SOC 2

SOC 2 (AICPA Trust Services Criteria)

SOC 2 is an auditing standard for service organizations that defines criteria for managing customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Key requirements

What SOC 2 requires.

  • CC — Common Criteria (Security, mandatory)
  • Availability criteria (if in scope)
  • Confidentiality criteria (if in scope)
  • Evidence collection for Type II audit period
  • Vendor and risk management

AICPA Trust Services Criteria for Service Organizations

How Acuna helps

SOC 2 across all four panes.

Comply

Select applicable Trust Services Criteria, define scope, map controls to criteria.

Implement

Implement controls, collect evidence continuously across the audit period.

Operate

Maintain operational cadence: recurring checks, vendor reviews, access reviews.

Assure

Build the audit pack, manage auditor requests, track observations and remediation.

FAQ

Common questions about SOC 2.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates whether controls are suitably designed at a point in time. Type II evaluates whether controls operated effectively over a period (typically 6-12 months). Acuna supports both but is optimized for continuous Type II evidence collection.

How does Acuna support continuous SOC 2 compliance?

Unlike point-in-time tools, Acuna's Operate pane maintains a continuous operational rhythm: recurring control checks, evidence collection, and vendor reviews, so you're always audit-ready.

Can Acuna map SOC 2 controls to ISO 27001?

Yes. SOC 2 Common Criteria and ISO 27001 Annex A share significant overlap. Acuna's cross-framework mapping reuses evidence across both standards.

Which SOC 2 Trust Services Criteria does Acuna support?

Acuna supports all five Trust Services Criteria: Security (CC), Availability (A), Processing Integrity (PI), Confidentiality (C), and Privacy (P). Most organizations scope Security as the baseline.

How does Acuna manage SOC 2 vendor risk requirements?

Vendor risk management under SOC 2 CC9.2 is handled by Supplier Shield inside Acuna: vendor assessments, risk ratings, and ongoing monitoring in one place.

Related answers

Questions practitioners ask.

What is the difference between SOC 2 Type I and Type II?

SOC 2 Type I evaluates whether controls are suitably designed at a specific point in time. SOC 2 Type II evaluates whether those controls operated effectively over a period, typically 6 to 12 months. Type II is more rigorous because it requires evidence of sustained operation — not just that controls exist on paper. Most enterprise buyers require a Type II report. Acuna is designed for continuous evidence collection during the Type II observation period, with recurring tasks, control health scoring, and audit-ready evidence packs.

See how Acuna handles SOC 2.

Get access and our team will walk you through the SOC 2 implementation in Acuna.