SOC 2 Requirements

Everything you need to implement to achieve SOC 2 certification

Trust Service Criteria (TSC)

SOC 2 is based on 5 Trust Service Criteria. Security is required; the other 4 are optional based on your business and customer needs.

Security (Required)

32 controls

Protection of system resources against unauthorized access

Key Requirements:

  • Access controls (MFA, RBAC, least privilege)
  • Logical and physical access restrictions
  • System operations monitoring and logging
  • Change management and version control
  • Risk assessment and mitigation
  • Security incident response procedures

Availability (Optional)

12 controls

System is available for operation and use as committed

Key Requirements:

  • Infrastructure monitoring and alerting
  • Capacity planning and performance management
  • Backup and recovery procedures
  • Disaster recovery and business continuity plans
  • Incident response and escalation
  • Network and environmental protections

Processing Integrity (Optional)

10 controls

System processing is complete, valid, accurate, timely, and authorized

Key Requirements:

  • Input validation and data quality checks
  • Error detection and correction mechanisms
  • Processing authorization and approval
  • Output validation and reconciliation
  • System monitoring for accuracy

Confidentiality (Optional)

8 controls

Confidential information is protected as committed

Key Requirements:

  • Data classification and handling policies
  • Encryption at rest and in transit
  • Confidential data access restrictions
  • Non-disclosure agreements (NDAs)
  • Secure disposal of confidential data
  • Confidentiality training for employees

Privacy (Optional)

8 controls

Personal information is collected, used, retained, and disclosed in conformity with commitments

Key Requirements:

  • Privacy notice and consent management
  • Data subject rights (access, deletion, portability)
  • Purpose limitation and data minimization
  • Third-party data sharing agreements
  • Privacy by design principles
  • Data retention and disposal policies

SOC 2 Control Categories

Organization & Management

8 controls

  • CISO or security leadership role
  • Risk assessment process
  • Security policies and procedures
  • Compliance program oversight

Communications

6 controls

  • Security awareness training
  • Incident response communication
  • Policy distribution and acknowledgment
  • External stakeholder communication

Risk Assessment

7 controls

  • Annual risk assessment
  • Threat modeling
  • Vendor risk management
  • Risk mitigation plans

Monitoring Activities

6 controls

  • SIEM and log monitoring
  • Intrusion detection
  • Vulnerability scanning
  • Control effectiveness reviews

Control Activities

12 controls

  • Logical access controls (MFA)
  • Change management
  • System operations procedures
  • Backup and recovery

Logical & Physical Access

15 controls

  • User provisioning/deprovisioning
  • Privileged access management
  • Data center security
  • Workstation hardening

System Operations

10 controls

  • Capacity and performance management
  • Environmental protections
  • Data backup procedures
  • Disaster recovery testing

Change Management

8 controls

  • Code review and approval
  • Testing before production
  • Change authorization
  • Rollback procedures

Risk Mitigation

6 controls

  • Incident response plan
  • Business continuity plan
  • Vulnerability remediation
  • Insurance coverage

Required Policies & Procedures

Information Security Policy

Available in LowerPlane

Overarching policy defining your security program, roles, and responsibilities

Access Control Policy

Available in LowerPlane

User provisioning, deprovisioning, MFA, password requirements, access reviews

Incident Response Plan

Available in LowerPlane

How to detect, respond to, and recover from security incidents

Business Continuity & Disaster Recovery Plan

Available in LowerPlane

Procedures for maintaining operations during disruptions

Change Management Policy

Available in LowerPlane

Code review, testing, approval, deployment, and rollback procedures

Risk Assessment Policy

Available in LowerPlane

How you identify, assess, and mitigate information security risks

Vendor Management Policy

Available in LowerPlane

Third-party risk assessment, contracts, ongoing monitoring

Data Classification & Handling

Available in LowerPlane

How you classify and protect different types of data

Acceptable Use Policy

Available in LowerPlane

Rules for employee use of company systems and data

Physical Security Policy

Available in LowerPlane

Data center access, badge controls, visitor management

Encryption Policy

Available in LowerPlane

Encryption standards for data at rest and in transit

Security Awareness Training Program

Available in LowerPlane

Annual training for all employees on security best practices

Technical Requirements

Infrastructure & Security

  • Multi-factor authentication (MFA) on all systems
  • Encrypted data at rest (AES-256) and in transit (TLS 1.2+)
  • Centralized logging and SIEM (6-12 month retention)
  • Intrusion detection and prevention systems
  • Vulnerability scanning and patch management
  • Antivirus/endpoint protection on all devices
  • Network segmentation and firewalls
  • Automated backups with tested restore procedures
  • Web application firewall (WAF) if applicable

Development & Operations

  • Code review process (pull requests)
  • Separate dev, staging, and production environments
  • Version control system (Git)
  • Automated testing before production deployment
  • Change management tickets for all deployments
  • Access controls on production systems
  • Database encryption and access logging
  • Secrets management (no hardcoded credentials)
  • Dependency scanning for vulnerabilities

Evidence You'll Need

Policies & Procedures

  • All 12+ required policies
  • Board approval documentation
  • Annual policy reviews
  • Employee acknowledgments

Access Control Evidence

  • User access reviews (quarterly)
  • MFA enforcement screenshots
  • Onboarding/offboarding tickets
  • Privileged access logs

Training & Awareness

  • Training completion records
  • Phishing simulation results
  • Security onboarding materials
  • Annual refresher courses

Change Management

  • Code review approvals
  • Deployment tickets
  • Testing evidence
  • Rollback procedures

Monitoring & Detection

  • SIEM alerts and logs
  • Vulnerability scan reports
  • Intrusion detection alerts
  • Incident tickets

Risk & Vendor Management

  • Annual risk assessment
  • Vendor security questionnaires
  • Vendor SOC 2 reports
  • Contracts and BAAs

Business Continuity

  • Backup logs and tests
  • Disaster recovery plan
  • BC/DR test results
  • Insurance certificates

Physical Security

  • Data center SOC 2 reports
  • Cloud provider certifications
  • Badge access logs
  • Visitor logs

Encryption & Data Protection

  • TLS/SSL certificates
  • Encryption configurations
  • Data retention procedures
  • Secure disposal records

LowerPlane Automation

We automate 30-50% of evidence collection by connecting to your AWS, Okta, GitHub, Jira, and 300+ other tools. Save 75+ hours per month and never miss critical evidence.

Ready to tackle SOC 2 requirements?

LowerPlane provides all policy templates, automates evidence collection, and guides you through every requirement.