This repository contains the SOC 2 Trust Services Criteria (TSC), essentially the control requirements for SOC 2, and framework mappings in machine-readable format. The Association of International Certified Professional Accountants (AICPA), the originator of the data, does not provide the criteria and mappings in machine-readable formats. This repository is intended to make the data easier to work with for compliance-as-code use cases. See the Disclaimer below.
| Folder | Description |
|---|---|
| soc-2 | SOC 2 source documents |
| trust-services-criteria | Trust Services Criteria control requirements |
SOC 2 is an attestation, not a certification: it is a report issued by an independent auditor (such as a CPA firm) that verifies an organization's controls meet specific criteria related to data security, availability, processing integrity, confidentiality, and privacy. SOC 2 is not prescriptive in the sense of dictating specific requirements, tools, or processes; rather, it sets criteria (the "Trust Services Criteria") for establishing and maintaining robust information security and privacy practices within an organization.
In essence, SOC 2 broadly sets the "what to do" (criteria), and the organization details the "how we do it" (implementation and operation) to achieve compliance with the criteria.
A SOC 2 Type I report focuses on the suitability of the design of controls, while a SOC 2 Type II report covers both the design and the operating effectiveness of those controls. A Type I report offers a point-in-time snapshot of the design of an organization's controls (well designed / not well designed), while a Type II report provides a more comprehensive and descriptive view of how an organization's controls are implemented and operate in practice (well designed / not well designed, plus effective over time / not effective over time).
All data comes from source files, usually published on the AICPA website (frequently as PDF files); the links are listed in the References below or within each subfolder. The source data is not modified, only converted to machine-readable formats. All rights to the data remain with their respective owners. If the data has been modified, this is noted in the readme file within the subfolder. This repository is not affiliated with AICPA, nor is it an official AICPA product. The data is provided as-is and should be used at your own risk. It is not guaranteed to be up to date or accurate; please refer to the AICPA website for the most current information.
Contributions are welcome! If you have any suggestions or improvements, please open an issue or submit a pull request. Please see the CONTRIBUTING.md file for more information.
This project is licensed under the GNU GPL v3 License. See the LICENSE file for details. This license applies only to the code and data files in this repository. The source data is not licensed under this license and remains subject to the rights of its respective owners. Please refer to the AICPA website for the most current licensing information.