SOC 2 Trust Services Criteria

Service organization control framework for security, availability, processing integrity, confidentiality, and privacy.

2017 TSC54 Controls MappedCertification Available

Overview

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations manage customer data. Unlike prescriptive frameworks, SOC 2 is principles-based, allowing organizations flexibility in how they meet the Trust Services Criteria. A SOC 2 Type II report provides assurance that controls are not only designed appropriately but are operating effectively over a period of time, making it essential for SaaS vendors and cloud service providers.

Required by enterprise customers for vendor assessment
Demonstrates commitment to security and privacy
Flexibility in control implementation
Type II reports show ongoing operational effectiveness
Recognized globally by auditors and customers

Published by

American Institute of CPAs (AICPA)

Official Documentation

TrueConfig Control Mappings

TrueConfig maps 54 security controls to SOC 2 requirements, helping you demonstrate compliance and identify gaps.

18

critical

21

high

12

medium

3

low

Identity & Authentication

5 controls

ID-01User MFA Registration
critical
ID-02Block Legacy Authentication
high
ID-03Enable Self-Service Password Reset
medium
ID-05Configure Smart Lockout Protection
high
ID-04Require Phishing-Resistant MFA for All Users
critical

Privileged Access

8 controls

PA-01Limit Global Administrators to 2-4
critical
PA-02Use Dedicated Admin Accounts
high
PA-03Configure Emergency Access Accounts
critical
PA-01-L2Eliminate Permanent Global Administrators
critical
PA-04Require PIM for All Privileged Roles
critical
+3 more controls

Conditional Access

12 controls

CA-01Require MFA via Conditional Access Policy
critical
CA-02Require MFA for All Administrators
critical
CA-08Block Access from High-Risk Countries
medium
CA-11Enforce Session Lifetime Limits for Guests and Admins
medium
DV-01Require Compliant Devices for Admin Access
high
+7 more controls

Workload Identity & Applications

8 controls

APP-01Application Ownership for Apps with Credentials
low
APP-02Enforce Application Credential Expiration
critical
APP-05Service Principal Credential Hygiene
critical
APP-08Restrict User Application Consent
high
APP-03Internal App Registration Permissions
high
+3 more controls

Guest & External Access

7 controls

EXT-01Restrict Guest Invitation Permissions
high
EXT-02Require MFA for Guest Users
medium
EXT-06External Sharing Visibility
medium
EXT-07Detect External Mail Forwarding
critical
EXT-04Configure Guest Access Expiration
medium
+2 more controls

Governance & Hygiene

6 controls

GOV-01Review Stale User Accounts
medium
GOV-05Maintain Group Naming Conventions
low
GOV-07Audit Privileged Role Assignments
high
GOV-02Automatically Disable Stale Accounts
medium
GOV-03Conduct Quarterly Privileged Access Reviews
high
+1 more controls

Logging & Visibility

5 controls

LOG-01Enable Unified Audit Logging
high
LOG-04Configure Privileged Operation Alerts
critical
LOG-02Export Logs to Long-Term Storage
medium
LOG-05Admin Activity Anomaly Detection
high
LOG-03Stream All Security Events to SIEM in Real-Time
high

License Management

1 controls

LIC-01License Utilization Visibility
low

Data Protection

2 controls

DLP-01Enable Sensitive Data Classification
high
DLP-02Block Bulk Data Exfiltration
critical

Who Needs SOC 2?

Target Industries

TechnologySaasFinancial ServicesHealthcareProfessional Services

Audience Types

enterprisestartupsmb

Frequently Asked Questions

What is SOC 2 Trust Services Criteria?
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations manage customer data. Unlike prescriptive frameworks, SOC 2 is principles-based, allowing organizations flexibility in how they meet the Trust Services Criteria. A SOC 2 Type II report provides assurance that controls are not only designed appropriately but are operating effectively over a period of time, making it essential for SaaS vendors and cloud service providers.
How does TrueConfig help with SOC 2 compliance?
TrueConfig maps 54 security controls to SOC 2 requirements. Each control includes specific guidance on how it satisfies SOC 2 requirements, making it easier to demonstrate compliance and identify gaps.
Who needs to comply with SOC 2?
SOC 2 is typically required or recommended for enterprise organizations, startups and growing companies, small and medium businesses. Industries that commonly need this framework include technology, saas, financial-services.
Can I get SOC 2 certification?
Yes, SOC 2 offers formal certification. Organizations can undergo audits by accredited assessors to achieve and maintain certification. TrueConfig helps prepare for these audits by ensuring your Microsoft 365 environment meets the required controls.
What are the key benefits of SOC 2 compliance?
Required by enterprise customers for vendor assessment Demonstrates commitment to security and privacy Flexibility in control implementation Type II reports show ongoing operational effectiveness Recognized globally by auditors and customers

Related Frameworks

ISO 27001

International standard for information security management systems with Annex A controls.

54 controls →

CIS Benchmark

Industry-standard security configuration guide for Microsoft 365 developed by the Center for Internet Security.

53 controls →

Zero Trust

Microsoft's security model based on "never trust, always verify" principles for identity, devices, and data.

53 controls →

Automate SOC 2 Compliance

TrueConfig continuously monitors your Microsoft 365 tenant against SOC 2 requirements and helps you remediate deviations automatically.

Start Free Trial