SOC 2 Type II
Achieve and maintain SOC 2 Type II compliance with CyberOrigen.
Overview
SOC 2 (System and Organization Controls 2) is the AICPA attestation framework for service organizations that store or process customer data. Controls are evaluated against five Trust Services Criteria. A Type I report covers control design at a point in time; a Type II report also tests operating effectiveness over a review period, typically 6 to 12 months, so evidence has to show the controls running throughout that window rather than only at audit time.
Trust Services Criteria
Security (Required)
The Common Criteria (CC series) are required in every SOC 2 audit; the other four categories are added only when they are in scope for the service:
| Category | Description |
|---|---|
| CC1 | Control Environment |
| CC2 | Communication & Information |
| CC3 | Risk Assessment |
| CC4 | Monitoring Activities |
| CC5 | Control Activities |
| CC6 | Logical & Physical Access Controls |
| CC7 | System Operations |
| CC8 | Change Management |
| CC9 | Risk Mitigation |
Availability (Optional)
For services with uptime commitments:
- A1.1: Capacity planning and monitoring
- A1.2: Environmental protections, backups and recovery infrastructure
- A1.3: Recovery plan testing
Processing Integrity (Optional)
For accurate data processing:
- PI1.1-PI1.5: Completeness and accuracy of inputs, processing, outputs and storage
Confidentiality (Optional)
For sensitive data protection:
- C1.1-C1.2: Identification and protection of confidential information, and its disposal
Privacy (Optional)
For personal information handling:
- P1-P8: Privacy principles
Getting Started
1. Enable Framework
- Go to GRC → Frameworks
- Click Enroll on SOC 2 Type II
- Select applicable criteria
- Click Enable
2. Baseline Assessment
- Run a compliance scan
- Review gap analysis
- Prioritize remediation
3. Implement Controls
Use CyberOrigen's control library:
- Go to GRC → Control Library
- Filter by SOC 2
- Update implementation status
- Assign control owners
Key Controls
CC6 - Logical Access
Most commonly tested controls:
| Control | Requirement | CyberOrigen Feature |
|---|---|---|
| CC6.1 | Logical access controls (authentication, MFA, least privilege) | Scan for access issues |
| CC6.2 | User registration, authorization and deprovisioning | Access review reports |
| CC6.3 | Role-based access and periodic access review | Automated access audits |
| CC6.7 | Protection of data in transit (encryption, restricted transfer) | TLS/encryption scanning |
Note that CC6.6 covers protection against threats from outside the system boundary (firewalls, boundary protection, stronger authentication for external access). It is often mislabelled as "access review", which actually sits under CC6.2 and CC6.3.
CC7 - System Operations
| Control | Requirement | CyberOrigen Feature |
|---|---|---|
| CC7.1 | Vulnerability detection and configuration change monitoring | Continuous scanning |
| CC7.4 | Incident response (contain, remediate, communicate) | Remediation workflow |
| CC7.5 | Recovery from incidents (backup and restore) | Configuration checks |
CC7.2 and CC7.3 (monitoring for anomalies and evaluating security events as potential incidents) are tested alongside these and need logging and alerting evidence from your monitoring stack.
Evidence Collection
Automated Evidence
CyberOrigen automatically generates:
- Vulnerability scan reports
- Access configuration checks
- Encryption verification
- Patch status reports
Manual Evidence
Upload these documents:
- Policies and procedures
- Board meeting minutes
- Training records
- Incident logs
Evidence Mapping
- Go to GRC → Evidence
- Upload or link evidence
- Map to relevant controls
- Track collection status
Audit Preparation
Pre-Audit Checklist
3 Months Before (the review period must already be running, so start collecting evidence at its beginning, not here):
- [ ] All controls implemented
- [ ] Evidence collection complete
- [ ] Internal testing done
- [ ] Gaps remediated
1 Month Before:
- [ ] Evidence reviewed
- [ ] Owners assigned
- [ ] Auditor access configured
Auditor Access
Professional Feature
Auditor Portal requires Professional or Enterprise plan.
Grant auditor read-only access:
- Go to GRC → Audit Engagements
- Create engagement
- Invite auditor
- Set access permissions
Report Builder
Generate audit-ready packages:
- Go to GRC → Report Builder
- Select SOC 2 framework
- Choose report type
- Export PDF
Continuous Compliance
After the report is issued (SOC 2 is an attestation, not a certification), maintain compliance across the next review period:
- Weekly vulnerability scans
- Quarterly access reviews
- Annual policy reviews
- Continuous evidence collection
Monitoring
CyberOrigen tracks:
- Control status changes
- Evidence expiration
- Compliance score trends
- Finding remediation
Alerts
Configure alerts for:
- Compliance score drops
- Control failures
- Evidence expiration
- Audit period reminders
Common Gaps
| Control | Common Issue | Solution |
|---|---|---|
| CC6.1 | No MFA | Enforce MFA for all users, especially privileged and remote access |
| CC6.3 | No access reviews | Schedule quarterly reviews with documented reviewer sign-off |
| CC7.1 | Unpatched systems | Automated patching with remediation deadlines by severity |
| CC8.1 | No change control | Formal change process with approval and test records |
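As an added illustration of what an automated access audit behind the CC6.1 and CC6.3 rows actually checks (this is not CyberOrigen's own code), the script below runs over a constructed identity export, flags human accounts without MFA and accounts whose access went unused for the whole review window, and wraps the findings in a hashed record that can be uploaded as review evidence. The export field names, the 90-day threshold, the MFA exemption for service accounts and the sample accounts are all assumptions.

```python
"""Automated access audit producing an evidence record for CC6.1 / CC6.3.

Added illustration, not CyberOrigen code. Assumes an identity export with one
record per account: user, role, mfa_enrolled, last_login (ISO date), status.
Field names and thresholds are assumptions; adapt them to your IdP export.
"""
from datetime import date, timedelta
import hashlib
import json

# Constructed sample export (synthetic data, not from any real system).
SAMPLE_EXPORT = [
    {"user": "alice", "role": "admin", "mfa_enrolled": True, "last_login": "2024-05-30", "status": "active"},
    {"user": "bob", "role": "developer", "mfa_enrolled": False, "last_login": "2024-05-28", "status": "active"},
    {"user": "carol", "role": "admin", "mfa_enrolled": True, "last_login": "2023-12-01", "status": "active"},
    {"user": "svc-deploy", "role": "service", "mfa_enrolled": False, "last_login": "2024-05-31", "status": "active"},
    {"user": "dave", "role": "support", "mfa_enrolled": True, "last_login": "2024-01-15", "status": "disabled"},
]

INACTIVITY_DAYS = 90  # assumed quarterly-review threshold; set to your policy value


def _as_date(value):
    """Accept either a date or an ISO-8601 string so callers can pass both."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def audit_accounts(accounts, as_of, inactivity_days=INACTIVITY_DAYS):
    """Return one finding per control failure; disabled accounts are out of scope."""
    as_of = _as_date(as_of)
    cutoff = as_of - timedelta(days=inactivity_days)
    findings = []
    for acct in accounts:
        if acct["status"] != "active":
            continue  # already deprovisioned, nothing to review
        privileged = acct["role"] == "admin"
        severity = "high" if privileged else "medium"
        last_login = date.fromisoformat(acct["last_login"])
        # CC6.1: every human account must have MFA. Service accounts are
        # exempted here (assumption: they authenticate with keys) but still
        # fall under the inactivity check below.
        if acct["role"] != "service" and not acct["mfa_enrolled"]:
            findings.append({"user": acct["user"], "control": "CC6.1",
                             "issue": "mfa_missing", "severity": severity})
        # CC6.3: access still granted but unused for the whole review window,
        # i.e. a candidate for removal rather than re-approval.
        if last_login < cutoff:
            findings.append({"user": acct["user"], "control": "CC6.3",
                             "issue": "inactive",
                             "days_since_login": (as_of - last_login).days,
                             "severity": severity})
    return findings


def review_record(accounts, as_of, reviewer, inactivity_days=INACTIVITY_DAYS):
    """Build the evidence artifact: findings plus a SHA-256 of the canonical JSON,
    so the file uploaded to the evidence store can be verified unchanged later."""
    as_of = _as_date(as_of)
    body = {
        "as_of": as_of.isoformat(),
        "reviewer": reviewer,
        "inactivity_days": inactivity_days,
        "accounts_in_scope": sum(1 for a in accounts if a["status"] == "active"),
        "findings": audit_accounts(accounts, as_of, inactivity_days),
    }
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return {"record": body, "sha256": hashlib.sha256(canonical).hexdigest()}


if __name__ == "__main__":
    result = review_record(SAMPLE_EXPORT, "2024-06-01", reviewer="security-lead")
    print(json.dumps(result, indent=2))
```

The digest is there because auditors sample evidence months after it was produced; storing the hash alongside the review sign-off lets you show the artifact was not edited after the reviewer approved it. Keep the threshold and exemptions in the record itself, as above, so the reviewer's criteria are part of the evidence rather than tribal knowledge.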