[43,10043,10044,10046,10048,10050,10052,10054,10056],{},[46,10045,656],{},[46,10047,659],{},[46,10049,662],{},[46,10051,665],{},[46,10053,668],{},[46,10055,671],{},[46,10057,674],{},[38,10059,624],{"id":677},[43,10061,10062,10064,10066,10068,10070],{},[46,10063,682],{},[46,10065,685],{},[46,10067,688],{},[46,10069,691],{},[46,10071,694],{},[16,10073,697],{},[11,10075,701],{"id":700},[16,10077,704],{},[38,10079,600],{"id":707},[43,10081,10082,10084,10086,10088,10090],{},[46,10083,712],{},[46,10085,715],{},[46,10087,718],{},[46,10089,721],{},[46,10091,724],{},[38,10093,624],{"id":727},[43,10095,10096,10098,10100,10102],{},[46,10097,732],{},[46,10099,735],{},[46,10101,738],{},[46,10103,741],{},[16,10105,744,10106,749,10108,754],{},[20,10107,748],{"href":747},[20,10109,753],{"href":752},[11,10111,758],{"id":757},[16,10113,761],{},[43,10115,10116,10120,10124,10128],{},[46,10117,10118,769],{},[49,10119,768],{},[46,10121,10122,775],{},[49,10123,774],{},[46,10125,10126,781],{},[49,10127,780],{},[46,10129,10130,787],{},[49,10131,786],{},[16,10133,790,10134,749,10136,799],{},[20,10135,794],{"href":793},[20,10137,798],{"href":797},[11,10139,803],{"id":802},[16,10141,806],{},[16,10143,809],{},[11,10145,813],{"id":812},[43,10147,10148,10152,10156,10160,10164],{},[46,10149,10150,821],{},[49,10151,820],{},[46,10153,10154,827],{},[49,10155,826],{},[46,10157,10158,833],{},[49,10159,832],{},[46,10161,10162,839],{},[49,10163,838],{},[46,10165,10166,845],{},[49,10167,844],{},[11,10169,849],{"id":848},[43,10171,10172,10174,10176,10178,10180],{},[46,10173,854],{},[46,10175,857],{},[46,10177,860],{},[46,10179,863],{},[46,10181,866],{},[11,10183,483],{"id
":482},[16,10185,871,10186,875,10189,879],{},[20,10187,492],{"href":489,"rel":10188},[491],[20,10190,878],{"href":22},{"title":495,"searchDepth":496,"depth":496,"links":10192},[10193,10194,10195,10199,10203,10207,10208,10209,10210,10211],{"id":547,"depth":496,"text":548},{"id":560,"depth":496,"text":561},{"id":592,"depth":496,"text":593,"children":10196},[10197,10198],{"id":599,"depth":502,"text":600},{"id":623,"depth":502,"text":624},{"id":644,"depth":496,"text":645,"children":10200},[10201,10202],{"id":651,"depth":502,"text":600},{"id":677,"depth":502,"text":624},{"id":700,"depth":496,"text":701,"children":10204},[10205,10206],{"id":707,"depth":502,"text":600},{"id":727,"depth":502,"text":624},{"id":757,"depth":496,"text":758},{"id":802,"depth":496,"text":803},{"id":812,"depth":496,"text":813},{"id":848,"depth":496,"text":849},{"id":482,"depth":496,"text":483},{"items":10213},[10214,10215,10216,10217,10218],{"label":905,"content":906},{"label":908,"content":909},{"label":911,"content":912},{"label":914,"content":915},{"label":917,"content":918},{},[922,923,924,524],[926,424,927],{"title":929,"description":930},{"id":7663,"title":7664,"advantages":10224,"body":10231,"checklist":10557,"cta":10559,"description":495,"extension":522,"faq":10560,"hero":10567,"meta":10571,"name":8201,"navigation":527,"path":22,"resources":10572,"seo":10577,"slug":524,"stats":10578,"stem":8228,"__hash__":8229},[10225,10227,10229],{"title":7667,"description":7668,"bullets":10226},[7670,7671,7672],{"title":7674,"description":7675,"bullets":10228},[7677,7678,7679],{"title":7681,"description":7682,"bullets":10230},[7684,7685,7686],{"type":8,"value":10232,"toc":10539},[10233,10235,10237,10241,10245,10249,10251,10253,10257,10261,10269,10271,10275,10277,10279,10281,10285,10287,10289,10291,10295,10297,10301,10303,10305,10307,10319,10323,10325,10329,10355,10357,10359,10361,10363,10389,10393,10395,10397,10433,10435,10437,10439,10445,10451,10457,10465,10469,10471,10475,10497,10499,10501,10503,10505,
