SOC 2 assessment and readiness

Manage SOC 2 assessments with pre-built Trust Services Criteria controls. Track compliance across security, availability, processing integrity, confidentiality, and privacy.

No credit card required. Free plan available forever.

SOC 2: demonstrating trust through audited controls

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates an organisation's controls relevant to security, availability, processing integrity, confidentiality, and privacy. These five categories, known as the Trust Services Criteria, provide a comprehensive framework for assessing how a service organisation manages customer data. SOC 2 reports are issued by independent CPA firms and are widely used by enterprise customers to evaluate the security posture of their vendors and service providers.

There are two types of SOC 2 reports. Type I evaluates the design of controls at a specific point in time, while Type II evaluates both the design and operating effectiveness of controls over a defined period (typically 6 to 12 months). Most enterprise customers require a Type II report, which means organisations must demonstrate that their controls are not only designed properly but also functioning consistently over time. This ongoing compliance requirement makes structured tracking and evidence management essential. SecPortal provides the tools to manage the entire SOC 2 lifecycle, from initial readiness assessment through audit support and continuous monitoring.

Trust Services Criteria

Security (Common Criteria)

The foundational criterion required for every SOC 2 engagement. Covers logical and physical access controls, system operations, change management, and risk mitigation. Security controls protect information and systems from unauthorised access, both physical and logical, throughout their lifecycle.

Availability

Addresses whether the system is available for operation and use as committed or agreed. Covers performance monitoring, disaster recovery, incident handling, and business continuity. Particularly relevant for SaaS providers and cloud service organisations with uptime commitments.

Processing Integrity

Ensures that system processing is complete, valid, accurate, timely, and authorised. Covers data processing controls, quality assurance, and monitoring procedures. Critical for organisations that process transactions or perform calculations on behalf of their customers.

Confidentiality

Protects information designated as confidential. Covers encryption, access restrictions, data classification, and secure disposal. Applies to intellectual property, business plans, pricing data, and any information that must be restricted to specified parties.

Privacy

Addresses the collection, use, retention, disclosure, and disposal of personal information. Aligns with common privacy principles and is relevant for organisations handling consumer data. Covers consent, notice, access, and data quality requirements.

Control templates by category

Access Controls (CC6)

Templates for logical and physical access control requirements, including user provisioning, authentication mechanisms, role-based access, and access review processes. Covers both system-level and application-level controls.

System Operations (CC7)

Templates for monitoring system operations, detecting anomalies, evaluating events, and responding to incidents. Includes change detection, vulnerability management, and operational monitoring requirements.

Change Management (CC8)

Templates for managing changes to infrastructure, data, software, and procedures. Covers change authorisation, testing, approval, and implementation processes that prevent unauthorised modifications.

Risk Mitigation (CC9)

Templates for identifying, assessing, and mitigating risks. Includes vendor management, business disruption planning, and risk assessment processes that inform the overall control environment.

Readiness assessment and evidence management

Preparing for a SOC 2 audit requires a systematic approach to evaluating current controls, identifying gaps, and building the evidence repository that auditors will examine. SecPortal structures this process with pre-built templates, readiness assessments, and AI-generated narratives that describe your control environment in the language auditors expect.

  • Pre-built control templates for all Trust Services Criteria, with Security (Common Criteria) fully detailed
  • Readiness assessment workflow that evaluates current control implementation against SOC 2 requirements
  • Gap analysis reports identifying controls that need implementation or improvement before the audit period
  • Control owner assignment with responsibility tracking for each criterion and sub-requirement
  • Evidence collection repository linking policies, configurations, and process documentation to specific controls
  • AI-generated audit narratives that describe control implementations in the format auditors expect
  • Cross-mapping to other frameworks showing how existing ISO 27001 or NIST controls satisfy SOC 2 requirements

Readiness workflow

SecPortal guides organisations through a structured readiness workflow that covers the full SOC 2 preparation lifecycle. From scoping and assessment through remediation and audit support, each phase is tracked with clear milestones and ownership.

  • Scoping phase: define which Trust Services Criteria are in scope based on service commitments
  • Current state assessment: evaluate existing controls against each in-scope criterion
  • Gap identification: document controls that are missing, partially implemented, or lack evidence
  • Remediation planning: assign owners, set deadlines, and track progress for each identified gap
  • Evidence collection: gather and organise documentation, configurations, and process artifacts
  • Pre-audit review: conduct internal readiness checks before the external auditor begins fieldwork
  • Audit support: provide structured evidence packages and control narratives during the examination period

SOC 2 compliance is increasingly a requirement for selling into enterprise markets, and the Type II report's emphasis on sustained control effectiveness means that compliance is an ongoing operational concern. SecPortal provides the persistent tracking, evidence management, and reporting infrastructure that transforms SOC 2 from a stressful annual project into a managed, continuous process. Whether you are preparing for your first SOC 2 examination or supporting clients through their third consecutive Type II audit, SecPortal delivers the structure and traceability that auditors and customers expect.

Key control areas

SecPortal helps you track and manage compliance across these domains.

Security (CC)

Track common criteria controls including access management, system operations, and change management.

Availability (A)

Assess system availability controls including monitoring, disaster recovery, and incident management.

Processing Integrity (PI)

Track data processing controls, quality assurance, and monitoring mechanisms.

Confidentiality (C)

Manage data classification, encryption, access restrictions, and data disposal controls.

Privacy (P)

Track privacy notice, consent, collection, use, retention, and disclosure controls.

Get SOC 2 ready

Pre-built Trust Services Criteria controls. AI-generated audit summaries.