[{"data":1,"prerenderedAt":3074},["ShallowReactive",2],{"\u002Fglossary\u002Fvulnerability-management":3,"explore-glossary-soc2-\u002Fglossary\u002Fvulnerability-management":217,"explore-topics-soc2-\u002Fglossary\u002Fvulnerability-management":1009,"explore-hub-soc2":1908,"explore-compare-vs-\u002Fglossary\u002Fvulnerability-management":2506,"explore-compare-\u002Fglossary\u002Fvulnerability-management":2672,"explore-blog-soc2-\u002Fglossary\u002Fvulnerability-management":2792,"explore-industry-soc2":2990},{"id":4,"title":5,"body":6,"description":184,"extension":195,"lastUpdated":196,"meta":197,"navigation":198,"path":199,"relatedFrameworks":200,"relatedTerms":206,"seo":211,"slug":214,"stem":215,"term":13,"__hash__":216},"glossary\u002F8.glossary\u002Fvulnerability-management.md","Vulnerability Management",{"type":7,"value":8,"toc":183},"minimark",[9,14,18,23,26,67,71,74,107,111,137,141,144,170,174],[10,11,13],"h2",{"id":12},"what-is-vulnerability-management","What is Vulnerability Management?",[15,16,17],"p",{},"Vulnerability management is the continuous process of identifying, classifying, prioritizing, and remediating security vulnerabilities in an organization's systems, software, and infrastructure. Unlike one-time assessments, vulnerability management is an ongoing program that adapts as new threats emerge and your environment changes.",[19,20,22],"h3",{"id":21},"the-vulnerability-management-lifecycle","The vulnerability management lifecycle",[15,24,25],{},"An effective program follows a repeating cycle:",[27,28,29,37,43,49,55,61],"ol",{},[30,31,32,36],"li",{},[33,34,35],"strong",{},"Asset discovery"," — maintain an accurate inventory of all hardware, software, and cloud resources in scope",[30,38,39,42],{},[33,40,41],{},"Vulnerability scanning"," — use automated tools to detect known vulnerabilities across your environment on a regular schedule",[30,44,45,48],{},[33,46,47],{},"Prioritization"," — rank findings by severity (CVSS score), exploitability, asset criticality, and business context — not every \"critical\" CVE is critical to your organization",[30,50,51,54],{},[33,52,53],{},"Remediation"," — apply patches, configuration changes, or compensating controls to address vulnerabilities within defined SLAs",[30,56,57,60],{},[33,58,59],{},"Verification"," — rescan to confirm that remediation was effective and didn't introduce new issues",[30,62,63,66],{},[33,64,65],{},"Reporting"," — track metrics like mean time to remediate (MTTR), vulnerability aging, and coverage rates",[19,68,70],{"id":69},"vulnerability-management-in-compliance-frameworks","Vulnerability management in compliance frameworks",[15,72,73],{},"Most security frameworks require a formal vulnerability management program:",[75,76,77,83,89,95,101],"ul",{},[30,78,79,82],{},[33,80,81],{},"PCI DSS"," — Requirement 6.3 requires patching critical vulnerabilities within defined timeframes; Requirement 11.3 requires internal and external vulnerability scanning",[30,84,85,88],{},[33,86,87],{},"SOC 2"," — CC7.1 covers detection of vulnerabilities and CC8.1 addresses change management for remediation",[30,90,91,94],{},[33,92,93],{},"ISO 27001"," — A.8.8 (management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities",[30,96,97,100],{},[33,98,99],{},"NIST CSF"," — ID.RA (risk assessment) and PR.IP (information protection) directly relate to vulnerability identification and remediation",[30,102,103,106],{},[33,104,105],{},"CMMC"," — RA.L2-3.11.2 requires remediation of vulnerabilities in accordance with risk assessments",[19,108,110],{"id":109},"common-vulnerability-scanning-tools","Common vulnerability scanning tools",[75,112,113,119,125,131],{},[30,114,115,118],{},[33,116,117],{},"Infrastructure scanners"," — Nessus, Qualys, Rapid7 InsightVM for network and host-level vulnerabilities",[30,120,121,124],{},[33,122,123],{},"Application scanners"," — OWASP ZAP, Burp Suite for web application vulnerabilities",[30,126,127,130],{},[33,128,129],{},"Dependency scanners"," — Snyk, Dependabot, Trivy for software composition analysis (SCA)",[30,132,133,136],{},[33,134,135],{},"Cloud security posture"," — AWS Inspector, Azure Defender, GCP Security Command Center for cloud misconfigurations",[19,138,140],{"id":139},"sla-best-practices","SLA best practices",[15,142,143],{},"Define remediation timelines based on severity:",[75,145,146,152,158,164],{},[30,147,148,151],{},[33,149,150],{},"Critical"," — remediate within 24–72 hours",[30,153,154,157],{},[33,155,156],{},"High"," — remediate within 7–14 days",[30,159,160,163],{},[33,161,162],{},"Medium"," — remediate within 30 days",[30,165,166,169],{},[33,167,168],{},"Low"," — remediate within 90 days or accept risk with documented justification",[19,171,173],{"id":172},"how-episki-helps","How episki helps",[15,175,176,177,182],{},"episki tracks vulnerability findings, manages remediation workflows with due dates and ownership, and maps vulnerabilities to compliance framework requirements. The platform provides dashboards showing remediation progress and aging metrics for auditors. Learn more on our ",[178,179,181],"a",{"href":180},"\u002Fframeworks","compliance platform",".",{"title":184,"searchDepth":185,"depth":185,"links":186},"",2,[187],{"id":12,"depth":185,"text":13,"children":188},[189,191,192,193,194],{"id":21,"depth":190,"text":22},3,{"id":69,"depth":190,"text":70},{"id":109,"depth":190,"text":110},{"id":139,"depth":190,"text":140},{"id":172,"depth":190,"text":173},"md","2026-04-16",{},true,"\u002Fglossary\u002Fvulnerability-management",[201,202,203,204,205],"soc2","iso27001","pci","nistcsf","cmmc",[207,208,209,210],"penetration-testing","remediation","continuous-monitoring","web-application-security",{"title":212,"description":213},"What is Vulnerability Management? Definition & Compliance Guide","Vulnerability management is the ongoing process of identifying, classifying, prioritizing, and remediating security vulnerabilities across your systems and applications.","vulnerability-management","8.glossary\u002Fvulnerability-management","trqOInljYh6e_TV2H4ad-4rWHiLRpTTPS2g6EvKbZCc",[218,780],{"id":219,"title":220,"body":221,"description":184,"extension":195,"lastUpdated":196,"meta":766,"navigation":198,"path":767,"relatedFrameworks":768,"relatedTerms":770,"seo":774,"slug":777,"stem":778,"term":226,"__hash__":779},"glossary\u002F8.glossary\u002Faccess-control.md","Access Control",{"type":7,"value":222,"toc":752},[223,227,230,234,237,263,267,273,279,285,291,295,298,304,321,327,341,347,358,362,365,418,422,425,439,443,446,469,473,476,525,529,532,651,654,657,686,690,696,699,736,739,742,745,747],[10,224,226],{"id":225},"what-is-access-control","What is Access Control?",[15,228,229],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[19,231,233],{"id":232},"core-principles","Core principles",[15,235,236],{},"Access control is built on several foundational principles:",[75,238,239,245,251,257],{},[30,240,241,244],{},[33,242,243],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[30,246,247,250],{},[33,248,249],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[30,252,253,256],{},[33,254,255],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[30,258,259,262],{},[33,260,261],{},"Default deny"," — access is denied by default unless explicitly granted",[19,264,266],{"id":265},"types-of-access-control","Types of access control",[15,268,269,272],{},[33,270,271],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. This is the most common model in enterprise environments.",[15,274,275,278],{},[33,276,277],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[15,280,281,284],{},[33,282,283],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[15,286,287,290],{},[33,288,289],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[19,292,294],{"id":293},"access-control-components","Access control components",[15,296,297],{},"A complete access control program addresses:",[15,299,300,303],{},[33,301,302],{},"Authentication"," — verifying the identity of users:",[75,305,306,309,312,315,318],{},[30,307,308],{},"Passwords and passphrases",[30,310,311],{},"Multi-factor authentication (MFA)",[30,313,314],{},"Single sign-on (SSO)",[30,316,317],{},"Biometric authentication",[30,319,320],{},"Certificate-based authentication",[15,322,323,326],{},[33,324,325],{},"Authorization"," — determining what authenticated users can do:",[75,328,329,332,335,338],{},[30,330,331],{},"Permission assignments",[30,333,334],{},"Role definitions",[30,336,337],{},"Access control lists",[30,339,340],{},"Policy enforcement points",[15,342,343,346],{},[33,344,345],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[75,348,349,352,355],{},[30,350,351],{},"Provisioning (granting access when hired or role changes)",[30,353,354],{},"Review (periodic access certification)",[30,356,357],{},"Deprovisioning (revoking access upon termination or role change)",[19,359,361],{"id":360},"access-control-in-compliance-frameworks","Access control in compliance frameworks",[15,363,364],{},"Every major framework requires access control:",[75,366,367,375,388,402,410],{},[30,368,369,374],{},[33,370,371],{},[178,372,87],{"href":373},"\u002Fframeworks\u002Fsoc2"," — CC6.1 through CC6.8 cover logical and physical access controls",[30,376,377,382,383,387],{},[33,378,379],{},[178,380,93],{"href":381},"\u002Fframeworks\u002Fiso27001"," — ",[178,384,386],{"href":385},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[30,389,390,396,397,401],{},[33,391,392],{},[178,393,395],{"href":394},"\u002Fframeworks\u002Fhipaa","HIPAA"," — the ",[178,398,400],{"href":399},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[30,403,404,409],{},[33,405,406],{},[178,407,81],{"href":408},"\u002Fframeworks\u002Fpci"," — Requirements 7 and 8 address access restriction and user identification",[30,411,412,417],{},[33,413,414],{},[178,415,99],{"href":416},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[19,419,421],{"id":420},"access-reviews","Access reviews",[15,423,424],{},"Regular access reviews (also called access certifications) are a critical control:",[75,426,427,430,433,436],{},[30,428,429],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[30,431,432],{},"Verify that access aligns with current job responsibilities",[30,434,435],{},"Identify and remove excessive or unnecessary access",[30,437,438],{},"Document review results and remediation actions",[19,440,442],{"id":441},"common-access-control-weaknesses","Common access control weaknesses",[15,444,445],{},"Even well-designed access control programs can degrade over time without ongoing attention. Watch for these common issues:",[75,447,448,451,454,457,460,463,466],{},[30,449,450],{},"Excessive permissions that accumulate over time (privilege creep)",[30,452,453],{},"Shared or generic accounts that prevent individual accountability",[30,455,456],{},"Delayed deprovisioning when employees leave or change roles",[30,458,459],{},"Lack of MFA on critical systems and remote access paths",[30,461,462],{},"Inconsistent access review processes with no documented remediation",[30,464,465],{},"Service accounts with standing privileged access and no rotation schedule",[30,467,468],{},"Lack of visibility into SaaS application access outside the corporate IdP",[19,470,472],{"id":471},"implementing-access-control-in-practice","Implementing access control in practice",[15,474,475],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[27,477,478,484,490,496,502,508,519],{},[30,479,480,483],{},[33,481,482],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[30,485,486,489],{},[33,487,488],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[30,491,492,495],{},[33,493,494],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[30,497,498,501],{},[33,499,500],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[30,503,504,507],{},[33,505,506],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[30,509,510,513,514,518],{},[33,511,512],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[178,515,517],{"href":516},"\u002Fglossary\u002Faudit-trail","audit trail"," that satisfies compliance requirements.",[30,520,521,524],{},[33,522,523],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[19,526,528],{"id":527},"access-control-requirements-by-framework","Access control requirements by framework",[15,530,531],{},"Different frameworks