SOC 2 compliance built on real security controls. Not checkbox documentation.
Prepare, validate, and maintain SOC 2 Type I & II attestation with continuous controls monitoring and evidence automation. From initial gap assessment through audit support — with ongoing posture maintenance between cycles.
SOC 2 · AICPA TRUST SERVICE CRITERIA
Enterprise trust starts with SOC 2.
87% of enterprise buyers require SOC 2 attestation before engaging with vendors. SOC 2 Type I validates control design; Type II proves 12+ months of consistent, effective operation across all five Trust Service Criteria — the gold standard for cloud and SaaS vendors.
- Security: 100%
- Availability: 85%
- Processing Integrity: 72%
- Confidentiality: 68%
- Privacy: 60%
FIVE PILLARS OF TRUST
Trust Service Criteria. Deep-dive validation.
Common Criteria (CC) — 100% of scope covered
KEY REQUIREMENTS
- Multi-factor authentication enforcement on all privileged accounts
- Privileged access management (PAM) with session recording
- Intrusion detection & prevention systems coverage
- Vulnerability management programme — scan, triage, remediate
- Incident response plan tested at least annually
AICPA COMMON CRITERIA SERIES
CC Control Library. 49 controls, 9 categories.
The Common Criteria (CC) series is the required core of every SOC 2 engagement. CC6 (Logical Access) carries the largest sample burden — auditors test it most aggressively.
CC6 — Logical & Physical Access (8 controls)
CC6.1 — Logical access controls and IAM governance
CC6.2 — Authentication mechanisms including MFA
CC6.3 — Privileged access management and just-in-time access
CC6.4 — Physical access controls to data centres
CC6.5 — Account lifecycle (provisioning, modification, termination)
CC6.6 — External access restrictions and remote access controls
CC6.7 — Data transmission encryption standards
CC6.8 — Malicious software detection and prevention
High-focus area: CC6 carries the largest auditor sample sizes. MFA enforcement, PAM, and account lifecycle are examined across 25–40 samples each. Automated evidence collection is essential here.
ATTESTATION LEVELS
Type I vs Type II. Know the difference.
Point-in-Time: Auditor validates that controls are suitably designed at a single point in time.
- Timeline: 6–10 weeks
- Evidence Period: Single snapshot
- Audience: Early-stage / new vendors
- Assurance: Design suitability only
AUDIT SCOPE — Type I
- Control design documented and reviewed
- Policies & procedures inspected by auditor
- System description validated per AICPA
- Suitability-of-design opinion issued
- No sample-based operational testing
JOURNEY TO ATTESTATION
Compliance lifecycle. 8 phases to Type II.
Scope Definition (W1–2)
Define TSC in scope, system boundaries, and service commitments. Document the system description per AICPA guidance. Agree on observation period start date.
AUTOMATED EVIDENCE COLLECTION
Evidence engine. 320+ items collected monthly.
COLLECTION PIPELINE
Collect
Integrates with 10+ cloud & security platforms. Pulls logs, configs, access records, and change events continuously — no manual triggers.
Validate
Each evidence item is mapped to its CC control ID. Automated completeness checks verify format, timestamp, sample size, and auditor readiness.
Store
Immutable, tamper-evident evidence vault. Auditor-accessible portal with filtering by TSC, date range, control ID, and exception status.
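The Validate and Store stages above can be illustrated with a small, self-contained script. This is an added example, not Spakto's engine or any vendor's code: it assumes evidence items arrive as JSON objects with a CC-series control ID, a timezone-aware ISO-8601 collection timestamp, and a sample count; it treats 25 samples as the minimum (the lower end of the 25–40 figure quoted for CC6) and stores accepted items in a SHA-256 hash chain so that any later edit to a stored item is detected on verification. The sample items are constructed for the demonstration.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

# AICPA Common Criteria control IDs look like "CC6.2" (assumed format for this example).
CC_CONTROL_RE = re.compile(r"^CC[1-9]\.\d+$")

# Fields every evidence item must carry before it counts as auditor-ready (assumed schema).
REQUIRED_FIELDS = ("control_id", "source", "collected_at", "sample_count", "payload")

# Constructed observation period for the demonstration.
PERIOD_START = datetime(2024, 1, 1, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 6, 30, 23, 59, 59, tzinfo=timezone.utc)

# Constructed sample evidence: one clean item and three that should be rejected.
SAMPLE_ITEMS = [
    {"control_id": "CC6.2", "source": "okta", "collected_at": "2024-03-15T02:00:00Z",
     "sample_count": 30, "payload": {"mfa_enforced_admins": 30, "total_admins": 30}},
    {"control_id": "CC6.5", "source": "github", "collected_at": "2024-03-15T02:05:00Z",
     "sample_count": 12, "payload": {"offboarded_users_removed": 12}},
    {"control_id": "A1.2", "source": "cloudtrail", "collected_at": "2024-03-15T02:10:00Z",
     "sample_count": 40, "payload": {"backup_jobs_succeeded": 40}},
    {"control_id": "CC7.2", "source": "datadog", "collected_at": "2023-11-01T00:00:00Z",
     "sample_count": 40, "payload": {"alerts_triaged": 40}},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp into UTC; return None if it is missing a zone or malformed."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    return None if ts.tzinfo is None else ts.astimezone(timezone.utc)


def validate_item(item, period_start, period_end, min_samples=25):
    """Completeness check: return a list of problems; an empty list means auditor-ready."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in item]
    if problems:
        return problems
    if not CC_CONTROL_RE.match(item["control_id"]):
        problems.append(f"control_id not in CC series: {item['control_id']}")
    ts = parse_ts(item["collected_at"])
    if ts is None:
        problems.append("collected_at is not a timezone-aware ISO-8601 timestamp")
    elif not (period_start <= ts <= period_end):
        problems.append("collected_at falls outside the observation period")
    if not isinstance(item["sample_count"], int) or item["sample_count"] < min_samples:
        problems.append(f"sample_count {item['sample_count']} below minimum {min_samples}")
    return problems


def canonical(item):
    """Deterministic serialisation so the same item always hashes the same way."""
    return json.dumps(item, sort_keys=True, separators=(",", ":")).encode()


def append_to_vault(vault, item):
    """Append an item to the hash chain; each entry commits to the previous entry's hash."""
    prev = vault[-1]["entry_hash"] if vault else "0" * 64
    entry_hash = hashlib.sha256(prev.encode() + canonical(item)).hexdigest()
    vault.append({"item": item, "prev_hash": prev, "entry_hash": entry_hash})
    return entry_hash


def verify_vault(vault):
    """Recompute the chain; return (True, None) or (False, index_of_first_bad_entry)."""
    prev = "0" * 64
    for i, entry in enumerate(vault):
        expected = hashlib.sha256(prev.encode() + canonical(entry["item"])).hexdigest()
        if entry["prev_hash"] != prev or entry["entry_hash"] != expected:
            return False, i
        prev = entry["entry_hash"]
    return True, None


def run_pipeline(items, period_start, period_end):
    """Validate every item; store the clean ones, keep the rejections keyed by control ID."""
    vault, rejected = [], {}
    for item in items:
        problems = validate_item(item, period_start, period_end)
        if problems:
            rejected[item.get("control_id", "?")] = problems
        else:
            append_to_vault(vault, item)
    return vault, rejected


if __name__ == "__main__":
    vault, rejected = run_pipeline(SAMPLE_ITEMS, PERIOD_START, PERIOD_END)
    print(f"stored {len(vault)} item(s), rejected {len(rejected)}: {rejected}")
    print("vault intact:", verify_vault(vault))
    vault[0]["item"]["sample_count"] = 45          # simulate an after-the-fact edit
    print("after tampering:", verify_vault(vault))  # (False, 0)
```

The chain only proves that stored items were not altered after being written; it does not prove the items were true when collected, which is why the validation step runs before storage rather than after.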
INTEGRATIONS
- AWS CloudTrail
- Azure Monitor
- GCP Audit Logs
- Okta
- GitHub
- Datadog
- CrowdStrike
- Snowflake
- Jira
- Sentinel
CROSS-STANDARD ALIGNMENT
Control crosswalk. SOC 2 maps to ISO / NIST / PCI.
Already certified ISO 27001 or aligned to NIST CSF? Your existing controls partially satisfy SOC 2 requirements. Here is the exact overlap — and where gaps remain.
COMMON OBSTACLES → SOLUTIONS
Challenges solved before they happen.
| Challenge | Before | After | How we achieve it |
|---|---|---|---|
| Manual evidence sprawl | 1,200+ hrs/audit cycle | 240 hrs (↓80%) | Automated evidence collection from 10+ integrations — daily aggregation pipeline eliminates manual compiling |
| Control design gaps | 15+ issues found at audit | 0–2 late discoveries | Pre-audit gap assessment maps every CC control before the auditor engages — no surprises |
| Long audit timelines | 16–24 months to Type II | 9–14 months typical | Fast-track readiness programme with accelerated implementation and 6-month observation window option |
| Scope creep & cost | $200K–$400K first audit | $90K–$180K (↓55%) | Fixed-scope definition, pre-tested controls, and no last-minute design changes from auditor feedback |
WHY SPAKTO
Not consultants. Compliance accelerators.
100% Type I & II Coverage — Full attestation lifecycle from gap through Type II report
Frequently asked questions, answered.
The five TSC are Security (required for all SOC 2 reports), Availability, Processing Integrity, Confidentiality, and Privacy. Most organisations pursue Security plus Availability and Confidentiality. The scope of your report is determined by your service commitments to customers.
Achieving an initial Type II report typically takes 9–18 months: 3–6 months to implement controls and build evidence infrastructure, followed by a 6–12 month observation period. Organisations with existing security programmes typically reach readiness faster. Spakto's automated evidence collection significantly accelerates both phases.
SOC 2 requires continuous evidence of control operation: access reviews, vulnerability scan reports, penetration test results, change management records, security training completion logs, incident response logs, and vendor risk assessments. Spakto automates collection and organisation across all these categories.
Type I assesses whether your controls are suitably designed at a point in time. Type II assesses whether those controls are operating effectively over a defined observation period — typically 6–12 months. Type II provides significantly stronger assurance and is required by most enterprise buyers.
Both certifications are valuable but serve different audiences. ISO 27001 is the primary standard for European and global markets. SOC 2 is required by most US enterprise customers and SaaS buyers. The two standards share significant control overlap — achieving one accelerates the path to the other.
CC6 (Logical & Physical Access) consistently shows the most gaps: inadequate MFA coverage, missing privileged access reviews, and undocumented deprovisioning. CC7 (System Operations) is second — organisations often lack documented incident response procedures or anomaly detection. CC3 (Risk Assessment) gaps appear when risk registers are informal or not updated annually.
Ready for SOC 2 attestation?
Start with a no-obligation readiness assessment. We will identify gaps, design controls, and build your path to Type I & II attestation.