SOC 2 Identity Requirements: A Practical Guide

SOC 2 has become the de facto security certification for B2B companies. If you're selling to enterprises, you'll likely face SOC 2 requirements from customers and prospects. Here's what identity-related controls you need to implement.

Understanding SOC 2

SOC 2 (Service Organization Control 2) is an audit standard developed by the American Institute of CPAs (AICPA). It reports on a service organisation's controls relevant to security, availability, processing integrity, confidentiality, or privacy.

SOC 2 Trust Service Criteria

SOC 2 is built around five Trust Service Criteria:

1. Security - The system is protected against unauthorized access (both physical and logical)
2. Availability - The system is available for operation and use as committed or agreed
3. Processing integrity - System processing is complete, valid, accurate, timely, and authorized
4. Confidentiality - Information designated as confidential is protected as committed or agreed
5. Privacy - Personal information is collected, used, retained, disclosed, and disposed of appropriately

Most organisations pursue SOC 2 for the Security criteria, which is the most relevant for identity.

Type I vs Type II

• SOC 2 Type I: Point-in-time assessment of controls design
• SOC 2 Type II: Assessment of control effectiveness over time (typically 6-12 months)

Most enterprises require Type II for due diligence.

Identity-related SOC 2 requirements

Access Control (CC6.1)

This is the core identity-related criteria:

Logical access controls:

• Implement logical access security measures
• Control who can access the system and what they can do
• Restrict access to sensitive data and functionality

User registration and authorization:

• Have formal processes for granting access
• Document who has access to what
• Remove access when no longer needed

What this means in practice:

• User provisioning process for new employees
• Access request and approval workflow
• Role-based access control implementation
• Periodic access reviews

Access Enforcement (CC6.2)

Controls must be in place to enforce access decisions:

Authorization mechanisms:

• Implement technical controls to enforce access decisions
• Prevent unauthorized access to systems and data
• Use role-based or attribute-based access control

Segregation of duties:

• Separate incompatible functions
• Prevent single individuals from completing risky workflows
• Document segregation of duties matrix

Access Removal (CC6.3)

When access is no longer needed:

Timely removal:

• Remove access promptly when relationships end
• Implement automated deprovisioning where possible
• Have processes for emergency access removal

What auditors look for:

• Evidence of access removal within defined timeframes
• Process for handling access when employment ends
• Testing that departed employee accounts are disabled

System Credentials (CC6.4)

Managing system identities:

Credential management:

• Securely manage passwords, keys, and other credentials
• Implement password complexity requirements
• Control who can reset credentials

Service account management:

• Document service accounts and their purpose
• Control service account access
• Rotate credentials regularly

Multi-Factor Authentication (CC6.6)

For systems with sensitive data:

MFA implementation:

• Require multi-factor authentication for access
• Use methods resistant to phishing
• Protect MFA enrollment processes

Monitoring (CC7.2)

Detecting anomalous activity:

Anomaly detection:

• Implement monitoring to detect unauthorized access
• Alert on suspicious activity
• Investigate detected anomalies

What this means:

• Log access to sensitive systems
• Review logs for anomalous patterns
• Have incident response processes

Common SOC 2 identity gaps

Incomplete user directories

Often missing:

• Complete inventory of all user accounts
• Clear ownership of user directories
• Regular reconciliation of user lists

Manual provisioning

Common issues:

• Informal processes for granting access
• No documented approval workflows
• Inconsistent application of access rules

Poor access reviews

Frequent findings:

• Access reviews not conducted regularly
• Reviews not documented
• Findings not remediated

Weak credential policies

Common problems:

• Password policies not enforced
• No MFA on sensitive systems
• Service accounts with excessive permissions

Insufficient logging

Often missing:

• Comprehensive logging of access
• Log retention per SOC 2 requirements
• Review of logs for anomalies

Preparing for SOC 2

12 months before audit

1. Define scope: Which systems, services, and data are in scope?
2. Select trust service criteria: Which criteria are you addressing?
3. Gap analysis: Compare current controls to SOC 2 requirements
4. Remediation plan: Address identified gaps

6 months before audit

1. Implement controls: Deploy technical and procedural controls
2. Document procedures: Write operational procedures for all controls
3. Train staff: Ensure everyone knows their responsibilities
4. Begin monitoring: Start collecting evidence of control operation

3 months before audit

1. Test controls: Run tests of control effectiveness
2. Address findings: Remediate any control failures
3. Prepare documentation: Organise evidence for auditors
4. Select auditor: Engage your SOC 2 audit firm

1 month before audit

1. Final review: Ensure all documentation is complete
2. Evidence collection: Compile all required evidence
3. Auditor coordination: Confirm logistics with audit firm
4. Kick-off: Begin the audit process

Key identity controls to implement

User lifecycle management

Provisioning:

• Formal request process
• Approval workflow
• Role assignment based on job function
• Welcome communications

Changes:

• Process for role changes
• Access modification workflow
• Manager notification

Deprovisioning:

• Triggered by termination or role change
• Immediate access removal
• Exit interview checklist
• Asset return process

Access certification

Quarterly reviews:

• Review all user access
• Attestation from managers
• Documentation of review

Annual certification:

• Comprehensive review
• Executive attestation
• Evidence retention

Credential management

Password policy:

• Length and complexity requirements
• History restrictions
• Maximum age limits

MFA requirements:

• Enforced for all users
• Phishing-resistant methods preferred
• Exceptions documented and approved

Service accounts:

• Inventory of all service accounts
• Documented owners
• Credential rotation schedule

Logging and monitoring

Event logging:

• Authentication events
• Authorization decisions
• Administrative actions
• Data access

Log review:

• Automated alerting
• Periodic manual review
• Anomaly investigation

Retention:

• Minimum 12 months
• Protected from tampering
• Available for analysis

Evidence you'll need

Auditors will request evidence of control operation:

Access management

• User provisioning documentation
• Access request forms
• Access review reports
• Termination checklists

Credential management

• Password policy documentation
• MFA enrollment reports
• Service account inventory
• Credential rotation evidence

Monitoring

• Log sample showing access events
• Alert configuration documentation
• Incident response records

Policies

• Access management policy
• Password policy
• Acceptable use policy
• Incident response policy

Working with auditors

Selecting an auditor

• Look for AICPA membership
• Check industry experience
• Consider firm size and resources
• Understand their approach

During the audit

• Provide evidence promptly
• Respond to auditor questions
• Be transparent about gaps
• Ask for clarification when needed

After the audit

• Review the report carefully
• Address any exceptions
• Plan remediation
• Prepare for next audit

Maintaining SOC 2 compliance

SOC 2 isn't a one-time achievement—it requires ongoing attention:

Continuous monitoring

• Regular control testing
• Automated alerting
• Continuous evidence collection

Periodic activities

• Quarterly access reviews
• Annual policy reviews
• Regular penetration testing
• Annual audit preparation

Continuous improvement

• Address audit findings promptly
• Update controls as needed
• Document changes
• Maintain evidence

Conclusion

SOC 2 compliance is achievable for organisations of all sizes. The key is implementing proper identity controls, documenting your processes, and maintaining evidence of control operation.

Start early, stay consistent, and remember: SOC 2 is about demonstrating that you have controls in place to protect customer data. Good identity management is the foundation of that protection.