New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

Back to frameworks
Assurance

SOC 2 Trust Services Criteria

A flexible attestation framework for service organisations, built around security, availability, confidentiality, and more.

SOC 2 reports give customers independent assurance that a service organisation protects their data. Unlike prescriptive frameworks, SOC 2 is criteria-based: you design controls that meet the Trust Services Criteria relevant to your offering.

Type I vs Type IILink to this section

A Type I report describes control design at a point in time. A Type II report tests operating effectiveness over a period – usually 6–12 months. Most enterprise buyers expect Type II; plan your observation window before promising dates to customers.

Scoping your reportLink to this section

Security (Common Criteria) is always in scope. Availability, confidentiality, processing integrity, and privacy are optional categories you select based on what you promise customers. Scope creep is expensive – we help teams pick categories that match contracts, not aspirations.

How we support SOC 2 readinessLink to this section

We translate criteria into engineering-friendly controls: what to log, what to review monthly, and what evidence your auditor will ask for on day one of fieldwork.

Trust Services Criteria coverage

Common Criteria

CriterionFocus areaHow we help
CC1Control environmentGovernance structure, tone-at-the-top messaging, and org charts that satisfy auditor walkthroughs.
CC6Logical and physical accessAccess reviews, SSO/MFA standards, and vendor access policies with quarterly evidence exports.
CC7System operationsMonitoring runbooks, incident response drills, and change-management records tied to deployments.
CC8Change managementPR templates, separation of duties, and release evidence that maps cleanly to Git history.

Availability

CriterionFocus areaHow we help
A1Capacity and recoverySLA definitions, backup/restore tests, and disaster-recovery tabletop exercises with documented outcomes.

Confidentiality

CriterionFocus areaHow we help
C1Data classification and handlingClassification scheme, encryption standards, and customer-data handling procedures for engineering teams.

Need help with compliance?

From ISO 27001 readiness to SOC 2 audits, we help teams build practical programs that satisfy assessors and work in the real world.