ScalePad
ControlMap

SOC 2 Field Guide for MSPs

SOC 2 compliance, made operational: the MSP's tactical playbook

A tactical playbook for managed service providers guiding service organizations, SaaS companies, data hosts, and your own MSP, through the report and its types, the Trust Services Criteria, and the audit journey, with a step-by-step ControlMap workflow.

The Report, Decoded

SOC 2 at a glance: why it lands on the MSP's desk

SOC 2 is an attestation report, not a certification: a licensed CPA firm examines a service organization's controls against the AICPA's Trust Services Criteria and issues a formal opinion. Unlike every regulation in this series, nobody is legally required to have one, and yet it's the report that decides whether B2B deals close, because enterprise buyers, platforms, and insurers have made it the de-facto ticket to handling other people's data.

Two Truths Up Front

What it is

An independent CPA's opinion that the organization's controls are suitably designed (Type I) and operating effectively over a period (Type II) against the criteria in scope. The deliverable is a detailed, restricted-distribution report customers read under NDA, typically refreshed annually.

What it isn't

Not a certificate, badge, or pass/fail score. There's no "SOC 2 certified." Not a government regulation. Not prescriptive: the criteria define outcomes; each organization designs its own controls to meet them, which is why two SOC 2 reports never look identical.

Who Gets Asked for One

Three flavors of MSP opportunity

Your SaaS & tech clients

Any client whose product touches customer data hits the SOC 2 wall the moment they sell upmarket. A prospect's security review asks for the report, and the deal stalls without it. You run their program; they close their deals.

Service organizations of every kind

Payroll processors, BPOs, data centers, healthcare billing, fintech back-offices, anyone operating systems on behalf of customers. SOC 2 is how they answer "why should we trust you with this?" once instead of per-deal.

Your own MSP

You hold admin access to dozens of businesses. That makes you a high-value target and a due-diligence subject. An MSP's own SOC 2 answers every client questionnaire, wins enterprise-adjacent deals, and is the strongest proof your CaaS practice knows its craft.

Don't Confuse the SOC Family

SOC 1

Controls relevant to customers' financial reporting (payroll, claims processing). Different criteria, different audience, their auditors.

SOC 2: this guide

Security, availability, processing integrity, confidentiality, and privacy controls. Restricted report for customers and prospects under NDA.

SOC 3

A short, general-use summary of the SOC 2: the public marketing version for the website trust page.

Why it matters: the cost of not having SOC 2 is measured in stalled pipelines, security reviews that drag for months, deals lost to attested competitors, and 300-question spreadsheets answered one painful row at a time. The flip side: a qualified or adverse opinion circulating to customers is worse than no report at all, which is why the audit journey opens with readiness. Go in clean or don't go in yet.

The Operating Model

Shared responsibility: the MSP is a subservice organization

SOC 2 has formal machinery for exactly this relationship. When the MSP runs infrastructure or security for the audited client, you're a subservice organization, and the report must account for you, either carved out (your services excluded, with your controls assumed via your own report) or included (your controls tested inside their audit). Either way, the auditor will want to know who does what, in writing.

MSP × service organization: who runs what

The client can delegate the operating, never the assertion. Capture the real split per client in the responsibility matrix.

MSP operates

  • Infrastructure & cloud ops
  • Identity, MFA & access admin
  • Endpoint & network security
  • Logging, SIEM & monitoring
  • Backup & recovery
  • Patching & change execution
  • Incident detection & response

Shared

  • Scoping & boundary
  • Risk assessment
  • Policies & procedures
  • Control design
  • Evidence & audit hosting
  • Vendor management
  • Security training

Client owns

  • Management's assertion
  • The system description
  • Hiring the CPA firm
  • Product & code decisions
  • HR, hiring & governance
  • Customer commitments & SLAs
  • Final risk acceptance

Decide carve-out vs inclusive

Carve-out is the default: the client's report excludes your services and references the controls expected of you, cleanest when the MSP has (or is building) its own SOC 2. Inclusive puts your controls inside their audit: more burden on you, every cycle, for every client.