address the same access control concepts with different control references. The table below maps common requirements to their framework-specific identifiers:",[533,534,535,555],"table",{},[536,537,538],"thead",{},[539,540,541,545,547,549,551,553],"tr",{},[542,543,544],"th",{},"Requirement",[542,546,87],{},[542,548,93],{},[542,550,395],{},[542,552,81],{},[542,554,99],{},[556,557,558,579,598,617,634],"tbody",{},[539,559,560,564,567,570,573,576],{},[561,562,563],"td",{},"Unique user IDs",[561,565,566],{},"CC6.1",[561,568,569],{},"A.5.16",[561,571,572],{},"§164.312(a)(2)(i)",[561,574,575],{},"Req 8.2.1",[561,577,578],{},"PR.AC-1",[539,580,581,584,586,589,592,595],{},[561,582,583],{},"MFA",[561,585,566],{},[561,587,588],{},"A.8.5",[561,590,591],{},"Addressable",[561,593,594],{},"Req 8.4",[561,596,597],{},"PR.AC-7",[539,599,600,602,605,608,611,614],{},[561,601,421],{},[561,603,604],{},"CC6.2",[561,606,607],{},"A.5.18",[561,609,610],{},"§164.312(a)(1)",[561,612,613],{},"Req 7.2",[561,615,616],{},"PR.AC-4",[539,618,619,621,624,627,629,632],{},[561,620,243],{},[561,622,623],{},"CC6.3",[561,625,626],{},"A.5.15",[561,628,610],{},[561,630,631],{},"Req 7.1",[561,633,616],{},[539,635,636,639,641,643,646,649],{},[561,637,638],{},"Deprovisioning",[561,640,604],{},[561,642,607],{},[561,644,645],{},"§164.312(a)(2)(ii)",[561,647,648],{},"Req 8.2.6",[561,650,578],{},[15,652,653],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[15,655,656],{},"A few notes on framework-specific nuances:",[75,658,659,664,672,679],{},[30,660,661,663],{},[33,662,395],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[30,665,666,671],{},[33,667,668,670],{},[178,669,81],{"href":408}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[30,673,674,678],{},[33,675,676],{},[178,677,87],{"href":373}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[30,680,681,685],{},[33,682,683],{},[178,684,99],{"href":416}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[19,687,689],{"id":688},"zero-trust-and-access-control","Zero trust and access control",[15,691,692,693,182],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[33,694,695],{},"never trust, always verify",[15,697,698],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[75,700,701,707,713,724,730],{},[30,702,703,706],{},[33,704,705],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[30,708,709,712],{},[33,710,711],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[30,714,715,718,719,723],{},[33,716,717],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[178,720,722],{"href":721},"\u002Fglossary\u002Fencryption","encryption",") is evaluated before access is granted.",[30,725,726,729],{},[33,727,728],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[30,731,732,735],{},[33,733,734],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[15,737,738],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[15,740,741],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[15,743,744],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. Over time, these incremental improvements compound into a mature zero trust posture.",[19,746,173],{"id":172},[15,748,749,750,182],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[178,751,181],{"href":180},{"title":184,"searchDepth":185,"depth":185,"links":753},[754],{"id":225,"depth":185,"text":226,"children":755},[756,757,758,759,760,761,762,763,764,765],{"id":232,"depth":190,"text":233},{"id":265,"depth":190,"text":266},{"id":293,"depth":190,"text":294},{"id":360,"depth":190,"text":361},{"id":420,"depth":190,"text":421},{"id":441,"depth":190,"text":442},{"id":471,"depth":190,"text":472},{"id":527,"depth":190,"text":528},{"id":688,"depth":190,"text":689},{"id":172,"depth":190,"text":173},{},"\u002Fglossary\u002Faccess-control",[205,201,202,769,203,204],"hipaa",[771,772,722,773],"minimum-necessary-rule","audit-trail","user-entity-controls",{"title":775,"description":776},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","aw9J1nXzlNuRVpTr3vx46B0ijrBB9hLxb3SnjmXE6cE",{"id":781,"title":782,"body":783,"description":184,"extension":195,"lastUpdated":196,"meta":999,"navigation":198,"path":516,"relatedFrameworks":1000,"relatedTerms":1001,"seo":1004,"slug":772,"stem":1007,"term":788,"__hash__":1008},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":7,"value":784,"toc":989},[785,789,792,796,799,837,840,860,864,867,889,893,896,940,944,947,961,965,982,984],[10,786,788],{"id":787},"what-is-an-audit-trail","What is an Audit Trail?",[15,790,791],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[19,793,795],{"id":794},"what-audit-trails-capture","What audit trails capture",[15,797,798],{},"Effective audit trails typically record:",[75,800,801,807,813,819,825,831],{},[30,802,803,806],{},[33,804,805],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[30,808,809,812],{},[33,810,811],{},"System events"," — configuration changes, service starts and stops, errors, failures",[30,814,815,818],{},[33,816,817],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[30,820,821,824],{},[33,822,823],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[30,826,827,830],{},[33,828,829],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[30,832,833,836],{},[33,834,835],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[15,838,839],{},"Each audit trail entry should include:",[75,841,842,845,848,851,854,857],{},[30,843,844],{},"Timestamp (synchronized across systems)",[30,846,847],{},"User or system identity",[30,849,850],{},"Action performed",[30,852,853],{},"Target resource or data",[30,855,856],{},"Outcome (success or failure)",[30,858,859],{},"Source (IP address, device, or location)",[19,861,863],{"id":862},"audit-trail-requirements-across-frameworks","Audit trail requirements across frameworks",[15,865,866],{},"Multiple compliance frameworks require audit trails:",[75,868,869,874,879,884],{},[30,870,871,873],{},[33,872,87],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[30,875,876,878],{},[33,877,93],{}," — control A.8.15 addresses logging, and A.8.17 addresses clock synchronization for accurate audit trails",[30,880,881,883],{},[33,882,395],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[30,885,886,888],{},[33,887,81],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[19,890,892],{"id":891},"implementing-audit-trails","Implementing audit trails",[15,894,895],{},"To implement effective audit trails:",[27,897,898,904,910,916,922,928,934],{},[30,899,900,903],{},[33,901,902],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[30,905,906,909],{},[33,907,908],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[30,911,912,915],{},[33,913,914],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[30,917,918,921],{},[33,919,920],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[30,923,924,927],{},[33,925,926],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[30,929,930,933],{},[33,931,932],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[30,935,936,939],{},[33,937,938],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[19,941,943],{"id":942},"audit-trail-retention","Audit trail retention",[15,945,946],{},"Retention requirements vary by framework and jurisdiction:",[75,948,949,952,955,958],{},[30,950,951],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 months immediately available",[30,953,954],{},"HIPAA requires documentation retention for 6 years",[30,956,957],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[30,959,960],{},"SOC 2 audit periods typically require evidence covering the observation period",[19,962,964],{"id":963},"common-pitfalls","Common pitfalls",[75,966,967,970,973,976,979],{},[30,968,969],{},"Insufficient logging — missing critical events or systems",[30,971,972],{},"Log overload — logging too much without meaningful analysis",[30,974,975],{},"No log protection — allowing administrators to modify or delete logs",[30,977,978],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[30,980,981],{},"No review process — collecting logs but never analyzing them",[19,983,173],{"id":172},[15,985,986,987,182],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[178,988,181],{"href":180},{"title":184,"searchDepth":185,"depth":185,"links":990},[991],{"id":787,"depth":185,"text":788,"children":992},[993,994,995,996,997,998],{"id":794,"depth":190,"text":795},{"id":862,"depth":190,"text":863},{"id":891,"depth":190,"text":892},{"id":942,"depth":190,"text":943},{"id":963,"depth":190,"text":964},{"id":172,"depth":190,"text":173},{},[201,202,769,203],[1002,777,209,1003],"evidence-collection","incident-response",{"title":1005,"description":1006},"What is an Audit Trail? Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","TS31vs1S2ZQUFvm3zNALCcZaNNrpPCRC6ZQBgh0zKdE",[1010,1517],{"id":1011,"title":1012,"body":1013,"description":1502,"extension":195,"faq":1503,"frameworkSlug":201,"lastUpdated":196,"meta":1504,"navigation":198,"path":1505,"relatedTerms":1506,"relatedTopics":1508,"seo":1512,"stem":1515,"__hash__":1516},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Faudit-process.md","SOC 2 Audit Process",{"type":7,"value":1014,"toc":1478},[1015,1019,1028,1032,1035,1039,1064,1068,1076,1090,1093,1097,1100,1120,1128,1132,1135,1172,1175,1179,1187,1191,1229,1233,1290,1294,1297,1300,1338,1342,1388,1392,1395,1399,1402,1406,1409,1412,1415,1429,1432,1436,1466,1468],[10,1016,1018],{"id":1017},"how-the-soc-2-audit-process-works","How the SOC 2 audit process works",[15,1020,1021,1022,1024,1025,1027],{},"The ",[178,1023,87],{"href":373}," audit process can feel opaque if you have never been through one. Unlike a certification like ",[178,1026,93],{"href":381}," where a registrar issues a certificate, SOC 2 produces an auditor's report — a detailed opinion letter from a licensed CPA firm. Understanding each phase removes surprises and keeps your team on track.",[10,1029,1031],{"id":1030},"phase-1-scoping-and-readiness-assessment","Phase 1: Scoping and readiness assessment",[15,1033,1034],{},"Before engaging an auditor, define what is in scope and evaluate how ready you are.",[19,1036,1038],{"id":1037},"define-scope","Define scope",[75,1040,1041,1047,1058],{},[30,1042,1043,1046],{},[33,1044,1045],{},"Systems",": Identify the applications, infrastructure, databases, and third-party services that store, process, or transmit customer data.",[30,1048,1049,1052,1053,1057],{},[33,1050,1051],{},"Trust Services Criteria",": Security is required. Add availability, processing integrity, confidentiality, or privacy based on customer commitments and the nature of your service. See the ",[178,1054,1056],{"href":1055},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria deep dive"," for guidance.",[30,1059,1060,1063],{},[33,1061,1062],{},"Service commitments",": Review your terms of service, SLAs, and data processing agreements. Auditors will test controls against these commitments.",[19,1065,1067],{"id":1066},"conduct-a-gap-analysis","Conduct a gap analysis",[15,1069,1070,1071,1075],{},"Compare your current controls against ",[178,1072,1074],{"href":1073},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". A readiness assessment identifies:",[75,1077,1078,1081,1084,1087],{},[30,1079,1080],{},"Controls that already satisfy criteria",[30,1082,1083],{},"Gaps where controls are missing or undocumented",[30,1085,1086],{},"Evidence that exists versus evidence you still need to collect",[30,1088,1089],{},"Policies that need to be written or updated",[15,1091,1092],{},"Many organizations perform this internally or hire a consultant. The output should be a remediation plan with owners and deadlines.",[19,1094,1096],{"id":1095},"remediate-gaps","Remediate gaps",[15,1098,1099],{},"Address the findings from your gap analysis before the audit begins. Common remediation items include:",[75,1101,1102,1105,1108,1111,1114,1117],{},[30,1103,1104],{},"Writing or formalizing information security policies",[30,1106,1107],{},"Enabling multi-factor authentication across all critical systems",[30,1109,1110],{},"Implementing centralized logging and monitoring",[30,1112,1113],{},"Establishing a vendor risk management process",[30,1115,1116],{},"Conducting security awareness training for all employees",[30,1118,1119],{},"Documenting an incident response plan and running a tabletop exercise",[15,1121,1122,1123,1127],{},"Budget four to twelve weeks for remediation