Research Project: This is a free AI research project. No warranties, SLAs, or company associations.

AICPA Trust Services Framework

SOC 2 Trust Services Compliance

52 controls across 5 Trust Services Principles, continuously monitored and audit-ready. The gold standard for demonstrating security to enterprise customers.

  • 52 Controls: Trust Services Criteria
  • 13 Categories: Organized by function
  • 5 Principles: Trust Services Core
  • Audit Ready: Continuous evidence

The 5 Trust Services Principles

SOC 2 is built on five principles. Security is always required; the others are chosen based on your service commitments to customers.

Security

Always Required

Protection against unauthorized access and system vulnerabilities

Availability

System accessibility for operation and use as committed

Processing Integrity

System processing is complete, valid, accurate, and authorized

Confidentiality

Information designated as confidential is protected as committed

Privacy

Personal information is collected, used, and retained appropriately

13 Control Categories

SOC 2 controls are organized into 13 categories, with the first 9 (CC1-CC9) forming the Common Criteria that apply to all engagements. Additional criteria apply based on which Trust Services Principles you include.

Our platform continuously monitors evidence across all categories:

  • Common Criteria (CC1-CC9): 33 controls for Security
  • Availability (A1): 3 additional controls
  • Processing Integrity (PI1): 5 additional controls
  • Confidentiality (C1): 2 additional controls
  • Privacy (P1-P8): 9 additional controls

Control Categories

  • Control Environment: CC1 (5 controls)
  • Communication & Information: CC2 (3 controls)
  • Risk Assessment: CC3 (4 controls)
  • Monitoring Activities: CC4 (2 controls)
  • Control Activities: CC5 (3 controls)
  • Logical & Physical Access: CC6 (8 controls)
  • System Operations: CC7 (5 controls)
  • Change Management: CC8 (1 control)
  • Risk Mitigation: CC9 (2 controls)
  • Availability Criteria: A1 (3 controls)
  • Processing Integrity: PI1 (5 controls)
  • Confidentiality Criteria: C1 (2 controls)
  • Privacy Criteria: P1-P8 (9 controls)

Report Types

Type I vs Type II: Which Do You Need?

Type I is a snapshot; Type II proves controls work over time. Most enterprise customers require Type II for vendor assessments.

Aspect            | Type I Report               | Type II Report
Scope             | Design of controls          | Design + operating effectiveness
Time period       | Point-in-time (single date) | 6-12 month observation period
Evidence required | Policies and procedures     | Policies + execution evidence
Audit complexity  | Lower (less testing)        | Higher (sampling & testing)
Market acceptance | Initial assessment only     | Industry standard for trust
Cost              | Lower ($20K-$50K typical)   | Higher ($30K-$100K+ typical)

Our Recommendation

Start with Type I to validate your control design, then immediately begin your observation period for Type II. With continuous monitoring, you'll collect evidence automatically throughout the observation period, making your Type II audit straightforward.

Evidence From Your Existing Stack

SOC 2 evidence is collected automatically from tools you already use. No manual screenshots or spreadsheet maintenance.

Acronis Cyber Protect Cloud

  • Backup job status (A1.2)
  • Encryption at rest (CC6.1)
  • Disaster recovery tests (A1.3)
  • Agent deployment (CC6.6)
  • Malware detection (CC6.8)

Microsoft GDAP

  • Privileged access (CC6.2)
  • MFA enforcement (CC6.1)
  • Role assignments (CC6.3)
  • Access reviews (CC6.2)

Microsoft Entra

  • User authentication (CC6.1)
  • Conditional access (CC6.3)
  • Identity governance (CC6.2)

Audit Readiness

Always Audit-Ready, Never Scrambling

Traditional SOC 2 prep means weeks of gathering screenshots, updating spreadsheets, and chasing down evidence. With continuous monitoring, you're always audit-ready.

  • Continuous control monitoring with evidence collection
  • Automated policy documentation and version control
  • Real-time gap detection and remediation tracking
  • Auditor-ready evidence packages on demand
  • Historical evidence retention for observation periods
  • Control effectiveness dashboards and trend analysis

Enterprise Trust

SOC 2 Opens Enterprise Doors

Enterprise customers require SOC 2 reports during vendor assessments. A clean SOC 2 Type II report accelerates sales cycles and reduces friction.

Faster Sales Cycles

Skip lengthy security questionnaires. Share your SOC 2 report and move straight to contract negotiations with enterprise prospects.

Vendor Assessments

Pass third-party risk assessments with confidence. SOC 2 is the most requested compliance report in enterprise procurement.

Competitive Advantage

Win deals against competitors who lack SOC 2. Enterprise buyers choose vendors who can demonstrate security controls.

Frequently Asked Questions

Type I evaluates whether your controls are properly designed at a specific point in time. Type II goes further, testing whether those controls actually operated effectively over a period of 6-12 months. Most customers and partners require Type II because it provides stronger assurance that controls work consistently.

Any organization that stores, processes, or transmits customer data should consider SOC 2. This includes SaaS companies, cloud service providers, MSPs, data centers, and IT service providers. If your enterprise customers ask for a SOC 2 report during vendor assessments, you need one.

Type I audits typically take 2-4 months from start to report. Type II audits require a 6-12 month observation period after controls are in place, plus 2-3 months for the actual audit. With continuous monitoring in place, you can significantly reduce the preparation burden.

No. SOC 2 results in an attestation report, not a certification. An independent CPA firm examines your controls and issues a report with their opinion. There is no pass/fail; instead, the auditor provides an opinion on whether controls are suitably designed and operating effectively.

Security is the only required criterion. The others (Availability, Processing Integrity, Confidentiality, Privacy) are optional and depend on your services. Most organizations include Security plus one or two others relevant to their offering.

Continuous monitoring collects evidence automatically throughout the year, eliminating the scramble before audits. It also helps detect control failures early so you can remediate before they become audit findings. This reduces audit prep from weeks to hours.

Start Your SOC 2 Journey Today

No credit card required. 14-day trial. Cancel anytime.

Connect your existing tools and begin collecting SOC 2 evidence immediately. Reduce audit prep from weeks to hours.