What SOC 2 actually asks of you, in plain language: the five criteria, the controls, and the evidence auditors want.
SOC 2 is built on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Only Security (the "common criteria") is mandatory; you add the others based on what you promise customers. Meeting the requirements means having documented policies, technical controls (access control, encryption, logging, change management), and evidence that they operated over time, not just on paper.
SOC 2 does not hand you a fixed checklist of controls. Instead it organizes everything around five categories, and you choose which apply based on the promises you make to customers.
Start with Security, because it is mandatory. Add the others only when you actually commit to them. If you offer an uptime SLA, include Availability. If you handle sensitive personal data, Privacy and Confidentiality may matter. Adding criteria you do not need just adds cost and evidence burden, so scope deliberately.
Underneath the criteria, the work is concrete. Most startups end up with somewhere between 60 and 100-plus controls across a familiar set of categories.
The single biggest reason audits slip is evidence. It is not enough for a control to exist; for a Type II report you must show it operated consistently over the observation window. That means collecting tickets, logs, review records, and approvals over months. Start evidence collection on day one, not the week before the auditor arrives.
| Criterion | Required? | Include when |
|---|---|---|
| Security | Yes (always) | Every SOC 2. The common criteria baseline. |
| Availability | Optional | You commit to uptime or an SLA. |
| Processing Integrity | Optional | Your system transacts or processes customer data. |
| Confidentiality | Optional | You handle data customers designate confidential. |
| Privacy | Optional | You collect and process personal information. |
How many of the five criteria are mandatory? Only one. Security, also called the common criteria, is mandatory in every SOC 2 report. The other four (Availability, Processing Integrity, Confidentiality, and Privacy) are optional and added only when they reflect commitments you make to customers.
How many controls does SOC 2 require? There is no fixed number. SOC 2 defines criteria, not a rigid control list, so the count depends on your scope and systems. Most startups end up with roughly 60 to 100-plus controls once you account for policies, access management, encryption, logging, and change management.
What evidence does a Type II audit need? For a Type II report, the auditor wants proof that controls operated over the whole observation window: access review records, change approvals, logs, ticket histories, and policy acknowledgements. Designing a control is not enough; you have to show it ran consistently.
Do you have to include all five criteria? No, and you usually should not. Adding criteria you do not actually commit to just increases cost and evidence work. Include Security plus only the additional criteria that match what you promise customers.
What is the difference between criteria and controls? Criteria are the high-level objectives (for example, "logical access is restricted"). Controls are the specific things you do to meet them (MFA, quarterly access reviews, offboarding within 24 hours). You map your controls to the criteria and then prove they work.
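To make the "prove it operated over the window" idea concrete, here is an added example (not from the original page or from traztech) that tests two of the controls named above, offboarding within 24 hours and quarterly access reviews, against constructed evidence records for a constructed 2024 observation window; the record shapes and dates are assumptions, not a real audit format.

```python
"""Toy Type II evidence check for two logical-access controls.

Given exported offboarding tickets and access-review records, report the
exceptions an auditor would flag: revocations later than 24 hours after
termination, and calendar quarters in the window with no review on file.
"""
from datetime import datetime, timedelta

# Constructed observation window (assumed, not from the page).
OBS_START = datetime(2024, 1, 1)
OBS_END = datetime(2024, 12, 31)

# Constructed sample evidence (not real data): termination vs. revocation times.
OFFBOARDINGS = [
    {"user": "alice", "terminated": "2024-03-04T09:00", "revoked": "2024-03-04T17:30"},
    {"user": "bob", "terminated": "2024-06-10T12:00", "revoked": "2024-06-12T08:00"},
    {"user": "carol", "terminated": "2024-09-01T08:00", "revoked": None},
]
# Constructed access-review completion dates; note there is no Q3 review.
ACCESS_REVIEWS = ["2024-01-15", "2024-04-20", "2024-10-05"]


def offboarding_exceptions(records, max_hours=24):
    """Return (user, hours_to_revoke) for every offboarding that missed the SLA.

    hours_to_revoke is None when access was never revoked at all.
    """
    exceptions = []
    for r in records:
        terminated = datetime.fromisoformat(r["terminated"])
        if r["revoked"] is None:
            exceptions.append((r["user"], None))
            continue
        delta = datetime.fromisoformat(r["revoked"]) - terminated
        if delta > timedelta(hours=max_hours):
            exceptions.append((r["user"], round(delta.total_seconds() / 3600, 1)))
    return exceptions


def missing_quarters(review_dates, start, end):
    """Return (year, quarter) tuples inside [start, end] with no review evidence."""
    quarter = lambda dt: (dt.year, (dt.month - 1) // 3 + 1)
    covered = {quarter(datetime.fromisoformat(d)) for d in review_dates
               if start <= datetime.fromisoformat(d) <= end}
    expected, dt = set(), start
    while dt <= end:  # walk the window one quarter at a time
        expected.add(quarter(dt))
        next_month = (quarter(dt)[1] * 3) + 1  # first month of the next quarter
        dt = datetime(dt.year + (next_month > 12), (next_month - 1) % 12 + 1, 1)
    return sorted(expected - covered)
```

Run over the sample data this flags bob (44 hours) and carol (never revoked) for the offboarding control and Q3 2024 as a gap in review evidence; a clean run over real exports is what you would hand the auditor alongside the raw records.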
From Jacob Masse, founder of traztech.