depending on the size of your gap list. Use the ",[178,1124,1126],{"href":1125},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","SOC 2 compliance checklist"," to track progress systematically.",[10,1129,1131],{"id":1130},"phase-2-selecting-an-auditor","Phase 2: Selecting an auditor",[15,1133,1134],{},"SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Not all CPA firms are equal — look for:",[75,1136,1137,1143,1149,1155,1166],{},[30,1138,1139,1142],{},[33,1140,1141],{},"SOC 2 experience",": Ask how many SOC 2 engagements they complete per year and whether they have experience with companies at your stage and in your industry.",[30,1144,1145,1148],{},[33,1146,1147],{},"Technology alignment",": Firms that understand cloud-native architectures, CI\u002FCD pipelines, and modern SaaS stacks will ask better questions and move faster.",[30,1150,1151,1154],{},[33,1152,1153],{},"Communication style",": You will work closely with the audit team for weeks or months. Clear, responsive communication matters.",[30,1156,1157,1160,1161,1165],{},[33,1158,1159],{},"Pricing transparency",": Request a fixed-fee quote or a detailed estimate. Understand what triggers additional fees. See our ",[178,1162,1164],{"href":1163},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for benchmarks.",[30,1167,1168,1171],{},[33,1169,1170],{},"Timeline availability",": Popular audit firms book up quarters in advance. Start the selection process early.",[15,1173,1174],{},"Request proposals from two to four firms, compare scope and pricing, and check references from companies similar to yours.",[10,1176,1178],{"id":1177},"phase-3-the-type-i-audit","Phase 3: The Type I audit",[15,1180,1181,1182,1186],{},"A ",[178,1183,1185],{"href":1184},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type I"," audit evaluates whether controls are suitably designed and implemented as of a specific date — a point-in-time assessment.",[19,1188,1190],{"id":1189},"what-to-expect","What to expect",[27,1192,1193,1199,1205,1211,1217,1223],{},[30,1194,1195,1198],{},[33,1196,1197],{},"Kickoff meeting",": The auditor reviews scope, systems, and criteria with your team. They will share a request list detailing the evidence and documentation they need.",[30,1200,1201,1204],{},[33,1202,1203],{},"Evidence collection",": Your team gathers policies, configurations, screenshots, access lists, and other artifacts. This is typically the most time-consuming step.",[30,1206,1207,1210],{},[33,1208,1209],{},"Walkthroughs and inquiries",": The auditor conducts interviews with control owners to understand how processes work. They may ask for live demonstrations.",[30,1212,1213,1216],{},[33,1214,1215],{},"Testing",": The auditor inspects evidence to confirm controls are designed to meet the criteria. For Type I, they are validating design — not operating effectiveness over time.",[30,1218,1219,1222],{},[33,1220,1221],{},"Issue identification",": If the auditor finds control gaps or design deficiencies, they will flag them. You may have an opportunity to remediate before the report is finalized.",[30,1224,1225,1228],{},[33,1226,1227],{},"Report drafting and delivery",": The auditor produces a report containing their opinion, a description of your system, the criteria tested, and any exceptions noted.",[19,1230,1232],{"id":1231},"type-i-timeline","Type I timeline",[533,1234,1235,1245],{},[536,1236,1237],{},[539,1238,1239,1242],{},[542,1240,1241],{},"Step",[542,1243,1244],{},"Duration",[556,1246,1247,1255,1263,1271,1278],{},[539,1248,1249,1252],{},[561,1250,1251],{},"Readiness and remediation",[561,1253,1254],{},"4–12 weeks",[539,1256,1257,1260],{},[561,1258,1259],{},"Auditor selection and contracting",[561,1261,1262],{},"2–4 weeks",[539,1264,1265,1268],{},[561,1266,1267],{},"Evidence collection and fieldwork",[561,1269,1270],{},"3–6 weeks",[539,1272,1273,1276],{},[561,1274,1275],{},"Report drafting and review",[561,1277,1262],{},[539,1279,1280,1285],{},[561,1281,1282],{},[33,1283,1284],{},"Total",[561,1286,1287],{},[33,1288,1289],{},"11–26 weeks",[10,1291,1293],{"id":1292},"phase-4-the-type-ii-audit","Phase 4: The Type II audit",[15,1295,1296],{},"A SOC 2 Type II audit tests whether controls operated effectively over a defined observation period, typically three to twelve months. Most organizations choose a six-month or twelve-month window.",[19,1298,1190],{"id":1299},"what-to-expect-1",[27,1301,1302,1308,1314,1320,1326,1332],{},[30,1303,1304,1307],{},[33,1305,1306],{},"Observation period begins",": The clock starts on the agreed date. All controls must be operating from this point forward.",[30,1309,1310,1313],{},[33,1311,1312],{},"Ongoing evidence collection",": Unlike Type I, you need to collect evidence continuously throughout the observation period — access reviews, change approvals, incident logs, monitoring alerts.",[30,1315,1316,1319],{},[33,1317,1318],{},"Midpoint check-in"," (optional but recommended): Some auditors offer an interim review partway through the observation period to catch issues early.",[30,1321,1322,1325],{},[33,1323,1324],{},"Fieldwork",": After the observation period ends, the auditor performs detailed testing. They sample transactions, review logs, and verify that controls operated consistently.",[30,1327,1328,1331],{},[33,1329,1330],{},"Exception handling",": If a control failed during the period, the auditor documents the exception. A few exceptions do not automatically mean a qualified opinion, but patterns of failure will.",[30,1333,1334,1337],{},[33,1335,1336],{},"Final report",": The Type II report includes everything from Type I plus the auditor's testing results and opinion on operating effectiveness.",[19,1339,1341],{"id":1340},"type-ii-timeline","Type II timeline",[533,1343,1344,1352],{},[536,1345,1346],{},[539,1347,1348,1350],{},[542,1349,1241],{},[542,1351,1244],{},[556,1353,1354,1362,1370,1376],{},[539,1355,1356,1359],{},[561,1357,1358],{},"Observation period",[561,1360,1361],{},"3–12 months",[539,1363,1364,1367],{},[561,1365,1366],{},"Fieldwork after period ends",[561,1368,1369],{},"4–8 weeks",[539,1371,1372,1374],{},[561,1373,1275],{},[561,1375,1262],{},[539,1377,1378,1383],{},[561,1379,1380],{},[33,1381,1382],{},"Total (after readiness)",[561,1384,1385],{},[33,1386,1387],{},"5–15 months",[10,1389,1391],{"id":1390},"phase-5-report-delivery-and-beyond","Phase 5: Report delivery and beyond",[15,1393,1394],{},"Once you receive your SOC 2 report, the process does not end.",[19,1396,1398],{"id":1397},"distribute-the-report","Distribute the report",[15,1400,1401],{},"SOC 2 reports are restricted-use documents. Share them under NDA with customers, prospects, and partners who request them. Many companies set up a trust center or compliance portal to manage requests.",[19,1403,1405],{"id":1404},"plan-for-the-next-period","Plan for the next period",[15,1407,1408],{},"SOC 2 Type II reports cover a specific window. To maintain continuous coverage, plan the next observation period to begin immediately after the current one ends. Auditors call this a \"bridge period\" — any gap between periods means you have a coverage lapse that buyers may question.",[19,1410,1411],{"id":209},"Continuous monitoring",[15,1413,1414],{},"The most efficient SOC 2 programs do not treat the audit as a seasonal event. Instead, they:",[75,1416,1417,1420,1423,1426],{},[30,1418,1419],{},"Monitor control health in real time",[30,1421,1422],{},"Collect evidence automatically where possible",[30,1424,1425],{},"Review and update policies on a regular cadence",[30,1427,1428],{},"Track remediation items from previous audit exceptions",[15,1430,1431],{},"This continuous approach reduces the scramble before each audit and catches issues before they become exceptions.",[10,1433,1435],{"id":1434},"common-pitfalls-in-the-soc-2-audit-process","Common pitfalls in the SOC 2 audit process",[75,1437,1438,1444,1450,1456],{},[30,1439,1440,1443],{},[33,1441,1442],{},"Starting evidence collection too late",": Begin during readiness, not after the auditor's first request list arrives.",[30,1445,1446,1449],{},[33,1447,1448],{},"Single-threaded ownership",": SOC 2 touches engineering, IT, HR, and legal. Assign control owners across teams and give them visibility into the timeline.",[30,1451,1452,1455],{},[33,1453,1454],{},"Ignoring the observation period",": For Type II, controls must operate every day of the period. A policy that exists but is not followed will result in exceptions.",[30,1457,1458,1461,1462,1465],{},[33,1459,1460],{},"Choosing the wrong auditor",": A mismatched firm can slow the process and increase ",[178,1463,1464],{"href":1163},"costs",". Do your diligence upfront.",[10,1467,173],{"id":172},[15,1469,1470,1471,1477],{},"episki streamlines every phase of the audit process. During readiness, the platform performs automated gap analysis against SOC 2 requirements and generates a prioritized remediation plan. During the observation period, structured evidence collection with ownership tracking and review cadences ensures nothing falls through the cracks. When fieldwork begins, the auditor collaboration portal gives your CPA firm scoped access to controls, evidence, and Q&A threads — eliminating back-and-forth emails. ",[178,1472,1476],{"href":1473,"rel":1474},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[1475],"nofollow","Start a free trial"," to see the full audit workflow in action.",{"title":184,"searchDepth":185,"depth":185,"links":1479},[1480,1481,1486,1487,1491,1495,1500,1501],{"id":1017,"depth":185,"text":1018},{"id":1030,"depth":185,"text":1031,"children":1482},[1483,1484,1485],{"id":1037,"depth":190,"text":1038},{"id":1066,"depth":190,"text":1067},{"id":1095,"depth":190,"text":1096},{"id":1130,"depth":185,"text":1131},{"id":1177,"depth":185,"text":1178,"children":1488},[1489,1490],{"id":1189,"depth":190,"text":1190},{"id":1231,"depth":190,"text":1232},{"id":1292,"depth":185,"text":1293,"children":1492},[1493,1494],{"id":1299,"depth":190,"text":1190},{"id":1340,"depth":190,"text":1341},{"id":1390,"depth":185,"text":1391,"children":1496},[1497,1498,1499],{"id":1397,"depth":190,"text":1398},{"id":1404,"depth":190,"text":1405},{"id":209,"depth":190,"text":1411},{"id":1434,"depth":185,"text":1435},{"id":172,"depth":185,"text":173},"A step-by-step guide to the SOC 2 audit process, from readiness assessment through final report delivery, including timelines for Type I and Type II engagements.",null,{},"\u002Fframeworks\u002Fsoc2\u002Faudit-process",[201,1507],"grc",[1509,1510,1511],"type-1-vs-type-2","requirements","cost",{"title":1513,"description":1514},"SOC 2 Audit Process — Step-by-Step Guide for 2026","Walk through the SOC 2 audit process step by step. Learn about readiness assessments, auditor selection, Type I vs Type II timelines, and what to expect.","5.frameworks\u002Fsoc2\u002Faudit-process","iyxfqb2dYCTbXKBkEJCPxss2rzK_gziKbfoMFkRC3V0",{"id":1518,"title":1519,"body":1520,"description":1877,"extension":195,"faq":1878,"frameworkSlug":201,"lastUpdated":196,"meta":1895,"navigation":198,"path":1896,"relatedTerms":1897,"relatedTopics":1901,"seo":1903,"stem":1906,"__hash__":1907},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Favailability-criteria.md","SOC 2 Availability Criteria",{"type":7,"value":1521,"toc":1856},[1522,1526,1532,1535,1539,1544,1564,1567,1571,1574,1578,1598,1602,1616,1619,1623,1626,1629,1652,1655,1672,1675,1679,1682,1685,1702,1705,1719,1732,1736,1739,1765,1776,1780,1783,1786,1790,1822,1826,1843,1845],[10,1523,1525],{"id":1524},"availability-is-the-soc-2-criterion-most-visible-to-customers","Availability is the SOC 2 criterion most visible to customers",[15,1527,1528,1529,1531],{},"When a customer's application goes down and they cannot log in, they blame your uptime. The availability Trust Services Criterion is where ",[178,1530,87],{"href":373}," turns that reality into a structured set of controls. The criterion applies when an organization commits to specific uptime levels or recovery capabilities — typically through published SLAs, status pages, or contractual obligations. If your customers rely on your service being up, availability belongs in your audit scope.",[15,1533,1534],{},"Availability is optional in SOC 2, but for SaaS companies selling into enterprise or mid-market, it is often the first additional criterion added beyond security. Enterprise procurement teams expect it because their risk frameworks treat vendor availability as a top-tier concern.",[10,1536,1538],{"id":1537},"what-the-availability-criterion-covers","What the availability criterion covers",[15,1540,1021,1541,1543],{},[178,1542,1051],{"href":1055}," define availability as \"the accessibility of the system, products, or services as stipulated by a contract or service level agreement.