SOC 2 (AICPA Trust Services Criteria 2017, rev. 2022) — Gap Analysis
AICPA SOC 2 — Security, Availability, Confidentiality, Processing Integrity, Privacy
About SOC 2 (AICPA Trust Services Criteria 2017, rev. 2022)
SOC 2 is the AICPA System and Organization Controls report on the Trust Services Criteria (TSC). The Common Criteria (CC) cover Security and form the baseline; additional categories (Availability, Confidentiality, Processing Integrity, Privacy) are added based on the services in scope. SOC 2 reports are issued by a licensed CPA firm as either Type I (point-in-time design) or Type II (operating effectiveness over a period, typically 6 or 12 months). They are a standard contractual requirement for B2B SaaS in North America and increasingly globally.
Issuing Body
American Institute of Certified Public Accountants (AICPA)
Edition
2017
Coverage
Trust Services Criteria covering Common Criteria (Security) + Availability + Confidentiality + Processing Integrity + Privacy.
Typical Users
SaaS, cloud, MSPs, fintech, healthtech, B2B service providers needing customer assurance over data controls.
How to use this tool
1. Work through each clause. For each requirement, choose Compliant, Partial, Non-compliant, or leave as Not assessed.
2. Add notes against any requirement to record evidence, gaps, or corrective actions.
3. Click Save progress in the sidebar — data is stored locally in your browser, never uploaded.
4. Export the report as TXT, CSV, JSON or print to PDF for your audit file.
Note: This tool is a guided self-assessment. It does not replace a third-party audit and the authoritative version of the standard must be obtained from the issuing body.
ISO Xpert — Get in touch
UK-based consultancy specialising in management-system gap analysis, training and certification preparation across ISO, API, Halal, GFSI, ESG, cybersecurity and industry-specific standards.
Office
71-75 Shelton Street, Covent Garden, London WC2H 9JQ, UK