SOC 2 Compliance Guide
SOC 2 is the enterprise security attestation demanded by US and European enterprise customers. Saudi technology, SaaS, cloud, and managed service providers increasingly require a SOC 2 Type II report to win and retain enterprise contracts. This guide covers all 5 Trust Services Criteria, Type I vs Type II, the Common Criteria breakdown, and how to achieve attestation.
Security
The mandatory criterion. CC1 Control Environment, CC2 Communication & Information, CC3 Risk Assessment, CC4 Monitoring, CC5 Control Activities, CC6 Logical & Physical Access, CC7 System Operations, CC8 Change Management, CC9 Risk Mitigation.
Availability
System and service accessibility per committed service level agreements. Covers capacity monitoring, environmental safeguards, backup and recovery, and incident response to restore availability.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized. Covers input validation, processing controls, output reconciliation, and error handling for transactional systems.
Confidentiality
Information designated as confidential is protected. Covers identification of confidential information, restriction of access, and secure disposal — relevant for organizations handling client or proprietary data.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of per commitments and applicable regulations. Covers notice, choice, access, disclosure, security, quality, and monitoring.
What is SOC 2?
SOC 2 (Service Organization Control 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for service organizations — primarily technology companies, cloud providers, SaaS platforms, and managed service providers that store, process, or transmit customer data. A SOC 2 report is issued by a licensed CPA firm and provides an independent auditor's opinion on whether the service organization's controls related to security, availability, processing integrity, confidentiality, and privacy meet the AICPA's Trust Services Criteria.
Unlike ISO 27001 (which results in a certificate), SOC 2 produces an attestation report describing how controls operated over a defined period. SOC 2 is not mandated by any Saudi regulation, but it is widely required by US and European enterprise customers as a vendor security due diligence requirement. Saudi technology and SaaS companies targeting global enterprise markets increasingly find SOC 2 Type II effectively mandatory for enterprise sales.
The framework is governed by the Trust Services Criteria (TSC 2017, updated 2022). The Security criterion — the Common Criteria (CC) — is always included and covers 33 criteria across 9 categories. Organizations select additional criteria (Availability, Processing Integrity, Confidentiality, Privacy) based on the services they provide to customers.
Common Criteria (CC1–CC9) — 33 criteria
The Common Criteria are mandatory for every SOC 2 engagement. They map to the COSO framework and cover the control environment, risk assessment, logical and physical access, system operations, and change management.
CC1 Control Environment
- Board and management oversight of security
- Organizational structure and accountability
- Commitment to competence
- Human resource policies for security
CC2 Communication & Information
- Internal communication of security responsibilities
- External communication with customers and regulators
- Relevant information obtained from external sources
CC3 Risk Assessment
- Risk identification and assessment process
- Fraud risk considerations
- Risk assessment for changes to the environment
CC4 Monitoring Controls
- Ongoing and separate monitoring evaluations
- Remediation of identified control deficiencies
CC5 Control Activities
- Design of control activities to mitigate risks
- Technology control activities
- Deployment through policies and procedures
CC6 Logical & Physical Access
- Access provisioning and deprovisioning
- Multi-factor authentication
- Network and infrastructure security
- Data encryption at rest and in transit
- Physical access controls to facilities
CC7 System Operations
- Threat and vulnerability detection
- Incident response procedures
- Anomaly and security event monitoring
CC8 Change Management
- Authorized, tested, and documented changes
- Change tracking and approval workflows
CC9 Risk Mitigation
- Vendor and business partner risk management
- Insurance and risk acceptance
- Complementary User Entity Controls (CUECs)
SOC 2 Type I vs Type II
Understanding the distinction between Type I and Type II determines your sequencing strategy and what enterprise customers will actually accept.
| Aspect | Type I | Type II |
|---|---|---|
| Point in time | Yes — single date | No — period (6–12 months) |
| Controls tested | Design and implementation | Design, implementation, and operating effectiveness |
| Auditor testing | Inquiry and inspection only | Inquiry, inspection, observation, and re-performance |
| Enterprise acceptance | Limited — demonstrates intent | Gold standard for enterprise due diligence |
| Time to complete | 3–6 months from readiness | 9–18 months (6+ month observation period) |
| Report value | Useful for early-stage proof to prospects | Required by US/EU enterprise customers |
Who needs SOC 2 in Saudi Arabia
SaaS and cloud companies
Saudi SaaS and cloud providers with US or European enterprise customers are routinely required to hold a SOC 2 Type II report as a condition of procurement or contract renewal.
Fintech and payments companies
Saudi fintech companies processing payments or financial data for US/EU counterparties frequently need SOC 2 in addition to SAMA and NCA compliance.
Managed service providers
IT managed service providers and outsourcing companies handling customer infrastructure or data for international clients increasingly carry SOC 2 Type II.
Data centres and colocation
Saudi data centre operators hosting international tenants find SOC 2 reports requested alongside ISO 27001 as part of vendor due diligence.
Technology consultancies
Professional services firms with US/EU clients that involve data access or system management are increasingly subject to SOC 2 vendor assessment requirements.
AI and data processing companies
Companies processing customer data through AI pipelines or analytics services find SOC 2 Trust Services Criteria directly relevant to demonstrating processing integrity and confidentiality.