\" Availability has three dedicated control categories in the A1 series, plus overlap with several Common Criteria.",[75,1545,1546,1552,1558],{},[30,1547,1548,1551],{},[33,1549,1550],{},"A1.1"," — The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity.",[30,1553,1554,1557],{},[33,1555,1556],{},"A1.2"," — The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its availability objectives.",[30,1559,1560,1563],{},[33,1561,1562],{},"A1.3"," — The entity tests recovery plan procedures supporting system recovery to meet its availability objectives.",[15,1565,1566],{},"A1 is short but dense. Each control generates operational evidence across the observation period.",[10,1568,1570],{"id":1569},"a11-capacity-planning-and-monitoring","A1.1 — Capacity planning and monitoring",[15,1572,1573],{},"A1.1 requires that you know how much capacity your system has, how much it is using, and how you will add more when demand grows. Auditors look for a capacity management process that operates continuously, not a one-time analysis.",[19,1575,1577],{"id":1576},"typical-controls","Typical controls",[75,1579,1580,1583,1586,1589,1592,1595],{},[30,1581,1582],{},"Real-time capacity monitoring dashboards (CPU, memory, storage, network, database connections)",[30,1584,1585],{},"Defined thresholds for capacity alerts",[30,1587,1588],{},"Scheduled capacity reviews with documented outcomes",[30,1590,1591],{},"Forecasting based on growth assumptions",[30,1593,1594],{},"Auto-scaling for elastic workloads",[30,1596,1597],{},"Procurement lead time built into capacity forecasting",[19,1599,1601],{"id":1600},"evidence-expectations","Evidence expectations",[75,1603,1604,1607,1610,1613],{},[30,1605,1606],{},"Capacity dashboards with historical data spanning the observation period",[30,1608,1609],{},"Capacity review meeting notes or tickets",[30,1611,1612],{},"Alert history showing capacity thresholds being monitored",[30,1614,1615],{},"Procurement or provisioning records when capacity was added",[15,1617,1618],{},"Organizations running in public cloud typically have strong A1.1 posture out of the box because auto-scaling and managed services remove much of the manual capacity work. Organizations running colocated hardware have more evidence to produce.",[10,1620,1622],{"id":1621},"a12-environmental-protections-and-recovery-infrastructure","A1.2 — Environmental protections and recovery infrastructure",[15,1624,1625],{},"A1.2 covers the infrastructure that supports availability — redundancy, backups, and environmental controls. The term \"environmental\" is broader than physical environment; it includes software resilience as well.",[19,1627,1577],{"id":1628},"typical-controls-1",[75,1630,1631,1634,1637,1640,1643,1646,1649],{},[30,1632,1633],{},"Multi-region or multi-AZ deployment architecture",[30,1635,1636],{},"Redundant components (load balancers, databases, caches)",[30,1638,1639],{},"Automated failover mechanisms",[30,1641,1642],{},"Backup and recovery procedures with defined retention",[30,1644,1645],{},"Data replication strategy",[30,1647,1648],{},"Physical environmental controls for on-premises facilities (power, cooling, fire suppression)",[30,1650,1651],{},"Network isolation and DDoS protections",[19,1653,1601],{"id":1654},"evidence-expectations-1",[75,1656,1657,1660,1663,1666,1669],{},[30,1658,1659],{},"Architecture diagrams showing redundancy",[30,1661,1662],{},"Backup job logs confirming successful backups",[30,1664,1665],{},"Backup restoration test records",[30,1667,1668],{},"Failover test results if applicable",[30,1670,1671],{},"Data center certifications (for colocated hardware)",[15,1673,1674],{},"A common gap in A1.2 is backup coverage. Teams have backups but do not test restoration until an incident forces it. Auditors look for proactive restoration tests.",[10,1676,1678],{"id":1677},"a13-recovery-testing","A1.3 — Recovery testing",[15,1680,1681],{},"A1.3 is where availability and business continuity meet. The control requires that recovery procedures be tested so they work when a real disruption occurs.",[19,1683,1577],{"id":1684},"typical-controls-2",[75,1686,1687,1690,1693,1696,1699],{},[30,1688,1689],{},"Documented disaster recovery plan with defined RPO and RTO",[30,1691,1692],{},"Annual or more frequent DR tests",[30,1694,1695],{},"Scenario-based testing (region failure, database failure, application failure)",[30,1697,1698],{},"Post-test reviews with remediation items",[30,1700,1701],{},"Business continuity plan integration",[19,1703,1601],{"id":1704},"evidence-expectations-2",[75,1706,1707,1710,1713,1716],{},[30,1708,1709],{},"Current DR plan document with approval evidence",[30,1711,1712],{},"DR test reports from the observation period",[30,1714,1715],{},"Remediation tracking for issues identified during tests",[30,1717,1718],{},"Evidence that lessons were incorporated into the plan",[15,1720,1721,1722,1726,1727,1731],{},"See ",[178,1723,1725],{"href":1724},"\u002Fglossary\u002Fbusiness-continuity","business continuity"," and ",[178,1728,1730],{"href":1729},"\u002Fglossary\u002Fdisaster-recovery","disaster recovery"," for related terms.",[10,1733,1735],{"id":1734},"overlap-with-other-trust-services-criteria","Overlap with other Trust Services Criteria",[15,1737,1738],{},"Availability does not exist in isolation. Several Common Criteria contribute to the picture.",[75,1740,1741,1747,1753,1759],{},[30,1742,1743,1746],{},[33,1744,1745],{},"CC7"," (system operations) — monitoring that detects availability events feeds the availability controls directly",[30,1748,1749,1752],{},[33,1750,1751],{},"CC9.1"," (business continuity) — overlaps heavily with A1.3",[30,1754,1755,1758],{},[33,1756,1757],{},"CC2"," (communication) — customer and internal communication during outages",[30,1760,1761,1764],{},[33,1762,1763],{},"CC8"," (change management) — poorly managed changes cause outages",[15,1766,1767,1768,1726,1772,182],{},"A well-designed SOC 2 program maps controls once and applies them to every applicable criterion. For example, a failover test may satisfy A1.2, A1.3, and CC9.1 simultaneously. The same mapping applies in ",[178,1769,1771],{"href":1770},"\u002Fframeworks\u002Fsoc2\u002Fcontinuous-monitoring","continuous monitoring",[178,1773,1775],{"href":1774},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",[10,1777,1779],{"id":1778},"how-this-fits-into-soc-2","How this fits into SOC 2",[15,1781,1782],{},"Availability is the most visible criterion for customers — outages generate status page updates, incident reports, and sometimes contractual credits. Auditors know this, so they examine availability controls against both the design and real operational outcomes during the observation period. If you had an outage during the period, the auditor will typically request the incident record and verify that A1.3 controls — recovery procedures — were executed and effective.",[15,1784,1785],{},"This also means availability has the clearest connection between control effectiveness and business impact. A clean availability section in a SOC 2 report supports sales conversations about enterprise reliability in a way that the security criterion alone cannot.",[10,1787,1789],{"id":1788},"common-mistakes","Common mistakes",[75,1791,1792,1798,1804,1810,1816],{},[30,1793,1794,1797],{},[33,1795,1796],{},"SLA without monitoring."," A published uptime commitment that nobody measures is a recipe for exceptions. If you commit to 99.9%, measure it and report it.",[30,1799,1800,1803],{},[33,1801,1802],{},"Backups without restoration tests."," Untested backups are hope, not controls. Run periodic restorations.",[30,1805,1806,1809],{},[33,1807,1808],{},"DR plan in a drawer."," A plan that has not been updated in two years is a design problem even if no disaster happened. Review annually.",[30,1811,1812,1815],{},[33,1813,1814],{},"No RPO or RTO."," \"We'll figure it out\" is not an acceptable answer to what data loss you can tolerate. Define the numbers.",[30,1817,1818,1821],{},[33,1819,1820],{},"Single-region deployments with availability criterion."," If your architecture cannot survive a regional failure and you are claiming availability, the auditor will note the gap. Match the criterion to reality.",[10,1823,1825],{"id":1824},"implementation-tips","Implementation tips",[75,1827,1828,1831,1834,1837,1840],{},[30,1829,1830],{},"Publish a status page that reflects real uptime. Auditors sometimes check it against your internal incident records.",[30,1832,1833],{},"Define RPO and RTO per system tier. Not every service needs the same recovery targets, and differentiating them makes the plan credible.",[30,1835,1836],{},"Test DR quarterly with different scenarios rotating across the year. Document each test.",[30,1838,1839],{},"Treat capacity alerts as first-class signals. If capacity thresholds are consistently breached with no action, A1.1 is weak.",[30,1841,1842],{},"Integrate capacity planning with business forecasts. Sales pipeline can predict capacity demand if the signal is used.",[10,1844,173],{"id":172},[15,1846,1847,1848,1851,1852,1855],{},"episki maps the A1 series controls to your existing monitoring, backup, and DR tooling and collects evidence — capacity dashboards, DR test results, incident history — automatically across the observation period. ",[178,1849,1476],{"href":1473,"rel":1850},[1475]," or read the full ",[178,1853,1854],{"href":373},"SOC 2 framework guide"," for how availability sits inside a complete SOC 2 program.",{"title":184,"searchDepth":185,"depth":185,"links":1857},[1858,1859,1860,1864,1868,1872,1873,1874,1875,1876],{"id":1524,"depth":185,"text":1525},{"id":1537,"depth":185,"text":1538},{"id":1569,"depth":185,"text":1570,"children":1861},[1862,1863],{"id":1576,"depth":190,"text":1577},{"id":1600,"depth":190,"text":1601},{"id":1621,"depth":185,"text":1622,"children":1865},[1866,1867],{"id":1628,"depth":190,"text":1577},{"id":1654,"depth":190,"text":1601},{"id":1677,"depth":185,"text":1678,"children":1869},[1870,1871],{"id":1684,"depth":190,"text":1577},{"id":1704,"depth":190,"text":1601},{"id":1734,"depth":185,"text":1735},{"id":1778,"depth":185,"text":1779},{"id":1788,"depth":185,"text":1789},{"id":1824,"depth":185,"text":1825},{"id":172,"depth":185,"text":173},"Deep dive on the SOC 2 Availability Trust Services Criterion. A1 series controls, uptime commitments, capacity planning, and disaster recovery.",{"items":1879},[1880,1883,1886,1889,1892],{"label":1881,"content":1882},"When should I include the availability criterion in my SOC 2?","Include availability when you have published SLAs, customers depend on continuous uptime, or contracts include availability commitments with penalties. Many SaaS companies add availability in their first SOC 2 if they sell into enterprise or mid-market.",{"label":1884,"content":1885},"Does the availability criterion require 99.99% uptime?","No. SOC 2 does not set a specific uptime number. It requires that you have defined availability commitments, measure against them, and have controls that support those commitments. The number is whatever you commit to in SLAs or customer contracts.",{"label":1887,"content":1888},"What is the difference between availability and business continuity?","Availability in SOC 2 covers day-to-day operation of the system — capacity, redundancy, monitoring. Business continuity covers response to disruptive events — the ability to recover when something goes wrong. Both are tested under availability controls (A1.3 specifically).",{"label":1890,"content":1891},"Do I need to test disaster recovery annually?","Yes. Auditors expect documented DR tests at least annually, with defined scenarios, results, and corrective actions. Many mature SOC 2 programs test quarterly, rotating scenarios.",{"label":1893,"content":1894},"What evidence do auditors expect for availability?","Auditors typically review published SLAs, capacity monitoring