SOC 2 Type II Security TSC

SOC 2 (System and Organization Controls 2) is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates service organizations against Trust Service Criteria (TSC) — a set of principles covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. The Security TSC (also called the Common Criteria) is the baseline required in every SOC 2 engagement and is what Ayliea’s 84-question assessment evaluates.

A SOC 2 Type II report covers a period of time (typically 6 to 12 months) rather than a point in time. The report provides evidence that your controls were not just designed correctly but operated effectively throughout the review period. This distinction makes SOC 2 Type II the gold standard that enterprise buyers, investors, and partners request when assessing the security of service organizations.

If your organization is a SaaS company, cloud platform, data processor, or any business that stores or processes customer data, you will almost certainly be asked to provide a SOC 2 report at some point in a sales cycle or enterprise vendor assessment. Ayliea’s assessment helps you understand your readiness before you engage an auditor.

What Ayliea Assesses

The assessment maps to the AICPA’s Common Criteria (CC), organized into seven logical groupings:

  • The foundation of your internal control program. Evaluates board and management commitment to security, assignment of authority and responsibility, human resources practices, and the overall tone and accountability structures that support effective controls.
  • How your organization obtains, generates, and uses information relevant to security objectives. Covers internal communication of security policies and responsibilities and external communication of commitments to customers and third parties.
  • Your process for identifying and assessing risks to achieving security commitments. Evaluates risk identification methodology, fraud risk consideration, and how risk assessment informs control design and investment.
  • How your organization evaluates whether controls are present and functioning. Covers ongoing monitoring activities, independent evaluations, and how deficiencies are identified, reported, and remediated.
  • The selection and development of specific controls that mitigate identified risks. Evaluates how controls are designed, implemented, and updated in response to changing risk conditions.
  • The most technical section of the Common Criteria. Covers logical and physical access restrictions to assets, encryption and key management, network and endpoint security, change management processes (including software development lifecycle controls), and risk mitigation for vendor and business partner access.
  • Business disruption risk identification and mitigation, and vendor and business partner risk management. Evaluates how your organization monitors for threats, responds to incidents, and manages the risks introduced by the third parties you depend on.

Who Needs This Assessment

  • SaaS companies that sell to enterprise customers who require SOC 2 reports as a condition of purchase
  • Cloud service providers, data centers, and managed security service providers
  • Any organization that stores, processes, or transmits sensitive customer data
  • Companies preparing for a SOC 2 Type I or Type II audit — use the assessment to identify gaps before the auditor arrives
  • Organizations responding to security questionnaires that reference SOC 2 criteria
  • Compliance teams that need to map existing controls to the Common Criteria before a readiness assessment

Getting Started

The SOC 2 assessment requires an Organization subscription. Select SOC 2 from the framework list in the Assess tab. The logical groupings make it straightforward to assign the assessment across your engineering, security, and GRC teams. For step-by-step instructions, see the Quickstart guide.