Map CUECs & CSOCs

Every report names complementary user entity controls (what customers must do) and complementary subservice organization controls (what providers like you must do). Extract them into the responsibility matrix, they're the contract behind the opinion.

Prove it continuously

Type II tests controls across the whole observation window, a quarter of missing access reviews is a finding no year-end scramble can fix. Centralize evidence in a GRC platform from day one of the period.

The auditor opines on what operated, not what was intended. SOC 2 is won in the boring weeks: the access review that happened on schedule, the change ticket with its approval, the incident with its post-mortem. The client can delegate the operating; never the assertion: management signs that the system description is accurate, and that signature is theirs alone.

01

Anatomy of the Attestation

The report: Type I, Type II, and what's inside

A SOC 2 engagement produces a structured attestation under the AICPA's standards. Understanding the report's anatomy, and the Type I / Type II distinction, is what lets you set the client's expectations, timeline, and budget correctly on day one.

Four Sections Every Reader Checks

Anatomy of the report

  1. §1

    Auditor's opinion

    The CPA firm's conclusion: the two pages everyone reads first.

  2. §2

    Management's assertion

    Leadership's signed claim that the description is accurate and controls met the criteria.

  3. §3

    System description

    The service, infrastructure, people, data, processes, subservice orgs, and CUECs: the document the client must largely write.

  4. §4

    Tests & results

    Every control, the auditor's test, and the result, including any exceptions. Where diligent buyers go digging.

Read §1 First

The four possible opinions: what page one can say

UnqualifiedClean: the goal. The opinion every security review wants to see on page one.
Qualified"Except for…", one or more criteria not met. Readable, but it raises questions buyers will ask.
AdversePervasive failures, commercially radioactive. Worse than no report at all in front of customers.
DisclaimerThe auditor couldn't get enough evidence to form an opinion at all.

MSP tip: the bridge letter. Reports cover a fixed period, but customers ask year-round. A bridge (gap) letter, management's statement that controls haven't materially changed since the period ended, covers the months between reports. Calendar it as a deliverable, not a scramble. And note: individual test exceptions can still appear in §4 of a clean report, buyers read them, so manage them (see the audit journey).

Type I or Type II: the snapshot and the real ask

Type I: a snapshot

Controls are suitably designed as of a single date. Faster and cheaper, a credible first milestone when a deal is waiting, but sophisticated buyers know it proves design, not operation.

Type II: the real ask

Controls are designed and operating effectively over an observation period, commonly 3–6 months for the first report, 12 months thereafter. This is what enterprise security reviews mean by "your SOC 2," and the report customers renew against annually.

Most organizations treat Type I as the stepping stone: a credible first milestone when a deal is waiting, followed by the Type II customers renew against annually. Set the expectation, and date the observation window, on day one.

Commitments Pick the Scope

Scoping the five Trust Services Categories

Security is mandatory; the other four are chosen, and the choice should follow the client's customer commitments, not ambition. Every added category adds criteria, controls, evidence, and audit fee. The discipline: scope to what customers actually rely on, and expand later if the market asks.