10531],[11,10234,7692],{"id":7691},[16,10236,7695],{},[16,10238,7698,10239,7701],{},[20,10240,5649],{"href":5648},[16,10242,7704,10243,7707],{},[20,10244,57],{"href":61},[16,10246,7710,10247,7713],{},[49,10248,57],{},[11,10250,7717],{"id":7716},[16,10252,7720],{},[16,10254,187,10255,7725],{},[49,10256,191],{},[16,10258,187,10259,7730],{},[49,10260,2823],{},[16,10262,7733,10263,7736,10265,749,10267,799],{},[20,10264,5061],{"href":190},[20,10266,7739],{"href":5925},[20,10268,57],{"href":7742},[11,10270,5243],{"id":5242},[16,10272,18,10273,7749],{},[20,10274,57],{"href":61},[38,10276,6180],{"id":6179},[16,10278,7754],{},[38,10280,6438],{"id":6437},[16,10282,7759,10283,7763],{},[20,10284,7762],{"href":920},[38,10286,6491],{"id":6490},[16,10288,7768],{},[38,10290,4626],{"id":6547},[16,10292,7773,10293,1354],{},[20,10294,7776],{"href":2456},[38,10296,2297],{"id":6602},[16,10298,7781,10299,799],{},[20,10300,7784],{"href":2301},[11,10302,7788],{"id":7787},[16,10304,7791],{},[16,10306,7794],{},[43,10308,10309,10311,10313,10315,10317],{},[46,10310,7799],{},[46,10312,7802],{},[46,10314,7805],{},[46,10316,7808],{},[46,10318,7811],{},[16,10320,7814,10321,7819],{},[20,10322,7818],{"href":7817},[11,10324,7823],{"id":7822},[16,10326,18,10327,7829],{},[20,10328,7828],{"href":528},[198,10330,10331,10339,10343,10347,10351],{},[46,10332,10333,7837,10335,7840,10337,7843],{},[49,10334,7836],{},[20,10336,4024],{"href":4023},[20,10338,80],{"href":79},[46,10340,10341,7849],{},[49,10342,7848],{},[46,10344,10345,7855],{},[49,10346,7854],{},[46,10348,10349,7861],{},[49,10350,7860],{},[46,10352,10353,7867],{},[49,10354,7866],{},[16,10356,7870],{},[11,10358,7874],{"id":7873},[16,10360,7877],{},[16,10362,7880],{},[43,10364,10365,10369,10373,10377,10381,10385],{},[46,10366,10367,7888],{},[49,10368,7887],{},[46,10370,10371,7894],{},[49,10372,7893],{},[46,10374,10375,7900],{},[49,10376,7899],{},[46,10378,10379,7906],{},[49,10380,7905],{},[46,10382,10383,7911],{},[49,10384,3031],{},[46,10386,10387,79
17],{},[49,10388,7916],{},[16,10390,7920,10391,7923],{},[20,10392,170],{"href":169},[11,10394,7927],{"id":7926},[16,10396,7930],{},[43,10398,10399,10403,10407,10411,10415,10421,10427],{},[46,10400,10401,7938],{},[49,10402,7937],{},[46,10404,10405,7944],{},[49,10406,7943],{},[46,10408,10409,7950],{},[49,10410,7949],{},[46,10412,10413,7956],{},[49,10414,7955],{},[46,10416,10417,7962,10419,7965],{},[49,10418,7961],{},[20,10420,2394],{"href":2393},[46,10422,10423,7971,10425,7974],{},[49,10424,7970],{},[20,10426,3453],{"href":1271},[46,10428,10429,7980,10431,799],{},[49,10430,7979],{},[20,10432,798],{"href":797},[16,10434,7985],{},[11,10436,7989],{"id":7988},[16,10438,7992],{},[16,10440,10441,7999],{},[49,10442,10443],{},[20,10444,28],{"href":27},[16,10446,10447,8006],{},[49,10448,10449],{},[20,10450,3202],{"href":3201},[16,10452,10453,8013],{},[49,10454,10455],{},[20,10456,5232],{"href":5231},[16,10458,10459,4009,10461,4014,10463,8025],{},[49,10460,8018],{},[49,10462,8021],{},[49,10464,8024],{},[16,10466,8028,10467,8032],{},[20,10468,8031],{"href":6011},[11,10470,8036],{"id":8035},[16,10472,8039,10473,8043],{},[20,10474,8042],{"href