All insights
SOC 2
· 12 min read

SOC 2 — A Critical Standard for Modern Data Security

The five Trust Services Criteria, the CC1–CC9 controls, and why SOC 2 compliance now decides which SaaS vendors close enterprise deals.

Published 4 November 2025 · Updated 12 May 2026

Why SOC 2 has become table stakes

SOC 2 is no longer a differentiator — it is the entry ticket to enterprise procurement. Every mid-market and Fortune 500 buyer now expects a Type II report before signing a data-processing agreement.

Unlike ISO 27001, SOC 2 is designed around service organisations. The report is written for auditors of the buyer, which is why the narrative section matters as much as the control matrix.

The five Trust Services Criteria

Security is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are elective based on the commitments you make to customers.

Scoping the right combination avoids the classic mistake of over-scoping to Privacy without a real privacy programme underneath it.

CC1 through CC9 in practice

CC1 (control environment) and CC2 (communication) are almost entirely governance. CC3 through CC5 cover risk assessment, monitoring, and control activities.

CC6 (logical access), CC7 (system operations), CC8 (change management) and CC9 (risk mitigation) are where most first-time findings emerge.

Engage CHNYD Trace

Talk to a partner about SOC 2 — scoping calls are complimentary.

Request consultation →