SOC 2 is meant to be customized

Many organizations pursuing a SOC 2 report for the first time get frustrated when trying to achieve compliance. The biggest frustration is the misconception that SOC 2 dictates a rigid set of control requirements and evidence to demonstrate compliance. If you are pursuing a SOC 2, you should know that you can customize your set of security controls. Your auditor does not dictate your security controls.

Four things you need to know to customize your SOC 2 Report:

1) SOC 2 is designed to be unique to your environment

SOC 2 establishes high-level criteria but is flexible and customizable to fit your unique business and IT controls environment.

2) Design of Controls

The auditor should work with you to customize the SOC 2 controls and the evidence request list. In SOC 2 industry speak, this is called “design of controls”.

3) Firm Requirements

Some requirements are firm — for example, you have to have policies, and access to systems needs to be tight.

4) Wildly different processes for each organization

Some processes are wildly different from company to company — for example, the Software Development Lifecycle (SDLC). There are 100 different DevOps, Agile, and Scrum flavors.


If you are pursuing SOC 2 and the evidence requests don’t make sense, or you haven’t had a conversation about your unique controls, ask your auditor about the “design of controls”. Your security/audit firm should be a partner when it comes to deciphering the nuances of SOC 2 and how they fit your business.