":131},[43,10476,10477,10479,10481,10483,10485,10487,10489,10491,10493,10495],{},[46,10478,8048],{},[46,10480,8051],{},[46,10482,8054],{},[46,10484,8057],{},[46,10486,8060],{},[46,10488,8063],{},[46,10490,8066],{},[46,10492,8069],{},[46,10494,8072],{},[46,10496,8075],{},[16,10498,8078],{},[11,10500,8082],{"id":8081},[16,10502,8085],{},[16,10504,8088],{},[198,10506,10507,10511,10515,10519,10523,10527],{},[46,10508,10509,8096],{},[49,10510,8095],{},[46,10512,10513,8102],{},[49,10514,8101],{},[46,10516,10517,8108],{},[49,10518,8107],{},[46,10520,10521,8114],{},[49,10522,8113],{},[46,10524,10525,8120],{},[49,10526,8119],{},[46,10528,10529,8126],{},[49,10530,8125],{},[16,10532,8129,10533,2927,10536,8138],{},[20,10534,492],{"href":489,"rel":10535},[491],[20,10537,8137],{"href":8135,"rel":10538},[491],{"title":495,"searchDepth":496,"depth":496,"link
s":10540},[10541,10542,10543,10550,10551,10552,10553,10554,10555,10556],{"id":7691,"depth":496,"text":7692},{"id":7716,"depth":496,"text":7717},{"id":5242,"depth":496,"text":5243,"children":10544},[10545,10546,10547,10548,10549],{"id":6179,"depth":502,"text":6180},{"id":6437,"depth":502,"text":6438},{"id":6490,"depth":502,"text":6491},{"id":6547,"depth":502,"text":4626},{"id":6602,"depth":502,"text":2297},{"id":7787,"depth":496,"text":7788},{"id":7822,"depth":496,"text":7823},{"id":7873,"depth":496,"text":7874},{"id":7926,"depth":496,"text":7927},{"id":7988,"depth":496,"text":7989},{"id":8035,"depth":496,"text":8036},{"id":8081,"depth":496,"text":8082},{"title":8158,"description":8159,"items":10558},[8161,8162,8163,8164,8165],{"title":8167,"description":8168},{"title":8170,"items":10561},[10562,10563,10564,10565,10566],{"label":8173,"content":8174},{"label":8176,"content":8177},{"label":8179,"content":8180},{"label":7788,"content":8182},{"label":8184,"content":8185},{"headline":8187,"title":8188,"description":8189,"links":10568},[10569,10570],{"label":8192,"icon":8193,"to":489},{"label":8195,"icon":8196,"color":8197,"variant":8198,"to":8135,"target":8199},{},{"headline":8203,"title":8203,"description":8204,"items":10573},[10574,10575,10576],{"title":8207,"description":8208},{"title":8210,"description":8211},{"title":8213,"description":8214},{"title":8216,"description":8217},[10579,10580,10581],{"value":8220,"description":8221},{"value":8223,"description":8224},{"value":8226,"description":8227},{"id":10583,"title":10584,"body":10585,"comparison":10676,"competitorA":2931,"competitorB":10721,"cta":10722,"description":495,"extension":522,"faq":523,"hero":10725,"meta":10733,"navigation":527,"path":10734,"seo":10735,"slug":10738,"slugA":10739,"slugB":10740,"stem":10741,"verdict":10742,"__hash__":10746},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs 
Secureframe",{"type":8,"value":10586,"toc":10666},[10587,10591,10594,10598,10601,10607,10610,10614,10617,10620,10623,10627,10630,10633,10637,10640,10643,10647,10650,10653,10657,10660,10663],[11,10588,10590],{"id":10589},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[16,10592,10593],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[38,10595,10597],{"id":10596},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[16,10599,10600],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[16,10602,10603,10606],{},[49,10604,10605],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[16,10608,10609],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. 