dashboards, incident history for outages, DR test results, and evidence that the DR plan was executed or simulated during the observation period.",{},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria",[1898,1899,1900,201],"business-continuity","disaster-recovery","monitoring",[1902,209,1003],"trust-services-criteria",{"title":1904,"description":1905},"SOC 2 Availability Criteria (2026): A1 Controls Deep Dive","Master the SOC 2 Availability criterion. A1.1 capacity planning, A1.2 environmental protections, A1.3 recovery, and common audit evidence.","5.frameworks\u002Fsoc2\u002Favailability-criteria","KNruVOcwfKW-lBS_jQvoBBLXuh2wwZOLL0fROaBb2bw",{"id":1909,"title":1910,"advantages":1911,"body":1933,"checklist":2433,"cta":2442,"description":184,"extension":195,"faq":2445,"hero":2462,"meta":2476,"name":2477,"navigation":198,"path":373,"resources":2478,"seo":2491,"slug":201,"stats":2494,"stem":2504,"__hash__":2505},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[1912,1919,1926],{"title":1913,"description":1914,"bullets":1915},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[1916,1917,1918],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":1920,"description":1921,"bullets":1922},"Evidence organized by control","Upload and track screenshots, configs, and exports in a structured evidence locker.",[1923,1924,1925],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":1927,"description":1928,"bullets":1929},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[1930,1931,1932],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for customers",{"type":7,"value":1934,"toc":2415},[1935,1939,1942,1950,1956,1962,1966,1969,1974,1980,1994,1998,2003,2007,2010,2014,2021,2025,2028,2032,2040,2044,2051,2055,2058,2061,2078,2086,2090,2096,2136,2139,2143,2146,2149,2187,2193,2197,2200,2256,2259,2263,2266,2273,2280,2287,2300,2308,2312,2319,2351,2354,2358,2361,2364,2402],[10,1936,1938],{"id":1937},"what-is-soc-2","What is SOC 2?",[15,1940,1941],{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. It does not tell you which tools to deploy; it tells you which outcomes you must demonstrate and leaves the implementation details to you.",[15,1943,1944,1945,1949],{},"SOC 2 evolved from SAS 70, an older attestation framework used primarily for financial reporting systems. As technology service providers increased their role in handling sensitive data, the AICPA introduced the SOC reporting suite. SOC 1 continued to address controls relevant to financial reporting. SOC 2 and SOC 3 shifted attention to information security, availability, and related commitments. Today, SOC 2 is issued under the AICPA's AT-C 105 and AT-C 205 attestation standards, following the ",[178,1946,1948],{"href":1947},"\u002Fglossary\u002Fssae-18","SSAE 18"," framework.",[15,1951,1952,1953,1955],{},"A SOC 2 engagement produces an opinion letter from a licensed CPA firm. That letter is the report buyers ask for. It documents the system under audit, the ",[178,1954,1051],{"href":1055}," selected, the controls in place, the testing the auditor performed, and any exceptions noted. A clean SOC 2 opinion signals to the market that a third party examined your controls and found them suitable — or in the case of Type II, found them operating effectively across a defined window.",[15,1957,1958,1959,1961],{},"SOC 2 is built on five ",[33,1960,1051],{},": security, availability, processing integrity, confidentiality, and privacy. Security is mandatory. The other four are optional and chosen based on your service commitments and customer expectations. Most first-time SOC 2 audits cover security alone or security plus one or two additional criteria. Scope expansion happens later, as the program matures.",[10,1963,1965],{"id":1964},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[15,1967,1968],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[15,1970,1181,1971,1973],{},[33,1972,1185],{}," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[15,1975,1181,1976,1979],{},[33,1977,1978],{},"SOC 2 Type II"," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[15,1981,1982,1983,1986,1987,1726,1991,182],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[178,1984,1985],{"href":1184},"SOC 2 Type 1 vs Type 2",". Related glossary terms: ",[178,1988,1990],{"href":1989},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2",[178,1992,1051],{"href":1993},"\u002Fglossary\u002Ftrust-services-criteria",[10,1995,1997],{"id":1996},"the-five-trust-services-criteria","The five Trust Services Criteria",[15,1999,1021,2000,2002],{},[178,2001,1051],{"href":1055}," define the principles your controls must satisfy. Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[19,2004,2006],{"id":2005},"security-common-criteria-required","Security (Common Criteria) — required",[15,2008,2009],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[19,2011,2013],{"id":2012},"availability","Availability",[15,2015,2016,2017,2020],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. Read the ",[178,2018,2019],{"href":1896},"availability criteria deep dive"," for common controls and implementation patterns.",[19,2022,2024],{"id":2023},"processing-integrity","Processing integrity",[15,2026,2027],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[19,2029,2031],{"id":2030},"confidentiality","Confidentiality",[15,2033,2034,2035,2039],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[178,2036,2038],{"href":2037},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria","confidentiality criteria deep dive"," for details.",[19,2041,2043],{"id":2042},"privacy","Privacy",[15,2045,2046,2047,182],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. For a full walkthrough, see the ",[178,2048,2050],{"href":2049},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria deep dive",[10,2052,2054],{"id":2053},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[15,2056,2057],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[15,2059,2060],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[75,2062,2063,2066,2069,2072,2075],{},[30,2064,2065],{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[30,2067,2068],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[30,2070,2071],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[30,2073,2074],{},"Investors or partners are asking about the company's security posture.",[30,2076,2077],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[15,2079,2080,2081,2085],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[178,2082,2084],{"href":2083},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[10,2087,2089],{"id":2088},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[15,2091,1021,2092,2095],{},[178,2093,2094],{"href":1505},"SOC 2 audit process"," follows a predictable sequence. Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[27,2097,2098,2112,2118,2124,2130],{},[30,2099,2100,2103,2104,2108,2109,2111],{},[33,2101,2102],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[178,2105,2107],{"href":2106},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment"," to compare current controls against ",[178,2110,1074],{"href":1073},". The output is a prioritized remediation plan.",[30,2113,2114,2117],{},[33,2115,2116],{},"Remediation."," Close the gaps identified during readiness. Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[30,2119,2120,2123],{},[33,2121,2122],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[30,2125,2126,2129],{},[33,2127,2128],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[30,2131,2132,2135],{},[33,2133,2134],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[15,2137,2138],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[10,2140,2142],{"id":2141},"what-does-soc-2-cost","What does SOC 2 cost?",[15,2144,2145],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. Auditor fees are the largest line item, but they are not the only cost. You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[15,2147,2148],{},"Typical benchmarks for a first-time SOC 2 engagement:",[75,2150,2151,2157,2163,2169,2175,2181],{},[30,2152,2153,2156],{},[33,2154,2155],{},"Type I auditor fees",": $15,000 to $40,000",[30,2158,2159,2162],{},[33,2160,2161],{},"Type II auditor fees",": $25,000 to $80,000",[30,2164,2165,2168],{},[33,2166,2167],{},"Readiness consulting"," (optional): $10,000 to $40,000",[30,2170,2171,2174],{},[33,2172,2173],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[30,2176,2177,2180],{},[33,2178,2179],{},"Penetration testing",": $8,000 to $30,000 per test",[30,2182,2183,2186],{},[33,2184,2185],{},"Internal staff time",": 200 to 600 hours across the first cycle",[15,2188,2189,2190,2192],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. See the full ",[178,2191,1164],{"href":1163}," for detailed ranges and cost-reduction strategies.",[10,2194,2196],{"id":2195},"common-soc-2-challenges","Common SOC 2 challenges",[15,2198,2199],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[75,2201,2202,2208,2214,2220,2226,2237,2248],{},[30,2203,2204,2207],{},[33,2205,2206],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[30,2209,2210,2213],{},[33,2211,2212],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. By the time the auditor asks, the evidence trail is broken.",[30,2215,2216,2219],{},[33,2217,2218],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. Without a single source of truth for control status, teams duplicate work or miss handoffs.",[30,2221,2222,2225],{},[33,2223,2224],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[30,2227,2228,2231,2232,2236],{},[33,2229,2230],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[178,2233,2235],{"href":2234},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," for how to close this gap.",[30,2238,2239,2242,2243,2247],{},[33,2240,2241],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. ",[178,2244,2246],{"href":2245},"\u002Fframeworks\u002Fsoc2\u002Fchange-management","Change management"," is a frequent source of Type II exceptions.",[30,2249,2250,2253,2254,182],{},[33,2251,2252],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[178,2255,1775],{"href":1774},[15,2257,2258],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[10,2260,2262],{"id":2261},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[15,2264,2265],{},"SOC 2 is not the only security framework buyers may request. Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[15,2267,2268,2272],{},[33,2269,2270],{},[178,2271,93],{"href":381}," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[15,2274,2275,2279],{},[33,2276,2277],{},[178,2278,395],{"href":394}," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as evidence of HIPAA compliance in vendor due diligence.",[15,2281,2282,2286],{},[33,2283,2284],{},[178,2285,81],{"href":408}," is the payment card industry's prescriptive standard for any organization that stores, processes, or transmits cardholder data. Unlike SOC 2, PCI DSS specifies exact controls down to firewall rules and encryption key rotation cadences. SOC 2 and PCI DSS share concepts like encryption, access control, and monitoring, but PCI DSS scope is narrower (cardholder data environment) and the requirements are more specific. Companies that process payments typically need both.",[15,2288,2289,2292,2293,2296,2297,2299],{},[33,2290,2291],{},"NIST Cybersecurity Framework",", ",[33,2294,2295],{},"FedRAMP",", and ",[33,2298,105],{}," address additional specialized audiences — federal contractors, defense industrial base, and government-adjacent systems. These are out of scope for most commercial SaaS but worth mapping if your buyer base includes public sector.",[15,2301,2302,2303,2307],{},"If you are comparing SOC 2 tooling options, our ",[178,2304,2306],{"href":2305},"\u002Fcompare\u002Fvs\u002Fvanta-vs-drata","Vanta vs Drata comparison"," covers the leading compliance automation platforms.",[10,2309,2311],{"id":2310},"soc-2-readiness-checklist","SOC 2 readiness checklist",[15,2313,2314,2315,2318],{},"A readiness checklist keeps your team focused during the months before the audit begins. The ",[178,2316,2317],{"href":1125},"full SOC 2 checklist"," covers every category, but at a high level expect to address:",[75,2320,2321,2324,2327,2330,2333,2336,2339,2342,2345,2348],{},[30,2322,2323],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[30,2325,2326],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[30,2328,2329],{},"Change