Axura

SOC 2 Compliance Guide

Complete guide to obtaining SOC 2 Type I and Type II attestation reports (commonly referred to as SOC 2 certification) with Axura. Understand the Trust Services Criteria and how to demonstrate compliance.
12 min read
Updated: January 2026
SOC 2
AICPA
Trust Services
Audit

What is SOC 2?

SOC 2 (System and Organization Controls 2, originally Service Organization Control 2) is an attestation framework developed by the AICPA that assesses how a service organization manages customer data. It's based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The result is not a certificate but an independent auditor's report on the organization's controls.

💡 Type I vs Type II

Type I evaluates whether controls are suitably designed at a single point in time. Type II evaluates whether those controls are designed and operating effectively over an observation period (typically 6-12 months). Most customers require Type II, because only it shows that controls actually ran as described.

Trust Services Criteria

Criteria                       Description                                  Required?
Security (Common Criteria)     Protection against unauthorized access       Always
Availability                   System uptime and accessibility              Optional
Processing Integrity           Accurate and complete data processing        Optional
Confidentiality                Protection of confidential information       Optional
Privacy                        Personal information handling                Optional

Security (Common Criteria)

The Security criteria (Common Criteria CC1-CC9) are required for every SOC 2 audit; the other four categories are added only if they are in scope:

CC1 - Control Environment

Organizational structure, ethics, HR practices

CC2 - Communication & Information

Internal and external communication

CC3 - Risk Assessment

Risk identification and management

CC4 - Monitoring Activities

Ongoing evaluation of controls

CC5 - Control Activities

Policies and procedures

CC6 - Logical & Physical Access

Access management and authentication

CC7 - System Operations

Monitoring and incident response

CC8 - Change Management

System development and changes

CC9 - Risk Mitigation

Vendor management and risk transfer

SOC 2 Timeline

Typical SOC 2 Journey
Month 1-2: Gap Analysis & Planning
  └─ Identify gaps in current controls
  └─ Create remediation roadmap
  └─ Implement missing controls
  
Month 3-4: Evidence Collection
  └─ Configure automated evidence collection
  └─ Document policies and procedures
  └─ Complete employee training
  
Month 5: Type I Audit (Optional)
  └─ Point-in-time assessment
  └─ Quick validation of controls
  
Month 6-11: Observation Period
  └─ Continuous monitoring
  └─ Ongoing evidence collection
  └─ Address any findings (gaps found late in the period still count against the report)
  
Month 12: Type II Audit
  └─ Full audit over observation period
  └─ Auditor testing and interviews
  └─ Receive SOC 2 report

How Axura Helps

Automated Gap Analysis

Identify what you need before you start.

Continuous Evidence

24/7 evidence collection from integrations.

Control Mapping

Automatic mapping of evidence to SOC 2 controls.

Auditor Workspace

Secure portal for your auditor to review evidence.

Audit Simulator

Practice for auditor questions.

Next Steps