The Menu

The five Trust Services Categories

CategoryWhat it coversInclude it when…Criteria
SecurityRequiredProtection against unauthorized access, disclosure, and damage: the Common Criteria (CC1–CC9) covering governance, risk, access, operations, change, and mitigation. The backbone of every SOC 2.Always, it's the baseline category every report includes.33 (CC)
AvailabilityThe system is available for operation and use as committed: capacity planning, monitoring, backup, disaster recovery, and incident handling for outages.The client publishes SLAs or uptime commitments, true for nearly every SaaS. The most commonly added category.+3 (A1)
Processing integritySystem processing is complete, valid, accurate, timely, and authorized, inputs, processing, and outputs behave as specified.The product processes transactions customers rely on being right: payments, payroll, billing, claims, data pipelines.+5 (PI1)
ConfidentialityInformation designated confidential is protected through its lifecycle, identification, handling, retention, and destruction of confidential data.Contracts contain confidentiality commitments over customer business data (most B2B MSAs do), a frequent second addition.+2 (C1)
PrivacyPersonal information is collected, used, retained, disclosed, and disposed of per the org's privacy notice and the AICPA's privacy criteria, notice, choice, access, disclosure, quality, and monitoring.The client makes privacy commitments about personal information directly. The heaviest add, often better served by mapping to GDPR/state-privacy work; include deliberately, not by default.+18 (P1–P8)

What You'll Actually Quote

The three scopes MSPs quote

Security only

The lean first report

Included

  • The 33 Common Criteria: the mandatory baseline
  • Fastest path to a report in hand

Best for

Early-stage clients racing a deal deadline

Criteria in scope

33

Security + Availability (+ Confidentiality)

The SaaS standard, quote this as the default

Included

  • Matches the SLA and MSA commitments most clients have already made
  • Availability adds 3 criteria; Confidentiality adds 2

Best for

Nearly every SaaS client with published SLAs and B2B MSAs

Criteria in scope

36–38

All five

Maximum assurance, maximum lift

Included

  • Adds Processing Integrity (+5) and Privacy (+18)
  • Price and staff accordingly

Best for

Data-intensive platforms whose customers demand it

Criteria in scope

61

Read the client's MSA and SLA before picking categories: the commitments already made in contracts are the commitments the report should attest to. A report scoped narrower than the contracts looks evasive; scoped wider, it's paying to audit promises nobody asked for.

02

TSP §100, 2017 Edition

The Trust Services Criteria, decoded: outcomes, not products

The criteria (TSP §100, 2017 edition with revised points of focus) define what must be true, not which products to buy. The Common Criteria are organized on the COSO internal-control framework, which is why SOC 2 starts with governance and people, not firewalls. Each criterion carries "points of focus" that guide, but don't mandate, how auditors evaluate it.

The Numbers

9

Common Criteria series (CC1–CC9)

33

Criteria in the Security baseline

+28

Category criteria (A · PI · C · P) if all are scoped

~80–150

Controls in a typical SMB control set

How the Common Criteria Are Organized

Two halves of one system

CC1–CC5 · The governance half

Straight from COSO: control environment, communication, risk assessment, monitoring, and control activities. This is where SMBs are weakest, org charts, board oversight, documented risk process, policy governance, and where auditors start.

CC6–CC9 · The operational half

The supplemental series: logical & physical access (CC6: the biggest), system operations (CC7), change management (CC8), and risk mitigation and vendors (CC9). This is your MSP stack's home turf, already largely operating, rarely documented.

Criteria ≠ controls. You don't "implement CC6.1", you design controls (MFA policy, quarterly access reviews, SSO enforcement) that collectively satisfy CC6.1, and the auditor tests those controls. This freedom is SOC 2's gift to MSPs: your existing standardized stack, properly documented and evidenced, maps cleanly onto the criteria, exactly what ControlMap's cross-mapping and Stacks exploit in the workflow below.

Series by Series

The Common Criteria and category criteria, series by series

What each series demands in practice, the MSP translation, and the relative effort; then the four category series and who typically leads each. Capture the split per client in the responsibility matrix; it's the working contract behind the opinion.