management (code review, deployment approvals, production change logs)",[30,2331,2332],{},"Vendor risk management (inventory, assessments, monitoring)",[30,2334,2335],{},"Incident response (documented plan, tested at least annually)",[30,2337,2338],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[30,2340,2341],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[30,2343,2344],{},"Security awareness training (annual minimum, tracked completion)",[30,2346,2347],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[30,2349,2350],{},"Risk assessment (annual risk review, risk register, treatment plans)",[15,2352,2353],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[10,2355,2357],{"id":2356},"getting-started-with-soc-2","Getting started with SOC 2",[15,2359,2360],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[15,2362,2363],{},"A reasonable starting sequence:",[27,2365,2366,2372,2378,2384,2390,2396],{},[30,2367,2368,2371],{},[33,2369,2370],{},"Pick your Trust Services Criteria."," Security is required. Add others only if you have customer commitments that map to them.",[30,2373,2374,2377],{},[33,2375,2376],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. If you have time and buyer pressure is general, skip straight to Type II.",[30,2379,2380,2383],{},[33,2381,2382],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[30,2385,2386,2389],{},[33,2387,2388],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[30,2391,2392,2395],{},[33,2393,2394],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[30,2397,2398,2401],{},[33,2399,2400],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[15,2403,2404,2405,2408,2409,2414],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. ",[178,2406,1476],{"href":1473,"rel":2407},[1475]," or ",[178,2410,2413],{"href":2411,"rel":2412},"https:\u002F\u002Fcalendly.com\u002Fjustinleapline\u002Fepiski-demo",[1475],"book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":184,"searchDepth":185,"depth":185,"links":2416},[2417,2418,2419,2426,2427,2428,2429,2430,2431,2432],{"id":1937,"depth":185,"text":1938},{"id":1964,"depth":185,"text":1965},{"id":1996,"depth":185,"text":1997,"children":2420},[2421,2422,2423,2424,2425],{"id":2005,"depth":190,"text":2006},{"id":2012,"depth":190,"text":2013},{"id":2023,"depth":190,"text":2024},{"id":2030,"depth":190,"text":2031},{"id":2042,"depth":190,"text":2043},{"id":2053,"depth":185,"text":2054},{"id":2088,"depth":185,"text":2089},{"id":2141,"depth":185,"text":2142},{"id":2195,"depth":185,"text":2196},{"id":2261,"depth":185,"text":2262},{"id":2310,"depth":185,"text":2311},{"id":2356,"depth":185,"text":2357},{"title":2434,"description":2435,"items":2436},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[2437,2438,2439,2440,2441],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":2443,"description":2444},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.",{"title":2446,"items":2447},"SOC 2 frequently asked questions",[2448,2451,2454,2457,2459],{"label":2449,"content":2450},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. episki's automation can cut preparation time by up to 45 days.",{"label":2452,"content":2453},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":2455,"content":2456},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":2054,"content":2458},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":2460,"content":2461},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":2463,"title":2464,"description":2465,"links":2466},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[2467,2470],{"label":2468,"icon":2469,"to":1473},"Start SOC 2 trial","i-lucide-rocket",{"label":2471,"icon":2472,"color":2473,"variant":2474,"to":2411,"target":2475},"Book a demo","i-lucide-message-circle","neutral","subtle","_blank",{},"SOC 2 Type I\u002FII",{"headline":2479,"title":2479,"description":2480,"items":2481},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[2482,2485,2488],{"title":2483,"description":2484},"Executive scorecard","Summaries translate control work into risk reduction and deals unlocked.",{"title":2486,"description":2487},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":2489,"description":2490},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":2492,"description":2493},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. Start your free 14-day trial.",[2495,2498,2501],{"value":2496,"description":2497},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":2499,"description":2500},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":2502,"description":2503},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","shAxjjcx4JmL7Zy8hak9QyL4MkAUXkpn4CKU8l_0-Q4",{"id":2507,"title":2508,"body":2509,"comparison":2600,"competitorA":2645,"competitorB":2646,"cta":2647,"description":184,"extension":195,"faq":1503,"hero":2650,"meta":2658,"navigation":198,"path":2659,"seo":2660,"slug":2663,"slugA":2664,"slugB":2665,"stem":2666,"verdict":2667,"__hash__":2671},"compareVs\u002F7.compare\u002Fvs\u002Fdrata-vs-secureframe.md","Drata Vs Secureframe",{"type":7,"value":2510,"toc":2590},[2511,2515,2518,2522,2525,2531,2534,2538,2541,2544,2547,2551,2554,2557,2561,2564,2567,2571,2574,2577,2581,2584,2587],[10,2512,2514],{"id":2513},"drata-vs-secureframe-the-closest-comparison-in-compliance","Drata vs Secureframe: the closest comparison in compliance",[15,2516,2517],{},"If Vanta is the 800-pound gorilla, Drata and Secureframe are the two challengers most often compared against each other. They target similar buyers, cover similar frameworks, and offer similar automation. The differences are real but subtle — and they matter most in how your team experiences the platform day to day.",[19,2519,2521],{"id":2520},"feature-parity-with-different-emphasis","Feature parity with different emphasis",[15,2523,2524],{},"On paper, Drata and Secureframe look nearly identical. Both automate evidence collection, monitor your compliance posture continuously, support 15+ frameworks, and provide auditor-facing portals. The overlap is so significant that choosing between them often comes down to three factors: onboarding style, dashboard experience, and pricing.",[15,2526,2527,2530],{},[33,2528,2529],{},"Onboarding style"," is the clearest differentiator. Drata leans toward self-serve. The platform guides you through integration setup, control mapping, and evidence configuration with in-app workflows. For teams with compliance experience, this speed is an advantage — you can be operational in 1–2 weeks without waiting for a human to walk you through every step.",[15,2532,2533],{},"Secureframe takes the opposite approach. Every customer gets access to dedicated compliance managers who help interpret requirements, map controls to your environment, and prepare for audit. This white-glove model adds a week or two to implementation but dramatically reduces the learning curve for first-time audit teams.",[19,2535,2537],{"id":2536},"the-dashboard-question","The dashboard question",[15,2539,2540],{},"Drata's compliance dashboard is one of its signature features. The real-time posture view shows passing and failing controls across every framework, with compliance percentages and trend data. For compliance leads who report to a CISO or board, this visual layer simplifies status updates and makes it easy to demonstrate progress.",[15,2542,2543],{},"Secureframe also provides dashboards, but they feel more functional than visual. The platform surfaces actionable items — controls that need attention, evidence that's expiring, gaps to remediate — in a task-oriented format. It's effective, but it doesn't deliver the same at-a-glance executive view that Drata provides.",[15,2545,2546],{},"For teams that need board-ready compliance reporting, Drata has the edge. For teams that care more about daily workflow and task management, Secureframe's approach may feel more productive.",[19,2548,2550],{"id":2549},"integration-depth","Integration depth",[15,2552,2553],{},"Secureframe holds a slight advantage in integration count, with 150+ connections compared to Drata's 100+. The extra integrations primarily cover developer tools, identity providers, and security platforms. For teams running complex stacks with multiple CI\u002FCD pipelines, vulnerability scanners, and endpoint management tools, Secureframe's broader integration library means less manual evidence collection.",[15,2555,2556],{},"Drata's integrations, while fewer in number, tend to offer deeper configuration options for the platforms they do support. If your stack is standard — AWS or GCP, Okta or Google Workspace, GitHub, and a common HR tool — both platforms will serve you equally well.",[19,2558,2560],{"id":2559},"pricing-opacity","Pricing opacity",[15,2562,2563],{},"Neither Drata nor Secureframe publishes pricing. Both require a sales conversation to get a quote, and both scale based on team size, framework count, and contract terms. Based on market data, Drata typically starts around $10,000–$15,000\u002Fyr while Secureframe starts slightly lower at $8,000–$12,000\u002Fyr. At scale, both reach $30,000–$50,000\u002Fyr for larger organizations.",[15,2565,2566],{},"This pricing opacity creates a frustrating buying experience. You can't model costs internally before engaging sales. You can't easily compare options. And renewal conversations often involve price increases that are hard to predict at the time of initial purchase.",[19,2568,2570],{"id":2569},"where-both-platforms-struggle","Where both platforms struggle",[15,2572,2573],{},"The irony of comparing Drata and Secureframe is that their most significant limitations are shared. Both use pricing models that punish team growth. Both rely on templated control libraries that resist customization. Both treat policy documentation as a secondary concern — something generated through forms rather than crafted through a proper writing experience.",[15,2575,2576],{},"And both lock you into their workflow assumptions. If your compliance program doesn't map cleanly to their templates — if you run hybrid frameworks, need custom controls, or want to structure programs differently than the default — you'll spend time working around the platform instead of working within it.",[19,2578,2580],{"id":2579},"the-case-for-a-different-approach","The case for a different approach",[15,2582,2583],{},"When two products are this similar, the deciding factor often isn't which one is better — it's whether either one is the right category of tool for your needs. If you want maximum automation and are comfortable with enterprise pricing, Drata and Secureframe both deliver.",[15,2585,2586],{},"But if you want flat pricing at $500\u002Fmo, a Notion-like editor for compliance documentation, and the freedom to build programs that reflect how your team actually operates — episki offers something neither Drata nor Secureframe provides. No per-seat scaling. No opaque quotes. No templated policies that read like every other company's.",[15,2588,2589],{},"Just a workspace your compliance team will use daily, at a price that doesn't make your CFO wince.",{"title":184,"searchDepth":185,"depth":185,"links":2591},[2592],{"id":2513,"depth":185,"text":2514,"children":2593},[2594,2595,2596,2597,2598,2599],{"id":2520,"depth":190,"text":2521},{"id":2536,"depth":190,"text":2537},{"id":2549,"depth":190,"text":2550},{"id":2559,"depth":190,"text":2560},{"id":2569,"depth":190,"text":2570},{"id":2579,"depth":190,"text":2580},[2601,2606,2610,2615,2620,2625,2630,2635,2640],{"feature":2602,"competitorA":2603,"competitorB":2604,"episki":2605},"Pricing model","Custom pricing, typically starting around $10,000–$15,000\u002Fyr","Custom pricing, typically starting around $8,000–$12,000\u002Fyr","Flat $500\u002Fmo or $5,000\u002Fyr with unlimited seats",{"feature":2607,"competitorA":2608,"competitorB":2608,"episki":2609},"Framework coverage","SOC 2, ISO 27001, HIPAA, PCI DSS, GDPR, and 15+ frameworks","SOC 2, ISO 27001, HIPAA, PCI DSS, NIST CSF, and custom frameworks",{"feature":2611,"competitorA":2612,"competitorB":2613,"episki":2614},"Automation depth","Automated evidence collection with real-time compliance dashboards","Automated monitoring with continuous evidence collection and alerts","AI-assisted