SOC 2 Compliance

SOC 2 (Service Organization Control 2) is a framework for managing customer data based on five Trust Services Criteria. Cloudgeni helps you achieve and maintain SOC 2 compliance across your cloud infrastructure.

SOC 2 Coverage

  • 200+ automated checks across AWS, Azure, and GCP
  • All 5 Trust Services Criteria covered
  • Continuous monitoring with real-time alerts
  • Audit-ready reports for Type I and Type II audits

Trust Services Criteria

Security (Common Criteria)

The security principle addresses protection against unauthorized access.
| Control Area | Cloudgeni Checks |
| --- | --- |
| Access Control | IAM policies, MFA enforcement, least privilege |
| Network Security | Security groups, NACLs, firewall rules |
| Encryption | Data at rest, data in transit, key management |
| Logging | Audit trails, CloudTrail, activity logs |
| Vulnerability Management | Security scanning, patch management |
Key Checks:
  • soc2_cc6_1 - Logical access controls implemented
  • soc2_cc6_2 - Authentication mechanisms enforced
  • soc2_cc6_3 - Access removal upon termination
  • soc2_cc6_6 - System boundaries protected

Availability

The availability principle ensures systems are operational and accessible.
| Control Area | Cloudgeni Checks |
| --- | --- |
| Redundancy | Multi-AZ deployments, load balancing |
| Backup | Automated backups, retention policies |
| Disaster Recovery | Cross-region replication, failover |
| Monitoring | Health checks, uptime monitoring |
| Capacity | Auto-scaling, resource planning |
Key Checks:
  • soc2_a1_1 - Capacity management implemented
  • soc2_a1_2 - Environmental protections in place
  • soc2_a1_3 - Recovery procedures documented

Processing Integrity

The processing integrity principle ensures system processing is complete, accurate, and authorized.
| Control Area | Cloudgeni Checks |
| --- | --- |
| Data Validation | Input validation, data integrity checks |
| Error Handling | Exception handling, error logging |
| Processing Controls | Transaction logging, reconciliation |
| Quality Assurance | Testing procedures, change validation |
Key Checks:
  • soc2_pi1_1 - Processing integrity policies defined
  • soc2_pi1_2 - System inputs validated
  • soc2_pi1_3 - Processing monitored for completeness

Confidentiality

The confidentiality principle protects information designated as confidential.
| Control Area | Cloudgeni Checks |
| --- | --- |
| Data Classification | Tagging, labeling requirements |
| Encryption | Encryption at rest and in transit |
| Access Restrictions | Role-based access, data isolation |
| Data Retention | Retention policies, secure deletion |
Key Checks:
  • soc2_c1_1 - Confidential information identified
  • soc2_c1_2 - Confidential information protected
  • soc2_c1_3 - Disposal procedures implemented

Privacy

The privacy principle addresses collection, use, and disposal of personal information.
| Control Area | Cloudgeni Checks |
| --- | --- |
| Data Collection | Consent management, purpose limitation |
| Data Use | Access controls, use restrictions |
| Data Retention | Retention schedules, deletion |
| Data Disclosure | Third-party sharing controls |
Key Checks:
  • soc2_p1_1 - Privacy notice provided
  • soc2_p2_1 - Personal information collected with consent
  • soc2_p3_1 - Personal information used as disclosed

Control Mapping

CC1 - Control Environment

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC1.1 | COSO principles | Organizational policies | Resource tagging |
| CC1.2 | Board oversight | IAM governance | Azure AD governance |
| CC1.3 | Management philosophy | Security policies | Compliance policies |

CC2 - Communication and Information

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC2.1 | Internal communication | SNS topics | Service Bus |
| CC2.2 | External communication | API Gateway | API Management |
| CC2.3 | Security awareness | Training records | Training records |

CC3 - Risk Assessment

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC3.1 | Risk objectives | Security Hub | Defender for Cloud |
| CC3.2 | Risk identification | GuardDuty | Sentinel |
| CC3.3 | Fraud consideration | CloudTrail | Activity Log |

CC4 - Monitoring Activities

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC4.1 | Ongoing evaluation | Config Rules | Azure Policy |
| CC4.2 | Internal assessments | Inspector | Defender scans |
| CC4.3 | Deficiency evaluation | Security findings | Security alerts |

CC5 - Control Activities

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC5.1 | Control selection | Security groups | NSGs |
| CC5.2 | Technology controls | WAF, Shield | Application Gateway |
| CC5.3 | Policy deployment | SCPs | Management Groups |

CC6 - Logical and Physical Access

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC6.1 | Logical access | IAM policies | Azure RBAC |
| CC6.2 | Authentication | MFA enabled | Conditional Access |
| CC6.3 | Access removal | IAM audit | Access reviews |
| CC6.6 | System boundaries | VPC isolation | VNet isolation |
| CC6.7 | Data transmission | TLS/SSL | TLS/SSL |
| CC6.8 | Malicious software | GuardDuty | Defender |

CC7 - System Operations

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC7.1 | Vulnerability detection | Inspector | Defender |
| CC7.2 | Anomaly detection | GuardDuty | Sentinel |
| CC7.3 | Security evaluation | Security Hub | Security Center |
| CC7.4 | Incident response | CloudWatch Alarms | Azure Monitor |

CC8 - Change Management

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC8.1 | Infrastructure changes | CloudTrail | Activity Log |
| CC8.2 | Software changes | CodePipeline | DevOps |
| CC8.3 | Emergency changes | Change tracking | Change tracking |

CC9 - Risk Mitigation

| Control | Description | AWS Check | Azure Check |
| --- | --- | --- | --- |
| CC9.1 | Risk mitigation | Security Hub | Defender |
| CC9.2 | Vendor management | Third-party audit | Third-party audit |

Getting Compliant

Step 1: Run SOC 2 Assessment

  1. Go to Compliance in the Cloudgeni dashboard
  2. Select the SOC 2 framework
  3. Click Run Assessment
  4. Review the findings by control

Step 2: Prioritize Remediation

Focus on high-impact controls first:
| Priority | Control Area | Impact |
| --- | --- | --- |
| 1 | Access Control (CC6) | Critical - protects all data |
| 2 | Logging (CC7) | Critical - audit trail |
| 3 | Encryption (CC6.7) | High - data protection |
| 4 | Change Management (CC8) | Medium - operational |

Step 3: Remediate Findings

For each finding:
  1. Click Remediate to generate a fix
  2. Review the generated IaC code
  3. Create a pull request
  4. Merge the change and verify it with a re-scan

Step 4: Generate Audit Report

  1. Go to Compliance → SOC 2
  2. Click Generate Report
  3. Select the date range and filters
  4. Download the PDF for auditors

Continuous Compliance

Automated Monitoring

Cloudgeni continuously monitors your infrastructure:
  • Real-time detection of configuration changes
  • Automatic re-assessment on resource changes
  • Drift alerts when compliance degrades
  • Trend tracking over time

Compliance Score

Track your SOC 2 compliance score:
Score = (Passing Controls / Total Controls) × 100
| Score | Status | Action |
| --- | --- | --- |
| 95-100% | Audit Ready | Maintain controls |
| 85-94% | Good | Address gaps before audit |
| 70-84% | Needs Work | Prioritize remediation |
| Below 70% | At Risk | Immediate attention |
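To make the score formula, the status bands and the drift alerts from Automated Monitoring concrete, here is an added Python example; it is not Cloudgeni's own code. It scores two assessments keyed by the check ids listed on this page, breaks the score down per Trust Services Criterion, and lists the controls that regressed between them; the pass/fail results are constructed sample data, not real scan output.

```python
from typing import Dict, List

# Status bands from the table above: inclusive lower bound -> label.
BANDS = [(95, "Audit Ready"), (85, "Good"), (70, "Needs Work"), (0, "At Risk")]

def compliance_score(results: Dict[str, bool]) -> float:
    """Score = (Passing Controls / Total Controls) x 100; 0.0 if nothing was assessed."""
    if not results:
        return 0.0
    return sum(1 for ok in results.values() if ok) / len(results) * 100

def status_for(score: float) -> str:
    """Map a score onto the status table; each band's lower bound is inclusive."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "At Risk"

def by_criterion(results: Dict[str, bool]) -> Dict[str, float]:
    """Per-criterion score, grouping ids such as soc2_cc6_1 / soc2_pi1_2 by prefix
    (cc = Security, a = Availability, pi = Processing Integrity, c = Confidentiality, p = Privacy)."""
    groups: Dict[str, Dict[str, bool]] = {}
    for check_id, ok in results.items():
        crit = check_id.split("_")[1].rstrip("0123456789")
        groups.setdefault(crit, {})[check_id] = ok
    return {crit: compliance_score(r) for crit, r in groups.items()}

def drift_alerts(previous: Dict[str, bool], current: Dict[str, bool]) -> List[str]:
    """Controls that passed in the previous assessment and fail now, i.e. compliance degraded."""
    return sorted(cid for cid, ok in current.items() if not ok and previous.get(cid, False))

# Constructed sample results for the check ids listed on this page (not real scan output).
BASELINE = {
    "soc2_cc6_1": True, "soc2_cc6_2": True, "soc2_cc6_3": True, "soc2_cc6_6": True,
    "soc2_a1_1": True, "soc2_a1_2": True, "soc2_a1_3": False,
    "soc2_pi1_1": True, "soc2_pi1_2": True, "soc2_pi1_3": True,
    "soc2_c1_1": True, "soc2_c1_2": True, "soc2_c1_3": True,
    "soc2_p1_1": True, "soc2_p2_1": True, "soc2_p3_1": True,
}
# Later assessment: MFA enforcement (cc6_2) and disposal procedures (c1_3) have regressed.
LATEST = {**BASELINE, "soc2_cc6_2": False, "soc2_c1_3": False}

if __name__ == "__main__":
    for name, res in (("baseline", BASELINE), ("latest", LATEST)):
        s = compliance_score(res)
        print(f"{name}: {s:.2f}% -> {status_for(s)}  per-criterion: {by_criterion(res)}")
    print("drift alerts:", drift_alerts(BASELINE, LATEST))
```

A two-point drop in the overall score hides the fact that Security (cc) fell to 75% while Privacy stayed at 100%, which is why the per-criterion breakdown and the regressed-control list matter more than the headline number when prioritizing remediation.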

Audit Preparation

Type I Audit

Point-in-time assessment of control design:
  1. Run comprehensive SOC 2 scan
  2. Document control implementations
  3. Generate evidence report
  4. Prepare control narratives

Type II Audit

Assessment of control effectiveness over time:
  1. Enable continuous monitoring
  2. Maintain evidence over audit period (typically 6-12 months)
  3. Track remediation timelines
  4. Document exceptions and compensating controls

Evidence Collection

Cloudgeni automatically collects:
  • Configuration snapshots
  • Change history
  • Access logs
  • Security scan results
  • Remediation records