Service Organization Controls

SOC 2 Type I & Type II

The attestation standard for cloud and SaaS service organizations.

5 TSC Categories: CC · A · C · PI · P
Type I: Point-in-time design
Type II: 6–12 month operation
AICPA Standard: SSAE 18

Overview

SOC 2 is an auditing standard developed by the American Institute of CPAs (AICPA) that evaluates how service organizations manage data security, availability, processing integrity, confidentiality, and privacy. Unlike a certification, SOC 2 is an attestation — a CPA firm examines the organization's controls against the Trust Services Criteria and issues a report.

Type I reports assess the design of controls at a point in time. Type II reports assess both the design and operating effectiveness of controls over a period (typically 6–12 months). Enterprise buyers increasingly require SOC 2 Type II reports as a condition of vendor selection. The documentation architecture supporting a SOC 2 engagement — system descriptions, control matrices, evidence collections, and management assertions — is foundational to audit success.

Key Requirements

What the standard requires you to document.

CC – Common Criteria

Security controls covering logical access, change management, risk assessment, incident response, and monitoring.

A – Availability

System uptime, performance monitoring, incident and disaster recovery controls.

C – Confidentiality

Data classification, encryption, and confidential information handling controls.

PI – Processing Integrity

Complete, accurate, timely, and authorized processing controls.

P – Privacy

Collection, use, retention, disclosure, and disposal of personal information aligned with AICPA privacy criteria.

ELDR Documentation

Templates and resources available from the Knowledge Hub.

SOC 2 Readiness Assessment Report
System Description Document (system boundaries, components, and relevant controls)
Trust Services Criteria Control Matrix — CC, A, C, PI, P mapping
Control Evidence Collection Workbook (per criteria, per test period)
Management Assertion Letter template
Common Criteria Control Narrative Pack (CC6.1–CC9.2)
POA&M — open findings tracking and remediation documentation
Vendor Assessment and Subservice Organization documentation
Request Access

Templates and implementation resources for SOC 2 Type I & Type II are available through the ELDR Institute Knowledge Hub and via direct request.


Related Frameworks