drafting and structured workflows with manual evidence uploads",{"feature":2616,"competitorA":2617,"competitorB":2618,"episki":2619},"Integration count","100+ integrations covering major cloud and SaaS platforms","150+ integrations covering cloud, identity, HR, and developer tools","Growing integration library with focus on structured evidence reuse",{"feature":2621,"competitorA":2622,"competitorB":2623,"episki":2624},"Auditor collaboration","Auditor-facing portal with read-only access and evidence downloads","Auditor-ready evidence rooms with structured access controls","Built-in auditor portal with scoped access and Q&A threads",{"feature":2626,"competitorA":2627,"competitorB":2628,"episki":2629},"AI features","AI-assisted control mapping and compliance recommendations","AI-driven compliance recommendations and automated risk scoring","AI drafts policies, narratives, remediation steps, and questionnaire answers",{"feature":2631,"competitorA":2632,"competitorB":2633,"episki":2634},"Implementation time","1–3 weeks with self-serve setup and optional guided onboarding","2–3 weeks with guided onboarding and compliance expertise","Same-day setup with self-serve onboarding and optional demo",{"feature":2636,"competitorA":2637,"competitorB":2638,"episki":2639},"Support model","In-app chat, email support, and dedicated CSM for larger accounts","Dedicated compliance managers, email, and in-app support","Direct founder access, in-app chat, and shared Slack channels",{"feature":2641,"competitorA":2642,"competitorB":2643,"episki":2644},"Free trial","Demo-based sales process, limited free trial availability","Demo-based sales process, no public free trial","14-day free trial with full access, no credit card required","Drata","Secureframe",{"title":2648,"description":2649},"Skip the comparison. Try episki free.","14-day trial with full access. No credit card required.",{"headline":2651,"title":2652,"description":2653,"links":2654},"Drata vs Secureframe","Similar features, different approaches to compliance automation","Compare Drata and Secureframe across pricing, onboarding, and compliance workflows. Two closely matched platforms with subtle but important differences for your team.",[2655,2657],{"label":2656,"icon":2469,"to":1473},"Try episki free",{"label":2471,"icon":2472,"color":2473,"variant":2474,"to":2411,"target":2475},{},"\u002Fcompare\u002Fvs\u002Fdrata-vs-secureframe",{"title":2661,"description":2662},"Drata vs Secureframe (2026): Pricing, Features & Honest Comparison","Drata vs Secureframe compared on pricing, onboarding, framework coverage, and compliance automation. See which platform fits your team — or why neither might be the best choice.","drata-vs-secureframe","drata","secureframe","7.compare\u002Fvs\u002Fdrata-vs-secureframe",{"chooseA":2668,"chooseB":2669,"chooseEpiski":2670},"Choose Drata if you value self-serve speed and visual compliance dashboards. Drata gets you operational faster and provides the clearest real-time view of your compliance posture — ideal for teams with in-house compliance knowledge.","Choose Secureframe if you want more hands-on guidance from dedicated compliance managers. Secureframe's human-led onboarding is better for teams running their first audit without experienced GRC staff.","Choose episki if you want transparent pricing, a writing-first editor, and the flexibility to structure programs your way. episki is for teams that want to own their compliance narrative without paying enterprise prices.","HuA5a0qhJVkEPHNLT6GY_VEempd7yA1ONnXItxDt-ZQ",{"id":2673,"title":2645,"advantages":2674,"body":2696,"comparison":2747,"competitor":2645,"cta":2773,"description":184,"extension":195,"hero":2776,"meta":2785,"navigation":198,"path":2786,"seo":2787,"slug":2664,"stem":2790,"__hash__":2791},"compare\u002F7.compare\u002Fdrata.md",[2675,2682,2689],{"title":2676,"description":2677,"bullets":2678},"One flat price for everything","episki includes unlimited frameworks, teammates, and portals for a single monthly or annual fee. No tiers, no negotiations.",[2679,2680,2681],"Add frameworks without upgrading to a higher tier","Invite auditors, customers, and stakeholders at no extra cost","Predictable billing that does not scale with headcount",{"title":2683,"description":2684,"bullets":2685},"Connected programs and assessments","episki treats compliance as connected work. Programs, assessments, controls, tasks, and issues link together so nothing falls through the cracks.",[2686,2687,2688],"Run recurring programs and one-time assessments side by side","Tasks inherit context from parent controls and programs","Evidence attaches once and stays available across every framework",{"title":2690,"description":2691,"bullets":2692},"Fast, keyboard-driven workspace","episki is built for people who spend hours in the tool. Keyboard shortcuts, global search, and a rich editor make daily compliance work feel fast.",[2693,2694,2695],"Navigate between programs, controls, and evidence without lifting your hands","Inline editing for policies, narratives, and response drafts","Dark mode and responsive layout for any screen",{"type":7,"value":2697,"toc":2742},[2698,2702,2705,2708,2728,2732,2735,2739],[10,2699,2701],{"id":2700},"why-teams-evaluate-drata-alternatives","Why teams evaluate Drata alternatives",[15,2703,2704],{},"Drata has built a comprehensive compliance automation platform with strong automated evidence collection and a wide library of supported frameworks. It works well for organizations that want continuous monitoring with minimal manual intervention.",[15,2706,2707],{},"Some teams look for alternatives when they need:",[75,2709,2710,2716,2722],{},[30,2711,2712,2715],{},[33,2713,2714],{},"Simpler pricing"," — Drata's tiered pricing based on framework count and company size can make budgeting unpredictable, especially for organizations running multiple frameworks or growing quickly.",[30,2717,2718,2721],{},[33,2719,2720],{},"Unified program management"," — teams managing overlapping compliance programs want controls, evidence, and tasks connected across frameworks in a single workspace rather than managed as separate compliance tracks.",[30,2723,2724,2727],{},[33,2725,2726],{},"A daily-use workspace"," — compliance teams that spend significant time writing, reviewing, and collaborating want an editor and navigation experience that feels productive rather than transactional.",[10,2729,2731],{"id":2730},"when-drata-might-be-the-better-fit","When Drata might be the better fit",[15,2733,2734],{},"Drata is a strong choice for teams that prioritize automated continuous monitoring and need a platform with deep integration coverage across cloud, identity, HR, and development tools. If your primary concern is automating evidence collection and you operate in a well-defined framework like SOC 2 or ISO 27001, Drata's automation depth is compelling.",[10,2736,2738],{"id":2737},"when-episki-shines","When episki shines",[15,2740,2741],{},"episki is designed for teams that view compliance as ongoing, cross-functional work rather than a monitoring dashboard. If you run multiple programs, collaborate with auditors directly in the tool, and want a workspace that feels as fast as your engineering tools, episki delivers a different kind of compliance experience.",{"title":184,"searchDepth":185,"depth":185,"links":2743},[2744,2745,2746],{"id":2700,"depth":185,"text":2701},{"id":2730,"depth":185,"text":2731},{"id":2737,"depth":185,"text":2738},[2748,2750,2751,2755,2758,2761,2765,2769],{"feature":2602,"episki":2605,"competitor":2749},"Tiered pricing based on framework count and company size",{"feature":2607,"episki":2609,"competitor":2608},{"feature":2752,"episki":2753,"competitor":2754},"Control management","Linked control graph with cross-framework reuse and ownership","Control library with automated testing and monitoring",{"feature":1203,"episki":2756,"competitor":2757},"Manual uploads with structured ownership and reuse across frameworks","Automated evidence collection with 100+ integrations",{"feature":2759,"episki":2629,"competitor":2760},"AI assistance","AI-powered compliance automation",{"feature":2762,"episki":2763,"competitor":2764},"Risk management","Risk registers with remediation tracking tied to controls","Built-in risk management with scoring and treatment plans",{"feature":2766,"episki":2767,"competitor":2768},"Editor experience","Notion-like rich text editor with inline editing","Structured forms and workflow-based interface",{"feature":2770,"episki":2771,"competitor":2772},"Collaboration","Built-in auditor portal, customer portals, and team workspaces","Auditor-facing dashboards and team collaboration features",{"title":2774,"description":2775},"Try episki side by side with Drata","Start a free trial with all features enabled. Import your controls and see the difference.",{"headline":2777,"title":2778,"description":2779,"links":2780},"episki vs Drata","How episki compares to Drata for compliance teams","A head-to-head on pricing, workflow design, and framework flexibility. See why teams that want a faster, more collaborative compliance workspace switch from Drata to episki.",[2781,2783],{"label":2782,"icon":2469,"to":1473},"Start free trial",{"label":2784,"icon":2472,"color":2473,"variant":2474,"to":2411,"target":2475},"See a live demo",{},"\u002Fcompare\u002Fdrata",{"title":2788,"description":2789},"episki vs Drata (2026): Pricing, Flexibility & Why Teams Switch","Compare episki and Drata on pricing, workflow design, and framework flexibility. See why compliance teams switch from Drata to episki.","7.compare\u002Fdrata","rehdI9NC6n1m3mFaD-M9xGliPjg5awlPauCt-LCW_es",{"id":2793,"title":2794,"api":1503,"authors":2795,"body":2801,"category":2979,"date":2980,"description":2981,"extension":195,"features":1503,"fixes":1503,"highlight":1503,"image":2982,"improvements":1503,"meta":2984,"navigation":198,"path":2986,"seo":2987,"stem":2988,"__hash__":2989},"posts\u002F3.now\u002Fdefined-roles-pci-compliance-mistakes.md","Defined Roles in PCI: The Compliance Mistakes That Fly Under the Radar",[2796],{"name":2797,"to":2798,"avatar":2799},"Justin Leapline","https:\u002F\u002Fwww.linkedin.com\u002Fin\u002Fjustinleapline\u002F",{"src":2800},"\u002Fimages\u002Fjustinleapline.png",{"type":7,"value":2802,"toc":2971},[2803,2809,2812,2815,2818,2821,2824,2826,2830,2840,2843,2846,2849,2851,2855,2858,2861,2864,2867,2869,2873,2881,2884,2887,2890,2892,2896,2899,2902,2905,2907,2911,2914,2917,2920,2923,2925,2929,2932,2935,2938,2940,2945,2957,2963,2965],[2804,2805,2806],"blockquote",{},[15,2807,2808],{},"When it comes to PCI DSS, most organizations focus on the technical controls — encryption, access management, logging. But one of the most persistent failure points isn't technical at all. It's the question of who owns what. Undefined or poorly assigned roles quietly undermine even the most well-resourced compliance programs. This post breaks down the most common role-related mistakes security leaders make in PCI — and what to do differently.",[2810,2811],"hr",{},[15,2813,2814],{},"Most PCI compliance failures don't happen because teams don't know the standard.",[15,2816,2817],{},"They happen because nobody agreed on who was responsible for following it.",[15,2819,2820],{},"It sounds simple. In practice, it's one of the hardest problems in compliance programs — and one of the least discussed. When a QSA walks in for an assessment and finds gaps, the root cause is often not a missing control. It's a missing owner.",[15,2822,2823],{},"For CISOs leading PCI programs, role clarity isn't a nice-to-have. It's the foundation everything else sits on.",[2810,2825],{},[10,2827,2829],{"id":2828},"mistake-1-treating-pci-ownership-as-an-it-problem","Mistake #1: Treating PCI Ownership as an IT Problem",[15,2831,2832,2834,2835,2839],{},[178,2833,81],{"href":408}," governs the entire ",[178,2836,2838],{"href":2837},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment"," — and the cardholder data environment touches far more than IT.",[15,2841,2842],{},"It includes how sales teams handle card data over the phone. How finance processes refunds. How third-party vendors connect to your systems. How HR onboards employees who access payment infrastructure. And yet, in most organizations, PCI ownership sits almost exclusively with the security or IT