SOC 2 Type II Guide

Understand the SOC 2 Trust Services Criteria, map your controls, collect evidence, and prepare for your Type II audit with ComplyWise.

Updated March 2026 · 9 min read

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA for service organizations that handle customer data. It evaluates an organization's information systems against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II reports cover a period of time (typically 6–12 months) and attest that controls were not only designed effectively but also operated effectively over that period.

  • Developed by the AICPA (American Institute of CPAs)
  • Type I: point-in-time — controls are designed effectively
  • Type II: period of time — controls operated effectively over 6–12 months
  • Required by most enterprise B2B SaaS customers and prospects

Trust Services Criteria

SOC 2 is organized around five Trust Services Criteria (TSC). Security (also called Common Criteria) is mandatory for all SOC 2 audits. The remaining four criteria are optional and selected based on the services you provide. ComplyWise includes 49 controls mapped to the Security, Availability, and Confidentiality criteria by default.

  • CC (Common Criteria / Security) — Required. Covers access control, risk management, change management, monitoring, and logical/physical access. 9 control categories (CC1–CC9).
  • A (Availability) — Optional. Covers system availability commitments, disaster recovery, and business continuity.
  • PI (Processing Integrity) — Optional. Covers data processing accuracy and completeness.
  • C (Confidentiality) — Optional. Covers protection of data designated as confidential, encryption, and secure disposal.
  • P (Privacy) — Optional. Covers personal information collection, use, retention, and disclosure.

SOC 2 in ComplyWise

ComplyWise includes 49 SOC 2 controls pre-mapped to the UCF. When you enable the SOC 2 framework, automated scans evaluate your AWS, Azure, identity provider, and code repository configurations against these controls. Evidence is auto-generated for controls that can be verified programmatically. Manual evidence upload is supported for controls requiring human attestation (e.g., background checks, security training completion).

  • 49 controls covering CC, A, and C criteria
  • Automated evidence for infrastructure, access, and configuration controls
  • Manual evidence upload for HR, training, and governance controls
  • Gap analysis report identifying unmet controls with remediation guidance

Evidence Collection

For each SOC 2 control, ComplyWise generates or accepts evidence artifacts. Automated evidence comes from integration scans — for example, IAM policy screenshots for CC6.1 (Logical Access) or CloudTrail configuration for CC7.2 (Monitoring). Manual evidence includes security awareness training records, vendor risk assessments, incident response plan documents, and business continuity test results.

  • Auto-generated: IAM configurations, encryption status, network rules, audit logs
  • Manual upload: training records, policies, business continuity tests, vendor assessments
  • Evidence linked to specific controls and time periods
  • Exportable evidence packages for auditor review

Preparing for Your Audit

ComplyWise's SOC 2 readiness report shows your compliance score, highlights gaps, and prioritizes remediation actions. Before your audit, ensure all controls are passing (or have documented exceptions), evidence is collected for the full audit period, and your security policies are current. The auditor portal provides read-only access to all evidence and control status for your CPA firm.

  • Run the Compliance Readiness report to identify outstanding gaps
  • Ensure continuous compliance over the full Type II observation period
  • Grant your auditor access via the Auditor role for evidence review
  • Export the full audit package as structured JSON for CPA firms using automated tools

Common SOC 2 Gaps

Based on data from ComplyWise customers, the most common SOC 2 gaps are: missing MFA on admin accounts, overly permissive security groups, incomplete audit logging, lack of a formal change management process, and missing or outdated security policies. ComplyWise's remediation engine provides specific, actionable steps to close each gap.

  • MFA not enforced for all users or admin accounts (CC6.1)
  • Security groups with 0.0.0.0/0 ingress rules (CC6.6)
  • CloudTrail or audit logging not enabled in all regions (CC7.2)
  • No formal change management or code review process (CC8.1)
  • Security policies not reviewed or updated annually (CC1.1)
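The three infrastructure gaps above (MFA, open security groups, CloudTrail coverage) are the kind of check an automated scan can express directly. The following is an added example, not ComplyWise's scanner or its integration format; the input dictionary shapes (`iam_users`, `security_groups`, `trails`, `documented_exceptions`) and the sample data are assumptions constructed for this illustration, and findings are tagged with the CC criteria listed above so that an approved public port can be recorded as a documented exception rather than reported as a gap.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    control: str   # SOC 2 criterion the gap maps to (CC6.1, CC6.6, CC7.2)
    resource: str  # IAM user, security group id or region the finding concerns
    detail: str

def check_mfa(iam_users):
    """CC6.1: every user must have MFA enabled; admin accounts are the priority."""
    return [Finding("CC6.1", u["name"], "MFA not enabled" + (" (admin)" if u["admin"] else ""))
            for u in iam_users if not u["mfa_enabled"]]

def check_security_groups(groups, documented_exceptions=frozenset()):
    """CC6.6: flag ingress open to the whole internet (IPv4 or IPv6) unless (group id, port) is an approved exception."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            if rule["cidr"] in ("0.0.0.0/0", "::/0") and (g["id"], rule["port"]) not in documented_exceptions:
                findings.append(Finding("CC6.6", g["id"], f"port {rule['port']} open to {rule['cidr']}"))
    return findings

def check_cloudtrail(trails, regions_in_use):
    """CC7.2: audit logging must cover every region the account actually uses."""
    covered = set()
    for t in trails:  # a multi-region trail covers every region, a single-region trail covers one
        covered.update(regions_in_use if t["multi_region"] else [t["region"]])
    return [Finding("CC7.2", r, "no CloudTrail coverage") for r in sorted(set(regions_in_use) - covered)]

def gap_report(scan):
    """Run all checks and group findings by control, the shape a readiness report needs."""
    exceptions = {tuple(e) for e in scan.get("documented_exceptions", [])}
    findings = (check_mfa(scan["iam_users"])
                + check_security_groups(scan["security_groups"], exceptions)
                + check_cloudtrail(scan["trails"], scan["regions"]))
    report = {}
    for f in findings:
        report.setdefault(f.control, []).append(f)
    return report

SAMPLE_SCAN = {  # constructed sample scan output, not real account data
    "regions": ["us-east-1", "eu-west-1"],
    "iam_users": [{"name": "alice", "admin": True, "mfa_enabled": True},
                  {"name": "svc-deploy", "admin": True, "mfa_enabled": False}],
    "security_groups": [{"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
                        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"}]}],
    "trails": [{"region": "us-east-1", "multi_region": False}],
    "documented_exceptions": [["sg-web", 443]],  # public HTTPS endpoint, approved and documented
}
```

Calling `gap_report(SAMPLE_SCAN)` yields one finding per control: the admin account without MFA (CC6.1), the database group open on port 5432 (CC6.6), and the region with no trail coverage (CC7.2), while the documented HTTPS exception is not reported.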