
Quick Guide to SOC 2 Controls

Last updated on October 17, 2025

SOC 2 is more than an audit report; it is a way for companies to prove they take data protection seriously. Defined by the American Institute of CPAs (AICPA), SOC 2 sets expectations for how service providers manage and protect customer data across five principles: security, availability, processing integrity, confidentiality, and privacy. These principles are translated into specific controls that auditors test for effectiveness.

This blog will simplify what SOC 2 controls are, why they matter, and how they connect to building customer trust. 

What are SOC 2 controls?

SOC 2 controls are the specific policies, procedures, and technical measures a company puts in place to meet the requirements of the SOC 2 framework. 

Controls can be preventive, detective, or corrective. Preventive controls stop problems before they occur. Detective controls identify issues when they happen. Corrective controls fix problems and reduce future risk. Together, they create a system that auditors can test to confirm that controls are suitably designed and operating effectively.

Understanding the SOC 2 Trust Services Criteria

SOC 2 controls are not arbitrary; they are designed to meet the five Trust Services Criteria defined by the AICPA. These criteria form the backbone of the audit, setting the standards for how you must protect and manage customer data.

Here’s a brief overview of what each criterion entails:

  • Security: The foundation. Protects systems and data from unauthorized access, both physical and logical.
  • Availability: Ensures your systems and services are operational and accessible as promised to users.
  • Processing Integrity: Guarantees that your system's data processing is complete, valid, accurate, and timely.
  • Confidentiality: Safeguards information designated as confidential from unauthorized disclosure.
  • Privacy: Focuses on the proper collection, use, retention, and disposal of personal information.

Complete SOC 2 controls list

A common question we get is, "How many controls are needed for SOC 2?" The truth is, there is no official, fixed number. The AICPA doesn't provide a one-size-fits-all checklist. Instead, your unique set of controls is determined by your specific systems, services, and risks. However, all SOC 2 audits are based on a common framework of criteria.

The following list details common control activities organized by the core security categories (known as the Common Criteria) that are mandatory for every SOC 2 examination. Consider this a practical starting point for what your control environment will likely include.

Access controls (logical & physical)

  1. Multi-factor authentication (MFA): Best practice for all remote network access and privileged users.
  2. Password policies: Enforce strong password complexity and expiration rules.
  3. User access reviews: Conduct periodic reviews to ensure employees only have access necessary for their roles.
  4. Formal onboarding/offboarding: Documented procedures for granting and revoking system access.
  5. Account lockout policies: Automatically lock accounts after repeated failed login attempts.

Security & network monitoring

  1. Intrusion detection/prevention: Systems in place to monitor and block malicious network activity.
  2. Vulnerability management: Regular scans are performed, and critical vulnerabilities are patched within a defined timeframe.
  3. Endpoint detection and response (EDR) or extended detection and response (XDR) solutions: Deployed and updated on all relevant systems.
  4. Web application firewall (WAF): Protects web apps from common exploits.
  5. Security event logging: Systems generate logs for security events, which are retained and reviewed.

Change management controls

  1. Formal change management process: All system changes require a formal request, approval, and documentation.
  2. Development & testing: Changes are tested in a separate environment before deployment to production.
  3. Segregation of duties: Development, testing, and production environments are separated.

Risk mitigation & operational resilience

  1. Formal risk assessment: A documented risk assessment is performed periodically and updated as needed.
  2. Incident response plan: A formal plan exists for responding to and managing security incidents.
  3. Business continuity & disaster recovery (BC/DR): Documented plans are in place and tested regularly.
  4. Data backups: Regular backups of critical data are performed and tested for restoration.

Policies & governance

  1. Information security policy: A formal, management-approved security policy is established and communicated.
  2. Security awareness training: All employees complete mandatory security training periodically.
  3. Vendor risk management: A process exists for assessing and monitoring the security of third-party vendors.
  4. Data classification policy: A policy defines how data is classified (e.g., Public, Confidential, Restricted).

A real-world example of SOC 2 controls

The best way to understand SOC 2 controls is to see how they work in practice. Take the example of Orca, a Canadian SaaS company in the freight audit and analytics space. When Orca prepared for their SOC 2 renewal, they used Scrut’s platform to strengthen their controls around security, availability, and confidentiality.

For instance, Orca applied logical access controls like multi-factor authentication to reduce the risk of unauthorized entry. They also implemented system operations controls, such as real-time monitoring and incident response plans to catch issues quickly. In addition, change management controls ensured that new system updates were tested and approved before going live.

By consolidating these controls on Scrut, Orca cut their audit preparation time by almost half and gained better visibility across their compliance program.