This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[38,10611,10613],{"id":10612},"the-dashboard-question","The dashboard question",[16,10615,10616],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[16,10618,10619],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[16,10621,10622],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[38,10624,10626],{"id":10625},"integration-depth","Integration depth",[16,10628,10629],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[16,10631,10632],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. 
If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[38,10634,10636],{"id":10635},"pricing-opacity","Pricing opacity",[16,10638,10639],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[16,10641,10642],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[38,10644,10646],{"id":10645},"where-both-platforms-struggle","Where both platforms struggle",[16,10648,10649],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[16,10651,10652],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[38,10654,10656],{"id":10655},"the-case-for-a-different-approach","The case for a different approach",[16,10658,10659],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. 
If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[16,10661,10662],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[16,10664,10665],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":495,"searchDepth":496,"depth":496,"links":10667},[10668],{"id":10589,"depth":496,"text":10590,"children":10669},[10670,10671,10672,10673,10674,10675],{"id":10596,"depth":502,"text":10597},{"id":10612,"depth":502,"text":10613},{"id":10625,"depth":502,"text":10626},{"id":10635,"depth":502,"text":10636},{"id":10645,"depth":502,"text":10646},{"id":10655,"depth":502,"text":10656},[10677,10682,10686,10691,10696,10701,10706,10711,10716],{"feature":10678,"competitorA":10679,"competitorB":10680,"episki":10681},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":10683,"competitorA":10684,"competitorB":10684,"episki":10685},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":10687,"competitorA":10688,"competitorB":10689,"episki":10690},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":10692,"competitorA":10693,"competitorB":10694,"episki":10695},"Integration count","100+ integrations covering major cloud and SaaS 
platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":10697,"competitorA":10698,"competitorB":10699,"episki":10700},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":10702,"competitorA":10703,"competitorB":10704,"episki":10705},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":10707,"competitorA":10708,"competitorB":10709,"episki":10710},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":10712,"competitorA":10713,"competitorB":10714,"episki":10715},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":10717,"competitorA":10718,"competitorB":10719,"episki":10720},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Secureframe",{"title":10723,"description":10724},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":10726,"title":10727,"description":10728,"links":10729},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. 
Two closely matched platforms with subtle but important differences for your team.",[10730,10732],{"label":10731,"icon":8193,"to":489},"Try episki free",{"label":8195,"icon":8196,"color":8197,"variant":8198,"to":8135,"target":8199},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":10736,"description":10737},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":10743,"chooseB":10744,"chooseEpiski":10745},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":10748,"title":2931,"advantages":10749,"body":10771,"comparison":10822,"competitor":2931,"cta":10847,"description":495,"extension":522,"hero":10850,"meta":10859,"navigation":527,"path":2930,"seo":10860,"slug":10739,"stem":10863,"__hash__":10864},"compare\u002F7.compare\u002Fdrata.md",[10750,10757,10764],{"title":10751,"description":10752,"bullets":10753},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. 
