SOC 2 Type II Requirements: Complete Guide to Trust Services Criteria

Your organization must have a code of conduct and demonstrate that leadership takes ethics and integrity seriously. This means documented values, background checks, and disciplinary procedures.

Your board or oversight body must exercise independent oversight over internal controls. For startups without formal boards, this means having leadership review and approve security policies regularly.

You must define and perform control activities to mitigate risks to acceptable levels. This means having documented procedures for how you handle identified risks, including technology controls.

You must implement controls to restrict logical and physical access to your systems. This includes authentication mechanisms, role-based access, and physical security for offices and data centers.

New user accounts and access must be provisioned based on documented authorization. You need a process for granting, modifying, and revoking access based on job roles and the principle of least privilege.

Access to systems must be granted based on roles and follow the principle of least privilege. Users should only have access to the systems and data they need for their job function.

You must protect system boundaries using firewalls, intrusion detection, and network segmentation. Traffic entering and leaving your environment must be monitored and controlled.

Data in transit must be encrypted and protected. This applies to all data transfers whether over the internet, between internal systems, or to third parties.

You must have monitoring in place to detect unauthorized changes to configurations and identify new vulnerabilities. This includes vulnerability scanning, configuration monitoring, and intrusion detection.

You must monitor your systems for anomalies and security events that could indicate a breach or attack. This includes log collection, alerting, and regular review of security events.

When a security event is detected, you must evaluate whether it constitutes a security incident. There must be a defined process for triaging, classifying, and escalating security events.

You must have a documented incident response plan that includes containment, eradication, recovery, and post-incident review. The plan must be tested regularly.

All changes to infrastructure, software, and configurations must follow a documented change management process. This includes testing, approval, and rollback procedures.

You must identify, assess, and mitigate risks that could affect business continuity. This includes business continuity planning, disaster recovery, and testing of recovery procedures.

You must assess and manage risks associated with third-party vendors. This includes evaluating vendor security practices, contractual requirements, and ongoing monitoring.

You must monitor system capacity and performance to ensure availability meets commitments. This includes planning for growth, setting thresholds, and responding to capacity issues before they cause outages.

You must have tested disaster recovery and business continuity plans that allow you to restore systems within committed timeframes. Backup and recovery procedures must be documented and tested regularly.

You must identify and classify confidential information. A data classification policy should define what counts as confidential, how it is labeled, and who can access it.

Confidential information must be disposed of securely when no longer needed. This includes policies for data retention periods and secure deletion procedures.

You must provide clear privacy notices to data subjects and obtain consent where required. The notice must explain what data is collected, how it is used, and how individuals can exercise their rights.