The Backbone

The Common Criteria: CC1 through CC9

SeriesWhat it demands in practiceMSP translationEffort
CC1 · Control environment5 criteriaIntegrity and ethics, board/owner oversight, org structure with defined authority, commitment to competence, and individual accountability: the COSO tone-at-the-top set.Code of conduct, org chart, role descriptions, security accountability in reviews.Moderate
CC2 · Communication & information3 criteriaQuality information supports controls; objectives and responsibilities communicated internally; commitments and incidents communicated externally.Policy portal with attestations, customer status page, security contact channel.Light
CC3 · Risk assessment4 criteriaSpecified objectives, risks identified and analyzed (including fraud), and changes that could impact controls assessed.Annual risk assessment plus a living risk register with treatments.Moderate
CC4 · Monitoring activities2 criteriaOngoing and/or separate evaluations of controls; deficiencies evaluated and communicated to those responsible for action.Internal control reviews, the GRC dashboard, a tracked findings-to-fix loop.Light
CC5 · Control activities3 criteriaControl activities selected and developed to mitigate risks, including over technology, and deployed through policies and procedures.The documented control set itself, policies mapped to controls mapped to criteria.Moderate
CC6 · Logical & physical access8 criteriaThe biggest series: identity and authentication, access provisioning and timely removal, least privilege, physical access, media disposal, boundary protection, and prevention of malicious software via access paths.SSO + MFA, JML workflow, quarterly access reviews, encryption, device management.Heavy
CC7 · System operations5 criteriaVulnerability detection and monitoring, anomaly detection, incident evaluation and response, and recovery from incidents, including disaster recovery.Vulnerability scanning, EDR/SIEM with alerting, IR plan plus post-mortems, tested backups.Heavy
CC8 · Change management1 criterionOne criterion, big surface: infrastructure, data, and software changes are authorized, designed, developed, tested, approved, and implemented in a controlled way.PR reviews and CI/CD gates for code; ticketed infra changes with approval trails.Moderate
CC9 · Risk mitigation2 criteriaRisk mitigation for business disruption (insurance, BCP) and management of vendor and business-partner risk.Vendor register with diligence and their SOC 2s on file; cyber insurance; BCP.Light

Where first audits stumble: CC6's timely access removal (the contractor whose account lived three weeks past the contract), CC8 changes merged without recorded approval, and CC1 governance that exists in practice but not on paper. None are technology problems, all are cadence-and-evidence problems, which is why the observation window matters more than the tooling.

The Category Criteria

A, PI, C & P in practice

SeriesWhat the auditor testsTypical controls & evidence
A1 · Availability3 criteriaCapacity is monitored and managed to meet commitments; environmental protections, backup, and recovery infrastructure exist; recovery is actually tested.Capacity dashboards, BCDR plan, backup job reports, annual DR test results, uptime/SLA reports.
PI1 · Processing integrity5 criteriaDefinitions of data and processing are documented; inputs, processing, and outputs are complete, accurate, timely, and authorized; stored items protected during processing.Data validation rules, reconciliation jobs, error queues with resolution SLAs, processing specs.
C1 · Confidentiality2 criteriaConfidential information is identified and protected through its lifecycle, and destroyed per commitments when retention ends.Data classification policy, encryption coverage, retention schedule, disposal/offboarding records.
P1–P8 · Privacy18 criteriaThe full personal-information lifecycle: notice, choice and consent, collection, use/retention/disposal, access, disclosure to third parties, quality, and monitoring against the privacy notice.Privacy notice plus data map, consent records, DSAR workflow, processor agreements, coordinate with GDPR/state-privacy programs rather than duplicating them.

Who Does What

Criteria responsibility split

Typical allocation across the criteria for an MSP-supported service organization, capture the real split per client in the responsibility matrix.

Access, identity & device controlsCC6
MSP
Shared
Client
Operations, monitoring, IR & backupCC7, A1
MSP
Shared
Client
Change management: infra vs codeCC8
MSP
Shared
Client
Risk assessment, monitoring & vendorsCC3, CC4, CC9
MSP
Shared
Client
Governance, HR & tone at the topCC1, CC2
MSP
Shared
Client
Processing integrity & product behaviorPI1
MSP
Shared
Client
System description, assertion & auditor relationship
MSP
Shared
Client
MSP leadsSharedClient leadsProportions measured from the source guide's chart: the responsibility matrix records the real allocation per client.

