Looking for SOC 2 control automation? Strac Comply auto-maps live evidence from your cloud, SaaS, endpoints, and AI surfaces to each SOC 2 control — with Strac\'s DLP product providing the underlying data-protection evidence directly. One platform, every framework. Start at comply.strac.io →
The AICPA's 2017 Trust Services Criteria (the version current auditors use) organizes controls into:
Each control point has one or more Points of Focus — suggested implementation guidance the auditor uses to evaluate sufficiency. Points of Focus are not mandatory; they inform professional judgment.
The foundation. Auditors confirm leadership commitment to security and ethical conduct.
How the organization captures and shares security-relevant information.
Common evidence: internal security newsletters, customer-facing security pages, employee training records, change-communication artifacts.
How you identify, assess, and treat risk.
Common evidence: annual risk assessment, risk register, threat-modeling exercises, fraud risk review.
How the organization confirms controls are still working.
Common evidence: internal audit reports, continuous monitoring dashboards (this is where compliance automation platforms shine), remediation tracking.
The actual implementation of policies and procedures.
Common evidence: policy documents (information security, acceptable use, access control, change management, incident response, business continuity, vendor management), policy acknowledgment records.
The largest section. This is where most SOC 2 audit time gets spent. 8 control points cover the entire access-and-data-protection surface.
CC6.6 and CC6.7 are where Strac Comply uniquely differentiates — Strac DLP's continuous data classification and redaction across SaaS/cloud/endpoint/AI surfaces produces the audit evidence directly. Most compliance platforms send you to integrate a separate DLP; Strac Comply ships with the DLP product.
Day-to-day operational security.
Production change controls.
Common evidence: peer-reviewed pull requests, change tickets, deployment automation logs, infrastructure-as-code repositories with approval gates.
Business continuity and third-party risk.
Common evidence: BC/DR plan with tabletop exercise records, vendor security review process with documented assessments per critical vendor.
18 control points aligned to the OECD privacy principles, covering notice (P1), choice and consent (P2), collection (P3), use and retention (P4), access (P5), disclosure (P6), quality (P7), and monitoring (P8). Privacy is the longest optional criterion and requires the most policy documentation.
Strac Comply is the AI-native compliance automation platform built for security-led teams. The platform watches your live systems and auto-maps the right evidence to each SOC 2 control.
Where Strac Comply uniquely covers controls competitors don't:
What Strac Comply automates per Common Criterion:
Strac Comply maps every piece of live evidence to the right SOC 2 control automatically — cloud config, SaaS audit logs, endpoint posture, DLP events, MCP tool calls. The same Strac platform protecting your data is the platform generating your audit evidence.
Mapping controls to your tools? See the integration-specific SOC 2 guides: AWS SOC 2, GitHub SOC 2, Google Workspace SOC 2, Microsoft 365 SOC 2.
The Security TSC alone has 9 Common Criteria (CC1-CC9) with approximately 64 underlying control points. Adding all optional TSCs gets you to about 92 total. The exact count depends on which Points of Focus your auditor evaluates as separate controls.
Principles-based. The AICPA defines the criteria; you design the controls. Two companies can satisfy CC6.7 differently — one with full-disk encryption and a vault, another with DLP plus tokenization — and both pass. The auditor evaluates sufficiency.
CC6 (Logical and Physical Access Controls) with 8 control points. It covers access provisioning, MFA, encryption, DLP, network segmentation, and endpoint protection. Most audit hours land here.
Only if you scope them in. If your audit covers Security only, you don't need Availability, Confidentiality, Processing Integrity, or Privacy controls. Most SaaS companies start Security-only; healthcare and fintech add Confidentiality and Availability.
A control is the requirement (e.g., "Logical access security software, infrastructure, and architectures over protected information assets"). A Point of Focus is the AICPA's suggested implementation example (e.g., "Identifies and Manages the Inventory of Information Assets"). Controls are mandatory; Points of Focus inform auditor judgment but are not themselves required.
CC6.7 reads: "The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives." In 2026 that means DLP coverage on SaaS messages and files, encryption in transit, and increasingly — redaction at the MCP tool-call boundary when AI agents pull data. Strac is the only platform that provides all three from a single product. See MCP security.
Yes. Every piece of evidence is mapped to all applicable frameworks simultaneously — SOC 2, HIPAA, ISO 27001, PCI DSS, GDPR, CCPA, EU AI Act, ISO 42001. One control evidence covers up to seven frameworks at once.
Most controls auto-light up on integration. Policy generation (CC5) takes a 10-minute questionnaire. Access reviews (CC6.3) become quarterly automation. The longest task is human-driven controls — risk assessments (CC3.2), tabletop exercises (CC7.4), vendor reviews (CC9.2) — which still require expert judgment but become tracked workflows in the platform.
The AICPA Trust Services Criteria are US-defined. International audits typically use ISO 27001 instead, though SOC 2 is increasingly accepted globally by US-headquartered customers buying from non-US vendors. See SOC 2 vs ISO 27001 for the cross-framework view.
SOC 2 controls are organized into 9 Common Criteria (mandatory) plus optional TSCs. CC6 (access + data protection) is where most evaluation time lands. Strac Comply maps every live system event to the right control automatically — and uniquely covers CC6.6 and CC6.7 with the Strac DLP product directly.
.avif){kind=icon}
.gif)
.webp)
