SOC 2

SOC 2 is an independent attestation report that evaluates a service organization’s controls against the AICPA Trust Services Criteria: Security (the common criteria, always in scope) and, optionally, Availability, Processing Integrity, Confidentiality, and Privacy. A Type I report assesses whether controls are suitably designed at a point in time; a Type II report also assesses whether they operated effectively over a review period.

In practical terms, SOC 2 requires documented policies, repeatable processes, control monitoring, and evidence. Identity-centric controls show up throughout: onboarding/offboarding, authentication, authorization, access reviews, change management approvals, logging, and incident response.

How does it affect identity security?
From an identity perspective, preparing for SOC 2 typically means:

  • Strong authentication: SSO and MFA for sensitive systems and administrative access; limited legacy auth.
  • Least privilege: role-based access, periodic access certifications, and removal of unused entitlements.
  • Timely lifecycle (JML, joiner/mover/leaver): automated provisioning/deprovisioning tied to HR events; no orphaned accounts.
  • Privileged access governance: approvals for elevation and session logging/recording where feasible.
  • Monitoring & evidence: centralized identity logs (IdP, directory, cloud IAM, SaaS), alerting on risky events, and clear audit trails.
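The access-review and lifecycle controls above come down to reconciling what the identity provider holds against what HR says should exist. The script below, an added example and not code from any SOC 2 framework or vendor product, shows the core of that reconciliation: it compares a constructed HR roster with a constructed IdP account export and flags leavers whose accounts still exist, accounts with no HR record (typically service or non-human identities that need an assigned owner), dormant accounts, and administrators without MFA. All data, field names and thresholds are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample HR roster: who should have access, keyed by username.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},   # leaver whose account was never removed
    "carol": {"status": "active"},
}

# Constructed sample IdP export: roles, MFA enrollment, last successful login.
IDP_ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa": True, "last_login": "2024-04-10"},
    {"user": "bob", "roles": ["engineer"], "mfa": True, "last_login": "2024-02-20"},
    {"user": "carol", "roles": ["engineer", "admin"], "mfa": False, "last_login": "2023-12-01"},
    {"user": "svc-deploy", "roles": ["admin"], "mfa": False, "last_login": "2024-04-11"},
]

# Review date fixed so the example is deterministic (an assumption, not a real audit date).
AS_OF = date(2024, 4, 15)


def review_accounts(roster, accounts, as_of, dormant_days=90):
    """Reconcile IdP accounts against the HR roster and return review findings.

    Finding categories:
      orphaned          - HR says the person is not active, but the account exists
      no_hr_record      - account has no HR owner (e.g. service accounts needing an owner)
      dormant           - no login within `dormant_days` of the review date
      admin_without_mfa - holds an admin role but is not enrolled in MFA
    """
    cutoff = as_of - timedelta(days=dormant_days)
    findings = {"orphaned": [], "no_hr_record": [], "dormant": [], "admin_without_mfa": []}

    for acct in accounts:
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            findings["no_hr_record"].append(user)
        elif hr["status"] != "active":
            findings["orphaned"].append(user)

        if date.fromisoformat(acct["last_login"]) < cutoff:
            findings["dormant"].append(user)

        if "admin" in acct["roles"] and not acct["mfa"]:
            findings["admin_without_mfa"].append(user)

    # Sorted output keeps the evidence file stable between runs.
    return {k: sorted(v) for k, v in findings.items()}


def evidence_lines(findings, as_of):
    """Render findings as one line per item, suitable for an audit evidence packet."""
    lines = []
    for category, users in findings.items():
        for user in users:
            lines.append(f"{as_of.isoformat()} {category} {user}")
    return lines


def run_review():
    """Run the review over the constructed sample data."""
    return review_accounts(HR_ROSTER, IDP_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for line in evidence_lines(run_review(), AS_OF):
        print(line)
```

In practice the roster and account list would come from the HRIS and IdP APIs, and the evidence lines would be stored with the reviewer's sign-off so the auditor can trace each removal back to the review that triggered it.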

Case study
A B2B SaaS provider pursuing SOC 2 Type II discovered inconsistent offboarding and shared admin accounts in a few tools. They centralized identity through SSO, enforced MFA for admin roles, automated deprovisioning via HR triggers, and scheduled quarterly access reviews. In the next audit cycle, identity-related exceptions dropped, and evidence collection was faster because approvals and removals were already logged.