The dev-shop reality check

For SaaS clients, CC8 splits in two: your MSP controls infrastructure change; their engineers control code change (PR review, CI gates, deploy approvals). Don't promise the auditor a development pipeline you don't run, wire the client's repo and pipeline evidence into the program from day one.

Cross-framework dividend

A SOC 2 control set built on CIS-aligned operations satisfies large slices of HIPAA, FTC Safeguards, and ISO 27001 via cross-mapping. For MSPs running multi-framework clients, SOC 2 is usually the second framework that costs 40%, not 100%: the pricing mechanic from the CaaS guide in action.

03

Readiness to Renewal

The audit journey: from first ask to clean Type II

Get from "a prospect asked for our SOC 2" to a clean Type II renewing annually. The first cycle typically runs 9–15 months end to end: readiness and remediation, then the observation window where controls must operate, then fieldwork. The auditor must be a licensed, independent CPA firm, pick one experienced in the client's size and stack.

The First-Cycle Path, End to End

  1. 1

    Scope

    Categories per commitments · system boundary · subservice orgs · Type I-first or straight to II.

  2. 2

    Readiness

    Gap assessment against the criteria · design the control set · find every miss before the auditor does.

  3. 3

    Remediate & document

    Close gaps · policies live with attestations · system description drafted.

  4. 4

    Observation window

    3–6 months (first report) of controls operating, evidence accruing the whole time.

  5. 5

    Fieldwork

    Evidence requests, sampling, interviews, walkthroughs, 4–8 weeks of auditor traffic.

  6. 6

    Report & renew

    Opinion issued · trust page updated · the 12-month window for next year starts immediately.

When something fails: managing exceptions

A missed review or late patch becomes a §4 exception, not automatically a qualified opinion, auditors weigh pervasiveness and compensating controls. Catch it first, remediate, and document a management response that ships alongside the finding. An exception with a crisp response reads as maturity; one discovered by the auditor reads as the tip of an iceberg.

Choosing the CPA firm

Interview 2–3 firms: ask for SMB/SaaS references, whether they work natively in GRC platforms, fieldwork timelines, and fixed-fee quotes. The readiness consultant and the auditor must be independent of each other: your CaaS practice does readiness; the CPA firm opines. That separation is your business model, not a limitation.

The Paper Trail

The document pack: what the auditor asks for first

Eight artifacts do the audit's heavy lifting: the auditor examines them for accuracy, samples against them through the window, and opines from them. The opinion only holds up if each one is real, current, and owned.

Eight Artifacts, One Opinion

The document pack

ArtifactWhat it is & what good looks likeOwner / cadence
System descriptionReport §3The narrative of the service: infrastructure, software, people, procedures, and data; boundaries; subservice organizations and the carve-out/inclusive choice; CUECs. Management's document: the auditor examines it for accuracy, not authorship.Client signs; MSP co-drafts · annual refresh
Management's assertionReport §2Leadership's formal claim that the description is fair and controls met the criteria. Short, signed, and the legal anchor of the whole engagement.Client executives · per report
Control matrixEvery control mapped to the criteria it satisfies, its owner, frequency, and evidence source: the working backbone the auditor tests from. Lives in the GRC platform, exported on demand.Shared · living document
Policy library + attestationsInfoSec, access, change, incident, vendor, BC/DR, data classification, acceptable use, approved, versioned, and acknowledged by staff. Auditors sample the acknowledgments.Shared · annual review
Risk assessment & registerThe CC3 engine: documented methodology, scored risks, treatments, and review records.Shared · annual + on change
Vendor registerCC9 in a table: critical vendors, their SOC 2/attestations on file, diligence and reassessment records, including your MSP's own entry.Shared · reassessed on cycle
Evidence libraryPeriod-stamped artifacts per control: access-review sign-offs, change tickets, scan reports, backup/DR test results, training exports, onboarding/offboarding records. Organized by control, ready for sampling.MSP-heavy · continuous through the window
Incident log + post-mortemsCC7's proof of life: incidents tracked, evaluated, and closed with lessons learned, and a tested IR plan behind them. "No incidents at all" invites scrutiny; honest logs build credibility.Shared · continuous

