Workshop on preparing for a SOC 2 Type II examination. Covers Trust Services Criteria selection, control design, the audit period, evidence collection cadence, common auditor findings, and the relationship between SOC 2 and other frameworks (ISO 27001, FedRAMP, HIPAA). Targeted at SaaS providers with enterprise customers.
Achieving a SOC 2 Type II report is one of the most consequential milestones a SaaS provider can reach with enterprise customers. Unlike a point-in-time Type I assessment, a Type II examination evaluates whether your controls operated effectively across an entire audit period — typically six to twelve months. This workshop walks your team through every stage of that journey, from the decisions made before the audit clock starts to the findings that most commonly derail otherwise prepared organizations.
The workshop opens with the foundational decisions that shape everything downstream. Instructor Carl B. Johnson explains how to evaluate the five Trust Services Criteria categories — Security, Availability, Confidentiality, Processing Integrity, and Privacy — against your service commitments and customer contract obligations. You will learn why most SaaS providers anchor on the Security category (the Common Criteria, or CC, controls) and how to build a defensible rationale for including or excluding the remaining four criteria.
Under the SSAE 18 attestation standard, management is responsible for designing controls that satisfy the applicable Trust Services Criteria. This segment covers what "suitable design" means in practice: mapping criteria to specific control activities, identifying the people, processes, and technology that constitute each control, and documenting control owners and frequencies. Common design gaps — over-reliance on compensating controls, missing vendor management controls, and undefined change management procedures — are examined with concrete examples drawn from real audit cycles.
One of the most underestimated challenges in SOC 2 Type II readiness is sustaining evidence production month after month. This portion of the workshop establishes a practical evidence collection cadence aligned to control frequencies: continuous, daily, weekly, monthly, quarterly, and annual. You will build an understanding of the evidence types auditors expect — access review logs, vulnerability scan outputs, security awareness training completion records, incident response tickets, and change advisory board documentation — and how to organize them in a format that supports efficient auditor review.
Carl draws on direct audit experience to catalog the findings that appear most frequently in SOC 2 Type II engagements for SaaS providers: logical access exceptions not remediated within policy-defined windows, missing evidence for controls triggered by low-frequency events, undocumented risk assessment processes, and gaps in third-party vendor risk documentation. For each finding category, the session presents preventive measures you can implement before your audit period begins.
Enterprise customers in regulated industries rarely ask for SOC 2 in isolation. This segment maps the Trust Services Criteria to overlapping requirements in ISO 27001, FedRAMP, and HIPAA, identifying controls that satisfy multiple frameworks simultaneously and areas where SOC 2 alone leaves meaningful gaps. If your organization is pursuing or maintaining any of these parallel frameworks, understanding the relationship — and the divergences — saves significant duplication of effort. Organizations looking to integrate these efforts into a broader program may also benefit from Cleared Systems' Compliance Program Development services.
This workshop is designed for the practitioners who own the day-to-day work of SOC 2 readiness at SaaS companies: compliance managers, IT security analysts, cloud infrastructure engineers, and GRC program leads who are preparing for a first Type II examination or strengthening a program ahead of renewal. It is equally relevant for CTOs, VPs of Engineering, and Security Directors who need to understand the operational lift their teams will carry through an audit period and what it takes to sustain it.
Managers evaluating this training for their teams: if your organization has enterprise customers requiring SOC 2 Type II reports as a condition of doing business, the controls knowledge and evidence management discipline covered here directly reduce audit preparation time and the risk of a qualified opinion. Organizations that also support federal or SLED customers may find additional value in pairing this workshop with Cleared Systems' Regulatory vCISO Services to maintain continuous readiness across multiple frameworks.
SOC 2 Type II readiness is not a sprint you run at the end of the year — it is a discipline built and maintained across every month of your audit period. This four-hour workshop gives your team the framework knowledge, practical tools, and gap-analysis skills to build that discipline before the examination begins. Explore our full compliance services to see how Cleared Systems supports organizations at every stage of their security and compliance journey.
Ask about group rates, private delivery of this curriculum for your team, or whether this session fits your compliance roadmap.