team — while the business units that handle cardholder data daily operate with little awareness of their own obligations.",[15,2844,2845],{},"This creates a structural gap. Controls get implemented technically but not operationally. Policies exist on paper but aren't followed in practice because the people they govern don't know they apply to them.",[15,2847,2848],{},"The fix isn't adding more controls. It's expanding the ownership model. Every team that touches cardholder data needs a defined role in the compliance program — with accountability, not just awareness.",[2810,2850],{},[10,2852,2854],{"id":2853},"mistake-2-confusing-responsible-with-accountable","Mistake #2: Confusing \"Responsible\" with \"Accountable\"",[15,2856,2857],{},"One of the most reliable ways to spot a broken compliance program is to ask two people on the same team who owns a specific PCI requirement. If you get two different answers — or two blank stares — you have an accountability problem.",[15,2859,2860],{},"The distinction between responsibility and accountability matters here. Responsibility is operational: this person performs the task. Accountability is governance: this person owns the outcome. In PCI, these roles are often blurred or duplicated, which means that when something goes wrong, nobody is clearly on the hook — and when audits come around, multiple people claim ownership of the same control without any of them actually running it.",[15,2862,2863],{},"The RACI model (Responsible, Accountable, Consulted, Informed) is a well-worn solution to this problem — but only when applied with rigor. A RACI matrix that was built two years ago and hasn't been updated since an acquisition, a reorg, or a new product launch is often worse than no RACI at all. It creates false confidence.",[15,2865,2866],{},"PCI role assignments need to be reviewed every time the business changes — not just every time the standard does.",[2810,2868],{},[10,2870,2872],{"id":2871},"mistake-3-letting-vendor-relationships-create-ownership-gaps","Mistake #3: Letting Vendor Relationships Create Ownership Gaps",[15,2874,2875,2876,2880],{},"PCI DSS Requirement 12.8 is clear: organizations are responsible for managing the compliance of all ",[178,2877,2879],{"href":2878},"\u002Fglossary\u002Fthird-party-risk","third-party service providers"," who have access to cardholder data. In practice, many organizations interpret this requirement as \"get a copy of their AOC and file it.\"",[15,2882,2883],{},"That's not management. That's documentation.",[15,2885,2886],{},"The gap shows up when a vendor has a breach, when a third-party integration introduces a vulnerability, or when an assessor asks how the organization monitors the compliance posture of its vendors — and the answer is \"we check their certificate once a year.\"",[15,2888,2889],{},"Vendor ownership in PCI requires a named internal owner for each critical third-party relationship. Someone who understands what that vendor does, what data they access, what their contractual security obligations are, and what the escalation path looks like if something goes wrong. Without that, vendor risk exists on paper but is managed by nobody.",[2810,2891],{},[10,2893,2895],{"id":2894},"mistake-4-role-assignments-that-dont-survive-personnel-changes","Mistake #4: Role Assignments That Don't Survive Personnel Changes",[15,2897,2898],{},"PCI roles are often documented at the person level — \"Sarah owns firewall management,\" \"Marco is responsible for log review\" — rather than at the function level. When Sarah leaves or Marco moves to a different team, the role doesn't transfer cleanly. Institutional knowledge walks out the door, and the new person inherits a responsibility they weren't briefed on.",[15,2900,2901],{},"This is especially dangerous in small security teams, where one person often carries multiple PCI functions. When that person leaves without a proper transition, entire sections of the compliance program can become effectively unowned — sometimes for months before anyone notices.",[15,2903,2904],{},"Sustainable role assignment means documenting at the position level, not the individual level. It means keeping role documentation alive and connected to onboarding processes, so that new team members understand their compliance obligations from day one. And it means building succession into the program architecture, not treating it as an afterthought.",[2810,2906],{},[10,2908,2910],{"id":2909},"mistake-5-assuming-the-ciso-owns-everything-that-isnt-assigned-elsewhere","Mistake #5: Assuming the CISO Owns Everything That Isn't Assigned Elsewhere",[15,2912,2913],{},"In many organizations, the CISO is the implicit owner of last resort. If a PCI requirement doesn't have a clear owner, it defaults upward — and eventually lands on the security leader's desk.",[15,2915,2916],{},"This is a governance problem masquerading as an efficiency problem. When the CISO is the catch-all for unassigned compliance obligations, two things happen: the CISO is spending time on operational tasks that should be delegated, and the organization's compliance program lacks the distributed ownership structure it needs to function at scale.",[15,2918,2919],{},"The CISO's role in PCI should be strategic: defining the program, setting the accountability structure, owning the relationship with assessors, and reporting to the board on risk posture. The moment the CISO is personally responsible for reviewing firewall rule changes or validating log configurations, something in the ownership model has broken down.",[15,2921,2922],{},"A well-structured PCI program distributes operational ownership to the teams closest to the work — and gives the CISO visibility into all of it without requiring their direct involvement in any of it.",[2810,2924],{},[10,2926,2928],{"id":2927},"what-getting-it-right-actually-looks-like","What Getting It Right Actually Looks Like",[15,2930,2931],{},"The organizations that manage PCI compliance most effectively share a few traits. Their role assignments are documented at the function level and reviewed on a regular cadence. Their business unit owners understand their obligations — not just their technical ones. Their vendor relationships have named internal owners with active oversight responsibilities. And their CISO has clear visibility into the program without being buried in its day-to-day operations.",[15,2933,2934],{},"None of this requires a larger team. It requires a more deliberate structure.",[15,2936,2937],{},"PCI compliance isn't won or lost in the technical controls. It's won or lost in the clarity of who owns them, who monitors them, and who is accountable when they fail.",[2810,2939],{},[15,2941,2942],{},[33,2943,2944],{},"Is your PCI ownership model as clear as you think it is?",[15,2946,2947,2948,2952,2953,2956],{},"At ",[178,2949,2951],{"href":2950},"\u002F","episki",", we help security leaders build compliance programs where accountability is real — not just documented. From role mapping to third-party oversight to board-level reporting, we work alongside your team to make sure your ",[178,2954,2955],{"href":408},"PCI"," program holds up when it matters most.",[15,2958,2959],{},[178,2960,2962],{"href":2411,"rel":2961},[1475],"Let's talk →",[2810,2964],{},[15,2966,2967],{},[2968,2969,2970],"em",{},"Compliance on paper isn't compliance. It's paperwork.",{"title":184,"searchDepth":185,"depth":185,"links":2972},[2973,2974,2975,2976,2977,2978],{"id":2828,"depth":185,"text":2829},{"id":2853,"depth":185,"text":2854},{"id":2871,"depth":185,"text":2872},{"id":2894,"depth":185,"text":2895},{"id":2909,"depth":185,"text":2910},{"id":2927,"depth":185,"text":2928},"craft","2026-04-15","Unclear ownership is one of the most common — and costly — failures in PCI compliance. Here's what security leaders get wrong about defining roles, and how to fix it.",{"src":2983},"\u002Fimages\u002Fblog\u002Fcybersecurity.jpg",{"slug":2985},"defined-roles-pci-compliance-mistakes","\u002Fnow\u002Fdefined-roles-pci-compliance-mistakes",{"title":2794,"description":2981},"3.now\u002Fdefined-roles-pci-compliance-mistakes","wUSlpELz3cIZ3lA25UBbUUGJv-rErSVQDYA4CT6Y22s",{"id":2991,"title":2992,"advantages":2993,"body":3015,"checklist":3022,"cta":3031,"description":3019,"extension":195,"faq":1503,"hero":3034,"meta":3042,"name":3043,"navigation":198,"path":3044,"resources":3045,"seo":3058,"slug":3061,"stats":3062,"stem":3072,"__hash__":3073},"industries\u002F6. industry\u002F1.healthcare.md","Healthcare",[2994,3001,3008],{"title":2995,"description":2996,"bullets":2997},"PHI-aware control mapping","Map administrative, technical, and physical safeguards to your stack without rebuilding every audit.",[2998,2999,3000],"Track EHR, identity, and cloud evidence with structured ownership","Track segmentation, backups, and log retention against HIPAA safeguards","Map once for HIPAA and reuse for HITRUST or regional requirements",{"title":3002,"description":3003,"bullets":3004},"Clinician-friendly workflows","Keep nurses, clinicians, and ops aligned without burying them in tickets.",[3005,3006,3007],"Role-aware tasks routed to the right owner with due dates","Playbooks show “what good looks like” for PHI handling","Attestations and approvals captured inline for auditors",{"title":3009,"description":3010,"bullets":3011},"Auditor and partner collaboration","Give regulators, payers, and partners scoped access instead of email threads.",[3012,3013,3014],"Auditor portal with threaded Q&A per safeguard","Secure uploads with expirations and access controls","Exports for SOC 2, PCI, or privacy questionnaires",{"type":7,"value":3016,"toc":3020},[3017],[15,3018,3019],{},"Healthcare buyers move fast when they trust your safeguards. episki keeps PHI protections documented, monitored, and shareable without slowing product or patient care.",{"title":184,"searchDepth":185,"depth":185,"links":3021},[],{"title":3023,"description":3024,"items":3025},"Healthtech compliance checklist","Use this inside your trial to assign owners, attach evidence, and track renewals.",[3026,3027,3028,3029,3030],"HIPAA safeguard library mapped to your systems","BAA tracker with renewal reminders and risk scoring","Incident response runbooks with timelines and owners","Access, logging, and backup verification tasks","Third-party risk reviews tied to PHI data flows",{"title":3032,"description":3033},"Launch a healthtech-ready workspace","Connect your stack, invite stakeholders, and show PHI protections the same day.",{"headline":3035,"title":3036,"description":3037,"links":3038},"HIPAA-grade governance without slowing clinicians","Keep PHI protections provable across cloud apps, clinics, and vendors","episki maps safeguards, automates evidence, and gives auditors scoped access so healthtech teams can keep shipping.",[3039,3041],{"label":3040,"icon":2469,"to":1473},"Start healthtech trial",{"label":2471,"icon":2472,"color":2473,"variant":2474,"to":2411,"target":2475},{},"healthcare and healthtech","\u002Findustry\u002Fhealthcare",{"headline":3046,"title":3046,"description":3047,"items":3048},"Healthcare enablement kit","Keep leadership, clinicians, and auditors aligned on the same story.",[3049,3052,3055],{"title":3050,"description":3051},"PHI data flow deck","Share sanitized diagrams plus segmentation notes for customers and partners.",{"title":3053,"description":3054},"Board + payer brief","Summarize control health, incidents, and remediation in plain language.",{"title":3056,"description":3057},"Auditor-ready workspace","Prebuilt template for requests, evidence, and walkthrough scheduling.",{"title":3059,"description":3060},"Healthcare Compliance Software","HIPAA-ready GRC for healthtech teams. Map safeguards, track PHI evidence, and collaborate with auditors in one secure workspace. Start your free trial.","healthcare",[3063,3066,3069],{"value":3064,"description":3065},"30-day rollout","Move from baseline controls to monitored safeguards in under a month.",{"value":3067,"description":3068},"PHI-safe sharing","Role-based portals keep BAAs, policies, and diagrams organized and protected.",{"value":3070,"description":3071},"Continuous watch","Drift detection across access, logging, vendors, and incidents.","6. industry\u002F1.healthcare","831E5Bdk5x1SUBhE8YrTZtQjqMJj9Q3vjQivX_AG0IQ",1776666338736]