
SOC 2 Readiness: Implement the Controls Behind the Trust Services Criteria.

SOC 2 is the AICPA System and Organization Controls 2 report, an independent attestation issued by a licensed CPA firm on how a service organization protects customer data. It is built on the Trust Services Criteria (TSC): Security (the common criteria, always in scope) plus Availability, Processing Integrity, Confidentiality, and Privacy, which are added based on what your customers and contracts require. A Type I report describes the design of your controls at a single point in time; a Type II report tests whether those controls operated effectively over a review period, commonly three to twelve months. There is no SOC 2 certification: SOC 2 is an attestation report, and any framing that calls it a certification is incorrect. Compliance is demonstrated by the report itself, issued by the CPA firm after an examination of your controls and evidence.

SOC 2 is voluntary and market-driven. Unlike a government mandate, it is demanded by your customers during vendor due diligence, and it is now a routine condition of doing business for SaaS, technology, data hosting, and other service organizations. Cyber One Solutions implements and operates the security controls the report rests on: access control and multi-factor authentication, managed endpoint detection and response, centralized logging and monitoring, vulnerability and patch management, change management, incident response, encrypted and tested backups, and vendor risk management. We run the readiness and gap assessment, remediate what the examination would flag, gather and organize the evidence, and support the CPA firm through the examination. We are not the CPA firm and do not sign the report; the independent auditor performs the examination and issues the attestation.

What You Get
  • A readiness and gap assessment mapping your current controls against the Trust Services Criteria and identifying what the CPA examination would flag.
  • Security common-criteria controls implemented and operated: access control, multi-factor authentication, managed EDR, and centralized logging and monitoring.
  • Change management and vulnerability and patch management processes with documented procedures and evidence of consistent operation.
  • A written incident response plan, encrypted and tested backups, and vendor risk management aligned to the criteria in scope.
  • A continuously maintained evidence library: policies, access reviews, logs, tickets, and test results organized for the auditor's request list.
  • Examination support so the independent CPA firm can complete the Type I or Type II engagement and issue the attestation report.
The Short Answer

What is SOC 2, and who needs it?

SOC 2 is the AICPA System and Organization Controls 2 report, an attestation issued by an independent licensed CPA firm on how a service organization protects customer data. It is based on the Trust Services Criteria: Security (always in scope) plus Availability, Processing Integrity, Confidentiality, and Privacy as needed. It is voluntary and market-driven, requested by customers during vendor due diligence, and common for SaaS, technology, and data hosting providers. There is no SOC 2 certification; it is an attestation report. Cyber One Solutions implements and operates the security controls, runs the readiness assessment, gathers evidence, and supports the CPA firm's examination. We do not sign the report.

  • Attestation report by an independent CPA firm, not a certification
  • Built on the AICPA Trust Services Criteria
  • Type I tests control design; Type II tests operating effectiveness over a period
  • Voluntary and driven by customer vendor due diligence
  • Cyber One Solutions implements controls and prepares you for the examination
The Trust Services Criteria

The Control Areas a SOC 2 Examination Tests.

SOC 2 is organized around the AICPA Trust Services Criteria. Security is the common criteria and is always in scope; Availability, Processing Integrity, Confidentiality, and Privacy are added based on your services and customer requirements. These are the control areas a CPA firm examines, and the work Cyber One Solutions implements and operates against each one so the report has evidence to stand on.

Access Control and Authentication

Logical access to systems and data is restricted to authorized users, with unique identification, least-privilege roles, and multi-factor authentication on email, remote, and privileged access. Periodic access reviews and prompt deprovisioning of departed users provide the evidence the examination expects.

Logging, Monitoring, and Detection

Centralized logging and continuous monitoring detect anomalous activity and support investigation. Managed endpoint detection and response on workstations and servers, paired with 24/7/365 SOC monitoring, gives the examiner evidence that security events are identified, escalated, and acted on.

Change Management

Changes to systems and infrastructure follow a documented process: requested, reviewed, approved, tested, and tracked. Change records and approvals show the auditor that production changes are controlled rather than ad hoc, a recurring focus of the common criteria.

Vulnerability and Patch Management

A documented process identifies, prioritizes, and remediates vulnerabilities, with patch deployment tracked and time-bound. Evidence of scanning cadence and remediation timelines demonstrates that known weaknesses are managed rather than left open between reviews.