SOC 2 vs ISO 27001
Many Saudi organizations pursue both SOC 2 and ISO 27001. They serve different audiences — SOC 2 for US/EU enterprise customers, ISO 27001 for regulators and global markets — but share significant control overlap that GRC Vantage cross-maps automatically.
| Topic | SOC 2 (TSC 2017 rev. 2022) | ISO/IEC 27001:2022 |
|---|---|---|
| Issuer | AICPA (American Institute of Certified Public Accountants) | ISO / IEC (International Organization for Standardization) |
| Nature / output | Attestation report issued by a licensed CPA firm | Certificate issued by an accredited certification body |
| Scope | Trust Services Criteria for service organizations | ISMS for any organization type |
| Depth of testing | Operating effectiveness over 6–12 months (Type II) | Controls implemented and conforming to standard |
| Renewal | Annual — new report covers prior year period | 3-year certification with annual surveillance |
| Saudi recognition | Not a Saudi regulation; required by US/EU enterprise customers | Accepted by NCA as partial ECC evidence; widely required by enterprise clients |
| Primary audience | Enterprise customers and prospects in US/EU markets | Regulators, enterprise clients, and global markets |
| Evidence approach | CPA auditor collects and tests evidence across the observation period | Certification body auditor samples controls at Stage 1 and Stage 2 |
How GRC Vantage accelerates SOC 2 Type II
GRC Vantage ships a pre-built SOC 2 programme — all 5 Trust Services Criteria, CC1–CC9 Common Criteria controls, Type II evidence collection over the observation period, and audit-ready report generation — so your CPA firm receives a structured, defensible pack instead of a last-minute document hunt.
Pre-mapped TSC control library
All 5 Trust Services Criteria — including all 33 Common Criteria across CC1–CC9 — are pre-loaded with control descriptions, evidence templates, and ownership workflows so your team can start implementation immediately.
Type II evidence collection over audit period
Scheduled evidence requests, automated document collection, and audit trail logging over your observation period ensure controls are continuously evidenced — not scrambled together at report time.
CUEC (Complementary User Entity Controls) tracking
GRC Vantage tracks Complementary User Entity Controls — the controls your customers must implement for your shared environment to operate securely — and provides customer-facing documentation for vendor due diligence.
Vendor and subservice organization monitoring
Map subservice organizations, track their SOC 2 reports and certifications, and maintain the vendor oversight evidence CPA auditors expect for CC9 risk mitigation criteria.
Audit-ready report generation
Generate structured evidence packages organized by Trust Service Criterion and Common Criteria reference — ready to hand to your CPA firm and dramatically reducing fieldwork time.
ISO 27001 ↔ SOC 2 cross-mapping
GRC Vantage cross-maps ISO 27001 Annex A controls to SOC 2 Common Criteria so organizations pursuing both can satisfy requirements with a single evidence item — eliminating duplicated work.
Frequently asked questions
- What is SOC 2?
- SOC 2 (Service Organization Control 2) is an attestation framework developed by the AICPA for service organizations — primarily technology, cloud, SaaS, and managed service providers. A SOC 2 report provides customers and business partners with an independent auditor's assessment of whether the service organization's controls meet the AICPA's Trust Services Criteria.
- What is the difference between SOC 2 Type I and Type II?
- SOC 2 Type I is a point-in-time assessment: an auditor evaluates whether controls are suitably designed and implemented as of a specific date. SOC 2 Type II is a period-of-time assessment covering 6–12 months: the auditor tests whether controls operated effectively throughout the review period. Type II is the gold standard for enterprise sales — most enterprise customers in the US and EU require a Type II report.
- What are the 5 Trust Services Criteria?
- The 5 Trust Services Criteria are: (1) Security — the mandatory Common Criteria (CC1–CC9); (2) Availability — system availability per committed SLAs; (3) Processing Integrity — complete, valid, accurate, timely, authorized processing; (4) Confidentiality — confidential information is protected; (5) Privacy — personal information is handled per commitments. Security is always included; the others are selected based on the services offered.
- Is SOC 2 required in Saudi Arabia?
- SOC 2 is not a Saudi regulation, but it is increasingly required by US and European enterprise customers as a procurement condition. Saudi fintech, SaaS, cloud, and technology companies selling to US or EU enterprises are frequently required to hold a SOC 2 Type II report. Saudi data centres and managed service providers also find SOC 2 an increasingly common requirement from international tenants.
- How long does SOC 2 Type II take to achieve?
- Achieving SOC 2 Type II typically takes 9–18 months from the start of a readiness programme. The audit observation period itself must be at least 6 months. Before the period begins, organizations typically need 2–4 months to design and implement controls. Some organizations achieve a SOC 2 Type I first (3–6 months) to demonstrate progress to enterprise customers while the Type II audit period runs.
- How does SOC 2 relate to ISO 27001?
- SOC 2 and ISO 27001 are both security frameworks but differ in their output. ISO 27001 results in a certificate; SOC 2 results in an attestation report from a licensed CPA firm. They overlap significantly on security controls — organizations with ISO 27001 certification can reuse substantial evidence for SOC 2 Common Criteria. GRC Vantage cross-maps both frameworks so control evidence satisfies both simultaneously.
Build your SOC 2 programme with GRC Vantage
The complete SOC 2 Trust Services Criteria control library, Type II evidence collection over the observation period, CUEC tracking, vendor subservice monitoring, and ISO 27001 cross-mapping are pre-loaded in GRC Vantage. Book a demo to see how Saudi technology companies achieve attestation faster.