No tiers, no negotiations.",[10754,10755,10756],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":10758,"description":10759,"bullets":10760},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[10761,10762,10763],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":10765,"description":10766,"bullets":10767},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[10768,10769,10770],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":8,"value":10772,"toc":10817},[10773,10777,10780,10783,10803,10807,10810,10814],[11,10774,10776],{"id":10775},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[16,10778,10779],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. 
It works well for organizations that want continuous monitoring with minimal manual intervention.",[16,10781,10782],{},"Some teams look for alternatives when they need:",[43,10784,10785,10791,10797],{},[46,10786,10787,10790],{},[49,10788,10789],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[46,10792,10793,10796],{},[49,10794,10795],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[46,10798,10799,10802],{},[49,10800,10801],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[11,10804,10806],{"id":10805},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[16,10808,10809],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[11,10811,10813],{"id":10812},"when-episki-shines","When episki shines",[16,10815,10816],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. 
If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":495,"searchDepth":496,"depth":496,"links":10818},[10819,10820,10821],{"id":10775,"depth":496,"text":10776},{"id":10805,"depth":496,"text":10806},{"id":10812,"depth":496,"text":10813},[10823,10825,10826,10830,10833,10836,10839,10843],{"feature":10678,"episki":10681,"competitor":10824},"Tiered pricing based on framework count and company size",{"feature":10683,"episki":10685,"competitor":10684},{"feature":10827,"episki":10828,"competitor":10829},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":210,"episki":10831,"competitor":10832},"Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":10834,"episki":10705,"competitor":10835},"AI assistance","AI-powered compliance automation",{"feature":8486,"episki":10837,"competitor":10838},"Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":10840,"episki":10841,"competitor":10842},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":10844,"episki":10845,"competitor":10846},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":10848,"description":10849},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":10851,"title":10852,"description":10853,"links":10854},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. 
See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[10855,10857],{"label":10856,"icon":8193,"to":489},"Start free trial",{"label":10858,"icon":8196,"color":8197,"variant":8198,"to":8135,"target":8199},"See a live demo",{},{"title":10861,"description":10862},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":10866,"title":10867,"api":523,"authors":10868,"body":10874,"category":11050,"date":11051,"description":11052,"extension":522,"features":523,"fixes":523,"highlight":523,"image":11053,"improvements":523,"meta":11055,"navigation":527,"path":11057,"seo":11058,"stem":11059,"__hash__":11060},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[10869],{"name":10870,"to":10871,"avatar":10872},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":10873},"\u002Fimages\u002Fjustinleapline.png",{"type":8,"value":10875,"toc":11042},[10876,10882,10885,10888,10891,10894,10897,10899,10903,10913,10916,10919,10922,10924,10928,10931,10934,10937,10940,10942,10946,10953,10956,10959,10962,10964,10968,10971,10974,10977,10979,10983,10986,10989,10992,10995,10997,11001,11004,11007,11010,11012,11017,11028,11034,11036],[10877,10878,10879],"blockquote",{},[16,10880,10881],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. 
This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[10883,10884],"hr",{},[16,10886,10887],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[16,10889,10890],{},"They happen because nobody agreed on who was responsible for following it.",[16,10892,10893],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[16,10895,10896],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[10883,10898],{},[11,10900,10902],{"id":10901},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[16,10904,10905,10907,10908,10912],{},[20,10906,5232],{"href":5231}," governs the entire ",[20,10909,10911],{"href":10910},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[16,10914,10915],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[16,10917,10918],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[16,10920,10921],{},"The fix isn't adding more controls. It's expanding the ownership model. 
Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[10883,10923],{},[11,10925,10927],{"id":10926},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[16,10929,10930],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[16,10932,10933],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[16,10935,10936],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[16,10938,10939],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[10883,10941],{},[11,10943,10945],{"id":10944},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[16,10947,10948,10949,10952],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[20,10950,10951],{"href":7469},"third-party service providers"," who have access to cardholder data. 
In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[16,10954,10955],{},"That's not management. That's documentation.",[16,10957,10958],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[16,10960,10961],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[10883,10963],{},[11,10965,10967],{"id":10966},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[16,10969,10970],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[16,10972,10973],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[16,10975,10976],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. 
And it means building succession into the program architecture, not treating it as an afterthought.",[10883,10978],{},[11,10980,10982],{"id":10981},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[16,10984,10985],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[16,10987,10988],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO is spending time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[16,10990,10991],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[16,10993,10994],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[10883,10996],{},[11,10998,11000],{"id":10999},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[16,11002,11003],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. 
And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[16,11005,11006],{},"None of this requires a larger team. It requires a more deliberate structure.",[16,11008,11009],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[10883,11011],{},[16,11013,11014],{},[49,11015,11016],{},"Is your PCI ownership model as clear as you think it is?",[16,11018,11019,11020,11023,11024,11027],{},"At ",[20,11021,2908],{"href":11022},"\u002F",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[20,11025,11026],{"href":5231},"PCI"," program holds up when it matters most.",[16,11029,11030],{},[20,11031,11033],{"href":8135,"rel":11032},[491],"Let's talk →",[10883,11035],{},[16,11037,11038],{},[11039,11040,11041],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":495,"searchDepth":496,"depth":496,"links":11043},[11044,11045,11046,11047,11048,11049],{"id":10901,"depth":496,"text":10902},{"id":10926,"depth":496,"text":10927},{"id":10944,"depth":496,"text":10945},{"id":10966,"depth":496,"text":10967},{"id":10981,"depth":496,"text":10982},{"id":10999,"depth":496,"text":11000},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. 
Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":11054},"\u002Fimages\u002Fblog\u002FPCI.jpg",{"slug":11056},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":10867,"description":11052},"3.now\u002Fdefined-roles-pci-compliance-mistakes","0u0CncSJsrHMYJZWMH_BzWgau-vuQTBQ7NdBBVQMz7Q",{"id":11062,"title":11063,"advantages":11064,"body":11086,"checklist":11093,"cta":11102,"description":11090,"extension":522,"faq":523,"hero":11105,"meta":11113,"name":11114,"navigation":527,"path":11115,"resources":11116,"seo":11129,"slug":11132,"stats":11133,"stem":11143,"__hash__":11144},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[11065,11072,11079],{"title":11066,"description":11067,"bullets":11068},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[11069,11070,11071],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":11073,"description":11074,"bullets":11075},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[11076,11077,11078],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":11080,"description":11081,"bullets":11082},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[11083,11084,11085],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":8,"value":11087,"toc":11091},[11088],[16,11089,11090],{},"Healthcare buyers move fast when they trust your safeguards. 
episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":495,"searchDepth":496,"depth":496,"links":11092},[],{"title":11094,"description":11095,"items":11096},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[11097,11098,11099,11100,11101],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":11103,"description":11104},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":11106,"title":11107,"description":11108,"links":11109},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[11110,11112],{"label":11111,"icon":8193,"to":489},"Start healthtech trial",{"label":8195,"icon":8196,"color":8197,"variant":8198,"to":8135,"target":8199},{},"healthcare and healthtech","\u002Findustry\u002Fhealthcare",{"headline":11117,"title":11117,"description":11118,"items":11119},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[11120,11123,11126],{"title":11121,"description":11122},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":11124,"description":11125},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":11127,"description":11128},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":11130,"description":11131},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech 
teams. Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[11134,11137,11140],{"value":11135,"description":11136},"30-day rollout","Move from baseline controls to monitored safeguards in under a month.",{"value":11138,"description":11139},"PHI-safe sharing","Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":11141,"description":11142},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776395349303]