Incident Response and Recovery

A written incident response plan defines roles, escalation, and communication, and encrypted, tested backups support recovery and availability. Evidence of plan testing and successful restore tests shows the controls operate, not just exist on paper.

Vendor and Risk Management

A risk assessment identifies threats to the data in scope, and a vendor risk process evaluates the subservice organizations and tools that touch customer data. This addresses the common criteria around risk assessment and the vendor relationships the examination reviews.

Why SOC 2 Matters to Your Business

SOC 2 is voluntary, but your customers make it mandatory.

SOC 2 is not imposed by a regulator. It is driven by the market: your customers ask for the report during vendor due diligence before they will sign or renew. For SaaS, technology, data hosting, and other service organizations, a SOC 2 report has become the standard way to prove to enterprise buyers that customer data is protected. The report is an attestation by an independent CPA firm, not a certification, and its credibility rests on controls that genuinely operate.

SOC 2 is an attestation report, not a certification.

SOC 2 reports are issued under the AICPA System and Organization Controls framework and examined by a licensed CPA firm. The CPA firm evaluates whether your controls meet the Trust Services Criteria and expresses an opinion in a formal report. There is no certificate and no certifying body: the deliverable is the report itself, and anyone who calls it a SOC 2 certification is describing it incorrectly.

A Type I report covers the design of controls at a point in time: it describes your system and confirms the controls are suitably designed on a specific date. A Type II report goes further and tests whether the controls operated effectively over a review period, commonly three to twelve months, which is why it carries more weight with enterprise buyers.

SOC 2 also sits alongside related reports. SOC 1 covers controls relevant to a customer's financial reporting; SOC 3 is a short, general-use summary that can be shared publicly. SOC 2 is the report buyers most often request when they are evaluating how you protect their data.

The Trust Services Criteria define what gets examined.

Security is the common criteria and is always part of a SOC 2 engagement. It covers access control, system operations, change management, risk assessment, and the monitoring and response controls that protect against unauthorized access. Most of the implementation work for a first SOC 2 concentrates here.

The other four criteria are added based on scope. Availability addresses uptime, performance monitoring, and recovery. Processing Integrity addresses whether processing is complete, valid, accurate, and timely. Confidentiality addresses information designated as confidential. Privacy addresses the collection, use, retention, and disposal of personal information.

You scope the report to the criteria your customers and contracts require. Adding criteria you do not need lengthens the examination and the evidence burden without commercial benefit, so the readiness assessment starts by defining the right scope before any controls work begins.

The report is only as good as the evidence behind it.

A Type II examination tests operating effectiveness across the entire review period, not just on the day the auditor looks. That means the controls must run consistently for months and produce a record: access reviews completed on schedule, change tickets approved, patches deployed within target windows, backups tested, and alerts triaged. Gaps in that record become exceptions in the report.

Cyber One Solutions builds the evidence into operations rather than reconstructing it at audit time. We operate the controls on your environment, capture the logs and tickets as a byproduct of running them, and keep the evidence organized against the auditor's request list so the examination moves quickly.

The independent CPA firm performs the examination and issues the opinion. Our role is to make sure that when they sample your controls across the period, the controls were genuinely operating and the evidence is there to prove it.

Frequently asked questions.

Should we start with a Type I or a Type II report?

It depends on what your customers are asking for and how soon. A Type I confirms your controls are suitably designed at a point in time and can be completed sooner, which is useful when a customer needs evidence quickly or you are early in your SOC 2 program. A Type II tests operating effectiveness over a review period, commonly three to twelve months, and carries more weight in enterprise vendor due diligence. Many organizations begin with a Type I to validate design, then move to an annual Type II. Cyber One Solutions runs the readiness assessment first so you choose the path that matches your customer demand and timeline, then implements and operates the controls either route requires.

Which Trust Services Criteria should be in scope?

Security, the common criteria, is always in scope. The other four, Availability, Processing Integrity, Confidentiality, and Privacy, are added based on your services and what your customers and contracts require. A data hosting provider often adds Availability; a business handling sensitive customer information often adds Confidentiality; a service that processes transactions may add Processing Integrity; a service handling personal information may add Privacy. We help you scope to the criteria that match your commitments, because adding criteria you do not need lengthens the examination and the evidence burden without commercial benefit.

Common Questions

SOC 2 Compliance, Answered.

Common questions from service organizations on SOC 2 scope, report types, the Trust Services Criteria, examination timelines, and who does what.
