Framework B.07 · SOC 2

SOC 2 Type I & II - Trust Services Criteria, audit cycle and pen testing evidence.

SOC 2 is the AICPA-defined audit standard for service organisations. CyberFortify's penetration testing and compliance consulting services produce the technical evidence SOC 2 auditors specifically request - CC6.1 (logical access), CC7.1 (security event detection) and CC8.1 (change management).

Maintainer: AICPA Types: Type I (point-in-time) · Type II (period) Criteria: 5 Trust Services Criteria
5
Trust criteria (TSC)
33
Common Criteria (CC)
Type I
Point-in-time
Type II
3-12 month period
SOC 2 TSC: Security · Availability · Processing Integrity · Confidentiality · Privacy · CC6.1 Logical Access · CC7.1 Detection · CC8.1 Change Management · Type II Operating Effectiveness SOC 2 TSC: Security · Availability · Processing Integrity · Confidentiality · Privacy · CC6.1 Logical Access · CC7.1 Detection · CC8.1 Change Management · Type II Operating Effectiveness
// Executive summary

SOC 2 reports come in two types - Type I (control design at a point in time) and Type II (operating effectiveness over a 3-12 month period). CyberFortify's offensive testing evidence is core to satisfying CC6.1 and CC7.1 in both report types.

// 01 What SOC 2 actually is

// DefinitionSOC 2

An attestation report under AICPA SSAE 18 standard, covering a service organisation's controls relevant to one or more of the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy.

Two report types: Type I (control design as of a point in time) and Type II (operating effectiveness over a period, typically 3-12 months).

SOC 2 is dominant in the US SaaS market. Most enterprise-buyer security questionnaires now ask "do you have a SOC 2 Type II?" before they ask anything else. Unlike ISO 27001, SOC 2 is an attestation rather than a certification - the auditor opines on whether your controls are designed (Type I) or operating (Type II) appropriately. The deliverable is an attestation report, not a certificate.

// 02 The five Trust Services Criteria

SECAlways required

Security (Common Criteria)

The mandatory category. Includes 33 Common Criteria (CC1.x - CC9.x) covering control environment, risk assessment, monitoring, communication and the Common Controls.

AVLOptional

Availability

System uptime, capacity, environmental protection, backup. Often added for SaaS infrastructure providers.

PIOptional

Processing Integrity

Completeness, validity, accuracy, timeliness of processing. Relevant for transaction processors, payment platforms.

CONOptional

Confidentiality

Information designated confidential is protected. Relevant for B2B SaaS handling enterprise customer data.

PRVOptional

Privacy

Personal information lifecycle aligned with the AICPA Generally Accepted Privacy Principles. Less common.

// 03 How pen testing satisfies SOC 2 Common Criteria

Three Common Criteria are directly satisfied by penetration testing evidence on every CyberFortify engagement.

CC6.1

Logical and physical access controls

"The entity implements logical access security software, infrastructure and architectures over protected information assets to protect them from security events." Pen testing validates the effectiveness of these controls in production.

Direct evidence
CC7.1

Detection of security events

"To meet its objectives, the entity uses detection and monitoring procedures to identify... potential security events." Pen testing - and especially red teaming - tests the effectiveness of detection.

Detection evidence
CC7.2

Monitoring system components

"The entity monitors system components and the operation of those components for anomalies." Penetration testing produces controlled anomalous traffic auditors review against detection logs.

Telemetry test
CC8.1

Change management

Pen testing after material changes is the technical evidence change-management controls function. CyberFortify's free remediation retest closes this loop.

Post-change

// 04 The Type I → Type II progression

Most organisations begin with Type I and progress to Type II within 6-12 months. CyberFortify's testing cadence is designed to align with this progression.

The Type II report is what enterprise buyers actually want to see. Type I is a useful step but rarely terminal - plan the Type II audit window from day one of your SOC 2 programme.

CyberFortify compliance practice

// 05 Frequently asked questions

How long does a SOC 2 Type II audit take?

The audit period itself is typically 3, 6 or 12 months. Total elapsed time from gap assessment to issued report is typically 9-18 months for a first Type II.

Do auditors require pen testing?

CC7.1 and CC8.1 do not name penetration testing explicitly, but every reputable SOC 2 auditor expects pen testing as evidence of detection capability and change-management effectiveness. The big-four and second-tier auditors uniformly require it.

How does SOC 2 compare to ISO 27001?

SOC 2 is an attestation; ISO 27001 is a certifiable management system. Many CyberFortify customers run both. We can produce evidence acceptable to both audits from a single offensive engagement.

Ready for a SOC 2-aligned engagement?

Schedule a 30-minute scoping call. CyberFortify will recommend the right offensive testing service plus compliance consulting support and quote a fixed-price engagement.

Schedule scoping call → Back to CyberFortify home →