SOC 2
Audit framework for service organizations based on Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an auditing standard developed by AICPA. Unlike prescriptive frameworks, SOC 2 is principles-based—organizations choose how to meet the criteria. A Type II report demonstrates that controls are operating effectively over time (typically 6-12 months), providing assurance to customers that the organization takes security seriously.
In Microsoft 365
Microsoft 365 security features help meet SOC 2 Trust Services Criteria. CC6 (Logical and Physical Access Controls) maps to Conditional Access and MFA. CC7 (System Operations) maps to logging and monitoring. Organizations using M365 can leverage these built-in controls for their own SOC 2 compliance.
Examples
- CC6.1 - Logical access controls
- CC6.2 - Authentication mechanisms
- CC7.2 - Anomaly detection
Related TrueConfig Controls
These controls help implement and verify SOC 2 criteria in your Microsoft 365 environment.