How sampling works: design evidence for it

For recurring controls the auditor samples the period: "show me 25 random terminations and the access-removal ticket for each, within SLA." Evidence generated by the workflow itself (tickets, pipeline logs, platform exports) survives sampling; evidence assembled retroactively doesn't. Build the habit in week one of the window.

Budget anchors: set expectations early

Typical SMB first cycle: readiness and remediation support $10K–$40K, Type II audit fee $20K–$60K (scope- and firm-dependent; Type I less), plus platform and any tooling gaps; then a lighter annual renewal. Position against the pipeline it unblocks: one enterprise deal usually pays for the entire program.

The annual rhythm after report #1: the next observation window opens the day the last one closed. Renewals are won by keeping the machine running, recurring evidence tasks, quarterly access reviews, the annual risk and policy refresh, so year two's fieldwork is a formality. Let the program lapse for a quarter and you're rebuilding, not renewing.

ControlMap by ScalePad

From security-questionnaire panic to a clean Type II: in one platform

ControlMap is ScalePad's multi-tenant GRC platform built for MSPs. Everything the audit journey demands: the control matrix, policies with attestations, risk and vendor registers, period-stamped evidence, and auditor collaboration, lives in one workspace per client, accruing through the observation window so fieldwork becomes a guided tour.

The Five-Step ControlMap Workflow for SOC 2

  1. 1

    Onboard & adopt with the right categories

    Create a dedicated client workspace and load the Trust Services Criteria scoped to the categories their commitments require (Security + Availability as the SaaS default). Record the scoping decisions, system boundary, and subservice-organization choices as foundation documents: the raw material of the §3 description.

  2. 2

    Run the readiness assessment: with Stacks pre-answering

    Declare the client's stack and let Stacks' vendor-product mappings auto-answer the assessment questions their existing EDR, identity, backup, and email-security tools already satisfy; your analyst verifies and works the genuine gaps. Build the CC3 risk register from the risk library in the same pass.

  3. 3

    Design the control set: and split it in the matrix

    Map each control to the criteria it satisfies with in-tool guidance; assign owners across your engineers, the client's developers (CC8 code change!), and inherited cloud providers; set frequencies. Cross-mapping means the same control set banks progress toward HIPAA, CIS, or ISO for multi-framework clients.

  4. 4

    Build policies from templates: and get them signed

    Draft the policy library from templates, tailor to the environment, version-control approvals, and push to staff for electronic acknowledgment, producing the CC1/CC2 governance paper trail and the attestation samples auditors request, automatically.

  5. 5

    Run the window on rails: then hand the auditor the keys

    Recurring tasks enforce every cadence, access reviews, vulnerability scans, backup tests, training, with evidence attached as it happens, automated where cloud and MSP-stack integrations allow. At fieldwork, the auditor works from an organized, period-stamped library instead of a six-week email thread.

Package it as a service

Productize the journey: Readiness (scoping, gap, control design, one-time) → Operate (monthly program through the observation window) → Audit support (fieldwork hosting, per cycle). SOC 2's annual renewal makes it the most naturally recurring framework in the CaaS catalog.

Make the QBR land

For SOC 2 clients the scorecard is commercial: window-readiness percentage, evidence freshness, days to next report, and: the number founders actually feel, security reviews answered this quarter from the trust package. Compliance progress that visibly shortens their sales cycle renews itself.

Keep it alive

Scope drifts: a new product line, a new subservice provider, a migration, an acquisition, each changes the system description and possibly the categories. Make "what changed in the system?" a standing QBR question, and update §3 as it happens rather than reconstructing it at fieldwork.