How to implement SOC 2 controls

Three steps for implementing SOC 2 controls

Implementing SOC 2 controls can feel complex, but breaking it into clear steps makes it manageable. Here’s a practical approach:

1. Assess your environment

Map out all systems, processes, and data flows that will be part of the SOC 2 scope. Identify which Trust Service Criteria apply to your organization and document current policies, procedures, and controls. This step ensures you know exactly what needs to be protected and evaluated.

2. Design and deploy controls

Based on your assessment, design specific controls to meet each criterion. Implement technical safeguards like access management and monitoring, along with process controls like change management, incident response, and employee training. Ensure each control is measurable and auditable.

3. Monitor, test, and improve

Continuously monitor the effectiveness of your controls. Perform regular internal testing, track incidents, and update controls as your systems or risks change. Continuous improvement ensures that your SOC 2 program stays effective and ready for audit.

Can SOC 2 controls be integrated with other compliance frameworks?

Yes. SOC 2 controls are flexible and can often align with other frameworks like ISO 27001, HIPAA, or PCI DSS. Many controls, such as access management, incident response, and monitoring, address overlapping requirements. Integrating frameworks allows organizations to reduce duplication, create a unified compliance program, and maintain consistency across audits, saving time and resources.

How much does it cost to implement SOC 2 controls?

The cost of implementing SOC 2 controls varies widely depending on your organization’s size, complexity, and audit scope. Smaller startups preparing for their first SOC 2 report may spend a few thousand dollars on essential tools, documentation, and consulting. Larger or more regulated organizations can expect higher costs due to additional systems, processes, and testing requirements.

Key factors influencing cost include the number of Trust Service Criteria selected, the maturity of your existing controls, and whether you use automation platforms to manage compliance.

Fast track SOC 2 compliance with Scrut

Building and maintaining SOC 2 controls doesn’t have to be complicated. With Scrut, you can accelerate your SOC 2 journey using prebuilt controls, automated monitoring, and real-time visibility into your compliance posture. 

From mapping Trust Service Criteria to collaborating with auditors, Scrut helps you stay audit-ready and earn customer trust faster, with less manual effort and more confidence.

FAQs

What are internal controls in SOC 2?

Internal controls are the policies, procedures, and technical measures your organization implements to meet SOC 2 requirements. They cover aspects like security, availability, processing integrity, confidentiality, and privacy, and are what auditors test to ensure data is handled safely.

Is there a checklist for SOC 2 controls?

Yes, many organizations use checklists to track implementation of SOC 2 controls across the Trust Service Criteria. These checklists help ensure all required controls are addressed and ready for audit.

Are all Trust Services Criteria mandatory for SOC 2?

No. Only the Security criterion is mandatory. The other four (Availability, Confidentiality, Processing Integrity, and Privacy) are optional and selected based on your organization’s services and commitments.

Is SOC 2 certification mandatory for organizations?

No. SOC 2 is not legally required, but it is a widely recognized attestation framework for proving data protection practices. Many clients and partners expect SOC 2 compliance when working with service providers.

How long does a SOC 2 audit usually take?

The duration varies based on your organization’s size, scope, and control maturity. A Type 1 audit typically takes 2–3 months, while a Type 2 audit, which tests control effectiveness over time, can take 4–6 months or longer.

Do you need to implement all SOC 2 controls?

Not necessarily. Organizations implement controls based on the selected Trust Service Criteria and the specific risks and systems in scope. The goal is to design controls that adequately address your SOC 2 objectives.

What happens if an organization doesn’t meet SOC 2 control requirements?

Failing to meet SOC 2 controls can result in audit findings or a qualified report. Organizations must remediate gaps, strengthen controls, and undergo retesting to demonstrate compliance. Non-compliance may also affect client trust and business opportunities.

What’s the difference between SOC 1 and SOC 2 controls?

SOC 1 focuses on financial reporting controls relevant to a client’s financial statements, whereas SOC 2 evaluates operational controls for security, availability, processing integrity, confidentiality, and privacy. SOC 2 is broader in scope and applies to technology and service organizations.

What are the Common Criteria controls in SOC 2?

Common Criteria (CC1–CC9) form the foundation of SOC 2’s Security principle. They cover areas like control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access, system operations, change management, and risk mitigation.

Are the Trust Services Criteria and Common Criteria the same?

No. Common Criteria are a subset of the Trust Services Criteria that underpin the Security principle. The full Trust Services Criteria include Security (mandatory) and optional criteria like Availability, Confidentiality, Processing Integrity, and Privacy.

How can you implement SOC 2 controls quickly?

You can accelerate implementation with compliance software such as Scrut, which provides prebuilt controls, auditor-approved templates, and automated monitoring. This lets organizations map Trust Services Criteria, assign control owners, track progress, and generate audit-ready evidence faster than manual methods, significantly reducing setup time while ensuring comprehensive coverage.
