SOC 2 (AICPA Trust Services Criteria) Compliance with SCF Connect
Use SCF Connect to map your security controls to SOC 2, assess maturity, and achieve audit readiness — all from a single GRC platform built on the Secure Controls Framework.
What Is SOC 2?
SOC 2 is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that store, process, or transmit customer data. It evaluates an organization's controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the "common criteria") is always in scope; the other four are optional depending on the services provided.
A SOC 2 Type I report assesses the design of controls at a point in time, while a Type II report evaluates both design and operating effectiveness over a period (typically 6 to 12 months). SOC 2 Type II reports have become a near-universal requirement in enterprise sales cycles for SaaS vendors, managed service providers, and data processors.
SCF Connect maps the AICPA Trust Services Criteria (with 2022 points of focus) to the Secure Controls Framework. When you scope SOC 2, the platform identifies every applicable SCF control, lets you assess maturity, and generates the evidence request lists your auditor will need — all while cross-mapping to any other frameworks you also need to satisfy.
Who Needs SOC 2 Compliance?
- SaaS companies and cloud service providers
- Managed service providers (MSPs) and managed security service providers (MSSPs)
- Data centers and hosting providers
- Any service organization handling customer data that must demonstrate security to prospects
- Organizations responding to enterprise customer due-diligence questionnaires
How SCF Connect Helps with SOC 2
Automatic Control Mapping
SCF Connect maps SCF controls directly to SOC 2 requirements. Select the framework and your required controls are identified instantly.
Maturity Assessment
Assess each control against the SCF Capability Maturity Model (SP-CMM) to understand your current posture and track improvement over time.
Evidence Collection
Generate Evidence Request Lists (ERLs) specific to your SOC 2 controls. Know exactly what documentation you need for your audit.
Gap Analysis
Use the SCRMS methodology to identify gaps between your compliance requirements and your actual security posture, then prioritize remediation.
Compliance Reporting
Generate detailed reports showing your SOC 2 compliance status, control maturity scores, and evidence collection progress.
Multi-Framework Support
Already mapped to another framework? Add SOC 2 and see how your existing controls satisfy additional requirements — no duplicate work.
Frequently Asked Questions About SOC 2
What is SOC 2?
SOC 2 is an auditing framework developed by the AICPA for service organizations. It evaluates controls related to Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 report is issued by an independent CPA firm after examining your controls.
What is the difference between SOC 2 Type I and Type II?
A Type I report evaluates whether your controls are suitably designed at a specific point in time. A Type II report evaluates both design and operating effectiveness over a review period (usually 6 to 12 months). Type II reports are more rigorous and are what most enterprise customers require.
Which Trust Services Criteria should I include?
Security (the common criteria) is always required. Add Availability if you offer uptime SLAs, Confidentiality if you handle sensitive data, Processing Integrity if you process transactions, and Privacy if you collect personal information. Your auditor can help you determine the right scope.
How does SCF Connect help with SOC 2?
SCF Connect maps the AICPA Trust Services Criteria to the Secure Controls Framework. Select SOC 2 in the platform and your required controls are identified instantly. You can then assess maturity, collect evidence, and generate reports — all while leveraging the same controls for other frameworks like ISO 27001 or HIPAA.