Take Action

Map the platform, run the first 90 days, work the checklist

Where each part of the SOC 2 journey lives in ControlMap and the artifacts auditors expect; a realistic first-90-days arc per client, months 1–3 of a 9–15 month first cycle; and the ten-point quick-start checklist to put the whole guide in motion.

ControlMap in Action

Mapping ControlMap to the SOC 2 journey

AreaDo this in ControlMapArtifacts you'll bank
The reportRecord category scoping with the commitment rationale; store the system-description draft and management-assertion templates; track Type I → Type II milestones and the bridge-letter calendar between reports.Scoping decision record · §3 description source material · bridge letters · report archive by year
The criteriaRun the control matrix mapped to CC1–CC9 and scoped category criteria; assign owners across MSP, client devs, and cloud providers; schedule every recurring cadence the window demands.Control matrix exports · access-review sign-offs · change & incident records · training attestations
The auditGive the auditor scoped access to work requests natively; respond to sample pulls from the period-stamped evidence library; log exceptions with management responses; flip the workspace into next year's window the day this one closes.Fieldwork request log · sampled evidence packages · exception register with responses · year-over-year continuity
Your own MSPStand up a workspace for your own SOC 2: the answer to every client questionnaire, the cleanest path through carve-out treatment in client reports, and the credential that sells your CaaS practice. Same platform, same playbook, client zero.Your own Type II · questionnaire-ready trust package · subservice-organization answers for client auditors

Per Client

A realistic first-90-days arc

  1. W1-2

    Scope & stand up

    Commitments reviewed · categories & type chosen · workspace created · subservice decisions made.

  2. W3-6

    Assess & design

    Readiness assessment complete (Stacks-accelerated) · control set designed · remediation priced and approved.

  3. W7-10

    Remediate & draft

    Gaps closing · policies live with attestations · CPA firms interviewed · system description drafting.

  4. W11-13

    Engage & operate

    Auditor engaged & window dated · recurring cadences live · evidence flowing · first progress report at QBR.

Take Action

Your 10-point SOC 2 quick-start checklist

1

Read the client's MSA and SLA first

The commitments already made in contracts pick the Trust Services Categories.

2

Choose the path

Type I as a deal-unblocking milestone, Type II as the destination, and date the observation window.

3

Settle the subservice-organization treatment

Carve-out vs inclusive, and your MSP's role in it, in writing.

4

Run the readiness assessment in ControlMap

Stacks pre-answers what the existing stack already satisfies; your analyst works the genuine gaps.

5

Attack CC6 first

SSO + MFA, the joiner-mover-leaver workflow, and quarterly access reviews, where first audits stumble.

6

Wire CC8 change evidence at the source

PR approvals and CI gates for code, ticketed approvals for infrastructure.

7

Publish the policy library with attestations

And stand up the risk and vendor registers (CC1–CC3, CC9).

8

Interview 2–3 CPA firms early

SMB references, GRC-platform fluency, fixed fees, and book the fieldwork slot before remediation finishes.

9

Run the window on recurring tasks

Evidence attached as it happens, catch exceptions yourself and write the management response.

10

Ship the report, then start again

Update the trust page, calendar the bridge letter, and start next year's window the same day.

This guide is provided for general educational purposes and reflects SOC 2 examinations under the AICPA's attestation standards and 2017 Trust Services Criteria (with revised points of focus) as commonly understood at time of publication. It is not accounting, audit, or legal advice; engagement structure, independence requirements, observation periods, and fees vary by CPA firm and circumstance, confirm specifics with a licensed practitioner. Companion guides in this series: HIPAA, PCI DSS, CMMC, FTC Safeguards (GLBA), and the CaaS Build Guide.

ControlMap

ControlMap by ScalePad

Turn SOC 2 into your next managed service

See how MSPs run multi-client SOC 2 programs, readiness, control matrices, period-stamped evidence, and auditor collaboration, in ControlMap.