[{"data":1,"prerenderedAt":19765},["ShallowReactive",2],{"\u002Fframeworks\u002Fsoc2":3,"framework-hub-topics-soc2":644,"related-glossary-soc2":8230,"related-frameworks-soc2":16712},{"id":4,"title":5,"advantages":6,"body":28,"checklist":566,"cta":575,"description":546,"extension":578,"faq":579,"hero":596,"lastUpdated":610,"meta":611,"name":612,"navigation":613,"path":614,"resources":615,"seo":628,"slug":631,"stats":632,"stem":642,"__hash__":643},"frameworks\u002F5.frameworks\u002Fsoc2.md","Soc2",[7,14,21],{"title":8,"description":9,"bullets":10},"Mapped once, reused forever","Applies Trust Service Criteria to your existing controls and keeps overlaps synced.",[11,12,13],"Control graph highlights reuse across security, availability, and confidentiality","AI suggests narratives and testing procedures","Version history shows every update for auditors",{"title":15,"description":16,"bullets":17},"Evidence organized by control","Upload and track screenshots, configs, and exports in a structured evidence locker.",[18,19,20],"Organized screenshots, configs, and test exports","Alerting when evidence expires or SLAs slip","Immutable locker with reviewer threads",{"title":22,"description":23,"bullets":24},"Auditor collaboration hub","Invite your auditor with scoped access and keep Q&A right next to each control.",[25,26,27],"Bulk requests & fulfillment tracking","Redacted file sharing with access controls","One-click SOC 2 summaries for customers",{"type":29,"value":30,"toc":545},"minimark",[31,36,40,49,57,64,68,71,78,84,101,105,111,116,119,123,131,135,138,142,150,154,161,165,168,171,190,198,202,209,252,255,259,262,265,303,311,315,318,376,379,383,386,395,404,413,427,435,439,447,479,482,486,489,492,530],[32,33,35],"h2",{"id":34},"what-is-soc-2","What is SOC 2?",[37,38,39],"p",{},"SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how a service organization manages 
customer data. A SOC 2 report is the de facto security credential for modern SaaS companies — enterprise buyers request it before signing, procurement teams rely on it during vendor reviews, and auditors consult it when assessing outsourced systems. Unlike a prescriptive standard, SOC 2 is principle-based. It does not tell you which tools to deploy; it tells you which outcomes you must demonstrate and leaves the implementation details to you.",[37,41,42,43,48],{},"SOC 2 evolved from SAS 70, an older attestation framework used primarily for financial reporting systems. As technology service providers increased their role in handling sensitive data, the AICPA introduced the SOC reporting suite. SOC 1 continued to address controls relevant to financial reporting. SOC 2 and SOC 3 shifted attention to information security, availability, and related commitments. Today, SOC 2 is issued under the AICPA's AT-C 105 and AT-C 205 attestation standards, following the ",[44,45,47],"a",{"href":46},"\u002Fglossary\u002Fssae-18","SSAE 18"," framework.",[37,50,51,52,56],{},"A SOC 2 engagement produces an opinion letter from a licensed CPA firm. That letter is the report buyers ask for. It documents the system under audit, the ",[44,53,55],{"href":54},"\u002Fframeworks\u002Fsoc2\u002Ftrust-services-criteria","Trust Services Criteria"," selected, the controls in place, the testing the auditor performed, and any exceptions noted. A clean SOC 2 opinion signals to the market that a third party examined your controls and found them suitable — or in the case of Type II, found them operating effectively across a defined window.",[37,58,59,60,63],{},"SOC 2 is built on five ",[61,62,55],"strong",{},": security, availability, processing integrity, confidentiality, and privacy. Security is mandatory. The other four are optional and chosen based on your service commitments and customer expectations. 
Most first-time SOC 2 audits cover security alone or security plus one or two additional criteria. Scope expansion happens later, as the program matures.",[32,65,67],{"id":66},"soc-2-type-i-vs-type-ii","SOC 2 Type I vs Type II",[37,69,70],{},"Every SOC 2 engagement is either Type I or Type II, and the difference matters.",[37,72,73,74,77],{},"A ",[61,75,76],{},"SOC 2 Type I"," report evaluates whether controls are suitably designed and implemented as of a single date. Think of it as a design review. The auditor confirms your policies exist, your technical controls are configured, and your processes are in place. Type I is the fastest path to a SOC 2 report and is useful when a deal is on the line, but it does not prove your controls work day after day.",[37,79,73,80,83],{},[61,81,82],{},"SOC 2 Type II"," report evaluates whether controls operated effectively across an observation period, typically three to twelve months. The auditor samples evidence from throughout the period — access reviews, change approvals, incident tickets, monitoring alerts — to confirm that controls were not just designed but consistently executed. Most enterprise buyers require a Type II, and many will not accept a Type I at all.",[37,85,86,87,91,92,96,97,100],{},"For a full comparison including cost benchmarks, observation period tradeoffs, and decision frameworks, see ",[44,88,90],{"href":89},"\u002Fframeworks\u002Fsoc2\u002Ftype-1-vs-type-2","SOC 2 Type 1 vs Type 2",". Related glossary terms: ",[44,93,95],{"href":94},"\u002Fglossary\u002Fsoc2-type-2","SOC 2 Type 2"," and ",[44,98,55],{"href":99},"\u002Fglossary\u002Ftrust-services-criteria",".",[32,102,104],{"id":103},"the-five-trust-services-criteria","The five Trust Services Criteria",[37,106,107,108,110],{},"The ",[44,109,55],{"href":54}," define the principles your controls must satisfy. 
Each criterion addresses a different aspect of how a service organization protects and manages customer data.",[112,113,115],"h3",{"id":114},"security-common-criteria-required","Security (Common Criteria) — required",[37,117,118],{},"The security criterion, also called the Common Criteria, is required for every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories (CC1 through CC9) that map to the COSO internal control framework and cover governance, communication, risk assessment, monitoring, access control, system operations, change management, and vendor risk. Every SOC 2 report includes testing against these categories.",[112,120,122],{"id":121},"availability","Availability",[37,124,125,126,130],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. It covers environmental protections, capacity planning, disaster recovery, and incident management for availability-impacting events. If your product has published SLAs or customers rely on continuous uptime, include availability. Read the ",[44,127,129],{"href":128},"\u002Fframeworks\u002Fsoc2\u002Favailability-criteria","availability criteria deep dive"," for common controls and implementation patterns.",[112,132,134],{"id":133},"processing-integrity","Processing integrity",[37,136,137],{},"Processing integrity focuses on whether the system processes data completely, validly, accurately, timely, and with proper authorization. This criterion is relevant for platforms that perform calculations, process financial transactions, or transform customer data. 
It is less common in first-time SOC 2 audits but important for fintech, billing platforms, and data pipelines that customers rely on for operational decisions.",[112,139,141],{"id":140},"confidentiality","Confidentiality",[37,143,144,145,149],{},"The confidentiality criterion addresses information designated as confidential — distinct from personal information. It covers data classification, access restrictions, encryption, and secure disposal of confidential data. If you handle intellectual property, business plans, or other sensitive non-personal information on behalf of clients, include confidentiality. See the ",[44,146,148],{"href":147},"\u002Fframeworks\u002Fsoc2\u002Fconfidentiality-criteria","confidentiality criteria deep dive"," for details.",[112,151,153],{"id":152},"privacy","Privacy",[37,155,156,157,100],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether your data practices match your stated privacy commitments across notice, choice, collection, use, retention, disclosure, security, and accuracy. Privacy aligns closely with regulations like GDPR and CCPA and is the most demanding criterion in terms of control coverage. For a full walkthrough, see the ",[44,158,160],{"href":159},"\u002Fframeworks\u002Fsoc2\u002Fprivacy-criteria","privacy criteria deep dive",[32,162,164],{"id":163},"who-needs-soc-2-compliance","Who needs SOC 2 compliance?",[37,166,167],{},"SOC 2 is not legally mandated, but the market treats it as a cost of doing business. Any SaaS company, cloud service provider, managed service provider, or data processor that handles customer data is a likely SOC 2 candidate. 
If your customers are businesses and their security teams will scrutinize your controls before signing, SOC 2 is almost certainly on your roadmap.",[37,169,170],{},"Companies typically pursue SOC 2 when one or more of the following is true:",[172,173,174,178,181,184,187],"ul",{},[175,176,177],"li",{},"Enterprise prospects are asking for a report during procurement or vendor reviews.",[175,179,180],{},"Sales cycles are slowing because buyers are blocking deals on security questionnaires.",[175,182,183],{},"Existing customers are requesting a current SOC 2 report during annual reviews.",[175,185,186],{},"Investors or partners are asking about the company's security posture.",[175,188,189],{},"The business is entering regulated verticals like financial services, healthcare, or government.",[37,191,192,193,197],{},"Industries that almost always require SOC 2 from their vendors include financial services, healthcare, legal technology, HR technology, martech that handles PII, and any B2B SaaS selling into enterprise accounts. For SaaS companies specifically, SOC 2 has become table stakes — see ",[44,194,196],{"href":195},"\u002Fnow\u002Fsoc2-for-saas","SOC 2 for SaaS"," for a deeper discussion.",[32,199,201],{"id":200},"the-soc-2-audit-process-overview","The SOC 2 audit process overview",[37,203,107,204,208],{},[44,205,207],{"href":206},"\u002Fframeworks\u002Fsoc2\u002Faudit-process","SOC 2 audit process"," follows a predictable sequence. 
Understanding each phase prevents surprises and helps you set realistic timelines with your team and auditor.",[210,211,212,228,234,240,246],"ol",{},[175,213,214,217,218,222,223,227],{},[61,215,216],{},"Scoping and readiness assessment."," Define what systems and Trust Services Criteria are in scope, then perform a ",[44,219,221],{"href":220},"\u002Fframeworks\u002Fsoc2\u002Freadiness-assessment","readiness assessment"," to compare current controls against ",[44,224,226],{"href":225},"\u002Fframeworks\u002Fsoc2\u002Frequirements","SOC 2 requirements",". The output is a prioritized remediation plan.",[175,229,230,233],{},[61,231,232],{},"Remediation."," Close the gaps identified during readiness. Common items include formalizing policies, enabling MFA everywhere, centralizing logging, documenting vendor risk processes, and running tabletop exercises.",[175,235,236,239],{},[61,237,238],{},"Auditor selection."," SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Request proposals from two to four firms, compare scope and pricing, and check references from similar companies.",[175,241,242,245],{},[61,243,244],{},"Audit fieldwork."," For Type I, the auditor validates control design at a point in time. For Type II, the auditor samples evidence from across the observation period and tests operating effectiveness.",[175,247,248,251],{},[61,249,250],{},"Report delivery and ongoing operation."," Once the report is issued, plan the next observation period so you maintain continuous coverage with no bridge gaps that buyers might question.",[37,253,254],{},"Most organizations complete their first Type I in three to six months and their first Type II in six to eighteen months, depending on starting maturity and observation period length.",[32,256,258],{"id":257},"what-does-soc-2-cost","What does SOC 2 cost?",[37,260,261],{},"SOC 2 cost varies widely based on scope, starting maturity, and whether you pursue Type I, Type II, or both. 
Auditor fees are the largest line item, but they are not the only cost. You should budget for readiness consulting, compliance tooling, internal staff time, remediation work, and penetration testing.",[37,263,264],{},"Typical benchmarks for a first-time SOC 2 engagement:",[172,266,267,273,279,285,291,297],{},[175,268,269,272],{},[61,270,271],{},"Type I auditor fees",": $15,000 to $40,000",[175,274,275,278],{},[61,276,277],{},"Type II auditor fees",": $25,000 to $80,000",[175,280,281,284],{},[61,282,283],{},"Readiness consulting"," (optional): $10,000 to $40,000",[175,286,287,290],{},[61,288,289],{},"Compliance platform",": $6,000 to $60,000 annually depending on vendor",[175,292,293,296],{},[61,294,295],{},"Penetration testing",": $8,000 to $30,000 per test",[175,298,299,302],{},[61,300,301],{},"Internal staff time",": 200 to 600 hours across the first cycle",[37,304,305,306,310],{},"Total first-year cost for most growth-stage SaaS companies lands between $40,000 and $200,000. See the full ",[44,307,309],{"href":308},"\u002Fframeworks\u002Fsoc2\u002Fcost","SOC 2 cost breakdown"," for detailed ranges and cost-reduction strategies.",[32,312,314],{"id":313},"common-soc-2-challenges","Common SOC 2 challenges",[37,316,317],{},"SOC 2 programs rarely fail because the audit is unfair. They fail because organizations underestimate the operational discipline required. The challenges show up in predictable places.",[172,319,320,326,332,338,344,355,366],{},[175,321,322,325],{},[61,323,324],{},"Scope creep."," Teams add new systems mid-audit or expand Trust Services Criteria without revisiting the control set. Every addition extends timelines and evidence requirements.",[175,327,328,331],{},[61,329,330],{},"Evidence gaps."," Screenshots expire. Configurations change. Ownership drifts between quarters. 
By the time the auditor asks, the evidence trail is broken.",[175,333,334,337],{},[61,335,336],{},"Cross-team coordination."," SOC 2 touches engineering, IT, HR, legal, and finance. Without a single source of truth for control status, teams duplicate work or miss handoffs.",[175,339,340,343],{},[61,341,342],{},"Policy drift."," Policies written for the audit do not match how the team actually operates. Auditors detect this quickly during interviews and walkthroughs.",[175,345,346,349,350,354],{},[61,347,348],{},"Vendor oversight."," Third-party vendors handle critical data but are rarely monitored with the same rigor as internal systems. See ",[44,351,353],{"href":352},"\u002Fframeworks\u002Fsoc2\u002Fvendor-management","vendor management"," for how to close this gap.",[175,356,357,360,361,365],{},[61,358,359],{},"Change management."," Production changes bypass approval workflows, leaving no audit trail. ",[44,362,364],{"href":363},"\u002Fframeworks\u002Fsoc2\u002Fchange-management","Change management"," is a frequent source of Type II exceptions.",[175,367,368,371,372,100],{},[61,369,370],{},"Incident response immaturity."," Teams have an incident response plan but have never tested it. Auditors look for evidence of real incidents handled end to end. See ",[44,373,375],{"href":374},"\u002Fframeworks\u002Fsoc2\u002Fincident-response","incident response",[37,377,378],{},"A structured approach — mapping controls, evidence, and owners from day one — removes most of these friction points before they become audit findings.",[32,380,382],{"id":381},"how-soc-2-compares-to-other-frameworks","How SOC 2 compares to other frameworks",[37,384,385],{},"SOC 2 is not the only security framework buyers may request. 
Understanding how SOC 2 relates to other standards helps you plan a cohesive compliance strategy rather than running parallel audits with overlapping work.",[37,387,388,394],{},[61,389,390],{},[44,391,393],{"href":392},"\u002Fframeworks\u002Fiso27001","ISO 27001"," is an international certification focused on information security management systems. Unlike SOC 2, which produces an auditor's opinion letter, ISO 27001 results in a certificate issued by an accredited registrar. ISO 27001 is prescriptive about building an ISMS but the control set in Annex A overlaps heavily with the SOC 2 Common Criteria. Many mature companies pursue both and reuse evidence across them. ISO 27001 tends to be preferred by European and international buyers; SOC 2 is the North American standard.",[37,396,397,403],{},[61,398,399],{},[44,400,402],{"href":401},"\u002Fframeworks\u002Fhipaa","HIPAA"," is a US healthcare law that mandates specific safeguards for protected health information. HIPAA is a regulatory requirement rather than a voluntary attestation — there is no HIPAA certificate, but business associates and covered entities must comply. SOC 2 controls address many HIPAA administrative and technical safeguards, and a SOC 2 Type II report is often used as evidence of HIPAA compliance in vendor due diligence.",[37,405,406,412],{},[61,407,408],{},[44,409,411],{"href":410},"\u002Fframeworks\u002Fpci","PCI DSS"," is the payment card industry's prescriptive standard for any organization that stores, processes, or transmits cardholder data. Unlike SOC 2, PCI DSS specifies exact controls down to firewall rules and encryption key rotation cadences. SOC 2 and PCI DSS share concepts like encryption, access control, and monitoring, but PCI DSS scope is narrower (cardholder data environment) and the requirements are more specific. 
Companies that process payments typically need both.",[37,414,415,418,419,422,423,426],{},[61,416,417],{},"NIST Cybersecurity Framework",", ",[61,420,421],{},"FedRAMP",", and ",[61,424,425],{},"CMMC"," address additional specialized audiences — federal contractors, defense industrial base, and government-adjacent systems. These are out of scope for most commercial SaaS but worth mapping if your buyer base includes public sector.",[37,428,429,430,434],{},"If you are comparing SOC 2 tooling options, our ",[44,431,433],{"href":432},"\u002Fcompare\u002Fvs\u002Fvanta-vs-drata","Vanta vs Drata comparison"," covers the leading compliance automation platforms.",[32,436,438],{"id":437},"soc-2-readiness-checklist","SOC 2 readiness checklist",[37,440,441,442,446],{},"A readiness checklist keeps your team focused during the months before the audit begins. The ",[44,443,445],{"href":444},"\u002Fframeworks\u002Fsoc2\u002Fchecklist","full SOC 2 checklist"," covers every category, but at a high level expect to address:",[172,448,449,452,455,458,461,464,467,470,473,476],{},[175,450,451],{},"Governance and policies (information security policy, acceptable use, code of conduct)",[175,453,454],{},"Access control (SSO, MFA, role-based access, quarterly access reviews)",[175,456,457],{},"Change management (code review, deployment approvals, production change logs)",[175,459,460],{},"Vendor risk management (inventory, assessments, monitoring)",[175,462,463],{},"Incident response (documented plan, tested at least annually)",[175,465,466],{},"Business continuity and disaster recovery (plan with defined RPO\u002FRTO, tested)",[175,468,469],{},"Logging and monitoring (centralized logs, alerting, incident tickets)",[175,471,472],{},"Security awareness training (annual minimum, tracked completion)",[175,474,475],{},"HR controls (background checks, onboarding, offboarding, confidentiality agreements)",[175,477,478],{},"Risk assessment (annual risk review, risk register, treatment 
plans)",[37,480,481],{},"Most companies find that the readiness phase surfaces gaps they did not know existed. That is the point — better to discover them before the auditor arrives.",[32,483,485],{"id":484},"getting-started-with-soc-2","Getting started with SOC 2",[37,487,488],{},"The best time to start a SOC 2 program is before the first buyer demands it. The second best time is now.",[37,490,491],{},"A reasonable starting sequence:",[210,493,494,500,506,512,518,524],{},[175,495,496,499],{},[61,497,498],{},"Pick your Trust Services Criteria."," Security is required. Add others only if you have customer commitments that map to them.",[175,501,502,505],{},[61,503,504],{},"Decide Type I vs Type II."," If you need a report fast for a specific deal, start with Type I. If you have time and buyer pressure is general, skip straight to Type II.",[175,507,508,511],{},[61,509,510],{},"Run a readiness assessment."," Either internally or with a consultant. The goal is a prioritized remediation list, not a polished report.",[175,513,514,517],{},[61,515,516],{},"Remediate in priority order."," Address policy gaps, access control weaknesses, and logging first — these are the most common sources of findings.",[175,519,520,523],{},[61,521,522],{},"Select an auditor."," Get proposals from two to four CPA firms. Check references from similar companies. Book early — good auditors are scheduled quarters in advance.",[175,525,526,529],{},[61,527,528],{},"Operate, collect, and iterate."," Run your controls, collect evidence continuously, and prepare for fieldwork. Do not treat the audit as a one-time event.",[37,531,532,533,539,540,544],{},"episki was built for exactly this journey. The platform maps your controls to Trust Services Criteria, automates evidence collection, tracks ownership across teams, and gives your auditor structured access when fieldwork begins. 
",[44,534,538],{"href":535,"rel":536},"https:\u002F\u002Fepiski.app\u002Fauth\u002Fregister",[537],"nofollow","Start a free trial"," or ",[44,541,543],{"href":542},"\u002Fdemo","book a demo"," to see how SOC 2 looks with the scramble removed.",{"title":546,"searchDepth":547,"depth":547,"links":548},"",2,[549,550,551,559,560,561,562,563,564,565],{"id":34,"depth":547,"text":35},{"id":66,"depth":547,"text":67},{"id":103,"depth":547,"text":104,"children":552},[553,555,556,557,558],{"id":114,"depth":554,"text":115},3,{"id":121,"depth":554,"text":122},{"id":133,"depth":554,"text":134},{"id":140,"depth":554,"text":141},{"id":152,"depth":554,"text":153},{"id":163,"depth":547,"text":164},{"id":200,"depth":547,"text":201},{"id":257,"depth":547,"text":258},{"id":313,"depth":547,"text":314},{"id":381,"depth":547,"text":382},{"id":437,"depth":547,"text":438},{"id":484,"depth":547,"text":485},{"title":567,"description":568,"items":569},"SOC 2 readiness checklist inside episki","Everything is preloaded in your free trial so you can start assigning ownership and collecting proof immediately.",[570,571,572,573,574],"Trust Service Criteria library with mapped controls","Policy templates and AI drafting assistant","Evidence library with structured ownership and review cadences","Emulated auditor workspace with sample requests","Customer-facing compliance portal template",{"title":576,"description":577},"Launch your SOC 2 workspace today","Import your controls, connect evidence, and invite your auditor in under an hour.","md",{"title":580,"items":581},"SOC 2 frequently asked questions",[582,585,588,591,593],{"label":583,"content":584},"How long does a SOC 2 audit take?","A SOC 2 Type I audit typically takes 4-8 weeks of preparation plus the audit itself. Type II requires a 3-12 month observation period followed by the assessment. 
episki's automation can cut preparation time by up to 45 days.",{"label":586,"content":587},"What is the difference between SOC 2 Type I and Type II?","SOC 2 Type I evaluates whether controls are suitably designed at a single point in time. Type II tests whether those controls operated effectively over a sustained period, usually 3-12 months. Most enterprise buyers require a Type II report.",{"label":589,"content":590},"How much does SOC 2 compliance cost?","Total costs typically range from $20,000 to $100,000+ depending on scope, readiness, and auditor fees. episki covers the platform side at a flat $500\u002Fmonth with no per-seat charges, significantly reducing the software portion of that budget.",{"label":164,"content":592},"Any SaaS company, cloud service provider, or data processor handling customer data is a likely candidate. Enterprise buyers in financial services, healthcare, and technology frequently require a current SOC 2 report before signing contracts.",{"label":594,"content":595},"What are the SOC 2 Trust Services Criteria?","The five Trust Services Criteria are security (required), availability, processing integrity, confidentiality, and privacy. 
Security is mandatory for every SOC 2 audit; the other four are optional and selected based on the services you provide.",{"headline":597,"title":598,"description":599,"links":600},"SOC 2 without the scramble","Ship SOC 2 audits without slowing product velocity","episki maps Trust Service Criteria, automates evidence, and keeps auditors in sync so your team can focus on building.",[601,604],{"label":602,"icon":603,"to":535},"Start SOC 2 trial","i-lucide-rocket",{"label":605,"icon":606,"color":607,"variant":608,"to":542,"target":609},"Book a demo","i-lucide-message-circle","neutral","subtle","_blank","2026-04-27",{},"SOC 2 Type I\u002FII",true,"\u002Fframeworks\u002Fsoc2",{"headline":616,"title":616,"description":617,"items":618},"SOC 2 acceleration resources","Give execs and customers visibility into progress at every stage.",[619,622,625],{"title":620,"description":621},"Executive scorecard","Summaries translate control work into risk reduction and deals unlocked.",{"title":623,"description":624},"Sales enablement kit","SOC 2 FAQ answers and trust collateral ready for GTM teams.",{"title":626,"description":627},"Audit retro template","Capture what worked, track remediations, and prep the next period.",{"title":629,"description":630},"SOC 2 Compliance Software","Get SOC 2 Type I and Type II audit-ready faster with episki's automated controls, evidence tracking, and auditor collaboration. 
Start your free 14-day trial.","soc2",[633,636,639],{"value":634,"description":635},"45 days faster","Average time saved reaching Type II readiness with episki’s automation.",{"value":637,"description":638},"120+ controls","Pre-mapped control narratives with owners, evidence, and review cadences.",{"value":640,"description":641},"100% coverage","Auditor portal with control health dashboards and SOC 2 exports.","5.frameworks\u002Fsoc2","bJbRF5XSL9ALksj1QWkHTg9lO2E2kfmot3QsCAz1naE",[645,1148,1536,1884,2584,3063,3364,3873,4195,4746,5394,5801,6214,6733,7349,7867],{"id":646,"title":647,"body":648,"description":1133,"extension":578,"faq":1134,"frameworkSlug":631,"lastUpdated":1135,"meta":1136,"navigation":613,"path":206,"relatedTerms":1137,"relatedTopics":1139,"seo":1143,"stem":1146,"__hash__":1147},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Faudit-process.md","SOC 2 Audit Process",{"type":29,"value":649,"toc":1109},[650,654,663,667,670,674,697,701,707,721,724,728,731,751,758,762,765,800,803,807,812,816,854,858,921,925,928,931,969,973,1019,1023,1026,1030,1033,1037,1040,1044,1047,1061,1064,1068,1098,1102],[32,651,653],{"id":652},"how-the-soc-2-audit-process-works","How the SOC 2 audit process works",[37,655,107,656,659,660,662],{},[44,657,658],{"href":614},"SOC 2"," audit process can feel opaque if you have never been through one. Unlike a certification like ",[44,661,393],{"href":392}," where a registrar issues a certificate, SOC 2 produces an auditor's report — a detailed opinion letter from a licensed CPA firm. 
Understanding each phase removes surprises and keeps your team on track.",[32,664,666],{"id":665},"phase-1-scoping-and-readiness-assessment","Phase 1: Scoping and readiness assessment",[37,668,669],{},"Before engaging an auditor, define what is in scope and evaluate how ready you are.",[112,671,673],{"id":672},"define-scope","Define scope",[172,675,676,682,691],{},[175,677,678,681],{},[61,679,680],{},"Systems",": Identify the applications, infrastructure, databases, and third-party services that store, process, or transmit customer data.",[175,683,684,686,687,690],{},[61,685,55],{},": Security is required. Add availability, processing integrity, confidentiality, or privacy based on customer commitments and the nature of your service. See the ",[44,688,689],{"href":54},"Trust Services Criteria deep dive"," for guidance.",[175,692,693,696],{},[61,694,695],{},"Service commitments",": Review your terms of service, SLAs, and data processing agreements. Auditors will test controls against these commitments.",[112,698,700],{"id":699},"conduct-a-gap-analysis","Conduct a gap analysis",[37,702,703,704,706],{},"Compare your current controls against ",[44,705,226],{"href":225},". A readiness assessment identifies:",[172,708,709,712,715,718],{},[175,710,711],{},"Controls that already satisfy criteria",[175,713,714],{},"Gaps where controls are missing or undocumented",[175,716,717],{},"Evidence that exists versus evidence you still need to collect",[175,719,720],{},"Policies that need to be written or updated",[37,722,723],{},"Many organizations perform this internally or hire a consultant. The output should be a remediation plan with owners and deadlines.",[112,725,727],{"id":726},"remediate-gaps","Remediate gaps",[37,729,730],{},"Address the findings from your gap analysis before the audit begins. 
Common remediation items include:",[172,732,733,736,739,742,745,748],{},[175,734,735],{},"Writing or formalizing information security policies",[175,737,738],{},"Enabling multi-factor authentication across all critical systems",[175,740,741],{},"Implementing centralized logging and monitoring",[175,743,744],{},"Establishing a vendor risk management process",[175,746,747],{},"Conducting security awareness training for all employees",[175,749,750],{},"Documenting an incident response plan and running a tabletop exercise",[37,752,753,754,757],{},"Budget four to twelve weeks for remediation depending on the size of your gap list. Use the ",[44,755,756],{"href":444},"SOC 2 compliance checklist"," to track progress systematically.",[32,759,761],{"id":760},"phase-2-selecting-an-auditor","Phase 2: Selecting an auditor",[37,763,764],{},"SOC 2 audits must be performed by a CPA firm licensed to issue SOC reports. Not all CPA firms are equal — look for:",[172,766,767,773,779,785,794],{},[175,768,769,772],{},[61,770,771],{},"SOC 2 experience",": Ask how many SOC 2 engagements they complete per year and whether they have experience with companies at your stage and in your industry.",[175,774,775,778],{},[61,776,777],{},"Technology alignment",": Firms that understand cloud-native architectures, CI\u002FCD pipelines, and modern SaaS stacks will ask better questions and move faster.",[175,780,781,784],{},[61,782,783],{},"Communication style",": You will work closely with the audit team for weeks or months. Clear, responsive communication matters.",[175,786,787,790,791,793],{},[61,788,789],{},"Pricing transparency",": Request a fixed-fee quote or a detailed estimate. Understand what triggers additional fees. See our ",[44,792,309],{"href":308}," for benchmarks.",[175,795,796,799],{},[61,797,798],{},"Timeline availability",": Popular audit firms book up quarters in advance. 
Start the selection process early.",[37,801,802],{},"Request proposals from two to four firms, compare scope and pricing, and check references from companies similar to yours.",[32,804,806],{"id":805},"phase-3-the-type-i-audit","Phase 3: The Type I audit",[37,808,73,809,811],{},[44,810,76],{"href":89}," audit evaluates whether controls are suitably designed and implemented as of a specific date — a point-in-time assessment.",[112,813,815],{"id":814},"what-to-expect","What to expect",[210,817,818,824,830,836,842,848],{},[175,819,820,823],{},[61,821,822],{},"Kickoff meeting",": The auditor reviews scope, systems, and criteria with your team. They will share a request list detailing the evidence and documentation they need.",[175,825,826,829],{},[61,827,828],{},"Evidence collection",": Your team gathers policies, configurations, screenshots, access lists, and other artifacts. This is typically the most time-consuming step.",[175,831,832,835],{},[61,833,834],{},"Walkthroughs and inquiries",": The auditor conducts interviews with control owners to understand how processes work. They may ask for live demonstrations.",[175,837,838,841],{},[61,839,840],{},"Testing",": The auditor inspects evidence to confirm controls are designed to meet the criteria. For Type I, they are validating design — not operating effectiveness over time.",[175,843,844,847],{},[61,845,846],{},"Issue identification",": If the auditor finds control gaps or design deficiencies, they will flag them. 
You may have an opportunity to remediate before the report is finalized.",[175,849,850,853],{},[61,851,852],{},"Report drafting and delivery",": The auditor produces a report containing their opinion, a description of your system, the criteria tested, and any exceptions noted.",[112,855,857],{"id":856},"type-i-timeline","Type I timeline",[859,860,861,874],"table",{},[862,863,864],"thead",{},[865,866,867,871],"tr",{},[868,869,870],"th",{},"Step",[868,872,873],{},"Duration",[875,876,877,886,894,902,909],"tbody",{},[865,878,879,883],{},[880,881,882],"td",{},"Readiness and remediation",[880,884,885],{},"4–12 weeks",[865,887,888,891],{},[880,889,890],{},"Auditor selection and contracting",[880,892,893],{},"2–4 weeks",[865,895,896,899],{},[880,897,898],{},"Evidence collection and fieldwork",[880,900,901],{},"3–6 weeks",[865,903,904,907],{},[880,905,906],{},"Report drafting and review",[880,908,893],{},[865,910,911,916],{},[880,912,913],{},[61,914,915],{},"Total",[880,917,918],{},[61,919,920],{},"11–26 weeks",[32,922,924],{"id":923},"phase-4-the-type-ii-audit","Phase 4: The Type II audit",[37,926,927],{},"A SOC 2 Type II audit tests whether controls operated effectively over a defined observation period, typically three to twelve months. Most organizations choose a six-month or twelve-month window.",[112,929,815],{"id":930},"what-to-expect-1",[210,932,933,939,945,951,957,963],{},[175,934,935,938],{},[61,936,937],{},"Observation period begins",": The clock starts on the agreed date. 
All controls must be operating from this point forward.",[175,940,941,944],{},[61,942,943],{},"Ongoing evidence collection",": Unlike Type I, you need to collect evidence continuously throughout the observation period — access reviews, change approvals, incident logs, monitoring alerts.",[175,946,947,950],{},[61,948,949],{},"Midpoint check-in"," (optional but recommended): Some auditors offer an interim review partway through the observation period to catch issues early.",[175,952,953,956],{},[61,954,955],{},"Fieldwork",": After the observation period ends, the auditor performs detailed testing. They sample transactions, review logs, and verify that controls operated consistently.",[175,958,959,962],{},[61,960,961],{},"Exception handling",": If a control failed during the period, the auditor documents the exception. A few exceptions do not automatically mean a qualified opinion, but patterns of failure will.",[175,964,965,968],{},[61,966,967],{},"Final report",": The Type II report includes everything from Type I plus the auditor's testing results and opinion on operating effectiveness.",[112,970,972],{"id":971},"type-ii-timeline","Type II timeline",[859,974,975,983],{},[862,976,977],{},[865,978,979,981],{},[868,980,870],{},[868,982,873],{},[875,984,985,993,1001,1007],{},[865,986,987,990],{},[880,988,989],{},"Observation period",[880,991,992],{},"3–12 months",[865,994,995,998],{},[880,996,997],{},"Fieldwork after period ends",[880,999,1000],{},"4–8 weeks",[865,1002,1003,1005],{},[880,1004,906],{},[880,1006,893],{},[865,1008,1009,1014],{},[880,1010,1011],{},[61,1012,1013],{},"Total (after readiness)",[880,1015,1016],{},[61,1017,1018],{},"5–15 months",[32,1020,1022],{"id":1021},"phase-5-report-delivery-and-beyond","Phase 5: Report delivery and beyond",[37,1024,1025],{},"Once you receive your SOC 2 report, the process does not end.",[112,1027,1029],{"id":1028},"distribute-the-report","Distribute the report",[37,1031,1032],{},"SOC 2 reports are restricted-use 
documents. Share them under NDA with customers, prospects, and partners who request them. Many companies set up a trust center or compliance portal to manage requests.",[112,1034,1036],{"id":1035},"plan-for-the-next-period","Plan for the next period",[37,1038,1039],{},"SOC 2 Type II reports cover a specific window. To maintain continuous coverage, plan the next observation period to begin immediately after the current one ends. Auditors call this a \"bridge period\" — any gap between periods means you have a coverage lapse that buyers may question.",[112,1041,1043],{"id":1042},"continuous-monitoring","Continuous monitoring",[37,1045,1046],{},"The most efficient SOC 2 programs do not treat the audit as a seasonal event. Instead, they:",[172,1048,1049,1052,1055,1058],{},[175,1050,1051],{},"Monitor control health in real time",[175,1053,1054],{},"Collect evidence automatically where possible",[175,1056,1057],{},"Review and update policies on a regular cadence",[175,1059,1060],{},"Track remediation items from previous audit exceptions",[37,1062,1063],{},"This continuous approach reduces the scramble before each audit and catches issues before they become exceptions.",[32,1065,1067],{"id":1066},"common-pitfalls-in-the-soc-2-audit-process","Common pitfalls in the SOC 2 audit process",[172,1069,1070,1076,1082,1088],{},[175,1071,1072,1075],{},[61,1073,1074],{},"Starting evidence collection too late",": Begin during readiness, not after the auditor's first request list arrives.",[175,1077,1078,1081],{},[61,1079,1080],{},"Single-threaded ownership",": SOC 2 touches engineering, IT, HR, and legal. Assign control owners across teams and give them visibility into the timeline.",[175,1083,1084,1087],{},[61,1085,1086],{},"Ignoring the observation period",": For Type II, controls must operate every day of the period. 
A policy that exists but is not followed will result in exceptions.",[175,1089,1090,1093,1094,1097],{},[61,1091,1092],{},"Choosing the wrong auditor",": A mismatched firm can slow the process and increase ",[44,1095,1096],{"href":308},"costs",". Do your diligence upfront.",[32,1099,1101],{"id":1100},"how-episki-helps","How episki helps",[37,1103,1104,1105,1108],{},"episki streamlines every phase of the audit process. During readiness, the platform performs automated gap analysis against SOC 2 requirements and generates a prioritized remediation plan. During the observation period, structured evidence collection with ownership tracking and review cadences ensures nothing falls through the cracks. When fieldwork begins, the auditor collaboration portal gives your CPA firm scoped access to controls, evidence, and Q&A threads — eliminating back-and-forth emails. ",[44,1106,538],{"href":535,"rel":1107},[537]," to see the full audit workflow in action.",{"title":546,"searchDepth":547,"depth":547,"links":1110},[1111,1112,1117,1118,1122,1126,1131,1132],{"id":652,"depth":547,"text":653},{"id":665,"depth":547,"text":666,"children":1113},[1114,1115,1116],{"id":672,"depth":554,"text":673},{"id":699,"depth":554,"text":700},{"id":726,"depth":554,"text":727},{"id":760,"depth":547,"text":761},{"id":805,"depth":547,"text":806,"children":1119},[1120,1121],{"id":814,"depth":554,"text":815},{"id":856,"depth":554,"text":857},{"id":923,"depth":547,"text":924,"children":1123},[1124,1125],{"id":930,"depth":554,"text":815},{"id":971,"depth":554,"text":972},{"id":1021,"depth":547,"text":1022,"children":1127},[1128,1129,1130],{"id":1028,"depth":554,"text":1029},{"id":1035,"depth":554,"text":1036},{"id":1042,"depth":554,"text":1043},{"id":1066,"depth":547,"text":1067},{"id":1100,"depth":547,"text":1101},"A step-by-step guide to the SOC 2 audit process, from readiness assessment through final report delivery, including timelines for Type I and Type II 
engagements.",null,"2026-04-16",{},[631,1138],"grc",[1140,1141,1142],"type-1-vs-type-2","requirements","cost",{"title":1144,"description":1145},"SOC 2 Audit Process — Step-by-Step Guide for 2026","Walk through the SOC 2 audit process step by step. Learn about readiness assessments, auditor selection, Type I vs Type II timelines, and what to expect.","5.frameworks\u002Fsoc2\u002Faudit-process","iyxfqb2dYCTbXKBkEJCPxss2rzK_gziKbfoMFkRC3V0",{"id":1149,"title":1150,"body":1151,"description":1505,"extension":578,"faq":1506,"frameworkSlug":631,"lastUpdated":1135,"meta":1523,"navigation":613,"path":128,"relatedTerms":1524,"relatedTopics":1528,"seo":1531,"stem":1534,"__hash__":1535},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Favailability-criteria.md","SOC 2 Availability Criteria",{"type":29,"value":1152,"toc":1484},[1153,1157,1163,1166,1170,1175,1195,1198,1202,1205,1209,1229,1233,1247,1250,1254,1257,1260,1283,1286,1303,1306,1310,1313,1316,1333,1336,1350,1362,1366,1369,1395,1404,1408,1411,1414,1418,1450,1454,1471,1473],[32,1154,1156],{"id":1155},"availability-is-the-soc-2-criterion-most-visible-to-customers","Availability is the SOC 2 criterion most visible to customers",[37,1158,1159,1160,1162],{},"When a customer's application goes down and they cannot log in, they blame your uptime. The availability Trust Services Criterion is where ",[44,1161,658],{"href":614}," turns that reality into a structured set of controls. The criterion applies when an organization commits to specific uptime levels or recovery capabilities — typically through published SLAs, status pages, or contractual obligations. If your customers rely on your service being up, availability belongs in your audit scope.",[37,1164,1165],{},"Availability is optional in SOC 2, but for SaaS companies selling into enterprise or mid-market, it is often the first additional criterion added beyond security. 
Enterprise procurement teams expect it because their risk frameworks treat vendor availability as a top-tier concern.",[32,1167,1169],{"id":1168},"what-the-availability-criterion-covers","What the availability criterion covers",[37,1171,107,1172,1174],{},[44,1173,55],{"href":54}," define availability as \"the accessibility of the system, products, or services as stipulated by a contract or service level agreement.\" Availability has three dedicated control categories in the A1 series, plus overlap with several Common Criteria.",[172,1176,1177,1183,1189],{},[175,1178,1179,1182],{},[61,1180,1181],{},"A1.1"," — The entity maintains, monitors, and evaluates current processing capacity and use of system components to manage capacity demand and to enable the implementation of additional capacity.",[175,1184,1185,1188],{},[61,1186,1187],{},"A1.2"," — The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data backup processes, and recovery infrastructure to meet its availability objectives.",[175,1190,1191,1194],{},[61,1192,1193],{},"A1.3"," — The entity tests recovery plan procedures supporting system recovery to meet its availability objectives.",[37,1196,1197],{},"A1 is short but dense. Each control generates operational evidence across the observation period.",[32,1199,1201],{"id":1200},"a11-capacity-planning-and-monitoring","A1.1 — Capacity planning and monitoring",[37,1203,1204],{},"A1.1 requires that you know how much capacity your system has, how much it is using, and how you will add more when demand grows. 
Auditors look for a capacity management process that operates continuously, not a one-time analysis.",[112,1206,1208],{"id":1207},"typical-controls","Typical controls",[172,1210,1211,1214,1217,1220,1223,1226],{},[175,1212,1213],{},"Real-time capacity monitoring dashboards (CPU, memory, storage, network, database connections)",[175,1215,1216],{},"Defined thresholds for capacity alerts",[175,1218,1219],{},"Scheduled capacity reviews with documented outcomes",[175,1221,1222],{},"Forecasting based on growth assumptions",[175,1224,1225],{},"Auto-scaling for elastic workloads",[175,1227,1228],{},"Procurement lead time built into capacity forecasting",[112,1230,1232],{"id":1231},"evidence-expectations","Evidence expectations",[172,1234,1235,1238,1241,1244],{},[175,1236,1237],{},"Capacity dashboards with historical data spanning the observation period",[175,1239,1240],{},"Capacity review meeting notes or tickets",[175,1242,1243],{},"Alert history showing capacity thresholds being monitored",[175,1245,1246],{},"Procurement or provisioning records when capacity was added",[37,1248,1249],{},"Organizations running in public cloud typically have strong A1.1 posture out of the box because auto-scaling and managed services remove much of the manual capacity work. Organizations running colocated hardware have more evidence to produce.",[32,1251,1253],{"id":1252},"a12-environmental-protections-and-recovery-infrastructure","A1.2 — Environmental protections and recovery infrastructure",[37,1255,1256],{},"A1.2 covers the infrastructure that supports availability — redundancy, backups, and environmental controls. 
The term \"environmental\" is broader than physical environment; it includes software resilience as well.",[112,1258,1208],{"id":1259},"typical-controls-1",[172,1261,1262,1265,1268,1271,1274,1277,1280],{},[175,1263,1264],{},"Multi-region or multi-AZ deployment architecture",[175,1266,1267],{},"Redundant components (load balancers, databases, caches)",[175,1269,1270],{},"Automated failover mechanisms",[175,1272,1273],{},"Backup and recovery procedures with defined retention",[175,1275,1276],{},"Data replication strategy",[175,1278,1279],{},"Physical environmental controls for on-premises facilities (power, cooling, fire suppression)",[175,1281,1282],{},"Network isolation and DDoS protections",[112,1284,1232],{"id":1285},"evidence-expectations-1",[172,1287,1288,1291,1294,1297,1300],{},[175,1289,1290],{},"Architecture diagrams showing redundancy",[175,1292,1293],{},"Backup job logs confirming successful backups",[175,1295,1296],{},"Backup restoration test records",[175,1298,1299],{},"Failover test results if applicable",[175,1301,1302],{},"Data center certifications (for colocated hardware)",[37,1304,1305],{},"A common gap in A1.2 is backup coverage. Teams have backups but do not test restoration until an incident forces it. Auditors look for proactive restoration tests.",[32,1307,1309],{"id":1308},"a13-recovery-testing","A1.3 — Recovery testing",[37,1311,1312],{},"A1.3 is where availability and business continuity meet. 
The control requires that recovery procedures be tested so they work when a real disruption occurs.",[112,1314,1208],{"id":1315},"typical-controls-2",[172,1317,1318,1321,1324,1327,1330],{},[175,1319,1320],{},"Documented disaster recovery plan with defined RPO and RTO",[175,1322,1323],{},"Annual or more frequent DR tests",[175,1325,1326],{},"Scenario-based testing (region failure, database failure, application failure)",[175,1328,1329],{},"Post-test reviews with remediation items",[175,1331,1332],{},"Business continuity plan integration",[112,1334,1232],{"id":1335},"evidence-expectations-2",[172,1337,1338,1341,1344,1347],{},[175,1339,1340],{},"Current DR plan document with approval evidence",[175,1342,1343],{},"DR test reports from the observation period",[175,1345,1346],{},"Remediation tracking for issues identified during tests",[175,1348,1349],{},"Evidence that lessons were incorporated into the plan",[37,1351,1352,1353,96,1357,1361],{},"See ",[44,1354,1356],{"href":1355},"\u002Fglossary\u002Fbusiness-continuity","business continuity",[44,1358,1360],{"href":1359},"\u002Fglossary\u002Fdisaster-recovery","disaster recovery"," for related terms.",[32,1363,1365],{"id":1364},"overlap-with-other-trust-services-criteria","Overlap with other Trust Services Criteria",[37,1367,1368],{},"Availability does not exist in isolation. 
Several Common Criteria contribute to the picture.",[172,1370,1371,1377,1383,1389],{},[175,1372,1373,1376],{},[61,1374,1375],{},"CC7"," (system operations) — monitoring that detects availability events feeds the availability controls directly",[175,1378,1379,1382],{},[61,1380,1381],{},"CC9.1"," (business continuity) — overlaps heavily with A1.3",[175,1384,1385,1388],{},[61,1386,1387],{},"CC2"," (communication) — customer and internal communication during outages",[175,1390,1391,1394],{},[61,1392,1393],{},"CC8"," (change management) — poorly managed changes cause outages",[37,1396,1397,1398,96,1402,100],{},"A well-designed SOC 2 program maps controls once and applies them to every applicable criterion. For example, a failover test may satisfy A1.2, A1.3, and CC9.1 simultaneously. The same mapping applies in ",[44,1399,1401],{"href":1400},"\u002Fframeworks\u002Fsoc2\u002Fcontinuous-monitoring","continuous monitoring",[44,1403,375],{"href":374},[32,1405,1407],{"id":1406},"how-this-fits-into-soc-2","How this fits into SOC 2",[37,1409,1410],{},"Availability is the most visible criterion for customers — outages generate status page updates, incident reports, and sometimes contractual credits. Auditors know this, so they examine availability controls against both the design and real operational outcomes during the observation period. If you had an outage during the period, the auditor will typically request the incident record and verify that A1.3 controls — recovery procedures — were executed and effective.",[37,1412,1413],{},"This also means availability has the clearest connection between control effectiveness and business impact. 
A clean availability section in a SOC 2 report supports sales conversations about enterprise reliability in a way that the security criterion alone cannot.",[32,1415,1417],{"id":1416},"common-mistakes","Common mistakes",[172,1419,1420,1426,1432,1438,1444],{},[175,1421,1422,1425],{},[61,1423,1424],{},"SLA without monitoring."," A published uptime commitment that nobody measures is a recipe for exceptions. If you commit to 99.9%, measure it and report it.",[175,1427,1428,1431],{},[61,1429,1430],{},"Backups without restoration tests."," Untested backups are hope, not controls. Run periodic restorations.",[175,1433,1434,1437],{},[61,1435,1436],{},"DR plan in a drawer."," A plan that has not been updated in two years is a design problem even if no disaster happened. Review annually.",[175,1439,1440,1443],{},[61,1441,1442],{},"No RPO or RTO."," \"We'll figure it out\" is not an acceptable answer to what data loss you can tolerate. Define the numbers.",[175,1445,1446,1449],{},[61,1447,1448],{},"Single-region deployments with availability criterion."," If your architecture cannot survive a regional failure and you are claiming availability, the auditor will note the gap. Match the criterion to reality.",[32,1451,1453],{"id":1452},"implementation-tips","Implementation tips",[172,1455,1456,1459,1462,1465,1468],{},[175,1457,1458],{},"Publish a status page that reflects real uptime. Auditors sometimes check it against your internal incident records.",[175,1460,1461],{},"Define RPO and RTO per system tier. Not every service needs the same recovery targets, and differentiating them makes the plan credible.",[175,1463,1464],{},"Test DR quarterly with different scenarios rotating across the year. Document each test.",[175,1466,1467],{},"Treat capacity alerts as first-class signals. If capacity thresholds are consistently breached with no action, A1.1 is weak.",[175,1469,1470],{},"Integrate capacity planning with business forecasts. 
Sales pipeline can predict capacity demand if the signal is used.",[32,1472,1101],{"id":1100},[37,1474,1475,1476,1479,1480,1483],{},"episki maps the A1 series controls to your existing monitoring, backup, and DR tooling and collects evidence — capacity dashboards, DR test results, incident history — automatically across the observation period. ",[44,1477,538],{"href":535,"rel":1478},[537]," or read the full ",[44,1481,1482],{"href":614},"SOC 2 framework guide"," for how availability sits inside a complete SOC 2 program.",{"title":546,"searchDepth":547,"depth":547,"links":1485},[1486,1487,1488,1492,1496,1500,1501,1502,1503,1504],{"id":1155,"depth":547,"text":1156},{"id":1168,"depth":547,"text":1169},{"id":1200,"depth":547,"text":1201,"children":1489},[1490,1491],{"id":1207,"depth":554,"text":1208},{"id":1231,"depth":554,"text":1232},{"id":1252,"depth":547,"text":1253,"children":1493},[1494,1495],{"id":1259,"depth":554,"text":1208},{"id":1285,"depth":554,"text":1232},{"id":1308,"depth":547,"text":1309,"children":1497},[1498,1499],{"id":1315,"depth":554,"text":1208},{"id":1335,"depth":554,"text":1232},{"id":1364,"depth":547,"text":1365},{"id":1406,"depth":547,"text":1407},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"Deep dive on the SOC 2 Availability Trust Services Criterion. A1 series controls, uptime commitments, capacity planning, and disaster recovery.",{"items":1507},[1508,1511,1514,1517,1520],{"label":1509,"content":1510},"When should I include the availability criterion in my SOC 2?","Include availability when you have published SLAs, customers depend on continuous uptime, or contracts include availability commitments with penalties. Many SaaS companies add availability in their first SOC 2 if they sell into enterprise or mid-market.",{"label":1512,"content":1513},"Does the availability criterion require 99.99% uptime?","No. SOC 2 does not set a specific uptime number. 
It requires that you have defined availability commitments, measure against them, and have controls that support those commitments. The number is whatever you commit to in SLAs or customer contracts.",{"label":1515,"content":1516},"What is the difference between availability and business continuity?","Availability in SOC 2 covers day-to-day operation of the system — capacity, redundancy, monitoring. Business continuity covers response to disruptive events — the ability to recover when something goes wrong. Both are tested under availability controls (A1.3 specifically).",{"label":1518,"content":1519},"Do I need to test disaster recovery annually?","Yes. Auditors expect documented DR tests at least annually, with defined scenarios, results, and corrective actions. Many mature SOC 2 programs test quarterly, rotating scenarios.",{"label":1521,"content":1522},"What evidence do auditors expect for availability?","Auditors typically review published SLAs, capacity monitoring dashboards, incident history for outages, DR test results, and evidence that the DR plan was executed or simulated during the observation period.",{},[1525,1526,1527,631],"business-continuity","disaster-recovery","monitoring",[1529,1042,1530],"trust-services-criteria","incident-response",{"title":1532,"description":1533},"SOC 2 Availability Criteria (2026): A1 Controls Deep Dive","Master the SOC 2 Availability criterion. 
A1.1 capacity planning, A1.2 environmental protections, A1.3 recovery, and common audit evidence.","5.frameworks\u002Fsoc2\u002Favailability-criteria","KNruVOcwfKW-lBS_jQvoBBLXuh2wwZOLL0fROaBb2bw",{"id":1537,"title":1538,"body":1539,"description":1855,"extension":578,"faq":1856,"frameworkSlug":631,"lastUpdated":1135,"meta":1873,"navigation":613,"path":363,"relatedTerms":1874,"relatedTopics":1878,"seo":1879,"stem":1882,"__hash__":1883},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fchange-management.md","SOC 2 Change Management",{"type":29,"value":1540,"toc":1839},[1541,1545,1551,1554,1558,1564,1587,1590,1594,1597,1601,1604,1621,1625,1628,1632,1635,1646,1650,1653,1670,1673,1677,1680,1703,1714,1718,1721,1746,1749,1751,1754,1770,1773,1775,1807,1809,1826,1828],[32,1542,1544],{"id":1543},"change-management-is-the-most-tested-control-in-soc-2","Change management is the most-tested control in SOC 2",[37,1546,1547,1548,1550],{},"If continuous monitoring is where Type II is won, change management is where it is most often lost. Every modern SaaS company deploys constantly. Every deployment is a change that auditors consider in scope under CC8.1. A ",[44,1549,658],{"href":614}," Type II audit over a six- or twelve-month observation period may involve thousands of production changes, and auditors will sample them.",[37,1552,1553],{},"The good news is that mature engineering teams already have most of the controls — code review, CI\u002FCD, infrastructure as code — they just need to be mapped to CC8.1, documented, and made visible to auditors. 
The bad news is that any change that bypasses those controls and reaches production creates an exception that is hard to explain away.",[32,1555,1557],{"id":1556},"what-cc81-requires","What CC8.1 requires",[37,1559,1560,1561,1563],{},"CC8.1 in the ",[44,1562,55],{"href":54}," requires that the entity \"authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures.\" The points of focus expand this into seven expectations.",[172,1565,1566,1569,1572,1575,1578,1581,1584],{},[175,1567,1568],{},"Manages changes throughout the system development life cycle",[175,1570,1571],{},"Authorizes changes before implementation",[175,1573,1574],{},"Designs and develops changes with appropriate controls",[175,1576,1577],{},"Documents changes so they can be traced and reproduced",[175,1579,1580],{},"Tracks system changes to confirm authorization and intended outcomes",[175,1582,1583],{},"Configures software with approved configurations",[175,1585,1586],{},"Tests system changes before implementation",[37,1588,1589],{},"CC8.1 also intersects with CC6.1 (access control) because only authorized people should be able to approve and deploy changes, and CC7.1 (configuration monitoring) because unauthorized changes should generate alerts.",[32,1591,1593],{"id":1592},"the-four-lanes-of-soc-2-change-management","The four lanes of SOC 2 change management",[37,1595,1596],{},"Different types of changes need different controls. Organizations that try to use a single workflow for everything end up with either too much bureaucracy or too many exceptions.",[112,1598,1600],{"id":1599},"_1-application-code-changes","1. Application code changes",[37,1602,1603],{},"Standard developer workflow: feature branch, pull request, code review, automated tests, merge to main, deploy. 
Controls to document:",[172,1605,1606,1609,1612,1615,1618],{},[175,1607,1608],{},"Branch protection requiring reviewer approval",[175,1610,1611],{},"Required status checks (tests passing, security scans clean)",[175,1613,1614],{},"Merge restrictions to authorized committers",[175,1616,1617],{},"Automated deployment from the main branch",[175,1619,1620],{},"Linkage from commit to pull request to deployment record",[112,1622,1624],{"id":1623},"_2-infrastructure-changes","2. Infrastructure changes",[37,1626,1627],{},"Infrastructure-as-code is the cleanest path. Terraform, Pulumi, CloudFormation, or equivalent in version control means infrastructure changes follow the same review workflow as application code. Manual console changes to production should be minimized and, when made, logged with a ticket.",[112,1629,1631],{"id":1630},"_3-configuration-changes","3. Configuration changes",[37,1633,1634],{},"Application configuration, feature flags, and runtime settings often change outside the code deployment workflow. Controls include:",[172,1636,1637,1640,1643],{},[175,1638,1639],{},"Config stored in version control or a secrets manager with audit logs",[175,1641,1642],{},"Feature flag changes logged with actor and timestamp",[175,1644,1645],{},"Production console access restricted and monitored",[112,1647,1649],{"id":1648},"_4-emergency-changes","4. Emergency changes",[37,1651,1652],{},"Every engineering team has moments when normal process must be bypassed. 
SOC 2 accommodates this as long as the exception is managed.",[172,1654,1655,1658,1661,1664,1667],{},[175,1656,1657],{},"Define an emergency change procedure in policy",[175,1659,1660],{},"Require at least one authorized approver (even if post-hoc)",[175,1662,1663],{},"Require a written justification",[175,1665,1666],{},"Log the change in the same system as normal changes",[175,1668,1669],{},"Review emergency changes in a monthly or quarterly retrospective",[37,1671,1672],{},"Auditors look at the population of emergency changes and ask why each one qualified. If everything is an emergency, the normal process is not working.",[32,1674,1676],{"id":1675},"evidence-auditors-expect","Evidence auditors expect",[37,1678,1679],{},"A Type II audit will generate specific requests around change management.",[172,1681,1682,1685,1688,1691,1694,1697,1700],{},[175,1683,1684],{},"Change management policy document",[175,1686,1687],{},"Inventory of systems covered by the process",[175,1689,1690],{},"A list of changes deployed during the observation period",[175,1692,1693],{},"Samples of individual changes with their full audit trail",[175,1695,1696],{},"Evidence of emergency change approvals and justifications",[175,1698,1699],{},"Evidence of segregation between developers and production deployers (where applicable)",[175,1701,1702],{},"Branch protection and CI\u002FCD configuration settings",[37,1704,1705,1706,96,1710,100],{},"The auditor may pull changes from your version control system directly or request an export. The fastest way to pass this section is to ensure the audit trail is complete by default rather than reconstructing it after the fact. 
Related glossary: ",[44,1707,1709],{"href":1708},"\u002Fglossary\u002Fchange-management","change management",[44,1711,1713],{"href":1712},"\u002Fglossary\u002Faudit-trail","audit trail",[32,1715,1717],{"id":1716},"approval-workflows-that-satisfy-soc-2","Approval workflows that satisfy SOC 2",[37,1719,1720],{},"The workflow itself is not prescribed. The outcomes are. The workflow must demonstrate:",[210,1722,1723,1729,1734,1740],{},[175,1724,1725,1728],{},[61,1726,1727],{},"Authorization",". Someone with appropriate authority approved the change before it reached production.",[175,1730,1731,1733],{},[61,1732,840],{},". The change was tested in a non-production environment (unless covered by emergency procedures).",[175,1735,1736,1739],{},[61,1737,1738],{},"Documentation",". The change is recorded in a way that a reviewer can understand what changed and why.",[175,1741,1742,1745],{},[61,1743,1744],{},"Traceability",". The deployment can be traced back to the approval and the approval back to the requesting actor.",[37,1747,1748],{},"For most modern teams, a pull request workflow with branch protection enforces all four by default. Older teams with manual deployment processes have more work to do.",[32,1750,1407],{"id":1406},[37,1752,1753],{},"Change management generates some of the highest-volume evidence in a SOC 2 audit. Every pull request, every deployment, every configuration change contributes to the population auditors sample from. 
Weak change management often causes exceptions in adjacent areas:",[172,1755,1756,1761,1767],{},[175,1757,1758,1760],{},[44,1759,1043],{"href":1400}," misses unauthorized changes if configuration drift alerting is absent",[175,1762,1763,1766],{},[44,1764,1765],{"href":374},"Incident response"," requires change management correlation when an incident is traced to a deployment",[175,1768,1769],{},"Access controls (CC6) overlap when emergency deployment access is granted temporarily",[37,1771,1772],{},"Change management also supports the availability criterion if applicable. Failed deployments are a common cause of outages, so rollback procedures and testing discipline feed both security and availability controls.",[32,1774,1417],{"id":1416},[172,1776,1777,1783,1789,1795,1801],{},[175,1778,1779,1782],{},[61,1780,1781],{},"Manual console changes to production."," Engineers who make one-off changes in the AWS console without a ticket leave evidence gaps. Restrict console write access or require change tickets for any change made that way.",[175,1784,1785,1788],{},[61,1786,1787],{},"Overloaded emergency procedure."," If half of your changes are emergency changes, the category is meaningless. Tighten the definition.",[175,1790,1791,1794],{},[61,1792,1793],{},"No linkage between ticket and deployment."," The auditor wants to trace from approval to deployed change. Without a link (commit message references, deploy metadata), the chain breaks.",[175,1796,1797,1800],{},[61,1798,1799],{},"Configuration drift."," Systems configured by hand drift away from declared baselines. Configuration monitoring catches this but only if it is deployed.",[175,1802,1803,1806],{},[61,1804,1805],{},"Approver-as-author."," The same person approved and deployed the change. Where possible, require separation. 
At minimum, document why separation is not feasible.",[32,1808,1453],{"id":1452},[172,1810,1811,1814,1817,1820,1823],{},[175,1812,1813],{},"Turn on branch protection with required reviews and status checks across every repository in scope. Export the settings as evidence.",[175,1815,1816],{},"Use CI\u002FCD pipelines that record who deployed what, when, and against which commit. Retain deploy logs for the full observation period.",[175,1818,1819],{},"Manage infrastructure with code. Manual console changes should be rare, logged, and revisited during quarterly audits.",[175,1821,1822],{},"Write an emergency change procedure before you need it. During an actual emergency is not the time to design the process.",[175,1824,1825],{},"Sample your own change evidence monthly to catch gaps before the auditor does.",[32,1827,1101],{"id":1100},[37,1829,1830,1831,1834,1835,1838],{},"episki maps your existing change management tooling — pull requests, CI\u002FCD pipelines, ticketing systems — to CC8.1 and pulls evidence continuously so the audit trail is always current. ",[44,1832,538],{"href":535,"rel":1833},[537]," or review the broader ",[44,1836,1837],{"href":614},"SOC 2 framework"," to see how change management fits alongside access, monitoring, and incident controls.",{"title":546,"searchDepth":547,"depth":547,"links":1840},[1841,1842,1843,1849,1850,1851,1852,1853,1854],{"id":1543,"depth":547,"text":1544},{"id":1556,"depth":547,"text":1557},{"id":1592,"depth":547,"text":1593,"children":1844},[1845,1846,1847,1848],{"id":1599,"depth":554,"text":1600},{"id":1623,"depth":554,"text":1624},{"id":1630,"depth":554,"text":1631},{"id":1648,"depth":554,"text":1649},{"id":1675,"depth":547,"text":1676},{"id":1716,"depth":547,"text":1717},{"id":1406,"depth":547,"text":1407},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"SOC 2 CC8.1 change management. 
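The monthly self-sampling recommended above can be scripted against the same change population the auditor will pull. The block below is an added example, not code from this page or from episki. It assumes a hypothetical export in which each production deployment is joined to the pull request that produced the deployed commit (author, approvers, status-check result, description, emergency flag and any post-hoc ratification); the record layout, the sample data and the 25% emergency-ratio threshold are all assumptions. It flags the four required outcomes (authorization, testing, documentation, traceability) and the pitfalls listed above: missing linkage, approver-as-author, untested changes and an overloaded emergency category.

```python
"""Self-audit a population of production changes for CC8.1 evidence gaps.

Added example, not code from the page or from episki. The export format is
hypothetical: one record per production deployment, joined to the pull
request that produced the deployed commit. Sample records are constructed.
"""
from __future__ import annotations

import random
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Change:
    deploy_id: str
    commit: str
    pr: Optional[int]                      # None: deploy cannot be linked to a PR
    author: str
    approvers: list[str] = field(default_factory=list)
    checks_passed: Optional[bool] = None   # None: no status check recorded
    description: str = ""
    emergency: bool = False
    post_hoc_approval: Optional[str] = None  # who ratified an emergency change


# Constructed sample population for one month (not real data).
POPULATION = [
    Change("d-1001", "a1f2c3", 4410, "alice", ["bob"], True, "Rotate API gateway TLS cert"),
    Change("d-1002", "b9e8d7", 4412, "carol", ["carol"], True, "Bump image tag"),  # self-approved
    Change("d-1003", "c5d4e3", None, "dave", [], None, ""),                        # console change, no PR
    Change("d-1004", "d2c1b0", 4415, "alice", ["erin"], False, "Hotfix null deref",
           emergency=True, post_hoc_approval="bob"),                               # ratified emergency
    Change("d-1005", "e7f6a5", 4416, "frank", ["alice"], None, "Add index on orders.customer_id"),
    Change("d-1006", "f1e2d3", 4418, "bob", [], True, "Tune autoscaler", emergency=True),  # unratified
]

EMERGENCY_RATIO_LIMIT = 0.25  # assumed policy threshold; set it from your own procedure


def audit_change(c: Change) -> list[str]:
    """Return exception codes for one change; an empty list means clean evidence."""
    findings: list[str] = []
    if c.pr is None:
        findings.append("NO_LINKAGE")  # traceability: deploy cannot be tied to an approval
    if c.emergency:
        # Emergency procedure: testing may be waived, but ratification is mandatory
        # and must come from someone other than the author.
        if not c.post_hoc_approval:
            findings.append("EMERGENCY_UNRATIFIED")
        elif c.post_hoc_approval == c.author:
            findings.append("APPROVER_IS_AUTHOR")
    else:
        independent = [a for a in c.approvers if a != c.author]
        if not c.approvers:
            findings.append("NO_APPROVAL")        # authorization missing
        elif not independent:
            findings.append("APPROVER_IS_AUTHOR")  # authorization not independent
        if c.checks_passed is None:
            findings.append("NO_TEST_EVIDENCE")    # testing outcome never recorded
        elif c.checks_passed is False:
            findings.append("TESTS_FAILED")        # merged despite failing checks
    if not c.description.strip():
        findings.append("NO_DESCRIPTION")          # documentation missing
    return findings


def audit_population(changes: list[Change], ratio_limit: float = EMERGENCY_RATIO_LIMIT) -> dict:
    """Per-change findings plus population-level checks (emergency overload)."""
    per_change = {c.deploy_id: audit_change(c) for c in changes}
    emergency = sum(1 for c in changes if c.emergency)
    ratio = emergency / len(changes) if changes else 0.0
    population_findings = ["EMERGENCY_OVERLOADED"] if ratio > ratio_limit else []
    return {"changes": per_change, "emergency_ratio": ratio, "population": population_findings}


def sample_for_review(changes: list[Change], n: int, seed: int = 0) -> list[Change]:
    """Deterministic sample (seed recorded with the review so it can be re-run)."""
    rng = random.Random(seed)
    picked = rng.sample(changes, min(n, len(changes)))
    return sorted(picked, key=lambda c: c.deploy_id)


if __name__ == "__main__":
    report = audit_population(POPULATION)
    for deploy_id, codes in report["changes"].items():
        print(deploy_id, "OK" if not codes else ", ".join(codes))
    print("emergency ratio %.2f" % report["emergency_ratio"], report["population"])
```

Run it against the full monthly export rather than a sample first: population-level checks such as the emergency ratio only mean something over the whole period, and the per-change exception list tells you which deploys to remediate (or document) before the auditor draws their own sample.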
Approval workflows, production change evidence, and how to avoid exceptions in Type II audits.",{"items":1857},[1858,1861,1864,1867,1870],{"label":1859,"content":1860},"Which SOC 2 criterion covers change management?","Change management is addressed in CC8.1, which requires the entity to authorize, design, develop, configure, document, test, approve, and implement changes to infrastructure, data, software, and procedures. CC6.1 also addresses logical access restrictions that support change controls.",{"label":1862,"content":1863},"Does every code commit require approval for SOC 2?","Not every commit, but every change that reaches production must have evidence of approval or an automated gate that enforces review. Pull request requirements, branch protection rules, and CI\u002FCD approval steps satisfy this for most modern engineering teams.",{"label":1865,"content":1866},"What about emergency changes?","SOC 2 allows emergency change procedures, but they must be documented. Common requirements include post-hoc approval within a defined window, a written justification, and a standing list of authorized emergency approvers.",{"label":1868,"content":1869},"Do configuration changes count under CC8.1?","Yes. Infrastructure-as-code changes, cloud console changes, and configuration updates to production systems are all in scope. 
Any change that affects the operation of in-scope systems must have an audit trail showing authorization and execution.",{"label":1871,"content":1872},"What evidence do auditors sample for change management?","Auditors typically request a population of changes from the observation period — often pulled from the version control system or CI\u002FCD pipeline — and sample a subset for detailed review, checking approval, testing, and deployment records for each.",{},[1875,1876,1877],"change-management","evidence-collection","audit-trail",[1042,1529,1141],{"title":1880,"description":1881},"SOC 2 Change Management (2026): CC8.1 Controls & Evidence","Build SOC 2 change management under CC8.1. Approval workflows, code review, deployment evidence, and what auditors expect during Type II fieldwork.","5.frameworks\u002Fsoc2\u002Fchange-management","bVL09ezXfNkEgtoU3REimU-aJM0GOoysHiOSAP-mphE",{"id":1885,"title":1886,"body":1887,"description":2573,"extension":578,"faq":1134,"frameworkSlug":631,"lastUpdated":1135,"meta":2574,"navigation":613,"path":444,"relatedTerms":2575,"relatedTopics":2577,"seo":2579,"stem":2582,"__hash__":2583},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fchecklist.md","SOC 2 Compliance Checklist",{"type":29,"value":1888,"toc":2558},[1889,1892,1899,1907,1911,1914,1996,2000,2003,2007,2100,2104,2188,2192,2249,2253,2256,2316,2319,2323,2371,2377,2381,2438,2442,2449,2505,2509,2541,2543],[32,1890,756],{"id":1891},"soc-2-compliance-checklist",[37,1893,1894,1895,1898],{},"Getting ",[44,1896,1897],{"href":614},"SOC 2 compliant"," can feel overwhelming when you look at the full scope of work. Breaking the process into phases makes it manageable. 
This checklist walks through every major step from initial scoping through audit completion, organized so you can track progress and assign ownership.",[37,1900,1901,1902,96,1904,100],{},"Use this as a reference alongside the detailed ",[44,1903,226],{"href":225},[44,1905,1906],{"href":206},"audit process guide",[32,1908,1910],{"id":1909},"phase-1-scoping-and-planning","Phase 1: Scoping and planning",[37,1912,1913],{},"The foundation of a successful SOC 2 program is clear scoping. Mistakes here ripple through every subsequent phase.",[172,1915,1918,1935,1944,1956,1965,1974,1987],{"className":1916},[1917],"contains-task-list",[175,1919,1922,1926,1927,1930,1931,1934],{"className":1920},[1921],"task-list-item",[1923,1924],"input",{"disabled":613,"type":1925},"checkbox"," ",[61,1928,1929],{},"Define the audit objective"," — decide whether to pursue ",[44,1932,1933],{"href":89},"Type I or Type II"," and set a target completion date.",[175,1936,1938,1926,1940,1943],{"className":1937},[1921],[1923,1939],{"disabled":613,"type":1925},[61,1941,1942],{},"Identify in-scope systems"," — list every application, database, cloud service, and third-party tool that stores, processes, or transmits customer data.",[175,1945,1947,1926,1949,1952,1953,149],{"className":1946},[1921],[1923,1948],{"disabled":613,"type":1925},[61,1950,1951],{},"Select Trust Services Criteria"," — security is mandatory. Evaluate whether availability, processing integrity, confidentiality, or privacy apply based on your service commitments. See the ",[44,1954,1955],{"href":54},"Trust Services Criteria guide",[175,1957,1959,1926,1961,1964],{"className":1958},[1921],[1923,1960],{"disabled":613,"type":1925},[61,1962,1963],{},"Identify subservice organizations"," — document any third-party providers (AWS, Stripe, Datadog) that are part of your service delivery and how they are handled in the audit (inclusive vs. 
carve-out method).",[175,1966,1968,1926,1970,1973],{"className":1967},[1921],[1923,1969],{"disabled":613,"type":1925},[61,1971,1972],{},"Assign a project owner"," — designate a compliance lead who owns the timeline, coordinates across teams, and serves as the auditor's primary point of contact.",[175,1975,1977,1926,1979,1982,1983,1986],{"className":1976},[1921],[1923,1978],{"disabled":613,"type":1925},[61,1980,1981],{},"Set a budget"," — use the ",[44,1984,1985],{"href":308},"SOC 2 cost guide"," to estimate auditor fees, tooling, and internal labor.",[175,1988,1990,1926,1992,1995],{"className":1989},[1921],[1923,1991],{"disabled":613,"type":1925},[61,1993,1994],{},"Establish a timeline"," — work backward from your target date and build in buffer for remediation.",[32,1997,1999],{"id":1998},"phase-2-gap-analysis-and-remediation","Phase 2: Gap analysis and remediation",[37,2001,2002],{},"This phase determines how much work stands between your current state and audit readiness.",[112,2004,2006],{"id":2005},"policies-and-documentation","Policies and documentation",[172,2008,2010,2019,2028,2037,2046,2055,2064,2073,2082,2091],{"className":2009},[1917],[175,2011,2013,1926,2015,2018],{"className":2012},[1921],[1923,2014],{"disabled":613,"type":1925},[61,2016,2017],{},"Information security policy"," — a foundational document covering the organization's approach to security, roles, and responsibilities.",[175,2020,2022,1926,2024,2027],{"className":2021},[1921],[1923,2023],{"disabled":613,"type":1925},[61,2025,2026],{},"Acceptable use policy"," — define what employees can and cannot do with company systems and data.",[175,2029,2031,1926,2033,2036],{"className":2030},[1921],[1923,2032],{"disabled":613,"type":1925},[61,2034,2035],{},"Access control policy"," — document how access is granted, reviewed, and revoked.",[175,2038,2040,1926,2042,2045],{"className":2039},[1921],[1923,2041],{"disabled":613,"type":1925},[61,2043,2044],{},"Change management policy"," — describe how 
changes to production systems are proposed, reviewed, approved, and deployed.",[175,2047,2049,1926,2051,2054],{"className":2048},[1921],[1923,2050],{"disabled":613,"type":1925},[61,2052,2053],{},"Incident response plan"," — define how security incidents are detected, reported, contained, and resolved.",[175,2056,2058,1926,2060,2063],{"className":2057},[1921],[1923,2059],{"disabled":613,"type":1925},[61,2061,2062],{},"Business continuity and disaster recovery plan"," — document recovery objectives, procedures, and testing schedules.",[175,2065,2067,1926,2069,2072],{"className":2066},[1921],[1923,2068],{"disabled":613,"type":1925},[61,2070,2071],{},"Vendor management policy"," — describe how third-party risks are assessed and monitored.",[175,2074,2076,1926,2078,2081],{"className":2075},[1921],[1923,2077],{"disabled":613,"type":1925},[61,2079,2080],{},"Data classification policy"," — define sensitivity levels and handling requirements for different data types.",[175,2083,2085,1926,2087,2090],{"className":2084},[1921],[1923,2086],{"disabled":613,"type":1925},[61,2088,2089],{},"Risk assessment procedure"," — document how risks are identified, evaluated, and treated on a regular cadence.",[175,2092,2094,1926,2096,2099],{"className":2093},[1921],[1923,2095],{"disabled":613,"type":1925},[61,2097,2098],{},"Privacy policy"," (if privacy criterion is in scope) — ensure your public privacy notice matches your actual data practices.",[112,2101,2103],{"id":2102},"technical-controls","Technical controls",[172,2105,2107,2116,2125,2134,2143,2152,2161,2170,2179],{"className":2106},[1917],[175,2108,2110,1926,2112,2115],{"className":2109},[1921],[1923,2111],{"disabled":613,"type":1925},[61,2113,2114],{},"Multi-factor authentication"," — enforce MFA on all production systems, cloud consoles, and critical SaaS applications.",[175,2117,2119,1926,2121,2124],{"className":2118},[1921],[1923,2120],{"disabled":613,"type":1925},[61,2122,2123],{},"Single sign-on"," — implement SSO where 
possible to centralize authentication and simplify access reviews.",[175,2126,2128,1926,2130,2133],{"className":2127},[1921],[1923,2129],{"disabled":613,"type":1925},[61,2131,2132],{},"Endpoint management"," — deploy MDM to enforce disk encryption, screen locks, firewall settings, and OS patching.",[175,2135,2137,1926,2139,2142],{"className":2136},[1921],[1923,2138],{"disabled":613,"type":1925},[61,2140,2141],{},"Centralized logging"," — aggregate logs from applications, infrastructure, and security tools into a central platform.",[175,2144,2146,1926,2148,2151],{"className":2145},[1921],[1923,2147],{"disabled":613,"type":1925},[61,2149,2150],{},"Monitoring and alerting"," — configure alerts for anomalous activity, unauthorized access attempts, and system health metrics.",[175,2153,2155,1926,2157,2160],{"className":2154},[1921],[1923,2156],{"disabled":613,"type":1925},[61,2158,2159],{},"Encryption"," — verify encryption at rest and in transit for all customer data stores and communication channels.",[175,2162,2164,1926,2166,2169],{"className":2163},[1921],[1923,2165],{"disabled":613,"type":1925},[61,2167,2168],{},"Network security"," — configure firewalls, security groups, and network segmentation to restrict access to production environments.",[175,2171,2173,1926,2175,2178],{"className":2172},[1921],[1923,2174],{"disabled":613,"type":1925},[61,2176,2177],{},"Vulnerability management"," — implement automated vulnerability scanning and a process for triaging and remediating findings.",[175,2180,2182,1926,2184,2187],{"className":2181},[1921],[1923,2183],{"disabled":613,"type":1925},[61,2185,2186],{},"Backup and recovery"," — configure automated backups, verify restoration procedures, and document retention schedules.",[112,2189,2191],{"id":2190},"people-and-processes","People and 
processes",[172,2193,2195,2204,2213,2222,2231,2240],{"className":2194},[1917],[175,2196,2198,1926,2200,2203],{"className":2197},[1921],[1923,2199],{"disabled":613,"type":1925},[61,2201,2202],{},"Background checks"," — perform background checks on new hires, especially those with access to customer data or production systems.",[175,2205,2207,1926,2209,2212],{"className":2206},[1921],[1923,2208],{"disabled":613,"type":1925},[61,2210,2211],{},"Security awareness training"," — deliver annual training covering phishing, social engineering, data handling, and incident reporting. Track completion.",[175,2214,2216,1926,2218,2221],{"className":2215},[1921],[1923,2217],{"disabled":613,"type":1925},[61,2219,2220],{},"Onboarding procedures"," — document how new employees receive access, equipment, and policy acknowledgments.",[175,2223,2225,1926,2227,2230],{"className":2224},[1921],[1923,2226],{"disabled":613,"type":1925},[61,2228,2229],{},"Offboarding procedures"," — document how access is revoked, equipment is recovered, and accounts are deactivated when employees leave.",[175,2232,2234,1926,2236,2239],{"className":2233},[1921],[1923,2235],{"disabled":613,"type":1925},[61,2237,2238],{},"Quarterly access reviews"," — establish a recurring process for reviewing who has access to what and removing stale accounts.",[175,2241,2243,1926,2245,2248],{"className":2242},[1921],[1923,2244],{"disabled":613,"type":1925},[61,2246,2247],{},"Risk assessment"," — conduct a formal risk assessment at least annually and document the results and treatment decisions.",[32,2250,2252],{"id":2251},"phase-3-evidence-collection","Phase 3: Evidence collection",[37,2254,2255],{},"Evidence is the proof that your controls are not just designed but actually operating. 
Start collecting early — do not wait for the auditor to ask.",[172,2257,2259,2268,2277,2286,2295,2304],{"className":2258},[1917],[175,2260,2262,1926,2264,2267],{"className":2261},[1921],[1923,2263],{"disabled":613,"type":1925},[61,2265,2266],{},"Create an evidence inventory"," — for each control, document what evidence demonstrates it is working (screenshots, exports, logs, tickets).",[175,2269,2271,1926,2273,2276],{"className":2270},[1921],[1923,2272],{"disabled":613,"type":1925},[61,2274,2275],{},"Assign evidence owners"," — each piece of evidence should have a named person responsible for collecting and refreshing it.",[175,2278,2280,1926,2282,2285],{"className":2279},[1921],[1923,2281],{"disabled":613,"type":1925},[61,2283,2284],{},"Set collection cadences"," — some evidence is collected once (policies), while other evidence recurs (quarterly access reviews, monthly vulnerability scans).",[175,2287,2289,1926,2291,2294],{"className":2288},[1921],[1923,2290],{"disabled":613,"type":1925},[61,2292,2293],{},"Establish naming conventions"," — consistent file naming makes it easy for auditors to find what they need.",[175,2296,2298,1926,2300,2303],{"className":2297},[1921],[1923,2299],{"disabled":613,"type":1925},[61,2301,2302],{},"Store evidence securely"," — use a structured evidence locker with access controls, not a shared Google Drive folder.",[175,2305,2307,1926,2309,2312,2313,2315],{"className":2306},[1921],[1923,2308],{"disabled":613,"type":1925},[61,2310,2311],{},"Test evidence completeness"," — before the audit, review your evidence inventory against the ",[44,2314,226],{"href":225}," to identify gaps.",[37,2317,2318],{},"For a Type II engagement, evidence must span the entire observation period. 
A control that was implemented halfway through the period will result in an exception for the uncovered months.",[32,2320,2322],{"id":2321},"phase-4-auditor-selection-and-engagement","Phase 4: Auditor selection and engagement",[172,2324,2326,2335,2344,2353,2362],{"className":2325},[1917],[175,2327,2329,1926,2331,2334],{"className":2328},[1921],[1923,2330],{"disabled":613,"type":1925},[61,2332,2333],{},"Research CPA firms"," — identify two to four firms with SOC 2 experience relevant to your company size and industry.",[175,2336,2338,1926,2340,2343],{"className":2337},[1921],[1923,2339],{"disabled":613,"type":1925},[61,2341,2342],{},"Request proposals"," — compare scope, pricing, timeline, and communication approach.",[175,2345,2347,1926,2349,2352],{"className":2346},[1921],[1923,2348],{"disabled":613,"type":1925},[61,2350,2351],{},"Check references"," — talk to other companies that have worked with each firm.",[175,2354,2356,1926,2358,2361],{"className":2355},[1921],[1923,2357],{"disabled":613,"type":1925},[61,2359,2360],{},"Negotiate and sign the engagement letter"," — confirm scope, criteria, observation period (for Type II), fees, and timeline.",[175,2363,2365,1926,2367,2370],{"className":2364},[1921],[1923,2366],{"disabled":613,"type":1925},[61,2368,2369],{},"Schedule kickoff"," — align your team's availability with the auditor's timeline.",[37,2372,2373,2374,2376],{},"See the ",[44,2375,1906],{"href":206}," for what to expect during each stage of the engagement.",[32,2378,2380],{"id":2379},"phase-5-audit-execution","Phase 5: Audit execution",[172,2382,2384,2393,2402,2411,2420,2429],{"className":2383},[1917],[175,2385,2387,1926,2389,2392],{"className":2386},[1921],[1923,2388],{"disabled":613,"type":1925},[61,2390,2391],{},"Attend the kickoff meeting"," — review scope, criteria, and the auditor's request list with your team.",[175,2394,2396,1926,2398,2401],{"className":2395},[1921],[1923,2397],{"disabled":613,"type":1925},[61,2399,2400],{},"Fulfill evidence 
requests"," — respond to auditor requests promptly. Delayed responses are the number one cause of audit timeline slippage.",[175,2403,2405,1926,2407,2410],{"className":2404},[1921],[1923,2406],{"disabled":613,"type":1925},[61,2408,2409],{},"Prepare control owners for interviews"," — auditors will conduct walkthroughs with the people who operate each control. Ensure they can explain what they do and why.",[175,2412,2414,1926,2416,2419],{"className":2413},[1921],[1923,2415],{"disabled":613,"type":1925},[61,2417,2418],{},"Track open items"," — maintain a running list of auditor questions, outstanding requests, and items pending resolution.",[175,2421,2423,1926,2425,2428],{"className":2422},[1921],[1923,2424],{"disabled":613,"type":1925},[61,2426,2427],{},"Review draft findings"," — if the auditor identifies exceptions or gaps, understand the impact and discuss remediation options.",[175,2430,2432,1926,2434,2437],{"className":2431},[1921],[1923,2433],{"disabled":613,"type":1925},[61,2435,2436],{},"Review the draft report"," — check the system description for accuracy and ensure the report reflects your environment correctly.",[32,2439,2441],{"id":2440},"phase-6-post-audit-and-continuous-monitoring","Phase 6: Post-audit and continuous monitoring",[37,2443,2444,2445,2448],{},"The audit is complete, but ",[44,2446,658],{"href":2447},"\u002Fglossary\u002Fsoc2"," is an ongoing commitment.",[172,2450,2452,2460,2469,2478,2487,2496],{"className":2451},[1917],[175,2453,2455,1926,2457,2459],{"className":2454},[1921],[1923,2456],{"disabled":613,"type":1925},[61,2458,1029],{}," — share under NDA with customers and prospects through a trust center or compliance portal.",[175,2461,2463,1926,2465,2468],{"className":2462},[1921],[1923,2464],{"disabled":613,"type":1925},[61,2466,2467],{},"Remediate exceptions"," — address any findings from the audit and document corrective 
actions.",[175,2470,2472,1926,2474,2477],{"className":2471},[1921],[1923,2473],{"disabled":613,"type":1925},[61,2475,2476],{},"Plan the next period"," — schedule the next observation period to begin immediately after the current one ends to avoid coverage gaps.",[175,2479,2481,1926,2483,2486],{"className":2480},[1921],[1923,2482],{"disabled":613,"type":1925},[61,2484,2485],{},"Maintain continuous monitoring"," — keep collecting evidence, reviewing controls, and updating policies on the cadences you established.",[175,2488,2490,1926,2492,2495],{"className":2489},[1921],[1923,2491],{"disabled":613,"type":1925},[61,2493,2494],{},"Conduct an internal retrospective"," — document what went well, what caused delays, and what to improve for the next cycle.",[175,2497,2499,1926,2501,2504],{"className":2498},[1921],[1923,2500],{"disabled":613,"type":1925},[61,2502,2503],{},"Update risk assessments"," — incorporate lessons learned from the audit and any changes to the business or threat landscape.",[32,2506,2508],{"id":2507},"tips-for-staying-on-track","Tips for staying on track",[210,2510,2511,2517,2523,2529,2535],{},[175,2512,2513,2516],{},[61,2514,2515],{},"Start early"," — give yourself at least three months of preparation time before the audit. Six months is better for a first-time engagement.",[175,2518,2519,2522],{},[61,2520,2521],{},"Assign clear ownership"," — every control, policy, and evidence item should have a named owner, not a team.",[175,2524,2525,2528],{},[61,2526,2527],{},"Automate what you can"," — manual evidence collection is the biggest time sink. Automation reduces errors and frees your team.",[175,2530,2531,2534],{},[61,2532,2533],{},"Communicate broadly"," — SOC 2 is not just a security team project. Engineering, HR, IT, and legal all have roles to play.",[175,2536,2537,2540],{},[61,2538,2539],{},"Use a single source of truth"," — scattered spreadsheets and documents lead to confusion. 
Centralize everything in one platform.",[32,2542,1101],{"id":1100},[37,2544,2545,2546,2548,2549,2552,2553,2557],{},"episki turns this checklist into a live workspace. Every item above is pre-loaded as an actionable task with ownership, due dates, and linked evidence requirements. The platform maps your controls to ",[44,2547,55],{"href":54}," automatically, tracks evidence freshness, and surfaces gaps before your auditor finds them. Instead of managing SOC 2 in spreadsheets, you get a structured system that keeps your entire team aligned. ",[44,2550,538],{"href":535,"rel":2551},[537]," and see the full SOC 2 checklist in action, or ",[44,2554,2556],{"href":2555},"\u002Fcompare\u002Fsprinto","compare episki to Sprinto"," to see how the approaches differ.",{"title":546,"searchDepth":547,"depth":547,"links":2559},[2560,2561,2562,2567,2568,2569,2570,2571,2572],{"id":1891,"depth":547,"text":756},{"id":1909,"depth":547,"text":1910},{"id":1998,"depth":547,"text":1999,"children":2563},[2564,2565,2566],{"id":2005,"depth":554,"text":2006},{"id":2102,"depth":554,"text":2103},{"id":2190,"depth":554,"text":2191},{"id":2251,"depth":547,"text":2252},{"id":2321,"depth":547,"text":2322},{"id":2379,"depth":547,"text":2380},{"id":2440,"depth":547,"text":2441},{"id":2507,"depth":547,"text":2508},{"id":1100,"depth":547,"text":1101},"An actionable SOC 2 compliance checklist organized by phase, covering everything from scoping through audit completion and continuous monitoring.",{},[631,1138,2576],"isms",[1141,2578,1142],"audit-process",{"title":2580,"description":2581},"SOC 2 Compliance Checklist — Actionable Steps for 2026","Use this phased SOC 2 compliance checklist to go from scoping to audit-ready. 
Covers policies, technical controls, evidence collection, and audit prep.","5.frameworks\u002Fsoc2\u002Fchecklist","7Pn1WQfPyCT_rxQqS2NkwzXHj2f0VIrdIWfUJuCTV3w",{"id":2585,"title":2586,"body":2587,"description":3034,"extension":578,"faq":3035,"frameworkSlug":631,"lastUpdated":1135,"meta":3052,"navigation":613,"path":147,"relatedTerms":3053,"relatedTopics":3055,"seo":3058,"stem":3061,"__hash__":3062},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fconfidentiality-criteria.md","SOC 2 Confidentiality Criteria",{"type":29,"value":2588,"toc":3014},[2589,2593,2599,2602,2606,2611,2625,2628,2632,2635,2639,2642,2703,2710,2714,2717,2734,2737,2741,2744,2776,2787,2791,2794,2808,2812,2815,2819,2845,2849,2852,2866,2869,2871,2874,2902,2905,2907,2910,2918,2920,2923,2946,2948,2980,2982,3002,3004],[32,2590,2592],{"id":2591},"confidentiality-is-the-criterion-customers-request-but-rarely-understand","Confidentiality is the criterion customers request but rarely understand",[37,2594,2595,2596,2598],{},"The confidentiality Trust Services Criterion is one of the more commonly misunderstood parts of ",[44,2597,658],{"href":614},". Customers ask for it during due diligence — \"we need a report that includes confidentiality\" — without always knowing how it differs from security or privacy. This page clears that up, walks through the C1 series controls, and explains the evidence auditors expect.",[37,2600,2601],{},"Confidentiality applies when information has been designated confidential — by contract, NDA, policy, or regulation. It is distinct from personal information, which falls under the privacy criterion. 
If your customers entrust you with intellectual property, business plans, negotiation data, source code, or other sensitive non-personal information, the confidentiality criterion belongs in your audit.",[32,2603,2605],{"id":2604},"what-the-confidentiality-criterion-covers","What the confidentiality criterion covers",[37,2607,107,2608,2610],{},[44,2609,55],{"href":54}," define confidentiality as \"information designated as confidential is protected to meet the entity's objectives.\" Confidentiality has two dedicated control categories in the C1 series, plus heavy overlap with the Common Criteria, especially CC6 (access control).",[172,2612,2613,2619],{},[175,2614,2615,2618],{},[61,2616,2617],{},"C1.1"," — The entity identifies and maintains confidential information to meet the entity's objectives related to confidentiality.",[175,2620,2621,2624],{},[61,2622,2623],{},"C1.2"," — The entity disposes of confidential information to meet the entity's objectives related to confidentiality.",[37,2626,2627],{},"These two controls frame the confidentiality lifecycle: identify what is confidential, handle it appropriately, and dispose of it securely when the obligation ends.",[32,2629,2631],{"id":2630},"c11-identification-and-handling-of-confidential-information","C1.1 — Identification and handling of confidential information",[37,2633,2634],{},"C1.1 requires that the organization knows what is confidential and handles it consistently with that designation. The core expectations are classification, access restriction, and protection.",[112,2636,2638],{"id":2637},"data-classification","Data classification",[37,2640,2641],{},"A data classification policy defines the sensitivity tiers used by the organization. 
A common structure:",[859,2643,2644,2657],{},[862,2645,2646],{},[865,2647,2648,2651,2654],{},[868,2649,2650],{},"Tier",[868,2652,2653],{},"Description",[868,2655,2656],{},"Example",[875,2658,2659,2670,2681,2692],{},[865,2660,2661,2664,2667],{},[880,2662,2663],{},"Public",[880,2665,2666],{},"No restrictions",[880,2668,2669],{},"Marketing material, published documentation",[865,2671,2672,2675,2678],{},[880,2673,2674],{},"Internal",[880,2676,2677],{},"For internal use",[880,2679,2680],{},"Internal policies, team rosters",[865,2682,2683,2686,2689],{},[880,2684,2685],{},"Confidential",[880,2687,2688],{},"Restricted to need-to-know",[880,2690,2691],{},"Customer data, unreleased product plans, source code",[865,2693,2694,2697,2700],{},[880,2695,2696],{},"Highly confidential",[880,2698,2699],{},"Strict access controls and auditing",[880,2701,2702],{},"M&A data, authentication secrets, personal financial data",[37,2704,2705,2706,100],{},"The tiers are not prescribed by SOC 2. What matters is that the policy is documented, tiers have handling requirements, and employees know how to classify their work. See ",[44,2707,2709],{"href":2708},"\u002Fglossary\u002Fdata-classification","data classification",[112,2711,2713],{"id":2712},"access-restrictions-aligned-to-classification","Access restrictions aligned to classification",[37,2715,2716],{},"Access controls must enforce the classification scheme. Typical controls:",[172,2718,2719,2722,2725,2728,2731],{},[175,2720,2721],{},"Role-based access with least-privilege defaults",[175,2723,2724],{},"Additional review or approval for highly confidential data",[175,2726,2727],{},"Periodic access reviews scoped to confidential systems",[175,2729,2730],{},"Logging of access to confidential data",[175,2732,2733],{},"Segmentation or tokenization where possible",[37,2735,2736],{},"These overlap with CC6 access control requirements but must be tested against the classification policy. 
Auditors may request a sample of users with access to confidential systems and verify that the access aligns with documented roles.",[112,2738,2740],{"id":2739},"technical-protection-of-confidential-data","Technical protection of confidential data",[37,2742,2743],{},"Specific technical controls include:",[172,2745,2746,2752,2758,2764,2770],{},[175,2747,2748,2751],{},[61,2749,2750],{},"Encryption at rest",": confidential data encrypted on storage media, with managed keys",[175,2753,2754,2757],{},[61,2755,2756],{},"Encryption in transit",": TLS for all confidential data moving between systems",[175,2759,2760,2763],{},[61,2761,2762],{},"Key management",": keys rotated, access to key management restricted and audited",[175,2765,2766,2769],{},[61,2767,2768],{},"DLP and monitoring",": detection for unauthorized movement of confidential data",[175,2771,2772,2775],{},[61,2773,2774],{},"Endpoint protections",": disk encryption on devices that may hold confidential data",[37,2777,1352,2778,96,2782,2786],{},[44,2779,2781],{"href":2780},"\u002Fglossary\u002Fencryption","encryption",[44,2783,2785],{"href":2784},"\u002Fglossary\u002Fkey-management","key management"," for related glossary terms.",[112,2788,2790],{"id":2789},"contractual-and-policy-protections","Contractual and policy protections",[37,2792,2793],{},"Technical controls sit on top of policy and contract. 
The organization must have:",[172,2795,2796,2799,2802,2805],{},[175,2797,2798],{},"Confidentiality agreements with employees",[175,2800,2801],{},"Confidentiality agreements with contractors and vendors",[175,2803,2804],{},"Customer contracts that designate data as confidential and set handling obligations",[175,2806,2807],{},"An acceptable use policy that addresses confidential information",[32,2809,2811],{"id":2810},"c12-secure-disposal-of-confidential-information","C1.2 — Secure disposal of confidential information",[37,2813,2814],{},"C1.2 addresses what happens when confidential information is no longer needed or the confidentiality obligation ends. Secure disposal is often overlooked until audit time.",[112,2816,2818],{"id":2817},"disposal-methods","Disposal methods",[172,2820,2821,2827,2833,2839],{},[175,2822,2823,2826],{},[61,2824,2825],{},"Logical deletion with cryptographic erasure",": encryption keys destroyed so encrypted data becomes unrecoverable",[175,2828,2829,2832],{},[61,2830,2831],{},"Data purging",": secure deletion from databases, storage, and caches",[175,2834,2835,2838],{},[61,2836,2837],{},"Physical destruction",": for media that cannot be sanitized digitally (old disks, paper)",[175,2840,2841,2844],{},[61,2842,2843],{},"Vendor certificates of destruction",": when third parties destroy data on your behalf",[112,2846,2848],{"id":2847},"retention-and-decommissioning-procedures","Retention and decommissioning procedures",[37,2850,2851],{},"Disposal requires that you know when to dispose. Retention schedules specify how long different data types are kept. 
Decommissioning procedures specify what happens to data when:",[172,2853,2854,2857,2860,2863],{},[175,2855,2856],{},"A customer terminates their contract",[175,2858,2859],{},"An employee leaves the organization",[175,2861,2862],{},"A system is retired",[175,2864,2865],{},"A vendor relationship ends",[37,2867,2868],{},"A decommissioning runbook reduces the risk that confidential data lingers in deprecated systems.",[32,2870,1365],{"id":1364},[37,2872,2873],{},"Confidentiality depends heavily on Common Criteria controls.",[172,2875,2876,2882,2888,2894],{},[175,2877,2878,2881],{},[61,2879,2880],{},"CC6 (access control)"," — classification drives access decisions",[175,2883,2884,2887],{},[61,2885,2886],{},"CC7 (system operations)"," — logging and monitoring detect unauthorized access to, or movement of, confidential data",[175,2889,2890,2893],{},[61,2891,2892],{},"CC9 (risk mitigation)"," — vendor relationships involving confidential data",[175,2895,2896,2898,2899],{},[61,2897,153],{}," — personal data is a subset; controls overlap significantly with ",[44,2900,2901],{"href":159},"privacy criteria",[37,2903,2904],{},"A mature SOC 2 program maps each control to every criterion it satisfies, so a single encryption control contributes to security, confidentiality, and privacy without duplicating work.",[32,2906,1407],{"id":1406},[37,2908,2909],{},"Confidentiality is a natural addition when customers share sensitive data under NDA or when the organization processes intellectual property. It also pairs with the security criterion almost mechanically — most security controls contribute to confidentiality. Adding confidentiality to scope rarely requires dramatic new work; it requires deliberate mapping, classification, and disposal discipline.",[37,2911,2912,2913,2917],{},"The challenge during Type II is demonstrating operation across the observation period. Classification must be applied consistently, access reviews must include confidential systems, and disposal must be documented. 
See ",[44,2914,2916],{"href":2915},"\u002Fframeworks\u002Fsoc2\u002Fpolicies-and-procedures","policies and procedures"," for how to anchor the program in written commitments.",[32,2919,1676],{"id":1675},[37,2921,2922],{},"Typical fieldwork requests for the confidentiality criterion:",[172,2924,2925,2928,2931,2934,2937,2940,2943],{},[175,2926,2927],{},"Data classification policy and examples of classified assets",[175,2929,2930],{},"Confidentiality agreements (sample of executed NDAs)",[175,2932,2933],{},"Access control configuration for confidential systems",[175,2935,2936],{},"Encryption configuration (algorithms, key management)",[175,2938,2939],{},"Disposal procedures and records of disposals during the period",[175,2941,2942],{},"Customer contract samples showing confidentiality obligations",[175,2944,2945],{},"Vendor contracts with confidentiality clauses where relevant",[32,2947,1417],{"id":1416},[172,2949,2950,2956,2962,2968,2974],{},[175,2951,2952,2955],{},[61,2953,2954],{},"Classification without enforcement."," Policy defines tiers but systems treat everything the same. Auditors will notice.",[175,2957,2958,2961],{},[61,2959,2960],{},"Missing disposal records."," Data is deleted but no record is kept. Without evidence, the disposal did not happen from the audit's perspective.",[175,2963,2964,2967],{},[61,2965,2966],{},"NDA-only approach."," Relying on contracts without technical controls leaves confidential data exposed.",[175,2969,2970,2973],{},[61,2971,2972],{},"Vendor gaps."," Confidential data flows to vendors without corresponding contract language or monitoring.",[175,2975,2976,2979],{},[61,2977,2978],{},"Overly narrow scope."," Confidential data lives in systems that are excluded from SOC 2 scope. Include them.",[32,2981,1453],{"id":1452},[172,2983,2984,2987,2993,2996,2999],{},[175,2985,2986],{},"Classify data in the tools where it lives — databases, document stores, file shares. 
Centralized classification tags drive downstream controls.",[175,2988,2989,2990,2992],{},"Tie confidentiality to your ",[44,2991,353],{"href":352}," process. High-tier data flows require vetted vendors.",[175,2994,2995],{},"Automate secure deletion when possible. Scheduled jobs that purge expired data produce cleaner evidence than ad hoc deletions.",[175,2997,2998],{},"Include confidentiality acknowledgment in employee onboarding and annual training.",[175,3000,3001],{},"Run a quarterly review of who has access to the most sensitive classification tier. Tighten aggressively.",[32,3003,1101],{"id":1100},[37,3005,3006,3007,3010,3011,3013],{},"episki maps C1.1 and C1.2 controls to your data classification, access, encryption, and disposal tooling, collecting evidence continuously so the confidentiality story is always current. ",[44,3008,538],{"href":535,"rel":3009},[537]," or explore the broader ",[44,3012,1482],{"href":614}," to see how confidentiality integrates with security and privacy.",{"title":546,"searchDepth":547,"depth":547,"links":3015},[3016,3017,3018,3024,3028,3029,3030,3031,3032,3033],{"id":2591,"depth":547,"text":2592},{"id":2604,"depth":547,"text":2605},{"id":2630,"depth":547,"text":2631,"children":3019},[3020,3021,3022,3023],{"id":2637,"depth":554,"text":2638},{"id":2712,"depth":554,"text":2713},{"id":2739,"depth":554,"text":2740},{"id":2789,"depth":554,"text":2790},{"id":2810,"depth":547,"text":2811,"children":3025},[3026,3027],{"id":2817,"depth":554,"text":2818},{"id":2847,"depth":554,"text":2848},{"id":1364,"depth":547,"text":1365},{"id":1406,"depth":547,"text":1407},{"id":1675,"depth":547,"text":1676},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"Deep dive on the SOC 2 Confidentiality Trust Services Criterion. 
C1 series controls, data classification, NDAs, encryption, and secure disposal.",{"items":3036},[3037,3040,3043,3046,3049],{"label":3038,"content":3039},"When should I include the confidentiality criterion in my SOC 2?","Include confidentiality when you handle information designated as confidential by contract, NDA, or regulation — beyond what the security criterion already covers. Common triggers include processing intellectual property, business plans, M&A data, or competitively sensitive customer data.",{"label":3041,"content":3042},"What is the difference between confidentiality and privacy in SOC 2?","Confidentiality addresses information that the organization has designated as confidential — often non-personal, such as trade secrets. Privacy addresses personal information — data that identifies individuals. A single control (like encryption) may support both criteria, but the scope and legal context differ.",{"label":3044,"content":3045},"Is encryption required for the confidentiality criterion?","The criterion does not mandate specific technologies, but encryption at rest and in transit is the standard expectation. Auditors who find confidential data unencrypted without compensating controls generally flag the gap.",{"label":3047,"content":3048},"Do NDAs satisfy the confidentiality criterion?","NDAs are one part of it. Confidentiality also requires technical controls, data classification, access restrictions, and secure disposal. An NDA without enforcing technical controls is a paper commitment, not a SOC 2 control.",{"label":3050,"content":3051},"What is secure disposal under the confidentiality criterion?","Secure disposal means confidential data is rendered unrecoverable when it is no longer needed or when the confidentiality obligation ends. 
This includes cryptographic erasure, physical destruction of media, and documented decommissioning procedures.",{},[2637,2781,631,3054],"key-management",[1529,3056,3057],"policies-and-procedures","privacy-criteria",{"title":3059,"description":3060},"SOC 2 Confidentiality Criteria (2026): C1 Controls Deep Dive","Master the SOC 2 Confidentiality criterion. C1.1 identification of confidential information, C1.2 disposal, data classification, and NDAs.","5.frameworks\u002Fsoc2\u002Fconfidentiality-criteria","KpgfmJIQcxxBzNlyBGX0EAxONBAu57e2ELpmcvFlBW8",{"id":3064,"title":3065,"body":3066,"description":3337,"extension":578,"faq":3338,"frameworkSlug":631,"lastUpdated":1135,"meta":3355,"navigation":613,"path":1400,"relatedTerms":3356,"relatedTopics":3358,"seo":3359,"stem":3362,"__hash__":3363},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fcontinuous-monitoring.md","SOC 2 Continuous Monitoring",{"type":29,"value":3067,"toc":3321},[3068,3072,3078,3081,3085,3090,3122,3125,3129,3132,3135,3147,3151,3154,3158,3161,3165,3168,3172,3175,3178,3195,3198,3202,3205,3208,3234,3236,3248,3251,3253,3285,3287,3309,3311],[32,3069,3071],{"id":3070},"continuous-monitoring-is-where-soc-2-type-ii-is-won-or-lost","Continuous monitoring is where SOC 2 Type II is won or lost",[37,3073,3074,3075,3077],{},"Continuous monitoring is the SOC 2 control category that separates programs that pass Type II audits cleanly from those that scramble during fieldwork. A ",[44,3076,658],{"href":614}," Type II engagement tests whether your controls operated effectively across an observation period of three to twelve months. Controls that depend on human attention — someone remembering to check a dashboard, review a log, or investigate an alert — fail consistently without automation. 
Continuous monitoring fixes this by making detection, logging, and alerting a property of the system rather than a task on someone's to-do list.",[37,3079,3080],{},"Auditors look for evidence that monitoring actually ran throughout the period, not just that tools were installed. That means alert history, triage tickets, incident records, and log retention sufficient to reconstruct what happened on any given day.",[32,3082,3084],{"id":3083},"what-soc-2-means-by-continuous-monitoring","What SOC 2 means by continuous monitoring",[37,3086,107,3087,3089],{},[44,3088,55],{"href":54}," address monitoring across several control categories. The most direct references are in the CC7 series, which covers system operations.",[172,3091,3092,3098,3104,3110,3116],{},[175,3093,3094,3097],{},[61,3095,3096],{},"CC7.1"," — The entity uses detection and monitoring procedures to identify changes to configurations that result in the introduction of new vulnerabilities and susceptibilities to newly discovered vulnerabilities.",[175,3099,3100,3103],{},[61,3101,3102],{},"CC7.2"," — The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity's ability to meet its objectives.",[175,3105,3106,3109],{},[61,3107,3108],{},"CC7.3"," — The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents).",[175,3111,3112,3115],{},[61,3113,3114],{},"CC7.4"," — The entity responds to identified security incidents by executing a defined incident response program.",[175,3117,3118,3121],{},[61,3119,3120],{},"CC7.5"," — The entity identifies, develops, and implements activities to recover from identified security incidents.",[37,3123,3124],{},"CC4 also addresses monitoring activities at a higher level, requiring ongoing evaluations to verify controls are present and functioning. 
Together these criteria frame continuous monitoring as a closed loop: detect, evaluate, respond, recover, and verify.",[32,3126,3128],{"id":3127},"the-building-blocks-of-a-soc-2-monitoring-program","The building blocks of a SOC 2 monitoring program",[37,3130,3131],{},"A credible continuous monitoring program has four components.",[112,3133,2141],{"id":3134},"centralized-logging",[37,3136,3137,3138,96,3142,3146],{},"All security-relevant logs from infrastructure, applications, identity providers, and endpoints are forwarded to a central system. The central system is typically a SIEM or a log aggregation platform with search and alerting. Auditors expect to see that logs are collected from every in-scope system and retained for the full observation period. See ",[44,3139,3141],{"href":3140},"\u002Fglossary\u002Flog-management","log management",[44,3143,3145],{"href":3144},"\u002Fglossary\u002Fevidence-collection","evidence collection"," for related glossary definitions.",[112,3148,3150],{"id":3149},"alert-definitions","Alert definitions",[37,3152,3153],{},"Alerts are configured to fire when conditions indicate a potential security event — a failed login burst, a privilege escalation, an unusual data export, a change to production made outside the normal pipeline. Alert definitions should be documented and version-controlled so the auditor can see what conditions triggered alerts across the period.",[112,3155,3157],{"id":3156},"triage-and-response","Triage and response",[37,3159,3160],{},"Every alert produces an action. Either it is investigated and closed as a false positive with a note, or it is escalated to an incident. Either outcome must be documented. 
Auditors sample alerts from across the period and expect to see evidence of triage — a ticket, a comment, a status change.",[112,3162,3164],{"id":3163},"metrics-and-reporting","Metrics and reporting",[37,3166,3167],{},"Coverage metrics answer the question \"how do you know monitoring is working?\" Examples include the percentage of in-scope systems forwarding logs, the mean time to acknowledge alerts, and the volume of incidents declared. Reporting these metrics to leadership demonstrates the monitoring program is real, not a checkbox.",[32,3169,3171],{"id":3170},"automated-evidence-collection","Automated evidence collection",[37,3173,3174],{},"Evidence is the currency of SOC 2. The more you can generate and retain automatically, the less your team scrambles during fieldwork.",[37,3176,3177],{},"Examples of evidence a well-run continuous monitoring program produces without human intervention:",[172,3179,3180,3183,3186,3189,3192],{},[175,3181,3182],{},"Daily log ingestion reports confirming every source is active",[175,3184,3185],{},"Weekly alert summaries with triage disposition",[175,3187,3188],{},"Monthly access anomaly reports",[175,3190,3191],{},"Quarterly vulnerability scan results",[175,3193,3194],{},"Continuous configuration drift alerts against baseline",[37,3196,3197],{},"A compliance automation platform can ingest this evidence on a schedule, tag it to the relevant controls, and make it available to the auditor on request. This is where platforms like episki and its competitors add the most value — removing the manual work of gathering artifacts that already exist elsewhere.",[32,3199,3201],{"id":3200},"alerting-patterns-that-survive-auditor-scrutiny","Alerting patterns that survive auditor scrutiny",[37,3203,3204],{},"Not every alert belongs in SOC 2 scope. Alerts that map to controls and get acted on are valuable. 
Alerts that are ignored become exceptions.",[37,3206,3207],{},"A practical approach:",[172,3209,3210,3216,3222,3228],{},[175,3211,3212,3215],{},[61,3213,3214],{},"Tier alerts by severity."," High-severity alerts page an on-call engineer. Medium-severity alerts create tickets. Low-severity alerts aggregate into daily reports.",[175,3217,3218,3221],{},[61,3219,3220],{},"Tune for signal."," False positive rates above fifty percent degrade the entire program. Spend the time to filter noise out of the alert stream.",[175,3223,3224,3227],{},[61,3225,3226],{},"Document runbooks."," Every alert should have a runbook describing the expected response. Auditors may ask to see the runbook alongside the alert history.",[175,3229,3230,3233],{},[61,3231,3232],{},"Review alert inventory quarterly."," Systems change. Alerts that made sense a year ago may be stale. A documented review shows auditors the program is being maintained.",[32,3235,1407],{"id":1406},[37,3237,3238,3239,3241,3242,3244,3245,3247],{},"Continuous monitoring is one of the most evidence-rich control areas in the entire SOC 2 audit. It generates continuous artifacts across the observation period, which auditors sample aggressively during Type II testing. Strong monitoring programs often reduce exceptions in adjacent areas: ",[44,3240,375],{"href":374}," is easier when alerts are credible, ",[44,3243,1709],{"href":363}," benefits when unauthorized changes trigger alerts, and ",[44,3246,353],{"href":352}," improves when third-party access is monitored alongside internal systems.",[37,3249,3250],{},"Monitoring also plays directly into the availability criterion when applicable. Capacity alerts, uptime monitoring, and performance thresholds are the backbone of availability controls.",[32,3252,1417],{"id":1416},[172,3254,3255,3261,3267,3273,3279],{},[175,3256,3257,3260],{},[61,3258,3259],{},"Tools without ownership."," A SIEM deployed but not triaged is worse than no SIEM at all. 
Auditors will ask who owns alert response and expect a clear answer.",[175,3262,3263,3266],{},[61,3264,3265],{},"Missing log sources."," In-scope systems that are not forwarding logs create evidence gaps. Keep an inventory of all systems in scope and verify each is reporting.",[175,3268,3269,3272],{},[61,3270,3271],{},"Insufficient retention."," Logs purged at ninety days do not cover a twelve-month Type II observation period. Verify retention before the period starts, not when the auditor asks.",[175,3274,3275,3278],{},[61,3276,3277],{},"Alert fatigue."," Engineers who ignore alerts will miss real incidents. Invest in tuning before the observation period begins.",[175,3280,3281,3284],{},[61,3282,3283],{},"No link between alerts and incidents."," Auditors look for the connection between an alert firing and an incident ticket. If that chain is broken, the control looks theoretical.",[32,3286,1453],{"id":1452},[172,3288,3289,3292,3295,3298,3301],{},[175,3290,3291],{},"Use your compliance platform to tag each monitoring control with the log source, alert definition, and responsible owner. This single view prevents drift.",[175,3293,3294],{},"Run a quarterly tabletop that traces a simulated incident from alert to resolution. Document the exercise and use it as evidence.",[175,3296,3297],{},"Retain at least thirteen months of security logs to cover a full observation period plus fieldwork.",[175,3299,3300],{},"Pull a sample of alerts monthly and verify each was triaged. Catch gaps before the auditor does.",[175,3302,3303,3304,3308],{},"Map monitoring coverage to your ",[44,3305,3307],{"href":3306},"\u002Fglossary\u002Frisk-register","risk register"," so leadership sees where the program is strongest and weakest.",[32,3310,1101],{"id":1100},[37,3312,3313,3314,3317,3318,3320],{},"episki centralizes continuous monitoring evidence by pulling alert history, triage records, and log coverage metrics from your tools and mapping them to the SOC 2 controls they support. 
",[44,3315,538],{"href":535,"rel":3316},[537]," or review the full ",[44,3319,1837],{"href":614}," to see continuous monitoring as part of an end-to-end compliance program.",{"title":546,"searchDepth":547,"depth":547,"links":3322},[3323,3324,3325,3331,3332,3333,3334,3335,3336],{"id":3070,"depth":547,"text":3071},{"id":3083,"depth":547,"text":3084},{"id":3127,"depth":547,"text":3128,"children":3326},[3327,3328,3329,3330],{"id":3134,"depth":554,"text":2141},{"id":3149,"depth":554,"text":3150},{"id":3156,"depth":554,"text":3157},{"id":3163,"depth":554,"text":3164},{"id":3170,"depth":547,"text":3171},{"id":3200,"depth":547,"text":3201},{"id":1406,"depth":547,"text":1407},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"How continuous monitoring satisfies SOC 2 CC7 requirements. Automated evidence collection, alerting patterns, and common pitfalls to avoid.",{"items":3339},[3340,3343,3346,3349,3352],{"label":3341,"content":3342},"What does continuous monitoring mean under SOC 2?","Continuous monitoring under SOC 2 means the ongoing, automated surveillance of systems, access, and controls with real-time detection of anomalies. Auditors examine monitoring for CC7.1 through CC7.5 and expect evidence that alerts were generated, triaged, and acted on throughout the observation period.",{"label":3344,"content":3345},"Which SOC 2 criteria does continuous monitoring satisfy?","Continuous monitoring primarily addresses CC7.1 (detection of anomalies), CC7.2 (monitoring of system components), and CC4 (monitoring activities). 
It also feeds CC6 access monitoring, CC8 change monitoring, and the availability criterion when applicable.",{"label":3347,"content":3348},"What tools are typically used for SOC 2 continuous monitoring?","Common tools include SIEM platforms (Splunk, Elastic, Datadog), cloud-native logging (CloudWatch, GCP Cloud Logging), endpoint detection (CrowdStrike, SentinelOne), and compliance automation platforms that pull evidence from these sources on a recurring schedule.",{"label":3350,"content":3351},"How long should SOC 2 logs be retained?","SOC 2 does not specify a log retention period, but most auditors expect at least twelve months for Type II engagements with a twelve-month observation period. Many organizations retain security logs for thirteen months to cover a full cycle plus the fieldwork window.",{"label":3353,"content":3354},"Is continuous monitoring required for Type I?","Type I tests control design at a point in time, so continuous operation is not strictly required. However, auditors still expect to see that monitoring tools are configured, alerts are defined, and someone owns triage. Design without implementation will be flagged.",{},[1042,1527,3357,1876],"log-management",[2578,1530,1529],{"title":3360,"description":3361},"SOC 2 Continuous Monitoring (2026): CC7 Controls & Automation","Build continuous monitoring for SOC 2 CC7. 
Automated evidence collection, alerting, log retention, and auditor expectations for Type II programs.","5.frameworks\u002Fsoc2\u002Fcontinuous-monitoring","_0nKPsSh6GssokRNKYKpZkbyI6nLfsOmignPwEkJbvU",{"id":3365,"title":3366,"body":3367,"description":3863,"extension":578,"faq":1134,"frameworkSlug":631,"lastUpdated":1135,"meta":3864,"navigation":613,"path":308,"relatedTerms":3865,"relatedTopics":3866,"seo":3868,"stem":3871,"__hash__":3872},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fcost.md","How Much Does SOC 2 Cost",{"type":29,"value":3368,"toc":3848},[3369,3373,3380,3383,3387,3391,3394,3430,3433,3462,3466,3469,3515,3527,3531,3534,3566,3569,3573,3576,3636,3639,3643,3646,3650,3696,3699,3703,3745,3749,3801,3805,3808,3834,3836],[32,3370,3372],{"id":3371},"how-much-does-soc-2-really-cost","How much does SOC 2 really cost?",[37,3374,3375,3376,3379],{},"One of the first questions every founder and security leader asks is how much ",[44,3377,3378],{"href":614},"SOC 2 compliance"," will cost. The honest answer: it depends. Total costs for a first-time SOC 2 engagement typically range from $20,000 to $150,000 or more, depending on company size, scope, and how much you need to build from scratch.",[37,3381,3382],{},"This guide breaks down every major cost category so you can budget accurately and avoid surprises.",[32,3384,3386],{"id":3385},"cost-breakdown-by-category","Cost breakdown by category",[112,3388,3390],{"id":3389},"_1-auditor-fees","1. 
Auditor fees",[37,3392,3393],{},"The CPA firm that performs your SOC 2 audit is usually the single largest line item.",[859,3395,3396,3406],{},[862,3397,3398],{},[865,3399,3400,3403],{},[868,3401,3402],{},"Engagement type",[868,3404,3405],{},"Typical range",[875,3407,3408,3415,3422],{},[865,3409,3410,3412],{},[880,3411,76],{},[880,3413,3414],{},"$15,000 – $40,000",[865,3416,3417,3419],{},[880,3418,82],{},[880,3420,3421],{},"$25,000 – $80,000",[865,3423,3424,3427],{},[880,3425,3426],{},"Combined Type I + Type II (same year)",[880,3428,3429],{},"$35,000 – $90,000",[37,3431,3432],{},"Factors that affect auditor pricing:",[172,3434,3435,3441,3450,3456],{},[175,3436,3437,3440],{},[61,3438,3439],{},"Firm size and reputation",": Big Four firms charge significantly more than boutique or mid-market firms. A regional firm with strong SOC 2 experience often delivers the same quality at a fraction of the cost.",[175,3442,3443,3446,3447,3449],{},[61,3444,3445],{},"Scope complexity",": More Trust Services Criteria, more in-scope systems, and more subservice organizations increase the audit effort. See ",[44,3448,226],{"href":225}," for scoping guidance.",[175,3451,3452,3455],{},[61,3453,3454],{},"Number of exceptions",": If the auditor encounters issues during fieldwork, additional testing and documentation increase the fee.",[175,3457,3458,3461],{},[61,3459,3460],{},"Location",": Some firms adjust pricing by geography, though remote audits have largely leveled this out.",[112,3463,3465],{"id":3464},"_2-compliance-platform-or-tooling","2. Compliance platform or tooling",[37,3467,3468],{},"Most companies use a compliance platform to manage controls, evidence, and policies. 
Pricing models vary:",[859,3470,3471,3481],{},[862,3472,3473],{},[865,3474,3475,3478],{},[868,3476,3477],{},"Platform type",[868,3479,3480],{},"Typical annual cost",[875,3482,3483,3491,3499,3507],{},[865,3484,3485,3488],{},[880,3486,3487],{},"Enterprise GRC tools (ServiceNow, Archer)",[880,3489,3490],{},"$50,000 – $200,000+",[865,3492,3493,3496],{},[880,3494,3495],{},"Mid-market compliance platforms (Vanta, Drata, Secureframe)",[880,3497,3498],{},"$12,000 – $50,000 per year",[865,3500,3501,3504],{},[880,3502,3503],{},"episki",[880,3505,3506],{},"$500\u002Fmonth ($6,000\u002Fyear), no per-seat charges",[865,3508,3509,3512],{},[880,3510,3511],{},"Spreadsheets and shared drives",[880,3513,3514],{},"$0 (but high hidden cost in labor)",[37,3516,3517,3518,539,3522,3526],{},"The platform you choose has a compounding effect on total cost because it directly impacts how much internal time is required for evidence collection, policy management, and auditor collaboration. A tool that automates repetitive tasks pays for itself quickly. ",[44,3519,3521],{"href":3520},"\u002Fcompare\u002Fvanta","Compare episki to Vanta",[44,3523,3525],{"href":3524},"\u002Fcompare\u002Fdrata","Drata"," to see how pricing and capabilities stack up.",[112,3528,3530],{"id":3529},"_3-internal-time-and-labor","3. Internal time and labor",[37,3532,3533],{},"This is the cost most organizations underestimate. 
Getting SOC 2 ready requires significant time from multiple teams:",[172,3535,3536,3542,3548,3554,3560],{},[175,3537,3538,3541],{},[61,3539,3540],{},"Security or compliance lead",": 200–500 hours over the first year for project management, gap analysis, control design, and auditor coordination.",[175,3543,3544,3547],{},[61,3545,3546],{},"Engineering",": 50–200 hours for implementing technical controls, configuring monitoring, setting up logging, and providing evidence.",[175,3549,3550,3553],{},[61,3551,3552],{},"IT \u002F DevOps",": 40–100 hours for endpoint management, access reviews, and infrastructure documentation.",[175,3555,3556,3559],{},[61,3557,3558],{},"HR",": 20–40 hours for onboarding\u002Foffboarding procedures, background checks, and training programs.",[175,3561,3562,3565],{},[61,3563,3564],{},"Legal",": 10–30 hours for policy review, vendor contract updates, and privacy notice alignment.",[37,3567,3568],{},"At a blended cost of $75–$150 per hour, internal labor for a first-time SOC 2 can easily reach $30,000–$80,000. This is where the right tooling makes the biggest difference — automating evidence collection and centralizing control management can cut these hours by 40–60%.",[112,3570,3572],{"id":3571},"_4-gap-remediation","4. 
Gap remediation",[37,3574,3575],{},"If your gap analysis reveals missing controls, you may need to invest in new tools or services:",[859,3577,3578,3588],{},[862,3579,3580],{},[865,3581,3582,3585],{},[868,3583,3584],{},"Remediation area",[868,3586,3587],{},"Typical cost",[875,3589,3590,3598,3606,3614,3621,3628],{},[865,3591,3592,3595],{},[880,3593,3594],{},"MDM \u002F endpoint management",[880,3596,3597],{},"$3–$10 per device\u002Fmonth",[865,3599,3600,3603],{},[880,3601,3602],{},"SIEM or log management",[880,3604,3605],{},"$5,000 – $30,000\u002Fyear",[865,3607,3608,3611],{},[880,3609,3610],{},"Background check service",[880,3612,3613],{},"$30–$100 per check",[865,3615,3616,3618],{},[880,3617,2211],{},[880,3619,3620],{},"$2,000 – $10,000\u002Fyear",[865,3622,3623,3625],{},[880,3624,295],{},[880,3626,3627],{},"$5,000 – $30,000 per engagement",[865,3629,3630,3633],{},[880,3631,3632],{},"Vulnerability scanning",[880,3634,3635],{},"$3,000 – $15,000\u002Fyear",[37,3637,3638],{},"Not every organization needs all of these. Many startups already have adequate tooling in place and only need to formalize processes and documentation.",[112,3640,3642],{"id":3641},"_5-consulting-and-advisory-optional","5. Consulting and advisory (optional)",[37,3644,3645],{},"Some organizations hire a consultant to guide them through the readiness phase. Rates typically range from $150 to $350 per hour, with fixed-fee readiness engagements running $10,000 to $40,000. 
A good consultant can accelerate your timeline, but this is optional — especially if you use a platform that provides built-in guidance.",[32,3647,3649],{"id":3648},"total-cost-estimates-by-company-stage","Total cost estimates by company stage",[859,3651,3652,3662],{},[862,3653,3654],{},[865,3655,3656,3659],{},[868,3657,3658],{},"Company profile",[868,3660,3661],{},"Estimated first-year cost",[875,3663,3664,3672,3680,3688],{},[865,3665,3666,3669],{},[880,3667,3668],{},"Seed-stage startup (10–25 employees, cloud-native)",[880,3670,3671],{},"$20,000 – $50,000",[865,3673,3674,3677],{},[880,3675,3676],{},"Series A\u002FB (25–100 employees, moderate complexity)",[880,3678,3679],{},"$40,000 – $100,000",[865,3681,3682,3685],{},[880,3683,3684],{},"Growth-stage (100–500 employees, multiple products)",[880,3686,3687],{},"$80,000 – $150,000+",[865,3689,3690,3693],{},[880,3691,3692],{},"Enterprise (500+ employees, complex environments)",[880,3694,3695],{},"$150,000 – $300,000+",[37,3697,3698],{},"Renewal years are typically 30–50% less expensive because controls, policies, and processes are already established.",[32,3700,3702],{"id":3701},"factors-that-increase-cost","Factors that increase cost",[172,3704,3705,3711,3717,3723,3729,3735],{},[175,3706,3707,3710],{},[61,3708,3709],{},"Adding optional Trust Services Criteria"," beyond security",[175,3712,3713,3716],{},[61,3714,3715],{},"Large number of in-scope systems"," and subservice organizations",[175,3718,3719,3722],{},[61,3720,3721],{},"Poor documentation"," requiring significant policy and procedure development",[175,3724,3725,3728],{},[61,3726,3727],{},"Manual evidence collection"," that consumes engineering time every audit cycle",[175,3730,3731,3734],{},[61,3732,3733],{},"Scope changes mid-audit"," that require additional auditor testing",[175,3736,3737,3744],{},[61,3738,3739,3740,3743],{},"Choosing a ",[44,3741,3742],{"href":89},"Type II"," first"," without a readiness baseline (Type I first can reduce total 
cost)",[32,3746,3748],{"id":3747},"practical-ways-to-reduce-soc-2-cost","Practical ways to reduce SOC 2 cost",[210,3750,3751,3760,3766,3772,3778,3784,3795],{},[175,3752,3753,3756,3757,3759],{},[61,3754,3755],{},"Right-size your scope",": Only include the Trust Services Criteria and systems that are relevant. Over-scoping is the fastest way to inflate costs. Review the ",[44,3758,1141],{"href":225}," carefully.",[175,3761,3762,3765],{},[61,3763,3764],{},"Start with Type I",": A Type I engagement validates your control design at lower cost, identifies issues early, and builds auditor familiarity before the longer Type II period.",[175,3767,3768,3771],{},[61,3769,3770],{},"Automate evidence collection",": Every hour saved on screenshots, access review exports, and configuration checks is an hour your team spends on product work instead. This is the highest-ROI investment you can make.",[175,3773,3774,3777],{},[61,3775,3776],{},"Choose a right-sized auditor",": A mid-market CPA firm with deep SOC 2 experience often provides better service and lower fees than a Big Four firm for companies under 500 employees.",[175,3779,3780,3783],{},[61,3781,3782],{},"Use a purpose-built compliance platform",": Spreadsheet-based compliance programs cost less in software but far more in labor. A good platform pays for itself in the first audit cycle.",[175,3785,3786,3789,3790,539,3792,3794],{},[61,3787,3788],{},"Leverage framework overlap",": If you also need ",[44,3791,393],{"href":392},[44,3793,402],{"href":401},", map controls once and reuse evidence across frameworks. 
This amortizes the cost of compliance work across multiple requirements.",[175,3796,3797,3800],{},[61,3798,3799],{},"Build a compliance culture",": When control owners understand their responsibilities and collect evidence as part of their daily workflow, the incremental cost of each audit cycle drops significantly.",[32,3802,3804],{"id":3803},"the-cost-of-not-getting-soc-2","The cost of not getting SOC 2",[37,3806,3807],{},"While SOC 2 costs real money, the cost of not having it can be higher:",[172,3809,3810,3816,3822,3828],{},[175,3811,3812,3815],{},[61,3813,3814],{},"Lost deals",": Enterprise buyers increasingly require SOC 2 reports before signing contracts. A missing report can stall or kill a sale.",[175,3817,3818,3821],{},[61,3819,3820],{},"Longer sales cycles",": Without a SOC 2 report, security reviews become bespoke questionnaire exercises that consume weeks of back-and-forth.",[175,3823,3824,3827],{},[61,3825,3826],{},"Higher insurance premiums",": Some cyber insurance carriers offer better terms to organizations with a current SOC 2 report.",[175,3829,3830,3833],{},[61,3831,3832],{},"Incident costs",": The controls you implement for SOC 2 reduce the likelihood and severity of security incidents.",[32,3835,1101],{"id":1100},[37,3837,3838,3839,3842,3843,3847],{},"episki is designed to minimize the total cost of SOC 2 compliance. At $500\u002Fmonth with no per-seat charges, the platform cost is a fraction of alternatives. More importantly, episki reduces the internal labor component — the largest and most variable cost category — through pre-mapped control libraries, structured evidence collection, automated review cadences, and an auditor collaboration portal that eliminates email-based back-and-forth. Organizations using episki report cutting preparation time by up to 45 days. 
",[44,3840,538],{"href":535,"rel":3841},[537]," to see how much time and money you can save, or ",[44,3844,3846],{"href":3845},"\u002Fcompare\u002Fsecureframe","compare episki to Secureframe"," for a detailed feature comparison.",{"title":546,"searchDepth":547,"depth":547,"links":3849},[3850,3851,3858,3859,3860,3861,3862],{"id":3371,"depth":547,"text":3372},{"id":3385,"depth":547,"text":3386,"children":3852},[3853,3854,3855,3856,3857],{"id":3389,"depth":554,"text":3390},{"id":3464,"depth":554,"text":3465},{"id":3529,"depth":554,"text":3530},{"id":3571,"depth":554,"text":3572},{"id":3641,"depth":554,"text":3642},{"id":3648,"depth":547,"text":3649},{"id":3701,"depth":547,"text":3702},{"id":3747,"depth":547,"text":3748},{"id":3803,"depth":547,"text":3804},{"id":1100,"depth":547,"text":1101},"A transparent breakdown of SOC 2 costs including auditor fees, compliance tooling, internal time, and factors that influence total spend.",{},[631,1138],[2578,3867,1141],"checklist",{"title":3869,"description":3870},"How Much Does SOC 2 Cost in 2026 — Full Cost Breakdown","SOC 2 costs range from $20K to $150K+. 
Get a transparent breakdown of auditor fees, tooling, internal time, and practical ways to reduce spend.","5.frameworks\u002Fsoc2\u002Fcost","TKZqVnKfYHxEAdY00RgH5EUl-GdWTOh38Ctp7yNatF4",{"id":3874,"title":3875,"body":3876,"description":4168,"extension":578,"faq":4169,"frameworkSlug":631,"lastUpdated":1135,"meta":4186,"navigation":613,"path":374,"relatedTerms":4187,"relatedTopics":4189,"seo":4190,"stem":4193,"__hash__":4194},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fincident-response.md","SOC 2 Incident Response",{"type":29,"value":3877,"toc":4151},[3878,3882,3885,3893,3897,3900,3905,3910,3915,3918,3922,3925,3929,3932,3961,3965,3968,3972,3978,3982,3985,4014,4017,4021,4027,4031,4034,4036,4049,4052,4054,4057,4080,4083,4085,4121,4123,4140,4142],[32,3879,3881],{"id":3880},"incident-response-is-where-soc-2-moves-from-theory-to-practice","Incident response is where SOC 2 moves from theory to practice",[37,3883,3884],{},"Every SOC 2 program has an incident response plan. Auditors see hundreds of them. What separates a program that passes Type II cleanly from one that collects exceptions is whether the plan is actually executed when something happens — and whether there is evidence the team can produce six months later.",[37,3886,73,3887,3889,3890,3892],{},[44,3888,658],{"href":614}," Type II audit tests operating effectiveness. Incident response is one of the most operationally demanding control areas because it requires coordinated action across engineering, security, legal, and leadership, often under time pressure. The controls that matter are CC7.3 (evaluation of security events), CC7.4 (response execution), and CC7.5 (recovery) in the ",[44,3891,55],{"href":54},". 
Each generates evidence that auditors will sample and test.",[32,3894,3896],{"id":3895},"what-cc73-through-cc75-expect","What CC7.3 through CC7.5 expect",[37,3898,3899],{},"The CC7 series defines a closed loop from detection through recovery.",[37,3901,3902,3904],{},[61,3903,3108],{}," — The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents). This requires that detected events are triaged and classified, not just logged. Auditors look for evidence that events were evaluated — not every alert becomes an incident, but every alert should have a disposition.",[37,3906,3907,3909],{},[61,3908,3114],{}," — The entity responds to identified security incidents by executing a defined incident response program that includes assigned roles, containment, remediation, communication, and documentation. This requires a written plan, trained responders, and evidence that real or simulated incidents followed it.",[37,3911,3912,3914],{},[61,3913,3120],{}," — The entity identifies, develops, and implements activities to recover from identified security incidents. Recovery includes restoring systems, verifying integrity, and applying lessons learned.",[37,3916,3917],{},"CC2.2 and CC9 also touch incident response — internal and external communication during an incident and risk mitigation through incident learnings.",[32,3919,3921],{"id":3920},"components-of-a-soc-2-ready-incident-response-program","Components of a SOC 2-ready incident response program",[37,3923,3924],{},"A program that passes auditor scrutiny has six components.",[112,3926,3928],{"id":3927},"_1-a-written-incident-response-plan","1. A written incident response plan",[37,3930,3931],{},"The plan should be approved by leadership, reviewed annually, and specific enough that a new team member could follow it. 
Required elements include:",[172,3933,3934,3937,3940,3943,3946,3949,3952,3955,3958],{},[175,3935,3936],{},"Definition of a security incident",[175,3938,3939],{},"Severity classifications (for example, P1 through P4)",[175,3941,3942],{},"Roles and responsibilities (incident commander, communications lead, technical lead)",[175,3944,3945],{},"Detection and reporting channels",[175,3947,3948],{},"Triage and classification process",[175,3950,3951],{},"Containment, eradication, and recovery procedures",[175,3953,3954],{},"Internal and external communication requirements",[175,3956,3957],{},"Post-incident review expectations",[175,3959,3960],{},"Regulatory and contractual notification obligations",[112,3962,3964],{"id":3963},"_2-runbooks-for-common-scenarios","2. Runbooks for common scenarios",[37,3966,3967],{},"The plan covers the framework; runbooks cover the specifics. Typical runbooks address credential compromise, ransomware, data exfiltration, DDoS, vendor compromise, insider threat, and lost or stolen device. Runbooks reduce decision latency when an incident is active and demonstrate maturity to auditors.",[112,3969,3971],{"id":3970},"_3-defined-detection-and-escalation-paths","3. Defined detection and escalation paths",[37,3973,3974,3975,3977],{},"Alerts from ",[44,3976,1401],{"href":1400}," tools must flow into a triage process. Each alert is either dismissed with a note or escalated to an incident with a severity rating. Auditors look for the linkage between detection and incident records — if the chain is unclear, the control appears theoretical.",[112,3979,3981],{"id":3980},"_4-documented-incidents","4. Documented incidents",[37,3983,3984],{},"Every real incident during the observation period must have a record. 
Minimum fields:",[172,3986,3987,3990,3993,3996,3999,4002,4005,4008,4011],{},[175,3988,3989],{},"Incident ID and title",[175,3991,3992],{},"Detection time and source",[175,3994,3995],{},"Severity at declaration and revision history",[175,3997,3998],{},"Timeline of actions taken",[175,4000,4001],{},"Systems, data, and individuals affected",[175,4003,4004],{},"Containment and remediation steps",[175,4006,4007],{},"Communications sent (internal, customers, regulators, law enforcement)",[175,4009,4010],{},"Root cause",[175,4012,4013],{},"Lessons learned and assigned remediation items",[37,4015,4016],{},"The system of record can be a dedicated incident platform, a ticketing system, or a structured document repository. What matters is consistency across incidents.",[112,4018,4020],{"id":4019},"_5-tabletop-exercises","5. Tabletop exercises",[37,4022,4023,4024,4026],{},"If no real incidents occur during the observation period, tabletop exercises demonstrate the plan works. A tabletop walks a team through a simulated scenario, capturing decisions and timing. At minimum, conduct one tabletop annually covering a realistic scenario. Mature programs run them quarterly. See ",[44,4025,3145],{"href":3144}," for how to document.",[112,4028,4030],{"id":4029},"_6-post-incident-review","6. Post-incident review",[37,4032,4033],{},"Every declared incident above a threshold severity should produce a post-incident review (PIR) or retrospective. The PIR captures the root cause, contributing factors, and remediation items with owners and due dates. Auditors may request to see PIRs for a sample of incidents from the observation period.",[32,4035,1407],{"id":1406},[37,4037,4038,4039,4041,4042,4044,4045,4048],{},"Incident response is tightly coupled to other SOC 2 control areas. ",[44,4040,1043],{"href":1400}," feeds the detection engine. ",[44,4043,364],{"href":363}," failures sometimes manifest as incidents. 
",[44,4046,4047],{"href":352},"Vendor management"," governs how you respond when a third party is compromised. Strong incident response also supports the availability criterion when applicable — outage response is an incident response subset with its own RTO and RPO targets.",[37,4050,4051],{},"Auditors often use incident records to validate controls elsewhere. An incident that required access to production shows up in access control logs. A change that caused an incident shows up in change management records. Inconsistencies between these artifacts create findings.",[32,4053,1232],{"id":1231},[37,4055,4056],{},"During fieldwork, the auditor will typically request:",[172,4058,4059,4062,4065,4068,4071,4074,4077],{},[175,4060,4061],{},"The current incident response plan with approval evidence",[175,4063,4064],{},"Runbooks for common scenarios",[175,4066,4067],{},"A list of incidents declared during the observation period",[175,4069,4070],{},"Full documentation for a sampled subset of those incidents",[175,4072,4073],{},"Evidence of tabletop exercises during the observation period",[175,4075,4076],{},"Evidence of incident response training for relevant staff",[175,4078,4079],{},"Breach notification templates and examples if any notifications were sent",[37,4081,4082],{},"If no incidents occurred, the auditor relies heavily on tabletop and training evidence. Skipping these is a red flag.",[32,4084,1417],{"id":1416},[172,4086,4087,4093,4099,4105,4111],{},[175,4088,4089,4092],{},[61,4090,4091],{},"Plan without practice."," A polished document that no one follows creates more audit risk than a simple plan that is actually used. Test it.",[175,4094,4095,4098],{},[61,4096,4097],{},"Severity drift."," Teams reclassify incidents down to avoid paperwork. Auditors notice when severity distributions do not match the alert volume.",[175,4100,4101,4104],{},[61,4102,4103],{},"Missing communication records."," Incidents often require customer or regulatory notifications. 
If communications happened verbally with no record, the evidence is gone.",[175,4106,4107,4110],{},[61,4108,4109],{},"No lessons learned."," Running an incident and not capturing what to improve shows the program is reactive, not mature.",[175,4112,4113,4116,4117,100],{},[61,4114,4115],{},"Breach notification as an afterthought."," Regulatory timelines (GDPR 72 hours, some state laws 30 to 60 days) apply whether or not your plan accounts for them. See ",[44,4118,4120],{"href":4119},"\u002Fglossary\u002Fbreach-notification","breach notification",[32,4122,1453],{"id":1452},[172,4124,4125,4128,4131,4134,4137],{},[175,4126,4127],{},"Keep the incident response plan in version control. Each approved version should be dated and linked to a leadership review.",[175,4129,4130],{},"Integrate your alerting tool with your ticketing system so every escalated alert creates an incident record automatically.",[175,4132,4133],{},"Use a consistent template for post-incident reviews so comparisons across incidents are possible.",[175,4135,4136],{},"Run one tabletop per quarter, rotating scenarios. Capture the output as a PDF and store it with the other SOC 2 evidence.",[175,4138,4139],{},"Train all employees annually on how to report a suspected incident. The earliest detection often comes from a non-security team member.",[32,4141,1101],{"id":1100},[37,4143,4144,4145,3317,4148,4150],{},"episki provides templates for incident response plans, runbooks, and post-incident reviews mapped to CC7.3 through CC7.5, along with evidence collection for tabletop exercises and training. 
",[44,4146,538],{"href":535,"rel":4147},[537],[44,4149,1482],{"href":614}," to see how incident response integrates with monitoring, change management, and vendor controls.",{"title":546,"searchDepth":547,"depth":547,"links":4152},[4153,4154,4155,4163,4164,4165,4166,4167],{"id":3880,"depth":547,"text":3881},{"id":3895,"depth":547,"text":3896},{"id":3920,"depth":547,"text":3921,"children":4156},[4157,4158,4159,4160,4161,4162],{"id":3927,"depth":554,"text":3928},{"id":3963,"depth":554,"text":3964},{"id":3970,"depth":554,"text":3971},{"id":3980,"depth":554,"text":3981},{"id":4019,"depth":554,"text":4020},{"id":4029,"depth":554,"text":4030},{"id":1406,"depth":547,"text":1407},{"id":1231,"depth":547,"text":1232},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"How to build a SOC 2 incident response program that satisfies CC7.3 and CC7.4. Playbooks, evidence expectations, and what auditors look for during fieldwork.",{"items":4170},[4171,4174,4177,4180,4183],{"label":4172,"content":4173},"Which SOC 2 criteria cover incident response?","Incident response maps to CC7.3 (evaluation of security events), CC7.4 (response to identified incidents), and CC7.5 (recovery from incidents). CC2.2 also covers internal and external communication about incidents, which includes breach notification.",{"label":4175,"content":4176},"Do I need to have had a real incident to pass SOC 2?","No. Auditors look for a documented incident response program, tested procedures, and evidence of how alerts are triaged. If real incidents occurred, the auditor will examine those. If not, tabletop exercises can demonstrate the process works.",{"label":4178,"content":4179},"How often should incident response plans be tested?","At minimum annually. Many mature SOC 2 programs conduct quarterly tabletop exercises covering different scenarios (data exfiltration, ransomware, insider threat, vendor compromise). 
Evidence of testing is a common auditor request.",{"label":4181,"content":4182},"What counts as a security incident under SOC 2?","Any event that could affect the security, availability, integrity, confidentiality, or privacy of the system. This includes confirmed breaches, attempted intrusions, policy violations, malware detections, and unauthorized access attempts — not just successful compromises.",{"label":4184,"content":4185},"Does SOC 2 require breach notification?","SOC 2 requires defined procedures for communicating about incidents to affected parties. Specific notification timelines come from external obligations (GDPR, HIPAA, state breach laws, customer contracts), but SOC 2 auditors will verify that your process incorporates those timelines.",{},[1530,4188,1527,1876],"breach-notification",[1042,1529,2578],{"title":4191,"description":4192},"SOC 2 Incident Response (2026): CC7.3\u002F7.4 Requirements","SOC 2 incident response under CC7.3 and CC7.4. Playbooks, runbooks, tabletop exercises, and the evidence auditors expect during Type II fieldwork.","5.frameworks\u002Fsoc2\u002Fincident-response","1H5HP7ZTDnMHccFEfaOpF40qzXBuvKiCdVMSHqaC--4",{"id":4196,"title":4197,"body":4198,"description":4719,"extension":578,"faq":4720,"frameworkSlug":631,"lastUpdated":1135,"meta":4737,"navigation":613,"path":2915,"relatedTerms":4738,"relatedTopics":4739,"seo":4741,"stem":4744,"__hash__":4745},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fpolicies-and-procedures.md","SOC 2 Policies and Procedures",{"type":29,"value":4199,"toc":4702},[4200,4204,4210,4213,4217,4222,4239,4242,4246,4249,4397,4400,4404,4407,4411,4414,4437,4441,4444,4493,4497,4511,4516,4520,4523,4540,4543,4546,4563,4567,4570,4589,4592,4594,4606,4612,4614,4617,4634,4637,4639,4671,4673,4690,4692],[32,4201,4203],{"id":4202},"policies-are-where-soc-2-programs-set-their-own-ceiling","Policies are where SOC 2 programs set their own ceiling",[37,4205,4206,4207,4209],{},"Policies define what your organization has 
committed to. Every other ",[44,4208,658],{"href":614}," control is, in some sense, testing whether you do what you said you would. Weak policies create a weak foundation for the entire program — auditors cannot test adherence to commitments that are not written down, unclear, or inconsistent with practice. Strong policies make the rest of the audit easier because they anchor the conversation in documented expectations.",[37,4211,4212],{},"This is also where many first-time programs overcorrect. Teams buy a template library, rubber-stamp the whole set, and discover during fieldwork that the auditor is testing against policies nobody read. The fix is not more policy — it is fewer, sharper policies that match how the team actually operates.",[32,4214,4216],{"id":4215},"what-soc-2-expects-from-policies","What SOC 2 expects from policies",[37,4218,107,4219,4221],{},[44,4220,55],{"href":54}," reference policies and procedures throughout, most directly in CC1.4, CC2.2, CC5.1, CC5.3, and CC6.1. Together these require that the entity:",[172,4223,4224,4227,4230,4233,4236],{},[175,4225,4226],{},"Establishes structures, reporting lines, authorities, and responsibilities",[175,4228,4229],{},"Develops and implements controls through policies and procedures",[175,4231,4232],{},"Communicates policies to internal and external parties as relevant",[175,4234,4235],{},"Demonstrates commitment to competence, including training on policies",[175,4237,4238],{},"Restricts access based on documented criteria",[37,4240,4241],{},"Policies must be approved, communicated, followed, and periodically reviewed. 
Each of those verbs generates evidence.",[32,4243,4245],{"id":4244},"the-baseline-soc-2-policy-set","The baseline SOC 2 policy set",[37,4247,4248],{},"There is no mandated list, but most SOC 2 programs maintain a baseline of policies that map to the Common Criteria and any additional Trust Services Criteria selected.",[859,4250,4251,4264],{},[862,4252,4253],{},[865,4254,4255,4258,4261],{},[868,4256,4257],{},"Policy",[868,4259,4260],{},"Purpose",[868,4262,4263],{},"Primary Criteria",[875,4265,4266,4277,4288,4299,4310,4321,4332,4343,4354,4365,4376,4387],{},[865,4267,4268,4271,4274],{},[880,4269,4270],{},"Information Security Policy",[880,4272,4273],{},"Defines the overall security program, roles, and authorities",[880,4275,4276],{},"CC1, CC2",[865,4278,4279,4282,4285],{},[880,4280,4281],{},"Acceptable Use Policy",[880,4283,4284],{},"Governs employee behavior on company systems",[880,4286,4287],{},"CC2.3, CC6",[865,4289,4290,4293,4296],{},[880,4291,4292],{},"Access Control Policy",[880,4294,4295],{},"Defines provisioning, review, and removal of access",[880,4297,4298],{},"CC6",[865,4300,4301,4304,4307],{},[880,4302,4303],{},"Change Management Policy",[880,4305,4306],{},"Governs changes to infrastructure, code, and configuration",[880,4308,4309],{},"CC8.1",[865,4311,4312,4315,4318],{},[880,4313,4314],{},"Incident Response Policy",[880,4316,4317],{},"Defines how security incidents are detected and handled",[880,4319,4320],{},"CC7.3–CC7.5",[865,4322,4323,4326,4329],{},[880,4324,4325],{},"Vendor Management Policy",[880,4327,4328],{},"Defines how third parties are assessed and monitored",[880,4330,4331],{},"CC9.2",[865,4333,4334,4337,4340],{},[880,4335,4336],{},"Risk Assessment Policy",[880,4338,4339],{},"Defines how risks are identified, evaluated, and treated",[880,4341,4342],{},"CC3",[865,4344,4345,4348,4351],{},[880,4346,4347],{},"Business Continuity and DR Policy",[880,4349,4350],{},"Defines recovery objectives and testing",[880,4352,4353],{},"CC9.1, 
Availability",[865,4355,4356,4359,4362],{},[880,4357,4358],{},"Data Classification Policy",[880,4360,4361],{},"Defines data sensitivity tiers and handling requirements",[880,4363,4364],{},"CC6, Confidentiality",[865,4366,4367,4370,4373],{},[880,4368,4369],{},"HR Security Policy",[880,4371,4372],{},"Covers hiring, training, termination, confidentiality",[880,4374,4375],{},"CC1.4, CC2.3",[865,4377,4378,4381,4384],{},[880,4379,4380],{},"System Monitoring Policy",[880,4382,4383],{},"Defines logging, alerting, and review obligations",[880,4385,4386],{},"CC7.1, CC7.2",[865,4388,4389,4392,4395],{},[880,4390,4391],{},"Privacy Policy",[880,4393,4394],{},"Covers handling of personal information (if privacy in scope)",[880,4396,153],{},[37,4398,4399],{},"Some organizations split these into more granular documents; others combine them. Either is acceptable if the content is comprehensive and consistent.",[32,4401,4403],{"id":4402},"anatomy-of-a-soc-2-ready-policy","Anatomy of a SOC 2-ready policy",[37,4405,4406],{},"Auditors quickly identify thin or template-only policies. 
A policy that passes scrutiny has consistent structure and real operational content.",[112,4408,4410],{"id":4409},"required-metadata","Required metadata",[37,4412,4413],{},"Every policy should include:",[172,4415,4416,4419,4422,4425,4428,4431,4434],{},[175,4417,4418],{},"Title and version number",[175,4420,4421],{},"Date of last review",[175,4423,4424],{},"Owner (role, not name)",[175,4426,4427],{},"Approver (leadership role)",[175,4429,4430],{},"Approval date",[175,4432,4433],{},"Scope of applicability",[175,4435,4436],{},"Next scheduled review date",[112,4438,4440],{"id":4439},"required-sections","Required sections",[37,4442,4443],{},"At minimum, a complete SOC 2 policy covers:",[210,4445,4446,4451,4457,4463,4469,4475,4481,4487],{},[175,4447,4448,4450],{},[61,4449,4260],{}," — why the policy exists",[175,4452,4453,4456],{},[61,4454,4455],{},"Scope"," — who and what it applies to",[175,4458,4459,4462],{},[61,4460,4461],{},"Roles and responsibilities"," — who does what",[175,4464,4465,4468],{},[61,4466,4467],{},"Policy statements"," — the rules themselves, in directive language",[175,4470,4471,4474],{},[61,4472,4473],{},"Procedures or references"," — how the policy is executed",[175,4476,4477,4480],{},[61,4478,4479],{},"Exceptions process"," — how deviations are approved and tracked",[175,4482,4483,4486],{},[61,4484,4485],{},"Enforcement and consequences"," — what happens if the policy is violated",[175,4488,4489,4492],{},[61,4490,4491],{},"Review cadence"," — when and how the policy is updated",[112,4494,4496],{"id":4495},"language-that-survives-audit","Language that survives audit",[172,4498,4499,4502,4505,4508],{},[175,4500,4501],{},"Use \"shall\" or \"must\" for required actions; \"should\" for recommended",[175,4503,4504],{},"Avoid aspirational language that cannot be tested",[175,4506,4507],{},"Name the system, team, or artifact by role rather than by product (so policies survive tool changes)",[175,4509,4510],{},"Reference other policies rather than 
duplicating content",[37,4512,1352,4513,4515],{},[44,4514,3145],{"href":3144}," for how policy adherence becomes auditable.",[32,4517,4519],{"id":4518},"version-control-and-approval-workflow","Version control and approval workflow",[37,4521,4522],{},"Policies must be controlled documents. Auditors typically verify:",[172,4524,4525,4528,4531,4534,4537],{},[175,4526,4527],{},"Current version is the approved version",[175,4529,4530],{},"Historical versions are retained",[175,4532,4533],{},"Approvals are documented with approver, date, and method",[175,4535,4536],{},"Changes between versions can be traced",[175,4538,4539],{},"Distribution to affected parties is evidenced",[37,4541,4542],{},"Practical options range from a policy management tool to a Git repository with signed commits and a documented pull request workflow. What matters is traceability, not the specific tool.",[37,4544,4545],{},"The approval workflow should specify:",[172,4547,4548,4551,4554,4557,4560],{},[175,4549,4550],{},"Who can propose changes",[175,4552,4553],{},"Who reviews before approval",[175,4555,4556],{},"Who approves (usually leadership for any material change)",[175,4558,4559],{},"How approval is recorded",[175,4561,4562],{},"How approved policies are published and communicated",[32,4564,4566],{"id":4565},"policies-versus-procedures-versus-standards","Policies versus procedures versus standards",[37,4568,4569],{},"SOC 2 does not require a specific document hierarchy, but clarity helps.",[172,4571,4572,4577,4583],{},[175,4573,4574,4576],{},[61,4575,4257],{}," — a high-level commitment that rarely changes. \"All employees must use multi-factor authentication on company accounts.\"",[175,4578,4579,4582],{},[61,4580,4581],{},"Standard"," — a specific requirement that supports a policy. 
\"Multi-factor authentication must use either a hardware token or a TOTP app; SMS is not permitted.\"",[175,4584,4585,4588],{},[61,4586,4587],{},"Procedure"," — the operational steps to implement the policy and standard. \"To enroll a hardware token: log in to the identity provider, navigate to security, click add device...\"",[37,4590,4591],{},"Auditors may test against any layer. Separating them keeps policies stable while allowing procedures to evolve with operational reality.",[32,4593,1407],{"id":1406},[37,4595,4596,4597,418,4599,418,4601,422,4603,4605],{},"Policies feed every other SOC 2 control area. ",[44,4598,364],{"href":363},[44,4600,375],{"href":374},[44,4602,353],{"href":352},[44,4604,1401],{"href":1400}," all reference policy requirements, and auditors often start a control area by asking to see the policy before testing adherence.",[37,4607,4608,4609,4611],{},"Policies are also central to ",[44,4610,221],{"href":220},". A common finding during readiness is that informal practices exist but are not documented. The fix is to write what the team already does — not to invent new procedures — and then evolve the policy as practice matures.",[32,4613,1676],{"id":1675},[37,4615,4616],{},"For each policy, auditors may request:",[172,4618,4619,4622,4625,4628,4631],{},[175,4620,4621],{},"Current version of the policy document",[175,4623,4624],{},"Evidence of approval (signed approval, workflow record, metadata)",[175,4626,4627],{},"Evidence of last annual review",[175,4629,4630],{},"Distribution evidence (email, portal acknowledgment, training completion)",[175,4632,4633],{},"Evidence of adherence across the observation period",[37,4635,4636],{},"For a Type II audit, adherence evidence is the most demanding category. 
A change management policy is only as strong as the changes that followed it.",[32,4638,1417],{"id":1416},[172,4640,4641,4647,4653,4659,4665],{},[175,4642,4643,4646],{},[61,4644,4645],{},"Template tourism."," Teams adopt templates without tailoring. Auditors recognize generic language immediately.",[175,4648,4649,4652],{},[61,4650,4651],{},"Policy-practice gap."," Written policy diverges from actual practice. Walkthroughs expose this fast.",[175,4654,4655,4658],{},[61,4656,4657],{},"Stale reviews."," Policies with \"last reviewed\" dates more than a year old signal neglect.",[175,4660,4661,4664],{},[61,4662,4663],{},"Missing approval."," No documented sign-off from leadership. A committed policy with no approval trail rarely passes review.",[175,4666,4667,4670],{},[61,4668,4669],{},"No communication evidence."," Policy exists but employees cannot confirm they have seen it.",[32,4672,1453],{"id":1452},[172,4674,4675,4678,4681,4684,4687],{},[175,4676,4677],{},"Start with the baseline set above and resist the urge to create more. Every policy is future audit burden.",[175,4679,4680],{},"Pair every policy with a procedure or runbook that shows how it is executed. The pair is stronger than either alone.",[175,4682,4683],{},"Review and re-approve all policies annually on a fixed schedule — for example, every February. Document the cycle.",[175,4685,4686],{},"Collect policy acknowledgment during employee onboarding and annually thereafter. Acknowledgment is inexpensive evidence.",[175,4688,4689],{},"Keep an exceptions log. A policy with no exceptions is either perfectly followed or poorly understood; exceptions tell you which.",[32,4691,1101],{"id":1100},[37,4693,4694,4695,4698,4699,4701],{},"episki ships with a SOC 2 policy template library — covering the baseline set above — mapped to the Trust Services Criteria, with approval workflow, version history, and acknowledgment tracking built in. 
",[44,4696,538],{"href":535,"rel":4697},[537]," or review the ",[44,4700,1482],{"href":614}," to see how policy management integrates with the rest of the audit program.",{"title":546,"searchDepth":547,"depth":547,"links":4703},[4704,4705,4706,4707,4712,4713,4714,4715,4716,4717,4718],{"id":4202,"depth":547,"text":4203},{"id":4215,"depth":547,"text":4216},{"id":4244,"depth":547,"text":4245},{"id":4402,"depth":547,"text":4403,"children":4708},[4709,4710,4711],{"id":4409,"depth":554,"text":4410},{"id":4439,"depth":554,"text":4440},{"id":4495,"depth":554,"text":4496},{"id":4518,"depth":547,"text":4519},{"id":4565,"depth":547,"text":4566},{"id":1406,"depth":547,"text":1407},{"id":1675,"depth":547,"text":1676},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"The policies required for SOC 2. Templates, version control, approval workflow, and how auditors test policy adherence during fieldwork.",{"items":4721},[4722,4725,4728,4731,4734],{"label":4723,"content":4724},"What policies are required for SOC 2?","There is no prescribed list, but most SOC 2 programs have at least twelve policies covering information security, access control, change management, incident response, vendor management, acceptable use, data classification, business continuity, risk management, HR security, system monitoring, and privacy (if the privacy criterion is in scope).",{"label":4726,"content":4727},"Are policy templates acceptable for SOC 2?","Templates are an acceptable starting point, but the final policy must reflect how your organization actually operates. Auditors look for alignment between written policy and observed practice. A template never tailored to your environment usually fails walkthroughs.",{"label":4729,"content":4730},"How often should SOC 2 policies be reviewed?","At least annually. Many organizations review policies more frequently when significant changes occur — reorganizations, new products, regulatory changes. 
Each review should be documented with a reviewer, date, and any changes made.",{"label":4732,"content":4733},"Who must approve SOC 2 policies?","Policies typically require leadership approval — CEO, CTO, CISO, or equivalent. The approver should be documented on the policy itself. A policy without evidence of formal approval is a common source of audit findings.",{"label":4735,"content":4736},"How do auditors test policies?","Auditors review the policy itself, check approval and review history, and then test whether the policy is followed through walkthroughs and evidence sampling. A policy that says one thing while the team does another is flagged as a design-versus-operating-effectiveness issue.",{},[631,1138,2576,1876],[1141,4740,2578],"readiness-assessment",{"title":4742,"description":4743},"SOC 2 Policies & Procedures (2026): Required Docs & Templates","Every policy a SOC 2 audit expects. Templates, version control, leadership approval, and the difference between policy on paper and policy in practice.","5.frameworks\u002Fsoc2\u002Fpolicies-and-procedures","vTsNDGzErpsuzja0X79iu8h767Qjr1SAJbnemh3OH-U",{"id":4747,"title":4748,"body":4749,"description":5367,"extension":578,"faq":5368,"frameworkSlug":631,"lastUpdated":1135,"meta":5385,"navigation":613,"path":159,"relatedTerms":5386,"relatedTopics":5387,"seo":5389,"stem":5392,"__hash__":5393},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fprivacy-criteria.md","SOC 2 Privacy Criteria",{"type":29,"value":4750,"toc":5325},[4751,4755,4761,4764,4768,4773,4851,4854,4857,4860,4862,4879,4881,4892,4895,4898,4900,4917,4919,4930,4933,4936,4938,4955,4957,4968,4971,4974,4977,4994,4997,5011,5014,5017,5020,5037,5040,5051,5054,5057,5060,5077,5080,5094,5099,5102,5105,5108,5125,5128,5139,5142,5145,5148,5165,5168,5182,5184,5187,5221,5224,5226,5235,5238,5240,5243,5261,5263,5295,5297,5314,5316],[32,4752,4754],{"id":4753},"privacy-is-the-most-demanding-soc-2-criterion","Privacy is the most demanding SOC 2 
criterion",[37,4756,4757,4758,4760],{},"Privacy has eight control categories — P1 through P8 — which is more than any other ",[44,4759,658],{"href":614}," Trust Services Criterion. It touches every team that handles personal information and requires operational discipline across the full data lifecycle: notice, choice, collection, use, retention, disclosure, access, and monitoring. For organizations adding the privacy criterion to an existing SOC 2, the scope expansion is substantial. For those starting fresh with privacy in scope, the readiness effort is significant.",[37,4762,4763],{},"The privacy criterion applies when the organization collects and processes personal information — data that can identify an individual. It aligns closely with regulations like GDPR, CCPA, PIPEDA, and other data protection laws, though SOC 2 Privacy attests to controls, not regulatory compliance. Buyers often request it as operational assurance that privacy commitments are not theoretical.",[32,4765,4767],{"id":4766},"the-eight-privacy-categories","The eight privacy categories",[37,4769,107,4770,4772],{},[44,4771,55],{"href":54}," organize the privacy criterion into eight control categories. 
Each maps to a principle in the AICPA's generally accepted privacy principles.",[859,4774,4775,4785],{},[862,4776,4777],{},[865,4778,4779,4782],{},[868,4780,4781],{},"Category",[868,4783,4784],{},"Focus",[875,4786,4787,4795,4803,4811,4819,4827,4835,4843],{},[865,4788,4789,4792],{},[880,4790,4791],{},"P1 — Notice",[880,4793,4794],{},"Providing notice about privacy practices",[865,4796,4797,4800],{},[880,4798,4799],{},"P2 — Choice and consent",[880,4801,4802],{},"Obtaining informed consent",[865,4804,4805,4808],{},[880,4806,4807],{},"P3 — Collection",[880,4809,4810],{},"Collecting only what is needed",[865,4812,4813,4816],{},[880,4814,4815],{},"P4 — Use, retention, and disposal",[880,4817,4818],{},"Using data for stated purposes; retaining and disposing appropriately",[865,4820,4821,4824],{},[880,4822,4823],{},"P5 — Access",[880,4825,4826],{},"Providing data subjects access to their personal information",[865,4828,4829,4832],{},[880,4830,4831],{},"P6 — Disclosure and notification",[880,4833,4834],{},"Disclosing to third parties and notifying of breaches",[865,4836,4837,4840],{},[880,4838,4839],{},"P7 — Quality",[880,4841,4842],{},"Maintaining accurate and complete personal information",[865,4844,4845,4848],{},[880,4846,4847],{},"P8 — Monitoring and enforcement",[880,4849,4850],{},"Monitoring privacy practices and enforcing commitments",[37,4852,4853],{},"Each category has specific points of focus. Below, we summarize the operational controls for each.",[32,4855,4791],{"id":4856},"p1-notice",[37,4858,4859],{},"P1 requires that the organization provide notice about its privacy practices. 
The notice must be readily available, describe the entity's practices clearly, and be updated when practices change.",[112,4861,1208],{"id":1207},[172,4863,4864,4867,4870,4873,4876],{},[175,4865,4866],{},"Published privacy notice on the company website",[175,4868,4869],{},"Notice at the point of data collection where relevant",[175,4871,4872],{},"Version history with effective dates",[175,4874,4875],{},"Procedures for updating and re-communicating notice when practices change",[175,4877,4878],{},"Internal policy on when notice updates are required",[112,4880,1232],{"id":1231},[172,4882,4883,4886,4889],{},[175,4884,4885],{},"Current notice document",[175,4887,4888],{},"Prior versions with effective dates",[175,4890,4891],{},"Records of material changes during the observation period",[32,4893,4799],{"id":4894},"p2-choice-and-consent",[37,4896,4897],{},"P2 addresses how individuals exercise choice over their personal information. This includes opt-in, opt-out, and consent mechanisms.",[112,4899,1208],{"id":1259},[172,4901,4902,4905,4908,4911,4914],{},[175,4903,4904],{},"Consent management platform or equivalent",[175,4906,4907],{},"Opt-in and opt-out workflows aligned to applicable law",[175,4909,4910],{},"Consent records with timestamp, scope, and method",[175,4912,4913],{},"Procedures for responding to revoked consent",[175,4915,4916],{},"Cookie consent and tracking preferences where relevant",[112,4918,1232],{"id":1285},[172,4920,4921,4924,4927],{},[175,4922,4923],{},"Consent configuration",[175,4925,4926],{},"Sample consent records",[175,4928,4929],{},"Revocation handling evidence",[32,4931,4807],{"id":4932},"p3-collection",[37,4934,4935],{},"P3 requires that personal information be collected for specified purposes and limited to what is necessary. 
This is the data minimization principle.",[112,4937,1208],{"id":1315},[172,4939,4940,4943,4946,4949,4952],{},[175,4941,4942],{},"Documented purposes for each data element collected",[175,4944,4945],{},"Data inventory or data map",[175,4947,4948],{},"Review of collection forms and API endpoints for minimization",[175,4950,4951],{},"Controls preventing collection of unrelated or unnecessary data",[175,4953,4954],{},"Purpose limitation during new feature design",[112,4956,1232],{"id":1335},[172,4958,4959,4962,4965],{},[175,4960,4961],{},"Data map or inventory",[175,4963,4964],{},"Privacy impact assessments for new data flows",[175,4966,4967],{},"Collection forms reviewed against documented purposes",[32,4969,4815],{"id":4970},"p4-use-retention-and-disposal",[37,4972,4973],{},"P4 addresses how personal information is used after collection and what happens when it is no longer needed.",[112,4975,1208],{"id":4976},"typical-controls-3",[172,4978,4979,4982,4985,4988,4991],{},[175,4980,4981],{},"Purpose limitation enforced through access controls and code review",[175,4983,4984],{},"Data retention schedule with defined periods per data type",[175,4986,4987],{},"Automated or tracked deletion when retention expires",[175,4989,4990],{},"Disposal procedures for physical and logical data",[175,4992,4993],{},"Documentation of exceptions and legal holds",[112,4995,1232],{"id":4996},"evidence-expectations-3",[172,4998,4999,5002,5005,5008],{},[175,5000,5001],{},"Retention schedule",[175,5003,5004],{},"Evidence of automated deletion (job logs, records)",[175,5006,5007],{},"Disposal records for the observation period",[175,5009,5010],{},"Examples of purpose limitation (access restrictions tied to purpose)",[32,5012,4823],{"id":5013},"p5-access",[37,5015,5016],{},"P5 requires procedures for providing data subjects with access to their personal information, including correction or deletion 
rights.",[112,5018,1208],{"id":5019},"typical-controls-4",[172,5021,5022,5025,5028,5031,5034],{},[175,5023,5024],{},"Subject access request (SAR) intake process",[175,5026,5027],{},"Identity verification procedures",[175,5029,5030],{},"Response timelines aligned to applicable law",[175,5032,5033],{},"Procedures for correction, deletion, and objection requests",[175,5035,5036],{},"SAR tracking system with full audit trail",[112,5038,1232],{"id":5039},"evidence-expectations-4",[172,5041,5042,5045,5048],{},[175,5043,5044],{},"SAR policy and procedure",[175,5046,5047],{},"Sample SAR cases closed during the period",[175,5049,5050],{},"Response timeline metrics",[32,5052,4831],{"id":5053},"p6-disclosure-and-notification",[37,5055,5056],{},"P6 covers how personal information is shared with third parties and how breaches are handled.",[112,5058,1208],{"id":5059},"typical-controls-5",[172,5061,5062,5065,5068,5071,5074],{},[175,5063,5064],{},"Data processing agreements with all processors",[175,5066,5067],{},"Subprocessor notification procedures",[175,5069,5070],{},"Breach detection and notification procedures",[175,5072,5073],{},"Notification templates for regulators and data subjects",[175,5075,5076],{},"Records of disclosures for accounting purposes",[112,5078,1232],{"id":5079},"evidence-expectations-5",[172,5081,5082,5085,5088,5091],{},[175,5083,5084],{},"DPA templates and executed DPAs",[175,5086,5087],{},"Subprocessor list",[175,5089,5090],{},"Breach response procedures",[175,5092,5093],{},"Notification records if any occurred during the period",[37,5095,1352,5096,5098],{},[44,5097,4120],{"href":4119}," for related glossary.",[32,5100,4839],{"id":5101},"p7-quality",[37,5103,5104],{},"P7 addresses maintaining accurate, complete, and current personal information. 
This intersects with both P5 (correction rights) and operational data quality.",[112,5106,1208],{"id":5107},"typical-controls-6",[172,5109,5110,5113,5116,5119,5122],{},[175,5111,5112],{},"Data quality checks at collection and processing",[175,5114,5115],{},"Procedures for correcting inaccurate information",[175,5117,5118],{},"Periodic data quality reviews",[175,5120,5121],{},"Deduplication processes",[175,5123,5124],{},"Customer-facing update flows",[112,5126,1232],{"id":5127},"evidence-expectations-6",[172,5129,5130,5133,5136],{},[175,5131,5132],{},"Data quality policy and reviews",[175,5134,5135],{},"Evidence of corrections handled during the period",[175,5137,5138],{},"Sample of updated records",[32,5140,4847],{"id":5141},"p8-monitoring-and-enforcement",[37,5143,5144],{},"P8 closes the loop by requiring that privacy practices are monitored and enforced across the organization.",[112,5146,1208],{"id":5147},"typical-controls-7",[172,5149,5150,5153,5156,5159,5162],{},[175,5151,5152],{},"Privacy training for staff",[175,5154,5155],{},"Periodic privacy compliance reviews",[175,5157,5158],{},"Investigation and remediation of privacy complaints",[175,5160,5161],{},"Privacy metrics reported to leadership",[175,5163,5164],{},"Enforcement actions (disciplinary procedures for violations)",[112,5166,1232],{"id":5167},"evidence-expectations-7",[172,5169,5170,5173,5176,5179],{},[175,5171,5172],{},"Training completion records",[175,5174,5175],{},"Privacy reviews or assessments",[175,5177,5178],{},"Complaint log and resolutions",[175,5180,5181],{},"Metric reports to leadership",[32,5183,1365],{"id":1364},[37,5185,5186],{},"Privacy pulls heavily from the Common Criteria and often overlaps with confidentiality.",[172,5188,5189,5194,5200,5206,5213],{},[175,5190,5191,5193],{},[61,5192,2880],{}," — access restrictions on personal data",[175,5195,5196,5199],{},[61,5197,5198],{},"CC7 (monitoring)"," — detection of privacy events",[175,5201,5202,5205],{},[61,5203,5204],{},"CC9 
(risk)"," — privacy risk assessment and vendor oversight",[175,5207,5208,5212],{},[61,5209,5210],{},[44,5211,141],{"href":147}," — technical controls like encryption apply to both",[175,5214,5215,5220],{},[61,5216,5217],{},[44,5218,5219],{"href":54},"Security"," — the foundation of privacy",[37,5222,5223],{},"A well-mapped control inventory lets a single encryption, access, or disposal control support multiple criteria simultaneously.",[32,5225,1407],{"id":1406},[37,5227,5228,5229,5231,5232,5234],{},"Privacy is often the last criterion added because of its scope. Organizations typically pursue security first, add availability or confidentiality based on customer commitments, and layer privacy on top when GDPR, CCPA, or enterprise privacy expectations demand it. Because privacy spans the entire data lifecycle, it benefits from strong ",[44,5230,2916],{"href":2915}," and a mature ",[44,5233,353],{"href":352}," program.",[37,5236,5237],{},"Buyers who request a SOC 2 report with privacy in scope are usually asking about operational discipline, not legal compliance. 
Pair SOC 2 Privacy with explicit GDPR or CCPA programs, DPAs, and regulatory filings for a complete privacy story.",[32,5239,1676],{"id":1675},[37,5241,5242],{},"Beyond the category-specific evidence listed above, auditors typically request:",[172,5244,5245,5248,5250,5252,5255,5258],{},[175,5246,5247],{},"Data map or inventory spanning the observation period",[175,5249,4964],{},[175,5251,5172],{},[175,5253,5254],{},"Executed DPAs and subprocessor lists",[175,5256,5257],{},"Full SAR case logs for the period",[175,5259,5260],{},"Breach response records if applicable",[32,5262,1417],{"id":1416},[172,5264,5265,5271,5277,5283,5289],{},[175,5266,5267,5270],{},[61,5268,5269],{},"Privacy policy without practice."," A published notice that does not reflect actual data flows fails walkthroughs fast.",[175,5272,5273,5276],{},[61,5274,5275],{},"No data map."," Without a data inventory, it is impossible to demonstrate P3 (collection limited to purpose) or P4 (retention by type).",[175,5278,5279,5282],{},[61,5280,5281],{},"Manual SAR handling with no audit trail."," Responses happen but nothing is logged. Auditors need the record.",[175,5284,5285,5288],{},[61,5286,5287],{},"Subprocessor gaps."," Vendors that process personal data without DPAs are a P6 finding.",[175,5290,5291,5294],{},[61,5292,5293],{},"Training as a checkbox."," Annual training that nobody actually completes is a P8 weakness.",[32,5296,1453],{"id":1452},[172,5298,5299,5302,5305,5308,5311],{},[175,5300,5301],{},"Build the data map first. Every privacy control depends on knowing what personal data exists, where, and why.",[175,5303,5304],{},"Treat consent as a system of record, not a form. A consent management platform that produces auditable records is far stronger than email trails.",[175,5306,5307],{},"Automate retention. Scheduled deletion jobs are cleaner evidence than manual cleanup.",[175,5309,5310],{},"Run a quarterly privacy review covering new data flows, new subprocessors, and any incidents. 
Document it.",[175,5312,5313],{},"Align SOC 2 Privacy work with your GDPR and CCPA programs so artifacts are reused.",[32,5315,1101],{"id":1100},[37,5317,5318,5319,1479,5322,5324],{},"episki maps the P1 through P8 control categories to operational workflows — consent management, SAR tracking, data inventory, subprocessor management — and collects evidence continuously. ",[44,5320,538],{"href":535,"rel":5321},[537],[44,5323,1482],{"href":614}," to see how privacy integrates with security, confidentiality, and the rest of the Trust Services Criteria.",{"title":546,"searchDepth":547,"depth":547,"links":5326},[5327,5328,5329,5333,5337,5341,5345,5349,5353,5357,5361,5362,5363,5364,5365,5366],{"id":4753,"depth":547,"text":4754},{"id":4766,"depth":547,"text":4767},{"id":4856,"depth":547,"text":4791,"children":5330},[5331,5332],{"id":1207,"depth":554,"text":1208},{"id":1231,"depth":554,"text":1232},{"id":4894,"depth":547,"text":4799,"children":5334},[5335,5336],{"id":1259,"depth":554,"text":1208},{"id":1285,"depth":554,"text":1232},{"id":4932,"depth":547,"text":4807,"children":5338},[5339,5340],{"id":1315,"depth":554,"text":1208},{"id":1335,"depth":554,"text":1232},{"id":4970,"depth":547,"text":4815,"children":5342},[5343,5344],{"id":4976,"depth":554,"text":1208},{"id":4996,"depth":554,"text":1232},{"id":5013,"depth":547,"text":4823,"children":5346},[5347,5348],{"id":5019,"depth":554,"text":1208},{"id":5039,"depth":554,"text":1232},{"id":5053,"depth":547,"text":4831,"children":5350},[5351,5352],{"id":5059,"depth":554,"text":1208},{"id":5079,"depth":554,"text":1232},{"id":5101,"depth":547,"text":4839,"children":5354},[5355,5356],{"id":5107,"depth":554,"text":1208},{"id":5127,"depth":554,"text":1232},{"id":5141,"depth":547,"text":4847,"children":5358},[5359,5360],{"id":5147,"depth":554,"text":1208},{"id":5167,"depth":554,"text":1232},{"id":1364,"depth":547,"text":1365},{"id":1406,"depth":547,"text":1407},{"id":1675,"depth":547,"text":1676},{"id":1416,"depth":547,"text":1417},{
"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"Deep dive on the SOC 2 Privacy Trust Services Criterion. The P1 through P8 series covering notice, choice, collection, use, access, disclosure, and quality.",{"items":5369},[5370,5373,5376,5379,5382],{"label":5371,"content":5372},"When should I include the privacy criterion in my SOC 2?","Include privacy when you collect and process personal information and want to demonstrate your privacy program to customers, regulators, or partners. Privacy is also common when buyers ask about GDPR, CCPA, or similar regulatory compliance and want independent attestation.",{"label":5374,"content":5375},"How does SOC 2 Privacy relate to GDPR and CCPA?","SOC 2 Privacy controls align closely with the principles in GDPR and CCPA — notice, consent, data subject rights, minimization, retention. A SOC 2 Privacy report is often used as evidence of operational discipline in these areas but does not itself demonstrate legal compliance with any specific regulation.",{"label":5377,"content":5378},"Is privacy the most demanding SOC 2 criterion?","Typically yes. Privacy has eight categories (P1 through P8), the most extensive control set, and touches every team that handles personal information. Adding privacy to an existing SOC 2 scope usually adds significant evidence and process work.",{"label":5380,"content":5381},"Do I need a separate privacy audit if I have SOC 2 Privacy?","The SOC 2 Privacy criterion is not a substitute for regulatory compliance. Many organizations use SOC 2 Privacy as operational evidence and maintain separate privacy impact assessments, DPAs, and regulatory filings as required by specific laws.",{"label":5383,"content":5384},"What is a Subject Access Request under the privacy criterion?","A Subject Access Request (SAR) is a request from an individual to access, correct, or delete their personal information. 
Under P5, the organization must have procedures to handle SARs within a reasonable time, verify identity, and document the response.",{},[2637,4188,631,1876],[1529,5388,3056],"confidentiality-criteria",{"title":5390,"description":5391},"SOC 2 Privacy Criteria (2026): P1-P8 Series Deep Dive","Master the SOC 2 Privacy criterion. P1 notice, P2 choice, P3 collection, P4 use and retention, P5 access, P6 disclosure, P7 quality, P8 monitoring.","5.frameworks\u002Fsoc2\u002Fprivacy-criteria","SEAT5ForhomAbzrVxFRrpZL2bYX8BNfJZTMyOg8eIYY",{"id":5395,"title":5396,"body":5397,"description":5775,"extension":578,"faq":5776,"frameworkSlug":631,"lastUpdated":1135,"meta":5793,"navigation":613,"path":220,"relatedTerms":5794,"relatedTopics":5795,"seo":5796,"stem":5799,"__hash__":5800},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Freadiness-assessment.md","SOC 2 Readiness Assessment",{"type":29,"value":5398,"toc":5759},[5399,5403,5409,5415,5419,5422,5426,5429,5459,5462,5466,5469,5489,5495,5499,5502,5516,5519,5568,5572,5575,5595,5601,5605,5608,5619,5628,5632,5635,5654,5656,5659,5665,5669,5672,5692,5695,5697,5729,5731,5748,5750],[32,5400,5402],{"id":5401},"readiness-is-the-single-highest-leverage-phase-of-soc-2","Readiness is the single highest-leverage phase of SOC 2",[37,5404,5405,5406,5408],{},"A well-run ",[44,5407,658],{"href":614}," readiness assessment saves more time and money than any other activity in the compliance program. Skip it and you enter fieldwork with unknown gaps, triggering remediation mid-audit, extending timelines, and burning goodwill with your CPA firm. Do it properly and you arrive at the audit knowing exactly where you stand, with a clean, prioritized punch list already worked.",[37,5410,5411,5412,5414],{},"Readiness is not a dress rehearsal. It is a structured gap analysis that compares your current controls against the ",[44,5413,55],{"href":54}," you have selected and outputs a remediation plan. 
The plan — with owners, due dates, and evidence requirements — becomes the roadmap for the weeks or months before fieldwork begins.",[32,5416,5418],{"id":5417},"what-a-readiness-assessment-covers","What a readiness assessment covers",[37,5420,5421],{},"A SOC 2 readiness assessment has five components. Skipping any of them weakens the value of the output.",[112,5423,5425],{"id":5424},"_1-scoping","1. Scoping",[37,5427,5428],{},"Scoping defines what the audit will cover. This includes:",[172,5430,5431,5437,5442,5448,5454],{},[175,5432,5433,5436],{},[61,5434,5435],{},"Systems in scope",": the applications, infrastructure, databases, and third-party services that store, process, or transmit customer data",[175,5438,5439,5441],{},[61,5440,55],{},": security is required; availability, processing integrity, confidentiality, and privacy are optional and selected based on commitments",[175,5443,5444,5447],{},[61,5445,5446],{},"Locations",": physical offices or data centers in scope",[175,5449,5450,5453],{},[61,5451,5452],{},"Entities",": if the company has subsidiaries or separate business units, decide which are covered",[175,5455,5456,5458],{},[61,5457,989],{}," (for Type II): the start and end dates the auditor will test against",[37,5460,5461],{},"Scoping decisions made during readiness typically carry through to the audit contract. Changing scope mid-engagement is expensive.",[112,5463,5465],{"id":5464},"_2-control-inventory","2. Control inventory",[37,5467,5468],{},"Catalog every control currently in place that could contribute to SOC 2 coverage. 
Sources include:",[172,5470,5471,5474,5477,5480,5483,5486],{},[175,5472,5473],{},"Existing information security policy",[175,5475,5476],{},"Identity and access management configuration",[175,5478,5479],{},"Infrastructure and application security tooling",[175,5481,5482],{},"HR processes (onboarding, offboarding, training)",[175,5484,5485],{},"Vendor management practices",[175,5487,5488],{},"Incident response and business continuity plans",[37,5490,5491,5492,5494],{},"The output is a control inventory mapped to the categories of the ",[44,5493,226],{"href":225},". It does not need to be exhaustive — the goal is to understand what exists, not perfect it.",[112,5496,5498],{"id":5497},"_3-gap-analysis","3. Gap analysis",[37,5500,5501],{},"With scope and inventory defined, compare what you have against what the Trust Services Criteria require. For every point of focus, answer:",[172,5503,5504,5507,5510,5513],{},[175,5505,5506],{},"Is there a control in place?",[175,5508,5509],{},"Is the control documented?",[175,5511,5512],{},"Is the control operating?",[175,5514,5515],{},"Is there evidence the control operated over time (for Type II)?",[37,5517,5518],{},"Gaps fall into three categories.",[859,5520,5521,5533],{},[862,5522,5523],{},[865,5524,5525,5528,5530],{},[868,5526,5527],{},"Gap Type",[868,5529,2653],{},[868,5531,5532],{},"Typical Effort",[875,5534,5535,5546,5557],{},[865,5536,5537,5540,5543],{},[880,5538,5539],{},"Missing control",[880,5541,5542],{},"No control exists for the criterion",[880,5544,5545],{},"High — design and implement",[865,5547,5548,5551,5554],{},[880,5549,5550],{},"Undocumented control",[880,5552,5553],{},"Control exists but is not written down",[880,5555,5556],{},"Low — document what you do",[865,5558,5559,5562,5565],{},[880,5560,5561],{},"No evidence",[880,5563,5564],{},"Control exists but generates no auditable evidence",[880,5566,5567],{},"Medium — instrument evidence generation",[112,5569,5571],{"id":5570},"_4-remediation-planning","4. 
Remediation planning",[37,5573,5574],{},"Each gap becomes a remediation item with:",[172,5576,5577,5580,5583,5586,5589,5592],{},[175,5578,5579],{},"Description of what is missing",[175,5581,5582],{},"Owner (named individual or team)",[175,5584,5585],{},"Priority (must-fix before audit vs nice-to-have)",[175,5587,5588],{},"Estimated effort",[175,5590,5591],{},"Due date aligned to the audit timeline",[175,5593,5594],{},"Evidence requirement after remediation",[37,5596,5597,5598,5600],{},"Prioritize gaps that are likely to be tested first and gaps that take the longest to close. Examples of items that frequently need the most lead time: centralized logging deployment, MFA rollout to all in-scope systems, policy set formalization, and vendor assessments. See ",[44,5599,2916],{"href":2915}," for the policy baseline most SOC 2 programs need.",[112,5602,5604],{"id":5603},"_5-evidence-catalog","5. Evidence catalog",[37,5606,5607],{},"For every control — existing or newly created — identify the evidence the auditor will request. Evidence may be:",[172,5609,5610,5613,5616],{},[175,5611,5612],{},"Static documents (policies, agreements, plans)",[175,5614,5615],{},"Snapshots (access review exports, configuration screenshots)",[175,5617,5618],{},"Continuous artifacts (logs, tickets, alerts) for Type II",[37,5620,5621,5622,96,5624,100],{},"The catalog prevents the scramble during fieldwork when auditors send their first request list and the team realizes half the evidence is not where it needs to be. 
Related glossary: ",[44,5623,3145],{"href":3144},[44,5625,5627],{"href":5626},"\u002Fglossary\u002Fremediation","remediation",[32,5629,5631],{"id":5630},"how-readiness-connects-to-type-i-and-type-ii","How readiness connects to Type I and Type II",[37,5633,5634],{},"Readiness is typically the first stop on the path to a SOC 2 report.",[172,5636,5637,5646,5651],{},[175,5638,5639,5640,5643,5644,100],{},"If your next report will be ",[61,5641,5642],{},"Type I",", readiness identifies gaps to close so control design passes. Remediation must be complete before the Type I reporting date. See ",[44,5645,90],{"href":89},[175,5647,5639,5648,5650],{},[61,5649,3742],{},", readiness closes gaps so controls can operate cleanly across the observation period. Any remediation that happens during the observation period creates risk that the auditor will see control failure earlier in the period.",[175,5652,5653],{},"If you plan to skip Type I and go straight to Type II, readiness is even more important because there is no point-in-time checkpoint to catch design flaws before the observation clock starts.",[32,5655,1407],{"id":1406},[37,5657,5658],{},"Readiness is not a Trust Services Criterion itself but supports CC3 (risk assessment) and CC4 (monitoring activities). The readiness output becomes evidence that the organization assessed control adequacy and took action. Many auditors ask to see the readiness assessment or equivalent gap analysis during fieldwork as an indicator of program maturity.",[37,5660,5661,5662,100],{},"Readiness also informs scoping conversations with the CPA firm. Sharing your gap analysis with a prospective auditor during the selection process demonstrates seriousness and can help estimate fieldwork effort accurately. 
This in turn affects the ",[44,5663,5664],{"href":308},"cost estimate",[32,5666,5668],{"id":5667},"deliverables-of-a-good-readiness-assessment","Deliverables of a good readiness assessment",[37,5670,5671],{},"By the end of readiness, you should have:",[172,5673,5674,5677,5680,5683,5686,5689],{},[175,5675,5676],{},"A written scope statement (systems, criteria, observation period)",[175,5678,5679],{},"A control inventory mapped to the Trust Services Criteria",[175,5681,5682],{},"A gap analysis document",[175,5684,5685],{},"A remediation plan with owners and due dates",[175,5687,5688],{},"An evidence catalog listing required artifacts per control",[175,5690,5691],{},"A refined understanding of likely audit cost and timeline",[37,5693,5694],{},"These artifacts are worth maintaining after readiness ends — they become the operating system of the SOC 2 program through the audit and beyond.",[32,5696,1417],{"id":1416},[172,5698,5699,5705,5711,5717,5723],{},[175,5700,5701,5704],{},[61,5702,5703],{},"Scoping too broadly."," Including criteria you have no customer commitment for adds work without adding value. Start tight.",[175,5706,5707,5710],{},[61,5708,5709],{},"Skipping evidence planning."," Identifying gaps without identifying how evidence will be produced leads to scrambling later.",[175,5712,5713,5716],{},[61,5714,5715],{},"No owner on remediation items."," Items without owners stall. Every gap needs a name attached.",[175,5718,5719,5722],{},[61,5720,5721],{},"Treating readiness as a document exercise."," Readiness is an operational sprint, not a report. The goal is to close gaps, not just describe them.",[175,5724,5725,5728],{},[61,5726,5727],{},"Using readiness as a substitute for Type I."," Some buyers ask for Type I specifically. 
Readiness is not an auditor's opinion and does not satisfy that request.",[32,5730,1453],{"id":1452},[172,5732,5733,5736,5739,5742,5745],{},[175,5734,5735],{},"Start readiness at least three months before you want to begin fieldwork for Type I, or before the observation period begins for Type II.",[175,5737,5738],{},"Use your compliance platform to run the gap analysis rather than a spreadsheet. The platform becomes the living record after readiness ends.",[175,5740,5741],{},"Involve engineering, IT, HR, and legal from day one. SOC 2 is cross-functional, and single-team readiness misses gaps.",[175,5743,5744],{},"Review the readiness output with your prospective auditor before signing the engagement letter. They may flag scoping issues or evidence expectations.",[175,5746,5747],{},"Re-run readiness annually or whenever scope changes. The program is never done.",[32,5749,1101],{"id":1100},[37,5751,5752,5753,3317,5756,5758],{},"episki ships with a pre-mapped SOC 2 control library, scoping wizard, gap analysis engine, and remediation tracker — turning readiness from a multi-week consulting engagement into a workflow your team can run in-house. ",[44,5754,538],{"href":535,"rel":5755},[537],[44,5757,1482],{"href":614}," to see how readiness connects to the rest of the audit lifecycle.",{"title":546,"searchDepth":547,"depth":547,"links":5760},[5761,5762,5769,5770,5771,5772,5773,5774],{"id":5401,"depth":547,"text":5402},{"id":5417,"depth":547,"text":5418,"children":5763},[5764,5765,5766,5767,5768],{"id":5424,"depth":554,"text":5425},{"id":5464,"depth":554,"text":5465},{"id":5497,"depth":554,"text":5498},{"id":5570,"depth":554,"text":5571},{"id":5603,"depth":554,"text":5604},{"id":5630,"depth":547,"text":5631},{"id":1406,"depth":547,"text":1407},{"id":5667,"depth":547,"text":5668},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"How to run a SOC 2 readiness assessment. 
Gap analysis, scoping, remediation planning, and preparing for Type I fieldwork.",{"items":5777},[5778,5781,5784,5787,5790],{"label":5779,"content":5780},"What is a SOC 2 readiness assessment?","A SOC 2 readiness assessment is an internal or consultant-led review that compares your current controls against the Trust Services Criteria you intend to audit. The output is a gap analysis and a prioritized remediation plan for closing gaps before fieldwork begins.",{"label":5782,"content":5783},"Do I need a consultant to run a readiness assessment?","No. Many teams run readiness internally using the Trust Services Criteria and a compliance platform. Consultants can accelerate the process and bring benchmarking data, but the work is not so specialized that you cannot do it in-house.",{"label":5785,"content":5786},"How long does a readiness assessment take?","Typically two to six weeks for the assessment itself, depending on the size of the environment and the number of criteria in scope. Remediation of identified gaps usually takes an additional four to twelve weeks.",{"label":5788,"content":5789},"Can I skip readiness and go straight to the audit?","Technically yes, but organizations that skip readiness usually discover significant gaps during fieldwork, which is expensive and extends the timeline. Readiness is cheaper insurance.",{"label":5791,"content":5792},"What is the difference between a readiness assessment and the Type I audit?","Readiness is internal and non-binding. The Type I audit is performed by a licensed CPA firm and produces an official opinion. Readiness identifies gaps; Type I attests that controls are designed correctly as of a specific date.",{},[631,1138,1876,5627],[2578,1140,3056],{"title":5797,"description":5798},"SOC 2 Readiness Assessment (2026): Gap Analysis & Scoping","Run a SOC 2 readiness assessment that actually prepares you for Type I. 
Scoping, gap analysis, remediation prioritization, and timeline planning.","5.frameworks\u002Fsoc2\u002Freadiness-assessment","LXYZZpTRaWcjLeZ5NifO3NYIccKPVRAiyQhEg7LwuCw",{"id":5802,"title":5803,"body":5804,"description":6205,"extension":578,"faq":1134,"frameworkSlug":631,"lastUpdated":1135,"meta":6206,"navigation":613,"path":225,"relatedTerms":6207,"relatedTopics":6208,"seo":6209,"stem":6212,"__hash__":6213},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Frequirements.md","SOC 2 Requirements",{"type":29,"value":5805,"toc":6191},[5806,5810,5816,5822,5824,5827,5831,5834,5890,5893,5897,5900,5917,5920,5924,5927,5944,5947,5951,5954,5970,5973,5977,5980,5997,6000,6004,6007,6089,6096,6100,6103,6140,6146,6148,6179,6181],[32,5807,5809],{"id":5808},"what-are-the-soc-2-requirements","What are the SOC 2 requirements?",[37,5811,5812,5813,5815],{},"SOC 2 is not a prescriptive checklist like ",[44,5814,411],{"href":410},". Instead, it is a principles-based framework built around the AICPA's Trust Services Criteria. That flexibility is powerful, but it also means organizations must interpret the criteria and design controls that fit their specific environment.",[37,5817,5818,5819,5821],{},"At its core, ",[44,5820,3378],{"href":614}," requires that an organization demonstrate it has designed and implemented controls that satisfy the applicable Trust Services Criteria. Security is mandatory for every SOC 2 engagement. The remaining four criteria — availability, processing integrity, confidentiality, and privacy — are selected based on the services the organization provides and the commitments it makes to customers.",[32,5823,104],{"id":103},[37,5825,5826],{},"Each criterion contains a set of points of focus that auditors use to evaluate whether controls are suitably designed and operating effectively. Below is a summary of what each criterion requires.",[112,5828,5830],{"id":5829},"_1-security-common-criteria-required","1. 
Security (Common Criteria) — required",[37,5832,5833],{},"Security is the foundation of every SOC 2 report. It addresses whether the system is protected against unauthorized access, both physical and logical. The Common Criteria map closely to the COSO framework and cover nine broad categories:",[172,5835,5836,5842,5848,5854,5860,5866,5872,5878,5884],{},[175,5837,5838,5841],{},[61,5839,5840],{},"CC1 — Control environment",": Governance structures, board oversight, organizational accountability, and ethical values.",[175,5843,5844,5847],{},[61,5845,5846],{},"CC2 — Communication and information",": Internal and external communication about policies, objectives, and responsibilities.",[175,5849,5850,5853],{},[61,5851,5852],{},"CC3 — Risk assessment",": Identifying and analyzing risks to achieving objectives, including fraud risk.",[175,5855,5856,5859],{},[61,5857,5858],{},"CC4 — Monitoring activities",": Ongoing evaluations to verify controls are present and functioning.",[175,5861,5862,5865],{},[61,5863,5864],{},"CC5 — Control activities",": Policies and procedures that mitigate identified risks, including technology general controls.",[175,5867,5868,5871],{},[61,5869,5870],{},"CC6 — Logical and physical access",": Restrictions on system access, credential management, encryption, and physical security.",[175,5873,5874,5877],{},[61,5875,5876],{},"CC7 — System operations",": Monitoring infrastructure for anomalies, incident detection, and response procedures.",[175,5879,5880,5883],{},[61,5881,5882],{},"CC8 — Change management",": Controls over changes to infrastructure, software, and configurations.",[175,5885,5886,5889],{},[61,5887,5888],{},"CC9 — Risk mitigation",": Identifying, selecting, and developing activities that address risks from business disruptions and vendor relationships.",[37,5891,5892],{},"Most startups find that CC6, CC7, and CC8 demand the most effort because they require tangible technical controls and ongoing 
evidence.",[112,5894,5896],{"id":5895},"_2-availability","2. Availability",[37,5898,5899],{},"The availability criterion applies when the organization has made commitments about system uptime or disaster recovery. Requirements include:",[172,5901,5902,5905,5908,5911,5914],{},[175,5903,5904],{},"Defined and communicated availability commitments (SLAs, status pages)",[175,5906,5907],{},"Capacity planning and performance monitoring",[175,5909,5910],{},"Disaster recovery and business continuity plans that are tested regularly",[175,5912,5913],{},"Incident response procedures for availability-impacting events",[175,5915,5916],{},"Backup and restoration processes with documented recovery point and recovery time objectives",[37,5918,5919],{},"If your product has an SLA in customer contracts, availability is almost certainly in scope.",[112,5921,5923],{"id":5922},"_3-processing-integrity","3. Processing integrity",[37,5925,5926],{},"Processing integrity focuses on whether the system processes data completely, accurately, and in a timely manner. This is relevant for platforms that perform calculations, transactions, or data transformations. Requirements include:",[172,5928,5929,5932,5935,5938,5941],{},[175,5930,5931],{},"Input validation and error handling",[175,5933,5934],{},"Processing monitoring and reconciliation",[175,5936,5937],{},"Output reviews and quality assurance",[175,5939,5940],{},"Defined processing objectives and tolerances",[175,5942,5943],{},"Procedures for handling processing errors and exceptions",[37,5945,5946],{},"Fintech companies, data pipelines, and billing platforms commonly include this criterion.",[112,5948,5950],{"id":5949},"_4-confidentiality","4. Confidentiality",[37,5952,5953],{},"Confidentiality applies to information designated as confidential, such as intellectual property, business plans, or data shared under NDA. 
Requirements include:",[172,5955,5956,5959,5961,5964,5967],{},[175,5957,5958],{},"Classification and labeling of confidential information",[175,5960,2713],{},[175,5962,5963],{},"Encryption in transit and at rest for confidential data",[175,5965,5966],{},"Secure disposal procedures when confidentiality obligations expire",[175,5968,5969],{},"Monitoring for unauthorized disclosure",[37,5971,5972],{},"Many organizations choose confidentiality in addition to security because customer contracts explicitly reference confidential data handling.",[112,5974,5976],{"id":5975},"_5-privacy","5. Privacy",[37,5978,5979],{},"Privacy addresses personal information collected, used, retained, disclosed, and disposed of in accordance with the organization's privacy notice. It is closely aligned with regulations like GDPR and CCPA. Requirements include:",[172,5981,5982,5985,5988,5991,5994],{},[175,5983,5984],{},"A published privacy notice that describes data practices",[175,5986,5987],{},"Consent mechanisms and choice management",[175,5989,5990],{},"Data minimization and purpose limitation",[175,5992,5993],{},"Subject access, correction, and deletion processes",[175,5995,5996],{},"Breach notification procedures",[37,5998,5999],{},"If your organization processes personal data and has a public privacy policy, auditors will evaluate whether your practices match your stated commitments.",[32,6001,6003],{"id":6002},"common-controls-that-satisfy-soc-2-requirements","Common controls that satisfy SOC 2 requirements",[37,6005,6006],{},"While every organization's control set is different, certain controls appear in nearly every SOC 2 environment:",[859,6008,6009,6019],{},[862,6010,6011],{},[865,6012,6013,6016],{},[868,6014,6015],{},"Control area",[868,6017,6018],{},"Examples",[875,6020,6021,6029,6037,6044,6051,6059,6066,6073,6081],{},[865,6022,6023,6026],{},[880,6024,6025],{},"Access management",[880,6027,6028],{},"SSO with MFA, role-based access, quarterly access 
reviews",[865,6030,6031,6034],{},[880,6032,6033],{},"Endpoint security",[880,6035,6036],{},"MDM enrollment, disk encryption, automated patching",[865,6038,6039,6041],{},[880,6040,2168],{},[880,6042,6043],{},"Firewalls, segmentation, intrusion detection",[865,6045,6046,6048],{},[880,6047,364],{},[880,6049,6050],{},"Pull request reviews, CI\u002FCD pipelines, rollback procedures",[865,6052,6053,6056],{},[880,6054,6055],{},"Logging and monitoring",[880,6057,6058],{},"Centralized log aggregation, alerting on anomalies, SIEM",[865,6060,6061,6063],{},[880,6062,1765],{},[880,6064,6065],{},"Documented IR plan, tabletop exercises, post-mortems",[865,6067,6068,6070],{},[880,6069,4047],{},[880,6071,6072],{},"Third-party risk assessments, contract reviews, ongoing monitoring",[865,6074,6075,6078],{},[880,6076,6077],{},"HR security",[880,6079,6080],{},"Background checks, security awareness training, offboarding checklists",[865,6082,6083,6086],{},[880,6084,6085],{},"Data protection",[880,6087,6088],{},"Encryption at rest and in transit, key management, backup verification",[37,6090,6091,6092,6095],{},"The key is not just having these controls in place but being able to demonstrate they are operating consistently. 
That evidence collection burden is where most teams struggle, especially during a ",[44,6093,6094],{"href":89},"SOC 2 Type II audit"," that examines an extended observation period.",[32,6097,6099],{"id":6098},"scoping-your-soc-2-requirements","Scoping your SOC 2 requirements",[37,6101,6102],{},"Before you start building controls, define your scope carefully:",[210,6104,6105,6110,6115,6121,6130],{},[175,6106,6107,6109],{},[61,6108,1942],{}," — which applications, infrastructure, and third-party services touch customer data.",[175,6111,6112,6114],{},[61,6113,1951],{}," — start with security and add criteria that align with customer commitments and contractual obligations.",[175,6116,6117,6120],{},[61,6118,6119],{},"Map existing controls"," — many organizations already satisfy 40-60% of SOC 2 requirements through existing security practices.",[175,6122,6123,6126,6127,6129],{},[61,6124,6125],{},"Perform a gap analysis"," — compare current state against the ",[44,6128,55],{"href":54}," to identify missing or immature controls.",[175,6131,6132,6135,6136,6139],{},[61,6133,6134],{},"Prioritize remediation"," — address high-risk gaps first, then work through lower-priority items before the ",[44,6137,6138],{"href":206},"audit"," begins.",[37,6141,6142,6143,6145],{},"A well-scoped audit reduces ",[44,6144,1142],{"href":308}," and avoids scope creep that delays the timeline.",[32,6147,1417],{"id":1416},[172,6149,6150,6156,6162,6173],{},[175,6151,6152,6155],{},[61,6153,6154],{},"Over-scoping",": Including systems or criteria that are not relevant increases evidence requirements and audit complexity.",[175,6157,6158,6161],{},[61,6159,6160],{},"Under-documenting",": Controls exist but lack written policies, procedures, or evidence. 
Auditors need proof, not assertions.",[175,6163,6164,6167,6168,6172],{},[61,6165,6166],{},"Ignoring the human element",": Technical controls are important, but ",[44,6169,6171],{"href":6170},"\u002Fglossary\u002Fgrc","GRC"," programs also require training, awareness, and accountability.",[175,6174,6175,6178],{},[61,6176,6177],{},"Treating SOC 2 as a one-time project",": SOC 2 is an ongoing commitment. Controls must operate continuously, not just during audit prep.",[32,6180,1101],{"id":1100},[37,6182,6183,6184,539,6186,6190],{},"episki maps every Trust Services Criteria point of focus to actionable controls with suggested narratives, testing procedures, and evidence requirements. Instead of building your control matrix in a spreadsheet, you get a structured workspace where controls are linked to owners, evidence, and review cadences from day one. Pre-loaded templates cover the most common control patterns, and the platform highlights gaps so you know exactly what needs attention before your auditor arrives. 
",[44,6185,3521],{"href":3520},[44,6187,6189],{"href":535,"rel":6188},[537],"start a free trial"," to see the full SOC 2 control library.",{"title":546,"searchDepth":547,"depth":547,"links":6192},[6193,6194,6201,6202,6203,6204],{"id":5808,"depth":547,"text":5809},{"id":103,"depth":547,"text":104,"children":6195},[6196,6197,6198,6199,6200],{"id":5829,"depth":554,"text":5830},{"id":5895,"depth":554,"text":5896},{"id":5922,"depth":554,"text":5923},{"id":5949,"depth":554,"text":5950},{"id":5975,"depth":554,"text":5976},{"id":6002,"depth":547,"text":6003},{"id":6098,"depth":547,"text":6099},{"id":1416,"depth":547,"text":1417},{"id":1100,"depth":547,"text":1101},"A detailed breakdown of SOC 2 requirements across the five Trust Services Criteria, including what auditors expect, common controls, and how to scope your audit.",{},[631,1138,2576],[1529,3867,2578],{"title":6210,"description":6211},"SOC 2 Requirements Explained — What You Need to Know","Understand SOC 2 requirements across all five Trust Services Criteria. 
Learn what auditors expect, common controls, and how to scope your audit effectively.","5.frameworks\u002Fsoc2\u002Frequirements","MXHlQl2PdzvSq1w0Cnjvgqf6-Xsq-1noyoweHPR3Gfw",{"id":6215,"title":6216,"body":6217,"description":6703,"extension":578,"faq":6704,"frameworkSlug":631,"lastUpdated":1135,"meta":6721,"navigation":613,"path":6722,"relatedTerms":6723,"relatedTopics":6727,"seo":6728,"stem":6731,"__hash__":6732},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fsoc1-vs-soc2.md","SOC 1 vs SOC 2 vs SOC 3",{"type":29,"value":6218,"toc":6679},[6219,6223,6229,6232,6236,6360,6364,6367,6371,6394,6398,6405,6408,6425,6429,6432,6436,6442,6446,6449,6469,6473,6476,6490,6494,6505,6509,6512,6516,6519,6523,6534,6537,6541,6544,6548,6551,6554,6583,6589,6593,6596,6616,6619,6621,6647,6649,6667,6669],[32,6220,6222],{"id":6221},"soc-1-soc-2-and-soc-3-solve-different-problems","SOC 1, SOC 2, and SOC 3 solve different problems",[37,6224,6225,6226,6228],{},"The \"SOC\" in SOC 1, SOC 2, and SOC 3 stands for System and Organization Controls — a reporting suite from the AICPA for service organizations. The three reports share a common heritage in the ",[44,6227,47],{"href":46}," attestation standard, but they address different audiences and different kinds of controls. 
Choosing the right report is a strategic decision that depends on what your company does, who your buyers are, and what those buyers need for their own compliance and risk programs.",[37,6230,6231],{},"This page compares the three at a practical level, including when each applies and how they interact in organizations that maintain more than one.",[32,6233,6235],{"id":6234},"the-three-reports-at-a-glance","The three reports at a glance",[859,6237,6238,6253],{},[862,6239,6240],{},[865,6241,6242,6245,6248,6250],{},[868,6243,6244],{},"Dimension",[868,6246,6247],{},"SOC 1",[868,6249,658],{},[868,6251,6252],{},"SOC 3",[875,6254,6255,6270,6285,6301,6315,6330,6344],{},[865,6256,6257,6261,6264,6267],{},[880,6258,6259],{},[61,6260,4784],{},[880,6262,6263],{},"Controls over financial reporting",[880,6265,6266],{},"Security, availability, integrity, confidentiality, privacy",[880,6268,6269],{},"Same criteria as SOC 2",[865,6271,6272,6277,6280,6283],{},[880,6273,6274],{},[61,6275,6276],{},"Framework",[880,6278,6279],{},"SSAE 18 — control objectives",[880,6281,6282],{},"SSAE 18 — Trust Services Criteria",[880,6284,6282],{},[865,6286,6287,6292,6295,6298],{},[880,6288,6289],{},[61,6290,6291],{},"Audience",[880,6293,6294],{},"Customer auditors, finance teams",[880,6296,6297],{},"Customer security, procurement, risk teams",[880,6299,6300],{},"General public, marketing",[865,6302,6303,6308,6311,6313],{},[880,6304,6305],{},[61,6306,6307],{},"Distribution",[880,6309,6310],{},"Restricted (NDA)",[880,6312,6310],{},[880,6314,2663],{},[865,6316,6317,6322,6325,6327],{},[880,6318,6319],{},[61,6320,6321],{},"Contents",[880,6323,6324],{},"Detailed system description, controls, tests, opinion",[880,6326,6324],{},[880,6328,6329],{},"Short summary with auditor opinion",[865,6331,6332,6336,6339,6341],{},[880,6333,6334],{},[61,6335,1933],{},[880,6337,6338],{},"Both exist",[880,6340,6338],{},[880,6342,6343],{},"Effectively Type II 
only",[865,6345,6346,6351,6354,6357],{},[880,6347,6348],{},[61,6349,6350],{},"Typical pursuer",[880,6352,6353],{},"Payroll, billing, financial service providers",[880,6355,6356],{},"SaaS companies, cloud service providers",[880,6358,6359],{},"Companies wanting public assurance",[32,6361,6363],{"id":6362},"soc-1-in-depth","SOC 1 in depth",[37,6365,6366],{},"SOC 1 reports on a service organization's controls that are relevant to customer financial reporting. The standard applies when a service organization performs functions that, if controlled weakly, could lead to misstatements in the customer's financial statements.",[112,6368,6370],{"id":6369},"when-soc-1-applies","When SOC 1 applies",[172,6372,6373,6376,6379,6382,6385,6388,6391],{},[175,6374,6375],{},"Payroll service providers whose processing affects customer payroll liabilities",[175,6377,6378],{},"Benefits administrators",[175,6380,6381],{},"Claims processing for insurance",[175,6383,6384],{},"Transaction processing for banks and fintechs",[175,6386,6387],{},"Billing or invoicing platforms that record customer revenue",[175,6389,6390],{},"Fund administrators and asset management services",[175,6392,6393],{},"ERP-adjacent services that feed customer accounting systems",[112,6395,6397],{"id":6396},"what-soc-1-tests","What SOC 1 tests",[37,6399,6400,6401,6404],{},"SOC 1 is organized around ",[61,6402,6403],{},"control objectives"," defined by the service organization based on the financial statement impact of their services. 
The auditor evaluates whether controls are designed (Type I) or operating effectively (Type II) to achieve those objectives.",[37,6406,6407],{},"Typical control objectives in a SOC 1 report might cover:",[172,6409,6410,6413,6416,6419,6422],{},[175,6411,6412],{},"Transaction processing accuracy and completeness",[175,6414,6415],{},"Timely recording of transactions",[175,6417,6418],{},"Authorization of processing changes",[175,6420,6421],{},"Access restrictions to financial systems",[175,6423,6424],{},"Protection of financial data",[112,6426,6428],{"id":6427},"who-reads-soc-1","Who reads SOC 1",[37,6430,6431],{},"The primary audience is the customer's financial statement auditor. Under PCAOB and AICPA standards, customer auditors must understand and, in some cases, test controls at service organizations that affect their audit. A service organization that produces a SOC 1 gives customer auditors a ready-made reference they can rely on.",[32,6433,6435],{"id":6434},"soc-2-in-depth","SOC 2 in depth",[37,6437,6438,6439,6441],{},"SOC 2 reports on controls aligned to the ",[44,6440,55],{"href":54}," — security (required), availability, processing integrity, confidentiality, and privacy. Unlike SOC 1, which is oriented around financial reporting, SOC 2 is oriented around how a service organization protects and manages customer data.",[112,6443,6445],{"id":6444},"when-soc-2-applies","When SOC 2 applies",[37,6447,6448],{},"SOC 2 applies broadly to any service organization that handles customer data. 
Common pursuers include:",[172,6450,6451,6454,6457,6460,6463,6466],{},[175,6452,6453],{},"B2B SaaS platforms",[175,6455,6456],{},"Cloud infrastructure and managed service providers",[175,6458,6459],{},"Data analytics and processing companies",[175,6461,6462],{},"CRM, marketing automation, and customer success platforms",[175,6464,6465],{},"Fintech platforms (often in combination with SOC 1)",[175,6467,6468],{},"Healthcare technology (often in combination with HIPAA)",[112,6470,6472],{"id":6471},"what-soc-2-tests","What SOC 2 tests",[37,6474,6475],{},"SOC 2 tests controls against the applicable Trust Services Criteria. Security is required in every SOC 2 engagement; additional criteria are selected based on customer commitments. The auditor assesses:",[172,6477,6478,6481,6484,6487],{},[175,6479,6480],{},"Design of controls (Type I) or design plus operating effectiveness (Type II)",[175,6482,6483],{},"Evidence produced across the observation period (for Type II)",[175,6485,6486],{},"Coverage of every point of focus in the selected criteria",[175,6488,6489],{},"Exceptions or deficiencies identified during testing",[112,6491,6493],{"id":6492},"who-reads-soc-2","Who reads SOC 2",[37,6495,6496,6497,6500,6501,6504],{},"The primary audience is the customer's security, risk, or procurement team. SOC 2 is requested during vendor due diligence, security questionnaires, and contract negotiations. See ",[44,6498,6499],{"href":89},"type 1 vs type 2"," and the ",[44,6502,6503],{"href":94},"SOC 2 Type 2 glossary entry"," for more.",[32,6506,6508],{"id":6507},"soc-3-in-depth","SOC 3 in depth",[37,6510,6511],{},"SOC 3 is a short-form public report based on the same Trust Services Criteria as SOC 2. It produces an auditor's opinion without the detailed system description or control testing results that fill a SOC 2 report.",[112,6513,6515],{"id":6514},"when-soc-3-applies","When SOC 3 applies",[37,6517,6518],{},"SOC 3 is optional. 
Organizations produce it when they want a public-facing assurance document — often to display on a trust page or use in marketing materials. The report can be freely distributed and does not require an NDA.",[112,6520,6522],{"id":6521},"what-soc-3-contains","What SOC 3 contains",[172,6524,6525,6528,6531],{},[175,6526,6527],{},"Company description and services covered",[175,6529,6530],{},"Auditor's opinion on whether controls met the criteria",[175,6532,6533],{},"Management's assertion about its system",[37,6535,6536],{},"SOC 3 does not contain the control descriptions, testing procedures, or results that are standard in SOC 2. Enterprise buyers generally do not accept SOC 3 in lieu of SOC 2.",[112,6538,6540],{"id":6539},"who-reads-soc-3","Who reads SOC 3",[37,6542,6543],{},"The general public — prospects browsing your trust page, press researching your security posture, smaller buyers who do not have a formal vendor assessment process. For buyers with mature procurement, SOC 3 is a marketing artifact and SOC 2 is the substantive document.",[32,6545,6547],{"id":6546},"how-this-fits-into-the-broader-compliance-picture","How this fits into the broader compliance picture",[37,6549,6550],{},"SOC 2 is the most common report and the default starting point for B2B SaaS. SOC 1 is added when the organization touches financial reporting. 
SOC 3 is added for public-facing assurance.",[37,6552,6553],{},"Related frameworks that buyers may ask about alongside SOC:",[172,6555,6556,6563,6570,6577],{},[175,6557,6558,6562],{},[61,6559,6560],{},[44,6561,393],{"href":392}," — international security certification; complements SOC 2 in global markets",[175,6564,6565,6569],{},[61,6566,6567],{},[44,6568,402],{"href":401}," — US healthcare law; SOC 2 controls cover many HIPAA safeguards",[175,6571,6572,6576],{},[61,6573,6574],{},[44,6575,411],{"href":410}," — payment card industry standard; applies when cardholder data is handled",[175,6578,6579,6582],{},[61,6580,6581],{},"NIST CSF"," — US government-adjacent framework; maps well to SOC 2 security",[37,6584,6585,6586,100],{},"For tooling comparisons, see ",[44,6587,6588],{"href":432},"Vanta vs Drata",[32,6590,6592],{"id":6591},"can-you-pursue-multiple-soc-reports","Can you pursue multiple SOC reports?",[37,6594,6595],{},"Yes. Many service organizations maintain both SOC 1 and SOC 2, and add SOC 3 for public assurance.",[172,6597,6598,6604,6610],{},[175,6599,6600,6603],{},[61,6601,6602],{},"SOC 1 + SOC 2"," is common for fintech and billing platforms. The same CPA firm can usually perform both audits in the same cycle with shared walkthroughs where controls overlap.",[175,6605,6606,6609],{},[61,6607,6608],{},"SOC 2 + SOC 3"," is common for SaaS companies that want public assurance. 
The SOC 3 is often produced from the same underlying engagement as a companion deliverable.",[175,6611,6612,6615],{},[61,6613,6614],{},"SOC 1 + SOC 2 + SOC 3"," is rare but possible for companies with diverse customer bases.",[37,6617,6618],{},"The cost of an additional report is typically less than the cost of a standalone engagement because controls, evidence, and walkthroughs are shared.",[32,6620,1417],{"id":1416},[172,6622,6623,6629,6635,6641],{},[175,6624,6625,6628],{},[61,6626,6627],{},"Pursuing SOC 1 when SOC 2 is what buyers want."," SOC 1 is irrelevant to most security questionnaires. Verify with your sales team which report prospects are asking for.",[175,6630,6631,6634],{},[61,6632,6633],{},"Assuming SOC 3 replaces SOC 2."," Enterprise buyers will still ask for SOC 2. Use SOC 3 as a complement, not a substitute.",[175,6636,6637,6640],{},[61,6638,6639],{},"Single auditor for all reports without shared evidence."," If you engage one CPA firm for multiple reports, insist on shared walkthroughs and evidence where possible. This is one of the main reasons to use one firm.",[175,6642,6643,6646],{},[61,6644,6645],{},"Missing the financial reporting link."," If customers' auditors request information about your controls during their audit, you probably need SOC 1. Listen for this signal.",[32,6648,1453],{"id":1452},[172,6650,6651,6654,6661,6664],{},[175,6652,6653],{},"Before starting any SOC report, confirm with your top customers and prospects which report they want.",[175,6655,6656,6657,6660],{},"If you may eventually need both SOC 1 and SOC 2, scope them together during ",[44,6658,6659],{"href":220},"readiness"," so the control inventory covers both.",[175,6662,6663],{},"Treat SOC 3 as a marketing project once SOC 2 is in place. It is inexpensive to add.",[175,6665,6666],{},"Renew each report annually to maintain continuous coverage. 
Gaps between reports can block deals.",[32,6668,1101],{"id":1100},[37,6670,6671,6672,6675,6676,6678],{},"episki supports SOC 1 and SOC 2 programs in the same workspace. Controls tagged to financial reporting objectives feed SOC 1, and controls tagged to Trust Services Criteria feed SOC 2 — with shared evidence when controls satisfy both. ",[44,6673,538],{"href":535,"rel":6674},[537]," or see the broader ",[44,6677,1482],{"href":614}," to learn how multi-report programs run together.",{"title":546,"searchDepth":547,"depth":547,"links":6680},[6681,6682,6683,6688,6693,6698,6699,6700,6701,6702],{"id":6221,"depth":547,"text":6222},{"id":6234,"depth":547,"text":6235},{"id":6362,"depth":547,"text":6363,"children":6684},[6685,6686,6687],{"id":6369,"depth":554,"text":6370},{"id":6396,"depth":554,"text":6397},{"id":6427,"depth":554,"text":6428},{"id":6434,"depth":547,"text":6435,"children":6689},[6690,6691,6692],{"id":6444,"depth":554,"text":6445},{"id":6471,"depth":554,"text":6472},{"id":6492,"depth":554,"text":6493},{"id":6507,"depth":547,"text":6508,"children":6694},[6695,6696,6697],{"id":6514,"depth":554,"text":6515},{"id":6521,"depth":554,"text":6522},{"id":6539,"depth":554,"text":6540},{"id":6546,"depth":547,"text":6547},{"id":6591,"depth":547,"text":6592},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"The differences between SOC 1, SOC 2, and SOC 3 reports. When each applies, which buyers request which, and how to choose the right report for your company.",{"items":6705},[6706,6709,6712,6715,6718],{"label":6707,"content":6708},"What is the difference between SOC 1 and SOC 2?","SOC 1 reports on controls relevant to financial reporting — typically for service organizations that affect customer financial statements. SOC 2 reports on controls relevant to security, availability, integrity, confidentiality, or privacy. 
The audit standards differ, and buyers request each for different reasons.",{"label":6710,"content":6711},"Is SOC 3 the same as SOC 2?","SOC 3 is based on the same Trust Services Criteria as SOC 2, but the report is a public-use summary rather than a detailed restricted-distribution document. Companies sometimes produce both — a SOC 2 Type II for buyer due diligence and a SOC 3 for marketing.",{"label":6713,"content":6714},"Do I need both SOC 1 and SOC 2?","Most SaaS companies only need SOC 2. SOC 1 is specifically for organizations whose services affect customer financial reporting — payroll, billing, financial processing. If customers' auditors ask about your impact on their financial statements, you likely need SOC 1.",{"label":6716,"content":6717},"Can SOC 3 replace SOC 2?","No. SOC 3 does not contain the detailed system description, control testing results, or auditor opinion that enterprise buyers examine. It is a public summary, not a substitute. Enterprise procurement will still ask for SOC 2.",{"label":6719,"content":6720},"Which report do I get first?","Almost always SOC 2. It is what B2B SaaS buyers request by default. SOC 1 comes into play only when you affect customer financial reporting. SOC 3, if produced, usually follows an existing SOC 2 program.",{},"\u002Fframeworks\u002Fsoc2\u002Fsoc1-vs-soc2",[631,6724,6725,6726],"soc2-type-2","ssae-18","service-auditor",[1529,1140,2578],{"title":6729,"description":6730},"SOC 1 vs SOC 2 vs SOC 3 (2026): Differences & Which to Choose","SOC 1, SOC 2, and SOC 3 reports compared. 
Scope, audience, testing approach, and decision framework for which report fits your company and buyers.","5.frameworks\u002Fsoc2\u002Fsoc1-vs-soc2","aEt_rFaPiXobUOoB5VBnHl0jWJaAshW0Vft7Ggsc4DY",{"id":6734,"title":55,"body":6735,"description":7340,"extension":578,"faq":1134,"frameworkSlug":631,"lastUpdated":1135,"meta":7341,"navigation":613,"path":54,"relatedTerms":7342,"relatedTopics":7343,"seo":7344,"stem":7347,"__hash__":7348},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Ftrust-services-criteria.md",{"type":29,"value":6736,"toc":7319},[6737,6741,6747,6753,6755,6758,6761,6764,6769,6783,6789,6792,6795,6799,6810,6815,6818,6821,6825,6839,6844,6847,6850,6854,6865,6870,6873,6876,6880,6891,6896,6899,6902,6906,6920,6925,6928,6931,6935,6949,6954,6957,6960,6964,6978,6983,6986,6989,6993,7004,7009,7011,7014,7018,7032,7036,7054,7060,7062,7065,7069,7086,7090,7110,7115,7117,7120,7124,7140,7144,7164,7169,7171,7174,7178,7207,7211,7237,7242,7246,7249,7291,7294,7298,7301,7307,7309],[32,6738,6740],{"id":6739},"what-are-the-trust-services-criteria","What are the Trust Services Criteria?",[37,6742,6743,6744,6746],{},"The Trust Services Criteria (TSC) are the foundation of every ",[44,6745,658],{"href":614}," audit. Developed by the AICPA, they define the principles an organization must satisfy to demonstrate it manages customer data responsibly. There are five criteria: security, availability, processing integrity, confidentiality, and privacy.",[37,6748,6749,6750,6752],{},"Security — also called the Common Criteria — is required for every SOC 2 engagement. The remaining four are optional and selected based on the services you provide and the commitments you make to customers. Choosing the right criteria is a critical scoping decision that affects audit ",[44,6751,1142],{"href":308},", timeline, and the relevance of your report to buyers.",[32,6754,115],{"id":114},[37,6756,6757],{},"Security is the only mandatory criterion. 
It addresses whether the system is protected against unauthorized access — both logical and physical. The Common Criteria are organized into nine categories that map to the COSO internal control framework.",[112,6759,5840],{"id":6760},"cc1-control-environment",[37,6762,6763],{},"The control environment sets the tone for the organization's approach to security and risk. Auditors evaluate governance structures, management philosophy, and accountability.",[37,6765,6766],{},[61,6767,6768],{},"Points of focus:",[172,6770,6771,6774,6777,6780],{},[175,6772,6773],{},"Board or management oversight of security objectives",[175,6775,6776],{},"Organizational structure with defined roles and reporting lines",[175,6778,6779],{},"Commitment to competence through hiring and development",[175,6781,6782],{},"Accountability for internal control responsibilities",[37,6784,6785,6788],{},[61,6786,6787],{},"Common controls:"," Security governance charter, defined CISO or security lead role, annual security objectives reviewed by leadership.",[112,6790,5846],{"id":6791},"cc2-communication-and-information",[37,6793,6794],{},"This category ensures relevant information is communicated internally and externally to support the control environment.",[37,6796,6797],{},[61,6798,6768],{},[172,6800,6801,6804,6807],{},[175,6802,6803],{},"Internal communication of policies, objectives, and responsibilities",[175,6805,6806],{},"External communication about system boundaries, commitments, and changes",[175,6808,6809],{},"Channels for reporting security concerns",[37,6811,6812,6814],{},[61,6813,6787],{}," Employee policy acknowledgment process, external security documentation, whistleblower or anonymous reporting mechanism.",[112,6816,5852],{"id":6817},"cc3-risk-assessment",[37,6819,6820],{},"Organizations must identify and analyze risks that could prevent them from achieving their objectives.",[37,6822,6823],{},[61,6824,6768],{},[172,6826,6827,6830,6833,6836],{},[175,6828,6829],{},"Identification of 
risks to security objectives",[175,6831,6832],{},"Analysis of risk likelihood and impact",[175,6834,6835],{},"Assessment of fraud risk",[175,6837,6838],{},"Identification of significant changes that could affect controls",[37,6840,6841,6843],{},[61,6842,6787],{}," Annual risk assessment process, risk register with likelihood and impact ratings, change management triggers for risk reassessment.",[112,6845,5858],{"id":6846},"cc4-monitoring-activities",[37,6848,6849],{},"Ongoing and periodic evaluations verify that controls are present and functioning.",[37,6851,6852],{},[61,6853,6768],{},[172,6855,6856,6859,6862],{},[175,6857,6858],{},"Ongoing monitoring through automated tools and management oversight",[175,6860,6861],{},"Periodic evaluations (internal audits, self-assessments)",[175,6863,6864],{},"Communication and remediation of identified deficiencies",[37,6866,6867,6869],{},[61,6868,6787],{}," Continuous monitoring dashboards, quarterly control self-assessments, remediation tracking for identified issues.",[112,6871,5864],{"id":6872},"cc5-control-activities",[37,6874,6875],{},"These are the specific policies and procedures that mitigate identified risks.",[37,6877,6878],{},[61,6879,6768],{},[172,6881,6882,6885,6888],{},[175,6883,6884],{},"Selection and development of control activities",[175,6886,6887],{},"Technology general controls (ITGC)",[175,6889,6890],{},"Deployment through policies and procedures",[37,6892,6893,6895],{},[61,6894,6787],{}," Documented security policies, technology controls mapped to risks, procedures for key processes like access provisioning and incident response.",[112,6897,5870],{"id":6898},"cc6-logical-and-physical-access",[37,6900,6901],{},"This is often the most evidence-intensive category. 
It covers how access to systems and facilities is restricted and managed.",[37,6903,6904],{},[61,6905,6768],{},[172,6907,6908,6911,6914,6917],{},[175,6909,6910],{},"Logical access security (authentication, authorization)",[175,6912,6913],{},"Credential management and password policies",[175,6915,6916],{},"Restrictions on physical access to facilities and hardware",[175,6918,6919],{},"Encryption and key management",[37,6921,6922,6924],{},[61,6923,6787],{}," SSO with MFA enforced, role-based access control, quarterly access reviews, disk and database encryption, visitor logs for physical facilities.",[112,6926,5876],{"id":6927},"cc7-system-operations",[37,6929,6930],{},"System operations controls ensure infrastructure is monitored and incidents are detected and responded to.",[37,6932,6933],{},[61,6934,6768],{},[172,6936,6937,6940,6943,6946],{},[175,6938,6939],{},"Detection of anomalies and security events",[175,6941,6942],{},"Monitoring of system components",[175,6944,6945],{},"Incident response procedures",[175,6947,6948],{},"Recovery from incidents",[37,6950,6951,6953],{},[61,6952,6787],{}," SIEM or centralized log analysis, alerting rules for anomalous activity, documented incident response plan, post-incident reviews.",[112,6955,5882],{"id":6956},"cc8-change-management",[37,6958,6959],{},"Controls over changes to infrastructure, software, and configurations help prevent unauthorized or untested modifications from affecting the production environment.",[37,6961,6962],{},[61,6963,6768],{},[172,6965,6966,6969,6972,6975],{},[175,6967,6968],{},"Authorization of changes before implementation",[175,6970,6971],{},"Testing of changes in non-production environments",[175,6973,6974],{},"Approval and documentation of change deployment",[175,6976,6977],{},"Emergency change procedures",[37,6979,6980,6982],{},[61,6981,6787],{}," Pull request review requirements, CI\u002FCD pipeline with automated testing, change approval workflows, rollback 
procedures.",[112,6984,5888],{"id":6985},"cc9-risk-mitigation",[37,6987,6988],{},"This category addresses how the organization mitigates risks from business disruptions and vendor relationships.",[37,6990,6991],{},[61,6992,6768],{},[172,6994,6995,6998,7001],{},[175,6996,6997],{},"Risk mitigation through business continuity planning",[175,6999,7000],{},"Vendor and third-party risk management",[175,7002,7003],{},"Risk acceptance decisions and ongoing monitoring",[37,7005,7006,7008],{},[61,7007,6787],{}," Business continuity and disaster recovery plans, vendor risk assessments, annual BCP\u002FDR testing exercises.",[32,7010,122],{"id":121},[37,7012,7013],{},"The availability criterion applies when an organization commits to specific uptime levels or recovery capabilities. If your customer contracts include SLAs, or if your product's availability is critical to customer operations, include this criterion.",[37,7015,7016],{},[61,7017,6768],{},[172,7019,7020,7023,7026,7029],{},[175,7021,7022],{},"Defined availability commitments and system performance standards",[175,7024,7025],{},"Environmental protections (redundancy, failover, capacity planning)",[175,7027,7028],{},"Disaster recovery and business continuity capabilities",[175,7030,7031],{},"Incident management for availability-impacting events",[37,7033,7034],{},[61,7035,6787],{},[172,7037,7038,7041,7043,7046,7048,7051],{},[175,7039,7040],{},"Published SLAs and status page",[175,7042,1264],{},[175,7044,7045],{},"Auto-scaling and capacity monitoring",[175,7047,1320],{},[175,7049,7050],{},"Regular DR testing with documented results",[175,7052,7053],{},"Incident communication procedures for outages",[37,7055,7056,7059],{},[61,7057,7058],{},"When to include it:"," Your service has published uptime commitments, customers depend on continuous availability, or your contracts include SLA terms with financial penalties.",[32,7061,134],{"id":133},[37,7063,7064],{},"Processing integrity focuses on whether the system processes 
data completely, validly, accurately, timely, and with proper authorization. This criterion is especially relevant for platforms that perform calculations, financial transactions, or data transformations.",[37,7066,7067],{},[61,7068,6768],{},[172,7070,7071,7074,7077,7080,7083],{},[175,7072,7073],{},"Defined processing objectives and quality standards",[175,7075,7076],{},"Input validation and completeness checks",[175,7078,7079],{},"Processing accuracy and timeliness monitoring",[175,7081,7082],{},"Error handling and exception management",[175,7084,7085],{},"Output reviews and reconciliation",[37,7087,7088],{},[61,7089,6787],{},[172,7091,7092,7095,7098,7101,7104,7107],{},[175,7093,7094],{},"Input validation rules at application and API layers",[175,7096,7097],{},"Automated reconciliation for financial transactions",[175,7099,7100],{},"Processing monitoring with alerting on anomalies",[175,7102,7103],{},"Error queues with manual review procedures",[175,7105,7106],{},"Audit trails for data transformations",[175,7108,7109],{},"End-to-end transaction testing",[37,7111,7112,7114],{},[61,7113,7058],{}," Your platform processes financial transactions, performs calculations that customers rely on, transforms customer data, or generates reports used for decision-making.",[32,7116,141],{"id":140},[37,7118,7119],{},"Confidentiality addresses information that is designated as confidential — distinct from personal information, which falls under privacy. 
This includes intellectual property, business plans, financial data shared under NDA, and other sensitive non-personal information.",[37,7121,7122],{},[61,7123,6768],{},[172,7125,7126,7129,7132,7135,7138],{},[175,7127,7128],{},"Identification and classification of confidential information",[175,7130,7131],{},"Access restrictions aligned to data classification",[175,7133,7134],{},"Protection of confidential information during processing, storage, and transmission",[175,7136,7137],{},"Secure disposal when confidentiality obligations end",[175,7139,5969],{},[37,7141,7142],{},[61,7143,6787],{},[172,7145,7146,7149,7152,7155,7158,7161],{},[175,7147,7148],{},"Data classification policy with defined sensitivity levels",[175,7150,7151],{},"Access controls that enforce classification-based restrictions",[175,7153,7154],{},"Encryption at rest and in transit for confidential data",[175,7156,7157],{},"Secure deletion procedures and verification",[175,7159,7160],{},"DLP monitoring for sensitive data exfiltration",[175,7162,7163],{},"Confidentiality agreements with employees and contractors",[37,7165,7166,7168],{},[61,7167,7058],{}," You handle customer data classified as confidential beyond what security alone covers, your contracts include confidentiality obligations, or you process intellectual property on behalf of clients.",[32,7170,153],{"id":152},[37,7172,7173],{},"The privacy criterion applies to personal information — data that can identify an individual. It evaluates whether the organization's data practices match its stated privacy commitments. 
This criterion aligns closely with regulations like GDPR, CCPA, and other data protection laws.",[37,7175,7176],{},[61,7177,6768],{},[172,7179,7180,7183,7186,7189,7192,7195,7198,7201,7204],{},[175,7181,7182],{},"Notice and communication of privacy practices",[175,7184,7185],{},"Choice and consent mechanisms",[175,7187,7188],{},"Collection limited to stated purposes",[175,7190,7191],{},"Use, retention, and disposal aligned to the privacy notice",[175,7193,7194],{},"Access and correction rights for data subjects",[175,7196,7197],{},"Disclosure and sharing controls",[175,7199,7200],{},"Security of personal information",[175,7202,7203],{},"Quality and accuracy of personal data",[175,7205,7206],{},"Monitoring and enforcement of privacy commitments",[37,7208,7209],{},[61,7210,6787],{},[172,7212,7213,7216,7219,7222,7225,7228,7231,7234],{},[175,7214,7215],{},"Published privacy notice that accurately describes data practices",[175,7217,7218],{},"Consent management platform for collecting and recording consent",[175,7220,7221],{},"Data inventory mapping personal information flows",[175,7223,7224],{},"Data retention schedule with automated enforcement",[175,7226,7227],{},"Subject access request (SAR) handling procedure",[175,7229,7230],{},"Data processing agreements with subprocessors",[175,7232,7233],{},"Privacy impact assessments for new features or data uses",[175,7235,7236],{},"Breach notification procedures and templates",[37,7238,7239,7241],{},[61,7240,7058],{}," Your organization collects and processes personal information, you have a public privacy policy, customers or regulators expect demonstrated privacy controls, or you are subject to GDPR, CCPA, or similar regulations.",[32,7243,7245],{"id":7244},"choosing-the-right-criteria-for-your-audit","Choosing the right criteria for your audit",[37,7247,7248],{},"Selecting criteria is a strategic decision, not just a compliance exercise. 
Consider:",[210,7250,7251,7257,7263,7272,7282],{},[175,7252,7253,7256],{},[61,7254,7255],{},"Customer commitments"," — review your contracts, SLAs, and data processing agreements. What have you promised?",[175,7258,7259,7262],{},[61,7260,7261],{},"Buyer expectations"," — ask your sales team what security and compliance questions come up during deals.",[175,7264,7265,7268,7269,7271],{},[61,7266,7267],{},"Regulatory environment"," — if you operate in healthcare, consider ",[44,7270,402],{"href":401}," alignment. Financial services may require processing integrity.",[175,7273,7274,7277,7278,7281],{},[61,7275,7276],{},"Cost and effort"," — each additional criterion adds scope, evidence requirements, and ",[44,7279,7280],{"href":308},"audit cost",". Only include what is relevant.",[175,7283,7284,7287,7288,7290],{},[61,7285,7286],{},"Framework overlap"," — if you also pursue ",[44,7289,393],{"href":392},", many controls overlap with the security criterion. Leveraging this overlap reduces total effort.",[37,7292,7293],{},"Most first-time SOC 2 organizations start with security alone or security plus one to two additional criteria. You can always expand scope in future audit periods as your program matures.",[32,7295,7297],{"id":7296},"how-the-criteria-relate-to-each-other","How the criteria relate to each other",[37,7299,7300],{},"The five criteria are not isolated. Security underpins all of them — you cannot meaningfully address availability, processing integrity, confidentiality, or privacy without a solid security foundation. Many controls satisfy multiple criteria simultaneously. 
For example, encryption at rest satisfies elements of security (CC6), confidentiality, and privacy.",[37,7302,7303,7304,7306],{},"A well-designed ",[44,7305,6171],{"href":6170}," program maps controls to criteria once and tracks coverage across all applicable requirements, avoiding duplicate effort.",[32,7308,1101],{"id":1100},[37,7310,7311,7312,539,7315,7318],{},"episki provides a complete Trust Services Criteria library with every point of focus mapped to actionable controls. When you select your criteria during onboarding, the platform generates a tailored control set with suggested narratives, testing procedures, and evidence requirements. Controls that satisfy multiple criteria are linked automatically, so you maintain one control with visibility into all the criteria it covers. As your program matures and you add criteria in future audit periods, episki highlights what you already have in place and what is new — making scope expansion straightforward. ",[44,7313,538],{"href":535,"rel":7314},[537],[44,7316,7317],{"href":3524},"compare episki to Drata"," to see the full criteria mapping in action.",{"title":546,"searchDepth":547,"depth":547,"links":7320},[7321,7322,7333,7334,7335,7336,7337,7338,7339],{"id":6739,"depth":547,"text":6740},{"id":114,"depth":547,"text":115,"children":7323},[7324,7325,7326,7327,7328,7329,7330,7331,7332],{"id":6760,"depth":554,"text":5840},{"id":6791,"depth":554,"text":5846},{"id":6817,"depth":554,"text":5852},{"id":6846,"depth":554,"text":5858},{"id":6872,"depth":554,"text":5864},{"id":6898,"depth":554,"text":5870},{"id":6927,"depth":554,"text":5876},{"id":6956,"depth":554,"text":5882},{"id":6985,"depth":554,"text":5888},{"id":121,"depth":547,"text":122},{"id":133,"depth":547,"text":134},{"id":140,"depth":547,"text":141},{"id":152,"depth":547,"text":153},{"id":7244,"depth":547,"text":7245},{"id":7296,"depth":547,"text":7297},{"id":1100,"depth":547,"text":1101},"A comprehensive guide to the five SOC 2 Trust Services Criteria — 
security, availability, processing integrity, confidentiality, and privacy — with points of focus and control examples.",{},[631,1138,2576],[1141,2578,1140],{"title":7345,"description":7346},"SOC 2 Trust Services Criteria — Complete Guide With Control Examples","Deep dive into all five SOC 2 Trust Services Criteria. Understand points of focus, common controls, and how to select the right criteria for your audit.","5.frameworks\u002Fsoc2\u002Ftrust-services-criteria","ePAvLL3toSrL2KyyxVTFxtOGJpVYpI_7RGxTARqPa0c",{"id":7350,"title":90,"body":7351,"description":7841,"extension":578,"faq":7842,"frameworkSlug":631,"lastUpdated":1135,"meta":7859,"navigation":613,"path":89,"relatedTerms":7860,"relatedTopics":7861,"seo":7862,"stem":7865,"__hash__":7866},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Ftype-1-vs-type-2.md",{"type":29,"value":7352,"toc":7809},[7353,7357,7363,7366,7370,7379,7383,7397,7401,7412,7415,7419,7426,7429,7443,7446,7450,7569,7575,7579,7582,7586,7589,7593,7596,7600,7603,7607,7610,7614,7618,7621,7625,7628,7632,7635,7639,7642,7646,7649,7685,7688,7691,7706,7710,7713,7739,7742,7746,7749,7769,7772,7776,7780,7783,7787,7790,7794,7797,7799],[32,7354,7356],{"id":7355},"soc-2-type-i-vs-type-ii-what-is-the-difference","SOC 2 Type I vs Type II: what is the difference?",[37,7358,7359,7360,7362],{},"The distinction between SOC 2 Type I and Type II is one of the most common questions organizations face when beginning their ",[44,7361,3378],{"href":614}," journey. 
Both produce an auditor's report from a licensed CPA firm, but they evaluate different things and serve different purposes.",[37,7364,7365],{},"Understanding the differences helps you choose the right starting point, set realistic timelines, and communicate effectively with buyers who request your report.",[32,7367,7369],{"id":7368},"type-i-point-in-time-assessment","Type I: point-in-time assessment",[37,7371,7372,7373,7376,7377,100],{},"A SOC 2 Type I report evaluates whether your controls are ",[61,7374,7375],{},"suitably designed and implemented as of a specific date",". The auditor examines your control environment at a single point in time and provides an opinion on whether the controls, as designed, would reasonably meet the applicable ",[44,7378,55],{"href":54},[112,7380,7382],{"id":7381},"what-the-auditor-tests","What the auditor tests",[172,7384,7385,7388,7391,7394],{},[175,7386,7387],{},"Are written policies and procedures in place?",[175,7389,7390],{},"Are technical controls configured and active?",[175,7392,7393],{},"Are roles and responsibilities defined?",[175,7395,7396],{},"Does the control design address the relevant criteria?",[112,7398,7400],{"id":7399},"what-the-auditor-does-not-test","What the auditor does not test",[172,7402,7403,7406,7409],{},[175,7404,7405],{},"Whether controls operated consistently over time",[175,7407,7408],{},"Whether exceptions occurred during normal operations",[175,7410,7411],{},"Whether evidence was collected throughout a period",[37,7413,7414],{},"Think of Type I as a design review — it confirms your blueprint is sound but does not verify the building stands up under real conditions.",[32,7416,7418],{"id":7417},"type-ii-operating-effectiveness-over-time","Type II: operating effectiveness over time",[37,7420,7421,7422,7425],{},"A SOC 2 Type II report evaluates whether your controls ",[61,7423,7424],{},"operated effectively over a defined observation period",", typically three to twelve months. 
The auditor tests not just design but execution, sampling evidence from across the period to verify controls functioned as intended.",[112,7427,7382],{"id":7428},"what-the-auditor-tests-1",[172,7430,7431,7434,7437,7440],{},[175,7432,7433],{},"Everything from Type I (design and implementation)",[175,7435,7436],{},"Evidence that controls operated consistently throughout the period",[175,7438,7439],{},"Samples of transactions, access reviews, change approvals, and incident responses",[175,7441,7442],{},"Whether exceptions occurred and how they were handled",[37,7444,7445],{},"Type II is the standard that most enterprise buyers expect because it demonstrates sustained operational discipline, not just a snapshot.",[32,7447,7449],{"id":7448},"side-by-side-comparison","Side-by-side comparison",[859,7451,7452,7462],{},[862,7453,7454],{},[865,7455,7456,7458,7460],{},[868,7457,6244],{},[868,7459,5642],{},[868,7461,3742],{},[875,7463,7464,7477,7490,7503,7516,7530,7543,7556],{},[865,7465,7466,7471,7474],{},[880,7467,7468],{},[61,7469,7470],{},"What it evaluates",[880,7472,7473],{},"Control design and implementation",[880,7475,7476],{},"Control operating effectiveness over time",[865,7478,7479,7484,7487],{},[880,7480,7481],{},[61,7482,7483],{},"Time frame",[880,7485,7486],{},"Single point in time (a specific date)",[880,7488,7489],{},"Observation period (3–12 months)",[865,7491,7492,7497,7500],{},[880,7493,7494],{},[61,7495,7496],{},"Evidence requirements",[880,7498,7499],{},"Current-state documentation and configurations",[880,7501,7502],{},"Evidence collected throughout the observation period",[865,7504,7505,7510,7513],{},[880,7506,7507],{},[61,7508,7509],{},"Typical audit duration",[880,7511,7512],{},"3–6 weeks of fieldwork",[880,7514,7515],{},"Observation period + 4–8 weeks of fieldwork",[865,7517,7518,7524,7527],{},[880,7519,7520,7523],{},[61,7521,7522],{},"Total timeline"," (including prep)",[880,7525,7526],{},"3–6 months",[880,7528,7529],{},"6–18 
months",[865,7531,7532,7537,7540],{},[880,7533,7534],{},[61,7535,7536],{},"Cost",[880,7538,7539],{},"$15,000 – $40,000 (auditor fees)",[880,7541,7542],{},"$25,000 – $80,000 (auditor fees)",[865,7544,7545,7550,7553],{},[880,7546,7547],{},[61,7548,7549],{},"Buyer acceptance",[880,7551,7552],{},"Acceptable for early-stage companies and initial deals",[880,7554,7555],{},"Required by most enterprise and mid-market buyers",[865,7557,7558,7563,7566],{},[880,7559,7560],{},[61,7561,7562],{},"Report validity",[880,7564,7565],{},"Generally useful for 6–12 months",[880,7567,7568],{},"Covers the observation period; new report needed for the next period",[37,7570,7571,7572,100],{},"For a detailed cost breakdown across all categories, see ",[44,7573,7574],{"href":308},"How much does SOC 2 cost",[32,7576,7578],{"id":7577},"when-to-choose-type-i","When to choose Type I",[37,7580,7581],{},"A Type I report makes sense in several scenarios:",[112,7583,7585],{"id":7584},"you-need-a-report-quickly","You need a report quickly",[37,7587,7588],{},"Type I can be completed in as little as three months from the start of preparation. If a deal is on the line and the buyer will accept a Type I, it is the fastest path to a report.",[112,7590,7592],{"id":7591},"you-are-building-your-program-from-scratch","You are building your program from scratch",[37,7594,7595],{},"Type I validates your control design before you commit to a multi-month observation period. If the auditor finds design issues during a Type I, you can fix them before starting the Type II clock — which is far cheaper than discovering problems during a Type II fieldwork phase.",[112,7597,7599],{"id":7598},"your-buyers-explicitly-accept-type-i","Your buyers explicitly accept Type I",[37,7601,7602],{},"Some buyers, particularly in the SMB and mid-market segments, accept Type I reports as sufficient proof of a security program. 
Ask your prospects what they need before assuming Type II is required.",[112,7604,7606],{"id":7605},"you-want-to-build-auditor-familiarity","You want to build auditor familiarity",[37,7608,7609],{},"A Type I engagement is a lower-stakes way to establish a working relationship with your CPA firm. You learn their process, they learn your environment, and the Type II that follows benefits from that shared context.",[32,7611,7613],{"id":7612},"when-to-choose-type-ii","When to choose Type II",[112,7615,7617],{"id":7616},"enterprise-buyers-require-it","Enterprise buyers require it",[37,7619,7620],{},"Most enterprise procurement and security teams require a Type II report. Their security questionnaires and vendor assessment processes are designed around the expectation of operating effectiveness evidence.",[112,7622,7624],{"id":7623},"you-are-in-a-regulated-industry","You are in a regulated industry",[37,7626,7627],{},"Companies serving financial services, healthcare, or government clients almost always need Type II. These buyers understand the difference and will not accept a point-in-time assessment.",[112,7629,7631],{"id":7630},"you-are-renewing-an-existing-report","You are renewing an existing report",[37,7633,7634],{},"After your first SOC 2 cycle, subsequent reports are almost always Type II. The initial program build is done, and the focus shifts to demonstrating ongoing operational maturity.",[112,7636,7638],{"id":7637},"you-want-maximum-market-credibility","You want maximum market credibility",[37,7640,7641],{},"A Type II report is the gold standard for demonstrating security posture to customers, partners, investors, and insurance carriers. 
It signals that your controls are not just theoretical — they work in practice.",[32,7643,7645],{"id":7644},"the-type-i-to-type-ii-pathway","The Type I to Type II pathway",[37,7647,7648],{},"Many organizations follow a staged approach:",[210,7650,7651,7661,7667,7673,7679],{},[175,7652,7653,7656,7657,7660],{},[61,7654,7655],{},"Months 1–3",": Readiness assessment, gap remediation, and control implementation. Use the ",[44,7658,7659],{"href":444},"SOC 2 checklist"," to track progress.",[175,7662,7663,7666],{},[61,7664,7665],{},"Months 3–5",": Type I audit. The auditor validates control design and identifies any remaining issues.",[175,7668,7669,7672],{},[61,7670,7671],{},"Months 5–6",": Remediate any findings from the Type I report.",[175,7674,7675,7678],{},[61,7676,7677],{},"Months 6–12",": Type II observation period begins. Controls operate and evidence is collected continuously.",[175,7680,7681,7684],{},[61,7682,7683],{},"Months 12–14",": Type II fieldwork and report delivery.",[37,7686,7687],{},"This pathway means you can have a Type I report in hand within five months while building toward the more comprehensive Type II. The Type I report satisfies near-term buyer requests, and the Type II demonstrates long-term maturity.",[37,7689,7690],{},"Some organizations skip Type I entirely and go straight to Type II. 
This works well when:",[172,7692,7693,7696,7699],{},[175,7694,7695],{},"The organization already has a mature security program",[175,7697,7698],{},"There is no immediate buyer pressure for a report",[175,7700,7701,7702,539,7704],{},"The team has experience with compliance frameworks like ",[44,7703,393],{"href":392},[44,7705,402],{"href":401},[32,7707,7709],{"id":7708},"what-buyers-actually-care-about","What buyers actually care about",[37,7711,7712],{},"Understanding buyer expectations helps you prioritize:",[172,7714,7715,7721,7727,7733],{},[175,7716,7717,7720],{},[61,7718,7719],{},"Startup and SMB buyers",": Often accept Type I or even a completed security questionnaire. They want to know you take security seriously.",[175,7722,7723,7726],{},[61,7724,7725],{},"Mid-market buyers",": Increasingly request Type II but may accept Type I if you can show a Type II is in progress with a projected completion date.",[175,7728,7729,7732],{},[61,7730,7731],{},"Enterprise buyers",": Almost universally require Type II. Their vendor risk management programs are built around reviewing observation-period evidence.",[175,7734,7735,7738],{},[61,7736,7737],{},"Regulated industry buyers",": Require Type II and may also request specific Trust Services Criteria (availability for SaaS, processing integrity for fintech).",[37,7740,7741],{},"If you are unsure what your target market expects, ask your sales team what security questions come up most frequently during the deal cycle. That data will tell you whether Type I is sufficient or Type II is table stakes.",[32,7743,7745],{"id":7744},"observation-period-considerations-for-type-ii","Observation period considerations for Type II",[37,7747,7748],{},"The observation period length affects both cost and credibility:",[172,7750,7751,7757,7763],{},[175,7752,7753,7756],{},[61,7754,7755],{},"3 months",": The minimum. 
Acceptable for a first Type II but some buyers may view it as insufficient.",[175,7758,7759,7762],{},[61,7760,7761],{},"6 months",": A common choice for first-time Type II reports. Balances credibility with timeline.",[175,7764,7765,7768],{},[61,7766,7767],{},"12 months",": The gold standard. Demonstrates a full year of operating effectiveness and aligns with annual renewal cycles.",[37,7770,7771],{},"After your first Type II, most organizations standardize on a 12-month observation period that aligns with their fiscal year, creating a predictable annual rhythm.",[32,7773,7775],{"id":7774},"common-questions","Common questions",[112,7777,7779],{"id":7778},"can-i-have-both-type-i-and-type-ii","Can I have both Type I and Type II?",[37,7781,7782],{},"Yes. Many organizations obtain a Type I first and then transition to Type II. You can also have a current Type II that supersedes a previous Type I.",[112,7784,7786],{"id":7785},"does-type-ii-replace-type-i","Does Type II replace Type I?",[37,7788,7789],{},"Effectively, yes. A Type II report covers everything a Type I does plus operating effectiveness. Once you have a Type II, there is no reason to go back to Type I.",[112,7791,7793],{"id":7792},"how-often-do-i-need-a-new-type-ii-report","How often do I need a new Type II report?",[37,7795,7796],{},"Most organizations produce a new Type II report annually. The observation period for each new report should begin immediately after the previous one ends to maintain continuous coverage.",[32,7798,1101],{"id":1100},[37,7800,7801,7802,7804,7805,7808],{},"episki supports both Type I and Type II workflows with purpose-built tools for each phase. For Type I readiness, the platform maps your controls to ",[44,7803,226],{"href":225}," and flags design gaps. For Type II, continuous evidence collection with ownership tracking and automated reminders ensures your observation period is covered end to end. 
The auditor collaboration portal works the same way for both engagement types, giving your CPA firm structured access to everything they need. ",[44,7806,538],{"href":535,"rel":7807},[537]," to build your SOC 2 program with the right report type from day one.",{"title":546,"searchDepth":547,"depth":547,"links":7810},[7811,7812,7816,7819,7820,7826,7832,7833,7834,7835,7840],{"id":7355,"depth":547,"text":7356},{"id":7368,"depth":547,"text":7369,"children":7813},[7814,7815],{"id":7381,"depth":554,"text":7382},{"id":7399,"depth":554,"text":7400},{"id":7417,"depth":547,"text":7418,"children":7817},[7818],{"id":7428,"depth":554,"text":7382},{"id":7448,"depth":547,"text":7449},{"id":7577,"depth":547,"text":7578,"children":7821},[7822,7823,7824,7825],{"id":7584,"depth":554,"text":7585},{"id":7591,"depth":554,"text":7592},{"id":7598,"depth":554,"text":7599},{"id":7605,"depth":554,"text":7606},{"id":7612,"depth":547,"text":7613,"children":7827},[7828,7829,7830,7831],{"id":7616,"depth":554,"text":7617},{"id":7623,"depth":554,"text":7624},{"id":7630,"depth":554,"text":7631},{"id":7637,"depth":554,"text":7638},{"id":7644,"depth":547,"text":7645},{"id":7708,"depth":547,"text":7709},{"id":7744,"depth":547,"text":7745},{"id":7774,"depth":547,"text":7775,"children":7836},[7837,7838,7839],{"id":7778,"depth":554,"text":7779},{"id":7785,"depth":554,"text":7786},{"id":7792,"depth":554,"text":7793},{"id":1100,"depth":547,"text":1101},"A clear comparison of SOC 2 Type I and Type II reports, including differences in scope, timeline, cost, and which buyers require each type.",{"items":7843},[7844,7847,7850,7853,7856],{"label":7845,"content":7846},"What is the difference between SOC 2 Type 1 and Type 2?","SOC 2 Type 1 evaluates whether your controls are suitably designed and implemented as of a specific date. Type 2 evaluates whether those controls operated effectively over a period of time (typically 3–12 months). 
Type 2 is the standard most enterprise buyers require.",{"label":7848,"content":7849},"How long does a SOC 2 Type 2 audit take?","The observation period is typically 3–12 months, followed by 4–8 weeks of auditor fieldwork. Including preparation, most organizations complete their first Type 2 report in 6–18 months from the start of the program.",{"label":7851,"content":7852},"Can I skip Type 1 and go straight to Type 2?","Yes. Organizations with mature security programs or experience with other frameworks like ISO 27001 often skip Type 1 and go directly to Type 2. However, Type 1 can be useful for validating control design before committing to a longer observation period.",{"label":7854,"content":7855},"How much does a SOC 2 Type 2 audit cost?","SOC 2 Type 2 auditor fees typically range from $25,000 to $80,000, depending on the complexity of your environment and the scope of Trust Services Criteria. Type 1 audits are generally less expensive, ranging from $15,000 to $40,000.",{"label":7857,"content":7858},"Do enterprise buyers accept SOC 2 Type 1 reports?","Most enterprise procurement teams require Type 2 reports. Mid-market buyers may accept Type 1 if you can show a Type 2 is in progress. Startup and SMB buyers are more likely to accept Type 1 as sufficient.",{},[631,1138],[2578,1141,1142],{"title":7863,"description":7864},"SOC 2 Type 1 vs Type 2 (2026): Differences, Costs & Which to Get First","SOC 2 Type I vs Type II compared — scope, timelines, costs, and buyer expectations. 
Includes decision framework for which report to pursue first.","5.frameworks\u002Fsoc2\u002Ftype-1-vs-type-2","LrW6Kqj3E-bir6a6ZrGagmdSRnan7ay3JM_Fb3mQF0A",{"id":7868,"title":7869,"body":7870,"description":8201,"extension":578,"faq":8202,"frameworkSlug":631,"lastUpdated":1135,"meta":8219,"navigation":613,"path":352,"relatedTerms":8220,"relatedTopics":8224,"seo":8225,"stem":8228,"__hash__":8229},"frameworkTopics\u002F5.frameworks\u002Fsoc2\u002Fvendor-management.md","SOC 2 Vendor Management",{"type":29,"value":7871,"toc":8186},[7872,7876,7881,7884,7888,7891,7911,7914,7918,7921,7925,7928,7948,7951,7955,7958,8005,8008,8012,8015,8032,8041,8045,8048,8068,8071,8075,8078,8081,8098,8100,8115,8118,8120,8155,8157,8174,8176],[32,7873,7875],{"id":7874},"vendor-risk-is-where-soc-2-programs-often-get-caught-off-guard","Vendor risk is where SOC 2 programs often get caught off guard",[37,7877,73,7878,7880],{},[44,7879,658],{"href":614}," audit does not stop at your firewall. If a vendor has access to your systems, handles your customer data, or provides critical infrastructure, their control failures can create your exceptions. CC9.2 — the Trust Services Criteria control for vendor and business partner risk — is consistently one of the higher-effort categories in first-time SOC 2 engagements. Organizations that treat vendor management as a procurement task rather than a security control usually underestimate what the auditor expects.",[37,7882,7883],{},"A mature SOC 2 vendor management program answers four questions at any moment: who are our vendors, what risk do they pose, what assessments have we done, and what are we doing to monitor them between assessments.",[32,7885,7887],{"id":7886},"what-cc92-requires","What CC9.2 requires",[37,7889,7890],{},"CC9.2 is the direct Trust Services Criteria reference for vendor management. 
The criterion requires that the entity \"assesses and manages risks associated with vendors and business partners.\" The points of focus expand this into concrete expectations.",[172,7892,7893,7896,7899,7902,7905,7908],{},[175,7894,7895],{},"Establish requirements for vendor and business partner engagements",[175,7897,7898],{},"Assess vendor and business partner risks",[175,7900,7901],{},"Assign responsibility and accountability for managing vendor relationships",[175,7903,7904],{},"Establish communication protocols for vendors",[175,7906,7907],{},"Address risks through vendor selection, contracting, and monitoring",[175,7909,7910],{},"Implement procedures for terminating vendor relationships",[37,7912,7913],{},"CC6 is also relevant — if a vendor has logical access to your systems, that access is in scope for access management controls. CC9.1 addresses business continuity, which extends to vendors that provide critical services.",[32,7915,7917],{"id":7916},"the-five-elements-of-a-soc-2-vendor-management-program","The five elements of a SOC 2 vendor management program",[37,7919,7920],{},"A vendor management program that holds up to auditor scrutiny has five elements. Each generates evidence that maps to CC9.2 and adjacent controls.",[112,7922,7924],{"id":7923},"_1-vendor-inventory","1. Vendor inventory",[37,7926,7927],{},"The inventory is the foundation. It lists every third party that has access to systems, data, or services in your SOC 2 scope. Each entry should capture:",[172,7929,7930,7933,7936,7939,7942,7945],{},[175,7931,7932],{},"Vendor name and primary service",[175,7934,7935],{},"Data the vendor handles (customer data, PII, credentials, none)",[175,7937,7938],{},"Criticality to operations",[175,7940,7941],{},"Assigned risk tier",[175,7943,7944],{},"Contract status and renewal date",[175,7946,7947],{},"Owner inside your organization",[37,7949,7950],{},"A common mistake is to keep a procurement list and call it a vendor inventory. 
Procurement usually misses contractors, free tools, and shadow SaaS. Sync the inventory with identity provider data, expense reports, and DNS records to catch gaps.",[112,7952,7954],{"id":7953},"_2-risk-tiering","2. Risk tiering",[37,7956,7957],{},"Not every vendor requires the same scrutiny. Most programs use three tiers.",[859,7959,7960,7970],{},[862,7961,7962],{},[865,7963,7964,7966,7968],{},[868,7965,2650],{},[868,7967,2653],{},[868,7969,2656],{},[875,7971,7972,7983,7994],{},[865,7973,7974,7977,7980],{},[880,7975,7976],{},"High",[880,7978,7979],{},"Hosts customer data, has production access, or is critical to uptime",[880,7981,7982],{},"Cloud infrastructure, primary database host, authentication provider",[865,7984,7985,7988,7991],{},[880,7986,7987],{},"Medium",[880,7989,7990],{},"Holds sensitive internal data or supports core operations",[880,7992,7993],{},"CRM, HRIS, code repository, payroll",[865,7995,7996,7999,8002],{},[880,7997,7998],{},"Low",[880,8000,8001],{},"Limited access, no sensitive data, easily replaceable",[880,8003,8004],{},"Marketing tools, scheduling apps, static hosting",[37,8006,8007],{},"Tiering drives the depth of assessment and the frequency of reassessment. High-risk vendors warrant a full security review, a current SOC 2 or equivalent report, and annual reassessment. Low-risk vendors may only need basic documentation.",[112,8009,8011],{"id":8010},"_3-assessment-process","3. Assessment process",[37,8013,8014],{},"For each in-scope vendor, document the assessment you performed. 
Typical artifacts include:",[172,8016,8017,8020,8023,8026,8029],{},[175,8018,8019],{},"The vendor's current SOC 2 Type II report",[175,8021,8022],{},"ISO 27001 certificate or other attestations",[175,8024,8025],{},"Completed security questionnaire (SIG, CAIQ, or proprietary)",[175,8027,8028],{},"Data processing agreement (DPA) if PII is involved",[175,8030,8031],{},"Subprocessor lists with locations",[37,8033,8034,8035,96,8039,100],{},"Auditors sample vendor assessments from across the observation period. If an assessment was performed before the period began, that is fine — but reassessments during the period must have documentation. For related definitions, see ",[44,8036,8038],{"href":8037},"\u002Fglossary\u002Fthird-party-risk","third-party risk",[44,8040,3307],{"href":3306},[112,8042,8044],{"id":8043},"_4-contractual-controls","4. Contractual controls",[37,8046,8047],{},"Security requirements belong in the contract. Standard clauses include:",[172,8049,8050,8053,8056,8059,8062,8065],{},[175,8051,8052],{},"Confidentiality and data handling obligations",[175,8054,8055],{},"Breach notification timelines",[175,8057,8058],{},"Right to audit or to receive attestation reports",[175,8060,8061],{},"Subprocessor notification requirements",[175,8063,8064],{},"Data return and destruction on termination",[175,8066,8067],{},"Security minimums (encryption, MFA, logging)",[37,8069,8070],{},"The auditor may review a sample of executed contracts and look for consistent application of these clauses. Contracts signed before your SOC 2 program existed may be grandfathered, but new vendors should follow the current template.",[112,8072,8074],{"id":8073},"_5-ongoing-monitoring","5. Ongoing monitoring",[37,8076,8077],{},"Between assessments, vendors change. New subprocessors are added. Breaches happen. Certifications lapse. 
Monitoring catches these events without waiting for the next annual review.",[37,8079,8080],{},"Practical monitoring activities:",[172,8082,8083,8086,8089,8092,8095],{},[175,8084,8085],{},"Subscribe to vendor status pages and security advisories",[175,8087,8088],{},"Track SOC 2 and ISO 27001 certificate expiration dates",[175,8090,8091],{},"Review vendor breach disclosures and public incident reports",[175,8093,8094],{},"Monitor for changes in subprocessor lists",[175,8096,8097],{},"Revisit risk tier when the vendor adds new features or data flows",[32,8099,1407],{"id":1406},[37,8101,8102,8103,8105,8106,8108,8109,8111,8112,8114],{},"Vendor management generates some of the most audit-ready evidence in a SOC 2 program. Assessments, contracts, and monitoring artifacts are naturally documented and easy to produce on request. It also connects to several other ",[44,8104,55],{"href":54}," domains: ",[44,8107,1401],{"href":1400}," extends to vendor-related alerts, ",[44,8110,375],{"href":374}," includes vendor-initiated incidents, and ",[44,8113,1709],{"href":363}," covers changes to vendor integrations.",[37,8116,8117],{},"Weak vendor management often surfaces as exceptions in CC6 (access control) when offboarded vendors still hold credentials, or in CC9 (risk mitigation) when a vendor incident affected customer data and the response was unstructured.",[32,8119,1417],{"id":1416},[172,8121,8122,8128,8134,8140,8146],{},[175,8123,8124,8127],{},[61,8125,8126],{},"Procurement list as inventory."," Procurement tracks contracts. It misses tools added via expense reports, personal credit cards, or free tiers. Reconcile against identity provider and network data.",[175,8129,8130,8133],{},[61,8131,8132],{},"One-time assessments."," The vendor you assessed last year may have changed. 
Without a reassessment cadence, the evidence goes stale.",[175,8135,8136,8139],{},[61,8137,8138],{},"Missing DPAs."," If a vendor processes personal data, a DPA is usually required by GDPR, CCPA, or equivalent. Auditors may not enforce this but your regulators will.",[175,8141,8142,8145],{},[61,8143,8144],{},"No offboarding."," Vendors whose contracts expired still hold access or data. Build a decommissioning checklist and use it.",[175,8147,8148,8151,8152,8154],{},[61,8149,8150],{},"Ignoring subprocessors."," Your vendor's vendors may also be in scope. Enterprise buyers will ask about them, and some ",[44,8153,402],{"href":401}," contexts require it.",[32,8156,1453],{"id":1452},[172,8158,8159,8162,8165,8168,8171],{},[175,8160,8161],{},"Build the vendor inventory once and treat it as a living system of record. Update it on every new contract signing and offboarding.",[175,8163,8164],{},"Use risk tier to drive process. A high-risk vendor triggers a full assessment; a low-risk vendor triggers a lightweight check. Tiered processes scale.",[175,8166,8167],{},"Require a SOC 2 or ISO 27001 report as part of procurement for any vendor that handles customer data. This shifts the security burden upstream.",[175,8169,8170],{},"Centralize vendor evidence in one place. Contracts, assessments, and monitoring reports should all be linked to the vendor record.",[175,8172,8173],{},"Revisit the vendor inventory quarterly with owners to catch drift.",[32,8175,1101],{"id":1100},[37,8177,8178,8179,8182,8183,8185],{},"episki manages the vendor inventory, risk tiering, assessment workflows, and contract repository in a single workspace mapped directly to CC9.2 and related SOC 2 controls. 
",[44,8180,538],{"href":535,"rel":8181},[537]," or explore the full ",[44,8184,1482],{"href":614}," to see how vendor management fits into the broader program.",{"title":546,"searchDepth":547,"depth":547,"links":8187},[8188,8189,8190,8197,8198,8199,8200],{"id":7874,"depth":547,"text":7875},{"id":7886,"depth":547,"text":7887},{"id":7916,"depth":547,"text":7917,"children":8191},[8192,8193,8194,8195,8196],{"id":7923,"depth":554,"text":7924},{"id":7953,"depth":554,"text":7954},{"id":8010,"depth":554,"text":8011},{"id":8043,"depth":554,"text":8044},{"id":8073,"depth":554,"text":8074},{"id":1406,"depth":547,"text":1407},{"id":1416,"depth":547,"text":1417},{"id":1452,"depth":547,"text":1453},{"id":1100,"depth":547,"text":1101},"How to build a SOC 2 vendor management program. CC9.2 requirements, third-party risk assessments, and monitoring subprocessors across the observation period.",{"items":8203},[8204,8207,8210,8213,8216],{"label":8205,"content":8206},"Which SOC 2 criterion covers vendor management?","Vendor management is primarily addressed by CC9.2, which requires the entity to assess and manage risks associated with vendors and business partners. CC9.1 (business continuity) and CC6 (access control) are also relevant when vendors hold customer data or have system access.",{"label":8208,"content":8209},"Do I need a SOC 2 report from every vendor?","No. You need to assess every in-scope vendor, but the depth of assessment should be tiered to the risk. A vendor that processes customer data warrants a SOC 2 or equivalent report. A vendor that hosts a static marketing site does not.",{"label":8211,"content":8212},"How often should vendors be reassessed?","Most SOC 2 programs reassess high-risk vendors annually. Medium-risk vendors are typically reviewed every eighteen to twenty-four months. 
The key is that reassessments are documented and tied to risk tier, not performed ad hoc.",{"label":8214,"content":8215},"What counts as a vendor for SOC 2 purposes?","Any third party that has access to your systems, handles customer data, or provides services that support your in-scope environment. This includes SaaS tools, cloud infrastructure providers, contractors with production access, and managed service providers.",{"label":8217,"content":8218},"What evidence do auditors expect for vendor management?","Auditors typically review a vendor inventory with risk ratings, completed assessments for a sample of vendors, executed contracts with security clauses, evidence of ongoing monitoring, and the process for onboarding and offboarding vendors.",{},[8221,8222,8223],"third-party-risk","vendor-risk-management","risk-register",[1529,2578,4740],{"title":8226,"description":8227},"SOC 2 Vendor Management (2026): CC9.2 Third-Party Risk","Build a SOC 2 vendor management program. Inventory, risk tiering, assessments, contracts, and ongoing monitoring that satisfy CC9.2 requirements.","5.frameworks\u002Fsoc2\u002Fvendor-management","H5ORMSYE7908_bIi_HypIdDT7pQNGxY6jJSzIToHjXk",[8231,8785,9014,9257,9536,9753,9963,10163,10374,10489,10607,10844,10962,11503,11630,12154,12286,12407,12528,12665,12812,12935,13190,13475,14083,14319,14526,14659,14803,14971,15140,15361,15502,15680,16281,16456,16591],{"id":8232,"title":8233,"body":8234,"description":546,"extension":578,"lastUpdated":1135,"meta":8768,"navigation":613,"path":8769,"relatedFrameworks":8770,"relatedTerms":8776,"seo":8779,"slug":8782,"stem":8783,"term":8239,"__hash__":8784},"glossary\u002F8.glossary\u002Faccess-control.md","Access 
Control",{"type":29,"value":8235,"toc":8754},[8236,8240,8243,8247,8250,8276,8280,8286,8292,8298,8304,8308,8311,8317,8334,8339,8353,8359,8370,8374,8377,8425,8429,8432,8446,8450,8453,8476,8480,8483,8530,8534,8537,8651,8654,8657,8686,8690,8696,8699,8734,8737,8740,8743,8747],[32,8237,8239],{"id":8238},"what-is-access-control","What is Access Control?",[37,8241,8242],{},"Access control is the set of policies, procedures, and technical mechanisms that regulate who can access systems, data, and resources within an organization. It ensures that only authorized individuals can view, modify, or interact with sensitive information and critical systems. Access control is one of the most fundamental and universally required security controls across every major compliance framework.",[112,8244,8246],{"id":8245},"what-are-the-core-principles-of-access-control","What are the core principles of access control?",[37,8248,8249],{},"Access control is built on several foundational principles:",[172,8251,8252,8258,8264,8270],{},[175,8253,8254,8257],{},[61,8255,8256],{},"Least privilege"," — users are granted only the minimum access necessary to perform their job functions",[175,8259,8260,8263],{},[61,8261,8262],{},"Separation of duties"," — critical tasks are divided among multiple individuals to prevent any single person from having unchecked authority",[175,8265,8266,8269],{},[61,8267,8268],{},"Need to know"," — access to information is restricted to those who require it for a specific purpose",[175,8271,8272,8275],{},[61,8273,8274],{},"Default deny"," — access is denied by default unless explicitly granted",[112,8277,8279],{"id":8278},"what-are-the-types-of-access-control","What are the types of access control?",[37,8281,8282,8285],{},[61,8283,8284],{},"Role-Based Access Control (RBAC)"," — access is determined by the user's role within the organization. Roles are defined with specific permissions, and users are assigned to roles. 
This is the most common model in enterprise environments.",[37,8287,8288,8291],{},[61,8289,8290],{},"Attribute-Based Access Control (ABAC)"," — access decisions are based on attributes of the user, the resource, and the environment (e.g., department, location, time of day, device type).",[37,8293,8294,8297],{},[61,8295,8296],{},"Discretionary Access Control (DAC)"," — resource owners decide who can access their resources. Common in file systems where owners set permissions.",[37,8299,8300,8303],{},[61,8301,8302],{},"Mandatory Access Control (MAC)"," — access is controlled by the system based on security labels and clearance levels. Common in government and military environments.",[112,8305,8307],{"id":8306},"what-are-access-control-components","What are access control components?",[37,8309,8310],{},"A complete access control program addresses:",[37,8312,8313,8316],{},[61,8314,8315],{},"Authentication"," — verifying the identity of users:",[172,8318,8319,8322,8325,8328,8331],{},[175,8320,8321],{},"Passwords and passphrases",[175,8323,8324],{},"Multi-factor authentication (MFA)",[175,8326,8327],{},"Single sign-on (SSO)",[175,8329,8330],{},"Biometric authentication",[175,8332,8333],{},"Certificate-based authentication",[37,8335,8336,8338],{},[61,8337,1727],{}," — determining what authenticated users can do:",[172,8340,8341,8344,8347,8350],{},[175,8342,8343],{},"Permission assignments",[175,8345,8346],{},"Role definitions",[175,8348,8349],{},"Access control lists",[175,8351,8352],{},"Policy enforcement points",[37,8354,8355,8358],{},[61,8356,8357],{},"Access lifecycle management"," — managing access throughout the user lifecycle:",[172,8360,8361,8364,8367],{},[175,8362,8363],{},"Provisioning (granting access when hired or role changes)",[175,8365,8366],{},"Review (periodic access certification)",[175,8368,8369],{},"Deprovisioning (revoking access upon termination or role change)",[112,8371,8373],{"id":8372},"how-do-compliance-frameworks-address-access-control","How do 
compliance frameworks address access control?",[37,8375,8376],{},"Every major framework requires access control:",[172,8378,8379,8386,8398,8410,8417],{},[175,8380,8381,8385],{},[61,8382,8383],{},[44,8384,658],{"href":614}," — CC6.1 through CC6.8 cover logical and physical access controls",[175,8387,8388,8392,8393,8397],{},[61,8389,8390],{},[44,8391,393],{"href":392}," — ",[44,8394,8396],{"href":8395},"\u002Fglossary\u002Fannex-a","Annex A"," controls A.5.15 through A.5.18 and A.8.2 through A.8.5 address access management",[175,8399,8400,8404,8405,8409],{},[61,8401,8402],{},[44,8403,402],{"href":401}," — the ",[44,8406,8408],{"href":8407},"\u002Fframeworks\u002Fhipaa\u002Fsecurity-rule","Security Rule"," requires access controls for ePHI (45 CFR 164.312(a))",[175,8411,8412,8416],{},[61,8413,8414],{},[44,8415,411],{"href":410}," — Requirements 7 and 8 address access restriction and user identification",[175,8418,8419,8424],{},[61,8420,8421],{},[44,8422,6581],{"href":8423},"\u002Fframeworks\u002Fnistcsf"," — PR.AC covers identity management, authentication, and access control",[112,8426,8428],{"id":8427},"what-are-access-reviews","What are access reviews?",[37,8430,8431],{},"Regular access reviews (also called access certifications) are a critical control:",[172,8433,8434,8437,8440,8443],{},[175,8435,8436],{},"Review user access rights periodically (quarterly is common for sensitive systems)",[175,8438,8439],{},"Verify that access aligns with current job responsibilities",[175,8441,8442],{},"Identify and remove excessive or unnecessary access",[175,8444,8445],{},"Document review results and remediation actions",[112,8447,8449],{"id":8448},"what-are-common-access-control-weaknesses","What are common access control weaknesses?",[37,8451,8452],{},"Even well-designed access control programs can degrade over time without ongoing attention. 
Watch for these common issues:",[172,8454,8455,8458,8461,8464,8467,8470,8473],{},[175,8456,8457],{},"Excessive permissions that accumulate over time (privilege creep)",[175,8459,8460],{},"Shared or generic accounts that prevent individual accountability",[175,8462,8463],{},"Delayed deprovisioning when employees leave or change roles",[175,8465,8466],{},"Lack of MFA on critical systems and remote access paths",[175,8468,8469],{},"Inconsistent access review processes with no documented remediation",[175,8471,8472],{},"Service accounts with standing privileged access and no rotation schedule",[175,8474,8475],{},"Lack of visibility into SaaS application access outside the corporate IdP",[112,8477,8479],{"id":8478},"how-do-you-implement-access-control-in-practice","How do you implement access control in practice?",[37,8481,8482],{},"Effective access control programs start with planning and build toward automation. The following steps provide a practical roadmap for organizations at any maturity level:",[210,8484,8485,8491,8497,8503,8509,8515,8524],{},[175,8486,8487,8490],{},[61,8488,8489],{},"Map your environment"," — inventory all systems, applications, and data repositories that require access controls. You cannot protect what you have not identified. Include SaaS applications, cloud infrastructure, on-premises servers, databases, file shares, and third-party integrations.",[175,8492,8493,8496],{},[61,8494,8495],{},"Define roles based on job functions"," — create roles that reflect organizational responsibilities, not individual users. Align roles to the principle of least privilege so each role includes only the permissions required for that function. Review role definitions annually and whenever organizational structure changes.",[175,8498,8499,8502],{},[61,8500,8501],{},"Centralize authentication with SSO"," — implement single sign-on using SAML 2.0 or OpenID Connect (OIDC) to unify identity across cloud and on-premises systems. 
Centralized authentication reduces password sprawl and gives security teams a single point of enforcement. Ensure all business-critical applications are integrated with your SSO provider before considering the rollout complete.",[175,8504,8505,8508],{},[61,8506,8507],{},"Layer MFA on all critical systems"," — require multi-factor authentication for remote access, privileged accounts, email, cloud consoles, and any system that touches sensitive data. Phishing-resistant methods such as FIDO2 hardware keys are preferred over SMS-based codes. At a minimum, enforce MFA on identity providers, admin consoles, and VPN access.",[175,8510,8511,8514],{},[61,8512,8513],{},"Automate provisioning and deprovisioning"," — connect your HR system to your identity provider (IdP) and use SCIM or directory sync to automate account creation, role assignment, and account removal. When an employee is terminated in the HR system, access should be revoked within minutes, not days. Automation eliminates the human error that leads to orphaned accounts and privilege creep.",[175,8516,8517,8520,8521,8523],{},[61,8518,8519],{},"Build an access request and approval workflow"," — establish a formal process where users request access with documented business justification, managers approve, and the request is logged for audit. This creates an ",[44,8522,1713],{"href":1712}," that satisfies compliance requirements.",[175,8525,8526,8529],{},[61,8527,8528],{},"Monitor and log access events"," — collect authentication and authorization logs centrally. Monitor for anomalies such as failed login attempts, access from unusual locations, and privilege escalation. Logs are essential for incident response and audit evidence.",[112,8531,8533],{"id":8532},"what-are-the-access-control-requirements","What are the access control requirements?",[37,8535,8536],{},"Different frameworks address the same access control concepts with different control references. 
The table below maps common requirements to their framework-specific identifiers:",[859,8538,8539,8556],{},[862,8540,8541],{},[865,8542,8543,8546,8548,8550,8552,8554],{},[868,8544,8545],{},"Requirement",[868,8547,658],{},[868,8549,393],{},[868,8551,402],{},[868,8553,411],{},[868,8555,6581],{},[875,8557,8558,8578,8597,8617,8634],{},[865,8559,8560,8563,8566,8569,8572,8575],{},[880,8561,8562],{},"Unique user IDs",[880,8564,8565],{},"CC6.1",[880,8567,8568],{},"A.5.16",[880,8570,8571],{},"§164.312(a)(2)(i)",[880,8573,8574],{},"Req 8.2.1",[880,8576,8577],{},"PR.AC-1",[865,8579,8580,8583,8585,8588,8591,8594],{},[880,8581,8582],{},"MFA",[880,8584,8565],{},[880,8586,8587],{},"A.8.5",[880,8589,8590],{},"Addressable",[880,8592,8593],{},"Req 8.4",[880,8595,8596],{},"PR.AC-7",[865,8598,8599,8602,8605,8608,8611,8614],{},[880,8600,8601],{},"Access reviews",[880,8603,8604],{},"CC6.2",[880,8606,8607],{},"A.5.18",[880,8609,8610],{},"§164.312(a)(1)",[880,8612,8613],{},"Req 7.2",[880,8615,8616],{},"PR.AC-4",[865,8618,8619,8621,8624,8627,8629,8632],{},[880,8620,8256],{},[880,8622,8623],{},"CC6.3",[880,8625,8626],{},"A.5.15",[880,8628,8610],{},[880,8630,8631],{},"Req 7.1",[880,8633,8616],{},[865,8635,8636,8639,8641,8643,8646,8649],{},[880,8637,8638],{},"Deprovisioning",[880,8640,8604],{},[880,8642,8607],{},[880,8644,8645],{},"§164.312(a)(2)(ii)",[880,8647,8648],{},"Req 8.2.6",[880,8650,8577],{},[37,8652,8653],{},"Organizations subject to multiple frameworks can use this mapping to build a unified access control program that satisfies overlapping requirements without duplicating effort.",[37,8655,8656],{},"A few notes on framework-specific nuances:",[172,8658,8659,8664,8672,8679],{},[175,8660,8661,8663],{},[61,8662,402],{}," treats MFA as an \"addressable\" implementation specification, meaning covered entities must implement it or document why an equivalent alternative is reasonable. 
In practice, most organizations implement MFA because the risk of not doing so is difficult to justify.",[175,8665,8666,8671],{},[61,8667,8668,8670],{},[44,8669,411],{"href":410}," v4.0"," expanded MFA requirements (Req 8.4) to include all access into the cardholder data environment, not just remote access. Organizations processing card data should verify their MFA coverage meets the updated scope.",[175,8673,8674,8678],{},[61,8675,8676],{},[44,8677,658],{"href":614}," does not prescribe specific technologies but evaluates whether the controls in place are suitably designed and operating effectively. Auditors will look for evidence that access control policies are enforced consistently.",[175,8680,8681,8685],{},[61,8682,8683],{},[44,8684,6581],{"href":8423}," provides a flexible, risk-based approach. The PR.AC subcategory identifiers map to more detailed controls in NIST SP 800-53, which organizations can reference for implementation guidance.",[112,8687,8689],{"id":8688},"how-does-zero-trust-relate-to-access-control","How does zero trust relate to access control?",[37,8691,8692,8693,100],{},"Traditional access control models assume that users inside the network perimeter can be trusted. Zero trust architecture rejects that assumption entirely: ",[61,8694,8695],{},"never trust, always verify",[37,8697,8698],{},"In a zero trust model, every access request is authenticated, authorized, and encrypted regardless of where it originates. Key principles include:",[172,8700,8701,8707,8713,8722,8728],{},[175,8702,8703,8706],{},[61,8704,8705],{},"Continuous verification"," — access decisions are re-evaluated throughout a session, not just at login. 
Changes in user behavior, location, or risk score can trigger step-up authentication or session termination.",[175,8708,8709,8712],{},[61,8710,8711],{},"Micro-segmentation"," — network resources are divided into small, isolated zones so that compromising one segment does not grant lateral access to others.",[175,8714,8715,8718,8719,8721],{},[61,8716,8717],{},"Device posture checks"," — the security state of the connecting device (patch level, endpoint protection status, disk ",[44,8720,2781],{"href":2780},") is evaluated before access is granted.",[175,8723,8724,8727],{},[61,8725,8726],{},"Identity-centric perimeter"," — the network perimeter is replaced by identity as the primary security boundary. Every user, device, and workload must prove its identity before accessing any resource.",[175,8729,8730,8733],{},[61,8731,8732],{},"Least privilege enforcement at the session level"," — access grants are scoped to the specific resource and action needed, and they expire when the session ends or conditions change.",[37,8735,8736],{},"NIST SP 800-207 defines the zero trust architecture and provides guidance on implementation. Many compliance frameworks are increasingly aligning their access control requirements with zero trust principles, making it a forward-looking strategy for organizations building or modernizing their access control programs.",[37,8738,8739],{},"Zero trust is not a single product but an architectural approach that spans identity, network, endpoints, and data.",[37,8741,8742],{},"Adopting zero trust does not require replacing your existing access control infrastructure overnight. Most organizations begin by enforcing MFA universally, segmenting their most sensitive assets, and adding device posture checks to their conditional access policies. 
Over time, these incremental improvements compound into a mature zero trust posture.",[112,8744,8746],{"id":8745},"how-does-episki-help-with-access-control","How does episki help with access control?",[37,8748,8749,8750,100],{},"episki tracks access control policies, monitors review schedules, and documents access provisioning and deprovisioning activities. The platform sends reminders for periodic access reviews and maintains evidence for auditors. Learn more on our ",[44,8751,8753],{"href":8752},"\u002Fframeworks","compliance platform",{"title":546,"searchDepth":547,"depth":547,"links":8755},[8756],{"id":8238,"depth":547,"text":8239,"children":8757},[8758,8759,8760,8761,8762,8763,8764,8765,8766,8767],{"id":8245,"depth":554,"text":8246},{"id":8278,"depth":554,"text":8279},{"id":8306,"depth":554,"text":8307},{"id":8372,"depth":554,"text":8373},{"id":8427,"depth":554,"text":8428},{"id":8448,"depth":554,"text":8449},{"id":8478,"depth":554,"text":8479},{"id":8532,"depth":554,"text":8533},{"id":8688,"depth":554,"text":8689},{"id":8745,"depth":554,"text":8746},{},"\u002Fglossary\u002Faccess-control",[8771,631,8772,8773,8774,8775],"cmmc","iso27001","hipaa","pci","nistcsf",[8777,1877,2781,8778],"minimum-necessary-rule","user-entity-controls",{"title":8780,"description":8781},"Access Control in Compliance: RBAC, MFA & Least Privilege","Access control restricts system and data access to authorized users. 
Learn RBAC, MFA, least privilege, and requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","access-control","8.glossary\u002Faccess-control","06FHtOe5hEs65vhNnMjZcNgPP9NXCQTnLD9llz_jEjM",{"id":8786,"title":8787,"body":8788,"description":546,"extension":578,"lastUpdated":1135,"meta":9006,"navigation":613,"path":1712,"relatedFrameworks":9007,"relatedTerms":9008,"seo":9009,"slug":1877,"stem":9012,"term":8793,"__hash__":9013},"glossary\u002F8.glossary\u002Faudit-trail.md","Audit Trail",{"type":29,"value":8789,"toc":8996},[8790,8794,8797,8801,8804,8842,8845,8865,8869,8872,8894,8898,8901,8945,8949,8952,8966,8970,8987,8991],[32,8791,8793],{"id":8792},"what-is-an-audit-trail","What is an Audit Trail?",[37,8795,8796],{},"An audit trail is a chronological record of activities, events, and changes within a system or process that provides documentary evidence of the sequence of actions performed. Audit trails answer the fundamental questions: who did what, when did they do it, where did it happen, and what was the result. 
They are essential for security monitoring, incident investigation, compliance demonstration, and accountability.",[112,8798,8800],{"id":8799},"what-do-audit-trails-capture","What do audit trails capture?",[37,8802,8803],{},"Effective audit trails typically record:",[172,8805,8806,8812,8818,8824,8830,8836],{},[175,8807,8808,8811],{},[61,8809,8810],{},"User actions"," — logins, logouts, data access, data modifications, privilege changes",[175,8813,8814,8817],{},[61,8815,8816],{},"System events"," — configuration changes, service starts and stops, errors, failures",[175,8819,8820,8823],{},[61,8821,8822],{},"Administrative actions"," — user account creation and deletion, permission changes, policy updates",[175,8825,8826,8829],{},[61,8827,8828],{},"Data changes"," — creation, modification, and deletion of records, including before and after values where applicable",[175,8831,8832,8835],{},[61,8833,8834],{},"Access attempts"," — both successful and failed authentication and authorization attempts",[175,8837,8838,8841],{},[61,8839,8840],{},"Security events"," — firewall rule changes, intrusion detection alerts, malware detections",[37,8843,8844],{},"Each audit trail entry should include:",[172,8846,8847,8850,8853,8856,8859,8862],{},[175,8848,8849],{},"Timestamp (synchronized across systems)",[175,8851,8852],{},"User or system identity",[175,8854,8855],{},"Action performed",[175,8857,8858],{},"Target resource or data",[175,8860,8861],{},"Outcome (success or failure)",[175,8863,8864],{},"Source (IP address, device, or location)",[112,8866,8868],{"id":8867},"what-are-the-audit-trail-requirements","What are the audit trail requirements?",[37,8870,8871],{},"Multiple compliance frameworks require audit trails:",[172,8873,8874,8879,8884,8889],{},[175,8875,8876,8878],{},[61,8877,658],{}," — CC7.2 requires monitoring of system components for anomalies, and CC6.1 requires logical access controls with logging",[175,8880,8881,8883],{},[61,8882,393],{}," — control A.8.15 addresses 
logging, and A.8.17 addresses clock synchronization for accurate audit trails",[175,8885,8886,8888],{},[61,8887,402],{}," — the Security Rule requires audit controls that record and examine activity in systems containing ePHI (45 CFR 164.312(b))",[175,8890,8891,8893],{},[61,8892,411],{}," — Requirement 10 mandates logging and monitoring all access to network resources and cardholder data",[112,8895,8897],{"id":8896},"how-do-you-implement-audit-trails","How do you implement audit trails?",[37,8899,8900],{},"To implement effective audit trails:",[210,8902,8903,8909,8915,8921,8927,8933,8939],{},[175,8904,8905,8908],{},[61,8906,8907],{},"Enable logging"," — activate audit logging on all in-scope systems including applications, databases, operating systems, and network devices",[175,8910,8911,8914],{},[61,8912,8913],{},"Centralize logs"," — aggregate logs into a central platform (SIEM) for correlation and analysis",[175,8916,8917,8920],{},[61,8918,8919],{},"Protect integrity"," — ensure logs cannot be modified or deleted by users, including administrators",[175,8922,8923,8926],{},[61,8924,8925],{},"Synchronize time"," — use NTP to ensure timestamps are consistent across all systems",[175,8928,8929,8932],{},[61,8930,8931],{},"Define retention"," — establish retention periods aligned with compliance and business requirements",[175,8934,8935,8938],{},[61,8936,8937],{},"Monitor actively"," — review audit trails for suspicious activity, not just for compliance evidence",[175,8940,8941,8944],{},[61,8942,8943],{},"Automate alerts"," — configure alerts for critical events such as failed login attempts, privilege escalation, and unauthorized access",[112,8946,8948],{"id":8947},"how-long-should-audit-trails-be-retained","How long should audit trails be retained?",[37,8950,8951],{},"Retention requirements vary by framework and jurisdiction:",[172,8953,8954,8957,8960,8963],{},[175,8955,8956],{},"PCI DSS requires at least 12 months of audit trail history, with the most recent 3 
months immediately available",[175,8958,8959],{},"HIPAA requires documentation retention for 6 years",[175,8961,8962],{},"ISO 27001 does not specify a fixed period but requires organizations to define and follow their own retention policy",[175,8964,8965],{},"SOC 2 audit periods typically require evidence covering the observation period",[112,8967,8969],{"id":8968},"what-are-common-pitfalls-with-audit-trails","What are common pitfalls with audit trails?",[172,8971,8972,8975,8978,8981,8984],{},[175,8973,8974],{},"Insufficient logging — missing critical events or systems",[175,8976,8977],{},"Log overload — logging too much without meaningful analysis",[175,8979,8980],{},"No log protection — allowing administrators to modify or delete logs",[175,8982,8983],{},"Inconsistent timestamps — making it impossible to correlate events across systems",[175,8985,8986],{},"No review process — collecting logs but never analyzing them",[112,8988,8990],{"id":8989},"how-does-episki-help-with-audit-trails","How does episki help with audit trails?",[37,8992,8993,8994,100],{},"episki integrates with your logging infrastructure to track compliance-relevant events, maintain audit trail records, and demonstrate continuous monitoring to auditors. The platform maps audit trail capabilities to framework requirements and flags gaps in coverage. Learn more on our ",[44,8995,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":8997},[8998],{"id":8792,"depth":547,"text":8793,"children":8999},[9000,9001,9002,9003,9004,9005],{"id":8799,"depth":554,"text":8800},{"id":8867,"depth":554,"text":8868},{"id":8896,"depth":554,"text":8897},{"id":8947,"depth":554,"text":8948},{"id":8968,"depth":554,"text":8969},{"id":8989,"depth":554,"text":8990},{},[631,8772,8773,8774],[1876,8782,1042,1530],{"title":9010,"description":9011},"What is an Audit Trail? 
Definition & Compliance Guide","An audit trail is a chronological record of system activities that provides evidence of who did what, when, and where for security and compliance purposes.","8.glossary\u002Faudit-trail","wGJCFb9Xcb1bQvrLNHVniHH6roxZCmzstztRki0-h68",{"id":9015,"title":9016,"body":9017,"description":546,"extension":578,"lastUpdated":1135,"meta":9248,"navigation":613,"path":1708,"relatedFrameworks":9249,"relatedTerms":9250,"seo":9252,"slug":1875,"stem":9255,"term":9022,"__hash__":9256},"glossary\u002F8.glossary\u002Fchange-management.md","Change Management",{"type":29,"value":9018,"toc":9237},[9019,9023,9026,9030,9033,9050,9054,9057,9063,9082,9088,9102,9107,9118,9124,9135,9141,9152,9156,9173,9177,9197,9201,9204,9208,9211,9228,9232],[32,9020,9022],{"id":9021},"what-is-change-management","What is Change Management?",[37,9024,9025],{},"Change management is the structured process of planning, approving, implementing, and reviewing changes to an organization's information systems, infrastructure, and applications. The goal is to ensure that changes are made in a controlled manner, minimizing the risk of unintended disruptions, security vulnerabilities, or compliance violations.",[112,9027,9029],{"id":9028},"why-does-change-management-matter","Why does change management matter?",[37,9031,9032],{},"Uncontrolled changes are a leading cause of system outages, security incidents, and compliance failures. 
Without a formal change management process:",[172,9034,9035,9038,9041,9044,9047],{},[175,9036,9037],{},"Untested changes can introduce bugs or vulnerabilities",[175,9039,9040],{},"Unauthorized modifications can compromise security controls",[175,9042,9043],{},"Conflicting changes can cause system instability",[175,9045,9046],{},"Auditors cannot verify that changes were properly authorized and tested",[175,9048,9049],{},"Troubleshooting becomes difficult without a record of what changed",[112,9051,9053],{"id":9052},"what-are-the-components-of-a-change-management-process","What are the components of a change management process?",[37,9055,9056],{},"An effective change management program includes:",[37,9058,9059,9062],{},[61,9060,9061],{},"Change request"," — a formal submission describing the proposed change, including:",[172,9064,9065,9068,9071,9073,9076,9079],{},[175,9066,9067],{},"Description of the change",[175,9069,9070],{},"Business justification",[175,9072,2247],{},[175,9074,9075],{},"Rollback plan",[175,9077,9078],{},"Testing plan",[175,9080,9081],{},"Implementation timeline",[37,9083,9084,9087],{},[61,9085,9086],{},"Review and approval"," — changes are reviewed by appropriate stakeholders:",[172,9089,9090,9093,9096,9099],{},[175,9091,9092],{},"Technical review for feasibility and impact",[175,9094,9095],{},"Security review for potential risks",[175,9097,9098],{},"Management approval based on risk and priority",[175,9100,9101],{},"Change Advisory Board (CAB) review for significant changes",[37,9103,9104,9106],{},[61,9105,840],{}," — changes are tested in a non-production environment before deployment:",[172,9108,9109,9112,9115],{},[175,9110,9111],{},"Functional testing to verify the change works as intended",[175,9113,9114],{},"Regression testing to confirm existing functionality is not broken",[175,9116,9117],{},"Security testing when the change affects security-relevant systems",[37,9119,9120,9123],{},[61,9121,9122],{},"Implementation"," — changes are 
deployed following the approved plan:",[172,9125,9126,9129,9132],{},[175,9127,9128],{},"During designated maintenance windows when appropriate",[175,9130,9131],{},"With monitoring for unexpected issues",[175,9133,9134],{},"With rollback procedures ready if problems occur",[37,9136,9137,9140],{},[61,9138,9139],{},"Post-implementation review"," — after deployment, verify:",[172,9142,9143,9146,9149],{},[175,9144,9145],{},"The change achieved its intended outcome",[175,9147,9148],{},"No unintended side effects occurred",[175,9150,9151],{},"Documentation is updated to reflect the change",[112,9153,9155],{"id":9154},"how-do-compliance-frameworks-address-change-management","How do compliance frameworks address change management?",[172,9157,9158,9163,9168],{},[175,9159,9160,9162],{},[61,9161,658],{}," — CC8.1 requires that changes to infrastructure, data, software, and procedures are authorized, designed, developed, configured, documented, tested, approved, and implemented",[175,9164,9165,9167],{},[61,9166,393],{}," — control A.8.32 addresses change management, requiring that changes to information processing facilities and systems be subject to change management procedures",[175,9169,9170,9172],{},[61,9171,411],{}," — Requirement 6.5 requires change control processes for all system components in the cardholder data environment",[112,9174,9176],{"id":9175},"what-are-the-types-of-changes-in-change-management","What are the types of changes in change management?",[172,9178,9179,9185,9191],{},[175,9180,9181,9184],{},[61,9182,9183],{},"Standard changes"," — pre-approved, low-risk, routine changes that follow a documented procedure (e.g., updating a standard software package)",[175,9186,9187,9190],{},[61,9188,9189],{},"Normal changes"," — changes that require the full change management process including review and approval",[175,9192,9193,9196],{},[61,9194,9195],{},"Emergency changes"," — urgent changes needed to resolve incidents or critical issues, typically with streamlined 
approval followed by retrospective documentation",[112,9198,9200],{"id":9199},"how-does-separation-of-duties-apply-to-change-management","How does separation of duties apply to change management?",[37,9202,9203],{},"A key control within change management is separation of duties — the person who develops a change should not be the same person who approves or deploys it to production. This prevents unauthorized or untested changes from reaching production systems.",[112,9205,9207],{"id":9206},"what-change-management-evidence-do-auditors-look-for","What change management evidence do auditors look for?",[37,9209,9210],{},"Auditors reviewing change management look for:",[172,9212,9213,9216,9219,9222,9225],{},[175,9214,9215],{},"Change request records with documented approvals",[175,9217,9218],{},"Evidence of testing before production deployment",[175,9220,9221],{},"Separation of duties between development, approval, and deployment",[175,9223,9224],{},"Rollback plans for significant changes",[175,9226,9227],{},"Post-implementation reviews",[112,9229,9231],{"id":9230},"how-does-episki-help-with-change-management","How does episki help with change management?",[37,9233,9234,9235,100],{},"episki tracks change management activities, integrates with ticketing and CI\u002FCD systems, and maintains audit-ready evidence of change approvals, testing, and deployment. The platform maps change management controls to SOC 2, ISO 27001, and PCI DSS requirements. 
Learn more on our ",[44,9236,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":9238},[9239],{"id":9021,"depth":547,"text":9022,"children":9240},[9241,9242,9243,9244,9245,9246,9247],{"id":9028,"depth":554,"text":9029},{"id":9052,"depth":554,"text":9053},{"id":9154,"depth":554,"text":9155},{"id":9175,"depth":554,"text":9176},{"id":9199,"depth":554,"text":9200},{"id":9206,"depth":554,"text":9207},{"id":9230,"depth":554,"text":9231},{},[8771,631,8772,8774],[1877,8782,1876,9251],"control-objectives",{"title":9253,"description":9254},"What is Change Management? Definition & Compliance Guide","Change management is the process of controlling modifications to systems and infrastructure to prevent unauthorized changes and maintain security and stability.","8.glossary\u002Fchange-management","xeecemxPeYwPVCVxeZ0eZXpmSOlKMkCLQoUsX4dbaQA",{"id":9258,"title":9259,"body":9260,"description":546,"extension":578,"lastUpdated":1135,"meta":9526,"navigation":613,"path":9527,"relatedFrameworks":9528,"relatedTerms":9529,"seo":9531,"slug":1042,"stem":9534,"term":9265,"__hash__":9535},"glossary\u002F8.glossary\u002Fcontinuous-monitoring.md","Continuous Monitoring",{"type":29,"value":9261,"toc":9515},[9262,9266,9269,9273,9276,9296,9300,9303,9308,9322,9327,9341,9346,9357,9362,9376,9380,9403,9407,9462,9466,9469,9482,9485,9489,9506,9510],[32,9263,9265],{"id":9264},"what-is-continuous-monitoring","What is Continuous Monitoring?",[37,9267,9268],{},"Continuous monitoring is the practice of maintaining ongoing awareness of an organization's security posture, vulnerabilities, and threats through automated and manual observation of systems, controls, and processes. 
Rather than assessing security at periodic intervals, continuous monitoring provides real-time or near-real-time visibility into the effectiveness of security controls and the current threat landscape.",[112,9270,9272],{"id":9271},"why-does-continuous-monitoring-matter","Why does continuous monitoring matter?",[37,9274,9275],{},"Traditional point-in-time assessments (such as annual audits or quarterly scans) provide snapshots of security posture but miss what happens between assessments. Continuous monitoring fills this gap by:",[172,9277,9278,9281,9284,9287,9290,9293],{},[175,9279,9280],{},"Detecting threats and vulnerabilities as they emerge, not months later",[175,9282,9283],{},"Verifying that controls remain effective on an ongoing basis",[175,9285,9286],{},"Identifying configuration drift and unauthorized changes",[175,9288,9289],{},"Providing evidence of sustained compliance for auditors",[175,9291,9292],{},"Enabling faster response to security incidents",[175,9294,9295],{},"Reducing the risk of surprises during audit cycles",[112,9297,9299],{"id":9298},"what-should-you-monitor-continuously","What should you monitor continuously?",[37,9301,9302],{},"Continuous monitoring spans multiple domains:",[37,9304,9305],{},[61,9306,9307],{},"Security controls:",[172,9309,9310,9313,9316,9319],{},[175,9311,9312],{},"Are access controls still properly configured?",[175,9314,9315],{},"Are encryption mechanisms active and using current standards?",[175,9317,9318],{},"Are security policies being followed?",[175,9320,9321],{},"Are patches being applied within defined timeframes?",[37,9323,9324],{},[61,9325,9326],{},"Systems and infrastructure:",[172,9328,9329,9332,9335,9338],{},[175,9330,9331],{},"Are systems operating normally?",[175,9333,9334],{},"Are there unauthorized configuration changes?",[175,9336,9337],{},"Are there new vulnerabilities affecting your environment?",[175,9339,9340],{},"Are all endpoints protected with current security 
agents?",[37,9342,9343],{},[61,9344,9345],{},"User activity:",[172,9347,9348,9351,9354],{},[175,9349,9350],{},"Are there unusual access patterns or privilege escalations?",[175,9352,9353],{},"Are terminated users' accounts being deactivated promptly?",[175,9355,9356],{},"Are there failed authentication attempts indicating brute-force attacks?",[37,9358,9359],{},[61,9360,9361],{},"Compliance status:",[172,9363,9364,9367,9370,9373],{},[175,9365,9366],{},"Are all required controls implemented and operating?",[175,9368,9369],{},"Is evidence being collected on schedule?",[175,9371,9372],{},"Are policy reviews and updates happening as planned?",[175,9374,9375],{},"Are vendor assessments current?",[112,9377,9379],{"id":9378},"how-do-compliance-frameworks-address-continuous-monitoring","How do compliance frameworks address continuous monitoring?",[172,9381,9382,9387,9392,9397],{},[175,9383,9384,9386],{},[61,9385,658],{}," — CC4.1 and CC4.2 require ongoing monitoring of the internal control system and evaluation of deficiencies",[175,9388,9389,9391],{},[61,9390,393],{}," — clause 9 (Performance evaluation) requires monitoring, measurement, analysis, and evaluation of the ISMS",[175,9393,9394,9396],{},[61,9395,6581],{}," — DE.CM (Continuous Monitoring) specifically addresses monitoring information systems and assets for cybersecurity events",[175,9398,9399,9402],{},[61,9400,9401],{},"NIST SP 800-137"," provides detailed guidance on Information Security Continuous Monitoring (ISCM)",[112,9404,9406],{"id":9405},"how-do-you-implement-continuous-monitoring","How do you implement continuous monitoring?",[210,9408,9409,9415,9438,9444,9450,9456],{},[175,9410,9411,9414],{},[61,9412,9413],{},"Define monitoring objectives"," — determine what needs to be monitored based on risk assessment and compliance requirements",[175,9416,9417,9420,9421],{},[61,9418,9419],{},"Select monitoring tools"," — deploy appropriate 
technologies:\n",[172,9422,9423,9426,9429,9432,9435],{},[175,9424,9425],{},"SIEM (Security Information and Event Management) for log aggregation and correlation",[175,9427,9428],{},"EDR (Endpoint Detection and Response) for endpoint monitoring",[175,9430,9431],{},"Vulnerability scanners for continuous vulnerability assessment",[175,9433,9434],{},"Configuration management tools for drift detection",[175,9436,9437],{},"GRC platforms for compliance monitoring",[175,9439,9440,9443],{},[61,9441,9442],{},"Establish baselines"," — define normal operating parameters so deviations can be detected",[175,9445,9446,9449],{},[61,9447,9448],{},"Configure alerts"," — set meaningful alert thresholds to balance detection with alert fatigue",[175,9451,9452,9455],{},[61,9453,9454],{},"Define response procedures"," — establish processes for responding to monitoring alerts",[175,9457,9458,9461],{},[61,9459,9460],{},"Review and improve"," — regularly assess monitoring effectiveness and adjust as needed",[112,9463,9465],{"id":9464},"what-is-the-difference-between-continuous-monitoring-and-continuous-compliance","What is the difference between continuous monitoring and continuous compliance?",[37,9467,9468],{},"While related, these concepts differ:",[172,9470,9471,9476],{},[175,9472,9473,9475],{},[61,9474,1043],{}," focuses on security — detecting threats, vulnerabilities, and anomalies in real time",[175,9477,9478,9481],{},[61,9479,9480],{},"Continuous compliance"," focuses on maintaining compliance posture — ensuring controls remain effective and evidence stays current",[37,9483,9484],{},"An effective program addresses both. 
Security monitoring feeds compliance evidence, and compliance monitoring ensures security controls do not degrade.",[112,9486,9488],{"id":9487},"what-are-common-challenges-with-continuous-monitoring","What are common challenges with continuous monitoring?",[172,9490,9491,9494,9497,9500,9503],{},[175,9492,9493],{},"Alert fatigue from too many low-priority notifications",[175,9495,9496],{},"Gaps in monitoring coverage across all systems",[175,9498,9499],{},"Insufficient resources to investigate and respond to alerts",[175,9501,9502],{},"Monitoring tools that generate data but lack actionable insights",[175,9504,9505],{},"Difficulty correlating events across disparate systems",[112,9507,9509],{"id":9508},"how-does-episki-help-with-continuous-monitoring","How does episki help with continuous monitoring?",[37,9511,9512,9513,100],{},"episki provides continuous compliance monitoring by tracking control effectiveness, evidence collection status, and policy review schedules. The platform integrates with security tools to pull monitoring data into your compliance program and alerts you when controls need attention. Learn more on our ",[44,9514,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":9516},[9517],{"id":9264,"depth":547,"text":9265,"children":9518},[9519,9520,9521,9522,9523,9524,9525],{"id":9271,"depth":554,"text":9272},{"id":9298,"depth":554,"text":9299},{"id":9378,"depth":554,"text":9379},{"id":9405,"depth":554,"text":9406},{"id":9464,"depth":554,"text":9465},{"id":9487,"depth":554,"text":9488},{"id":9508,"depth":554,"text":9509},{},"\u002Fglossary\u002Fcontinuous-monitoring",[8771,631,8772,8775],[1876,1877,1530,5627,9530],"control-framework",{"title":9532,"description":9533},"Continuous Monitoring for Compliance: Tools & Best Practices","Continuous monitoring tracks security controls in real time to detect threats and verify compliance. 
Learn how to implement it for SOC 2, ISO 27001, and NIST CSF.","8.glossary\u002Fcontinuous-monitoring","YFq0Sck1IHoKfMLlSRFboyiO1yOmbJP8o3dmYFvhgGk",{"id":9537,"title":9538,"body":9539,"description":546,"extension":578,"lastUpdated":1135,"meta":9743,"navigation":613,"path":9744,"relatedFrameworks":9745,"relatedTerms":9746,"seo":9748,"slug":9530,"stem":9751,"term":9544,"__hash__":9752},"glossary\u002F8.glossary\u002Fcontrol-framework.md","Control Framework",{"type":29,"value":9540,"toc":9733},[9541,9545,9548,9552,9555,9587,9591,9594,9632,9636,9639,9671,9675,9678,9681,9685,9688,9724,9728],[32,9542,9544],{"id":9543},"what-is-a-control-framework","What is a Control Framework?",[37,9546,9547],{},"A control framework is a structured collection of security controls, guidelines, and best practices that organizations use to design, implement, and evaluate their information security programs. Control frameworks provide a systematic approach to managing security risks by defining what controls should exist and how they should be organized.",[112,9549,9551],{"id":9550},"why-do-control-frameworks-matter","Why do control frameworks matter?",[37,9553,9554],{},"Without a framework, security programs tend to develop organically — addressing risks as they arise without a cohesive structure. This leads to gaps in coverage, duplicated efforts, and difficulty demonstrating security posture to stakeholders. 
Control frameworks provide:",[172,9556,9557,9563,9569,9575,9581],{},[175,9558,9559,9562],{},[61,9560,9561],{},"Comprehensiveness"," — a complete catalog of controls spanning all relevant security domains",[175,9564,9565,9568],{},[61,9566,9567],{},"Structure"," — logical organization of controls into categories and domains",[175,9570,9571,9574],{},[61,9572,9573],{},"Common language"," — standardized terminology for discussing security with auditors, customers, and partners",[175,9576,9577,9580],{},[61,9578,9579],{},"Benchmarking"," — a reference point for measuring maturity and identifying gaps",[175,9582,9583,9586],{},[61,9584,9585],{},"Compliance alignment"," — mapping to regulatory and contractual requirements",[112,9588,9590],{"id":9589},"what-are-common-control-frameworks","What are common control frameworks?",[37,9592,9593],{},"Several widely adopted control frameworks exist, each with a different focus:",[172,9595,9596,9602,9608,9614,9620,9626],{},[175,9597,9598,9601],{},[61,9599,9600],{},"SOC 2 Trust Services Criteria"," — evaluates controls across security, availability, processing integrity, confidentiality, and privacy for service organizations",[175,9603,9604,9607],{},[61,9605,9606],{},"ISO 27001 Annex A"," — provides 93 controls across organizational, people, physical, and technological themes for information security management",[175,9609,9610,9613],{},[61,9611,9612],{},"NIST Cybersecurity Framework (CSF)"," — organizes security activities into five functions: Identify, Protect, Detect, Respond, and Recover",[175,9615,9616,9619],{},[61,9617,9618],{},"NIST SP 800-53"," — a comprehensive catalog of security and privacy controls used primarily by US federal agencies and their contractors",[175,9621,9622,9625],{},[61,9623,9624],{},"CIS Controls"," — a prioritized set of actions (18 controls) that form a practical starting point for cybersecurity defense",[175,9627,9628,9631],{},[61,9629,9630],{},"COBIT"," — a framework for IT governance and 
management",[112,9633,9635],{"id":9634},"how-do-you-choose-a-control-framework","How do you choose a control framework?",[37,9637,9638],{},"The right framework depends on your organization's needs:",[172,9640,9641,9647,9653,9659,9665],{},[175,9642,9643,9646],{},[61,9644,9645],{},"Customer requirements"," — if customers require SOC 2 reports, the Trust Services Criteria will be your primary framework",[175,9648,9649,9652],{},[61,9650,9651],{},"Certification goals"," — if you need ISO 27001 certification, Annex A is the relevant control set",[175,9654,9655,9658],{},[61,9656,9657],{},"Industry"," — some industries have specific frameworks (HITRUST for healthcare, PCI DSS for payment cards)",[175,9660,9661,9664],{},[61,9662,9663],{},"Maturity level"," — organizations early in their security journey may start with CIS Controls, while more mature programs adopt NIST SP 800-53",[175,9666,9667,9670],{},[61,9668,9669],{},"Geography"," — ISO 27001 is globally recognized, while some frameworks are more region-specific",[112,9672,9674],{"id":9673},"how-do-you-map-controls-across-multiple-frameworks","How do you map controls across multiple frameworks?",[37,9676,9677],{},"Many organizations must comply with multiple frameworks simultaneously. Cross-framework mapping identifies where controls overlap, allowing a single control to satisfy requirements from multiple frameworks. 
For example, an access control policy might satisfy SOC 2 CC6.1, ISO 27001 A.5.15, and NIST CSF PR.AC-1.",[37,9679,9680],{},"Effective multi-framework mapping reduces duplication and helps organizations manage compliance efficiently.",[112,9682,9684],{"id":9683},"how-do-you-implement-a-control-framework","How do you implement a control framework?",[37,9686,9687],{},"Implementation typically follows these phases:",[210,9689,9690,9696,9702,9708,9713,9718],{},[175,9691,9692,9695],{},[61,9693,9694],{},"Gap assessment"," — compare current controls against the framework to identify gaps",[175,9697,9698,9701],{},[61,9699,9700],{},"Prioritization"," — rank gaps by risk impact and effort required",[175,9703,9704,9707],{},[61,9705,9706],{},"Control design"," — design controls to address identified gaps",[175,9709,9710,9712],{},[61,9711,9122],{}," — deploy controls through policies, processes, and technology",[175,9714,9715,9717],{},[61,9716,828],{}," — establish processes to collect and maintain compliance evidence",[175,9719,9720,9723],{},[61,9721,9722],{},"Monitoring and review"," — continuously assess control effectiveness and address changes",[112,9725,9727],{"id":9726},"how-does-episki-help-with-control-frameworks","How does episki help with control frameworks?",[37,9729,9730,9731,100],{},"episki supports multiple control frameworks out of the box with pre-built mappings between them. The platform lets you manage a single set of controls that maps to SOC 2, ISO 27001, NIST CSF, and other frameworks simultaneously, eliminating duplicate effort. 
Learn more on our ",[44,9732,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":9734},[9735],{"id":9543,"depth":547,"text":9544,"children":9736},[9737,9738,9739,9740,9741,9742],{"id":9550,"depth":554,"text":9551},{"id":9589,"depth":554,"text":9590},{"id":9634,"depth":554,"text":9635},{"id":9673,"depth":554,"text":9674},{"id":9683,"depth":554,"text":9684},{"id":9726,"depth":554,"text":9727},{},"\u002Fglossary\u002Fcontrol-framework",[631,8772,8775],[9251,8223,1138,1529,9747],"annex-a",{"title":9749,"description":9750},"What is a Control Framework? Definition & Compliance Guide","A control framework is a structured set of security controls and guidelines that organizations use to build and evaluate their security programs.","8.glossary\u002Fcontrol-framework","l51hViZJUNfZhxJcG_3gNPwVkEmK97R6TuCyFHlE8rs",{"id":9754,"title":9755,"body":9756,"description":546,"extension":578,"lastUpdated":1135,"meta":9953,"navigation":613,"path":9954,"relatedFrameworks":9955,"relatedTerms":9956,"seo":9958,"slug":9251,"stem":9961,"term":9761,"__hash__":9962},"glossary\u002F8.glossary\u002Fcontrol-objectives.md","Control Objectives",{"type":29,"value":9757,"toc":9942},[9758,9762,9765,9769,9772,9794,9798,9801,9815,9818,9822,9825,9857,9861,9864,9884,9888,9891,9923,9926,9930,9933,9937],[32,9759,9761],{"id":9760},"what-are-control-objectives","What are Control Objectives?",[37,9763,9764],{},"Control objectives are the specific goals or outcomes that a security control is designed to achieve. They define what a control should accomplish rather than how it should be implemented. 
Control objectives serve as the bridge between high-level security requirements and the specific controls an organization puts in place.",[112,9766,9768],{"id":9767},"what-role-do-control-objectives-play-in-compliance-frameworks","What role do control objectives play in compliance frameworks?",[37,9770,9771],{},"Control objectives appear across multiple compliance frameworks:",[172,9773,9774,9779,9784,9789],{},[175,9775,9776,9778],{},[61,9777,658],{}," — control objectives are aligned to Trust Services Criteria points. Each criterion defines an objective, and the organization implements controls to meet that objective.",[175,9780,9781,9783],{},[61,9782,393],{}," — Annex A contains control objectives organized into categories such as access control, cryptography, and operations security. Each objective has one or more associated controls.",[175,9785,9786,9788],{},[61,9787,411],{}," — requirements are organized around objectives like protecting cardholder data, maintaining secure systems, and implementing access controls.",[175,9790,9791,9793],{},[61,9792,6581],{}," — functions (Identify, Protect, Detect, Respond, Recover) represent high-level objectives, with categories and subcategories providing more specific objectives.",[112,9795,9797],{"id":9796},"what-is-the-difference-between-control-objectives-and-controls","What is the difference between control objectives and controls?",[37,9799,9800],{},"It is important to distinguish between control objectives and the controls themselves:",[172,9802,9803,9809],{},[175,9804,73,9805,9808],{},[61,9806,9807],{},"control objective"," states the desired outcome (e.g., \"ensure that access to systems is restricted to authorized users\")",[175,9810,73,9811,9814],{},[61,9812,9813],{},"control"," is the specific mechanism that achieves the objective (e.g., \"multi-factor authentication is required for all user logins\")",[37,9816,9817],{},"Multiple controls may support a single objective, and a single control may contribute to 
multiple objectives. This many-to-many relationship is why control mapping is essential for compliance management.",[112,9819,9821],{"id":9820},"how-do-you-write-effective-control-objectives","How do you write effective control objectives?",[37,9823,9824],{},"Well-written control objectives share several characteristics:",[172,9826,9827,9833,9839,9845,9851],{},[175,9828,9829,9832],{},[61,9830,9831],{},"Specific"," — clearly state what should be achieved without ambiguity",[175,9834,9835,9838],{},[61,9836,9837],{},"Measurable"," — define success in terms that can be tested or verified",[175,9840,9841,9844],{},[61,9842,9843],{},"Aligned to risk"," — address identified risks and threats relevant to the organization",[175,9846,9847,9850],{},[61,9848,9849],{},"Framework-referenced"," — map to applicable regulatory or framework requirements",[175,9852,9853,9856],{},[61,9854,9855],{},"Outcome-focused"," — describe the desired state rather than prescribing implementation details",[112,9858,9860],{"id":9859},"what-are-examples-of-control-objectives","What are examples of control objectives?",[37,9862,9863],{},"Common control objectives include:",[172,9865,9866,9869,9872,9875,9878,9881],{},[175,9867,9868],{},"Access to production systems is restricted to authorized personnel based on job function",[175,9870,9871],{},"Changes to production systems follow an approved change management process",[175,9873,9874],{},"Security events are logged, monitored, and responded to in a timely manner",[175,9876,9877],{},"Sensitive data is encrypted in transit and at rest",[175,9879,9880],{},"Employees receive security awareness training upon hire and annually thereafter",[175,9882,9883],{},"Vendor security is assessed before engagement and periodically during the relationship",[112,9885,9887],{"id":9886},"how-do-you-map-controls-to-objectives","How do you map controls to objectives?",[37,9889,9890],{},"The process of mapping controls to objectives 
involves:",[210,9892,9893,9899,9905,9911,9917],{},[175,9894,9895,9898],{},[61,9896,9897],{},"Identify applicable objectives"," — determine which control objectives are relevant based on your framework scope and risk assessment",[175,9900,9901,9904],{},[61,9902,9903],{},"Inventory existing controls"," — document current controls, processes, and tools",[175,9906,9907,9910],{},[61,9908,9909],{},"Map controls to objectives"," — link each control to the objectives it supports",[175,9912,9913,9916],{},[61,9914,9915],{},"Identify gaps"," — find objectives that lack sufficient supporting controls",[175,9918,9919,9922],{},[61,9920,9921],{},"Implement new controls"," — design and deploy controls to close identified gaps",[37,9924,9925],{},"This mapping exercise is fundamental to audit preparation and demonstrates to auditors that your control environment is comprehensive and well-organized.",[112,9927,9929],{"id":9928},"why-do-control-objectives-matter","Why do control objectives matter?",[37,9931,9932],{},"Control objectives provide structure and purpose to a compliance program. Without clear objectives, organizations risk implementing controls haphazardly — either missing critical areas or over-investing in low-risk areas. Well-defined objectives ensure that every control exists for a reason and contributes to the overall security posture.",[112,9934,9936],{"id":9935},"how-does-episki-help-with-control-objectives","How does episki help with control objectives?",[37,9938,9939,9940,100],{},"episki provides pre-defined control objectives mapped to SOC 2, ISO 27001, and other frameworks. The platform lets you link your controls to objectives, visualize coverage, and identify gaps. When auditors review your program, the objective-to-control mapping demonstrates a mature, structured approach. 
Learn more on our ",[44,9941,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":9943},[9944],{"id":9760,"depth":547,"text":9761,"children":9945},[9946,9947,9948,9949,9950,9951,9952],{"id":9767,"depth":554,"text":9768},{"id":9796,"depth":554,"text":9797},{"id":9820,"depth":554,"text":9821},{"id":9859,"depth":554,"text":9860},{"id":9886,"depth":554,"text":9887},{"id":9928,"depth":554,"text":9929},{"id":9935,"depth":554,"text":9936},{},"\u002Fglossary\u002Fcontrol-objectives",[631,8772],[1529,9530,9747,9957],"statement-of-applicability",{"title":9959,"description":9960},"What are Control Objectives? Definition & Compliance Guide","Control objectives define the specific goals a security control is designed to achieve. Learn how they apply across SOC 2, ISO 27001, and other frameworks.","8.glossary\u002Fcontrol-objectives","SpnIlD6HDVFEkmxROjZuChf2JX-l2Yxt87Vg5QUxGAg",{"id":9964,"title":2159,"body":9965,"description":546,"extension":578,"lastUpdated":1135,"meta":10152,"navigation":613,"path":2780,"relatedFrameworks":10153,"relatedTerms":10154,"seo":10158,"slug":2781,"stem":10161,"term":9970,"__hash__":10162},"glossary\u002F8.glossary\u002Fencryption.md",{"type":29,"value":9966,"toc":10141},[9967,9971,9974,9978,9984,9990,9996,10000,10003,10006,10020,10024,10027,10029,10046,10050,10053,10085,10089,10111,10115,10132,10136],[32,9968,9970],{"id":9969},"what-is-encryption","What is Encryption?",[37,9972,9973],{},"Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only authorized parties with the correct decryption key can convert the ciphertext back to plaintext. 
Encryption is one of the most important technical controls for protecting the confidentiality of sensitive data and is required by virtually every compliance framework.",[112,9975,9977],{"id":9976},"what-are-the-types-of-encryption","What are the types of encryption?",[37,9979,9980,9983],{},[61,9981,9982],{},"Symmetric encryption"," — uses the same key for both encryption and decryption. It is fast and efficient for large volumes of data. Common algorithms include AES-256 (the current standard) and AES-128.",[37,9985,9986,9989],{},[61,9987,9988],{},"Asymmetric encryption"," — uses a pair of keys: a public key for encryption and a private key for decryption. It is used for key exchange, digital signatures, and scenarios where parties cannot share a secret key in advance. Common algorithms include RSA and elliptic curve cryptography (ECC).",[37,9991,9992,9995],{},[61,9993,9994],{},"Hashing"," — technically not encryption (it is one-way and cannot be reversed), but often discussed alongside encryption. Hashing produces a fixed-length output from any input, used for password storage and data integrity verification. Common algorithms include SHA-256 and bcrypt.",[112,9997,9999],{"id":9998},"what-is-encryption-at-rest","What is encryption at rest?",[37,10001,10002],{},"Encryption at rest protects data stored in databases, file systems, backups, and storage media. 
If a storage device is stolen or improperly decommissioned, encryption prevents unauthorized access to the data.",[37,10004,10005],{},"Common implementations include:",[172,10007,10008,10011,10014,10017],{},[175,10009,10010],{},"Full disk encryption (BitLocker, FileVault, LUKS)",[175,10012,10013],{},"Database encryption (Transparent Data Encryption)",[175,10015,10016],{},"File-level encryption",[175,10018,10019],{},"Cloud storage encryption (most cloud providers offer encryption at rest by default)",[112,10021,10023],{"id":10022},"what-is-encryption-in-transit","What is encryption in transit?",[37,10025,10026],{},"Encryption in transit protects data as it moves between systems over networks. It prevents eavesdropping, man-in-the-middle attacks, and data interception.",[37,10028,10005],{},[172,10030,10031,10034,10037,10040,10043],{},[175,10032,10033],{},"TLS 1.2 or 1.3 for web traffic (HTTPS)",[175,10035,10036],{},"TLS for email (SMTP with STARTTLS)",[175,10038,10039],{},"VPN tunnels for site-to-site or remote access connections",[175,10041,10042],{},"SSH for administrative access",[175,10044,10045],{},"IPsec for network-level encryption",[112,10047,10049],{"id":10048},"how-does-key-management-support-encryption","How does key management support encryption?",[37,10051,10052],{},"Encryption is only as strong as its key management. Poor key management undermines the protection encryption provides. 
Key management best practices include:",[172,10054,10055,10061,10067,10073,10079],{},[175,10056,10057,10060],{},[61,10058,10059],{},"Key generation"," — use cryptographically secure random number generators",[175,10062,10063,10066],{},[61,10064,10065],{},"Key storage"," — store keys separately from the data they protect, using hardware security modules (HSMs) or key management services",[175,10068,10069,10072],{},[61,10070,10071],{},"Key rotation"," — rotate keys periodically to limit exposure if a key is compromised",[175,10074,10075,10078],{},[61,10076,10077],{},"Key access control"," — restrict key access to authorized personnel and systems",[175,10080,10081,10084],{},[61,10082,10083],{},"Key destruction"," — securely destroy keys when no longer needed",[112,10086,10088],{"id":10087},"what-are-the-encryption-requirements","What are the encryption requirements?",[172,10090,10091,10096,10101,10106],{},[175,10092,10093,10095],{},[61,10094,658],{}," — CC6.1 covers protection of data at rest (encryption among other mechanisms) and CC6.7 covers protection of data during transmission and movement",[175,10097,10098,10100],{},[61,10099,393],{}," — control A.8.24 addresses use of cryptography",[175,10102,10103,10105],{},[61,10104,402],{}," — encryption is an addressable implementation specification for ePHI both at rest (45 CFR 164.312(a)(2)(iv)) and in transit (45 CFR 164.312(e)(2)(ii)), under the required transmission security standard (45 CFR 164.312(e)(1)); addressable does not mean optional, it means implement it or document why an equivalent alternative is reasonable and appropriate",[175,10107,10108,10110],{},[61,10109,411],{}," — Requirement 3 requires stored PAN to be rendered unreadable (strong cryptography is one accepted method, alongside truncation, tokenization, and keyed hashing), and Requirement 4 requires strong cryptography to protect PAN in transit over open, public networks",[112,10112,10114],{"id":10113},"what-are-common-mistakes-with-encryption","What are common mistakes with encryption?",[172,10116,10117,10120,10123,10126,10129],{},[175,10118,10119],{},"Using outdated algorithms and protocols (DES, 3DES, RC4, SSL, TLS 1.0\u002F1.1)",[175,10121,10122],{},"Storing encryption keys alongside encrypted data",[175,10124,10125],{},"Failing to encrypt backups",[175,10127,10128],{},"Not encrypting data in transit within internal 
networks",[175,10130,10131],{},"Hardcoding keys in application source code",[112,10133,10135],{"id":10134},"how-does-episki-help-with-encryption","How does episki help with encryption?",[37,10137,10138,10139,100],{},"episki tracks your encryption implementations across systems, monitors certificate expirations, and documents encryption policies and key management practices for audit evidence. Learn more on our ",[44,10140,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":10142},[10143],{"id":9969,"depth":547,"text":9970,"children":10144},[10145,10146,10147,10148,10149,10150,10151],{"id":9976,"depth":554,"text":9977},{"id":9998,"depth":554,"text":9999},{"id":10022,"depth":554,"text":10023},{"id":10048,"depth":554,"text":10049},{"id":10087,"depth":554,"text":10088},{"id":10113,"depth":554,"text":10114},{"id":10134,"depth":554,"text":10135},{},[8771,631,8772,8773,8774],[10155,10156,10157,8782,2637],"pan","phi","tokenization",{"title":10159,"description":10160},"What is Encryption? Definition & Compliance Guide","Encryption transforms data into unreadable ciphertext to protect confidentiality. 
Learn about encryption at rest, in transit, and compliance requirements.","8.glossary\u002Fencryption","8HTAhzLPBjGJKnlguz6mBT1ob6J8h2KVZGzAJtWJEHM",{"id":10164,"title":10165,"body":10166,"description":546,"extension":578,"lastUpdated":1135,"meta":10366,"navigation":613,"path":3144,"relatedFrameworks":10367,"relatedTerms":10368,"seo":10369,"slug":1876,"stem":10372,"term":10171,"__hash__":10373},"glossary\u002F8.glossary\u002Fevidence-collection.md","Evidence Collection",{"type":29,"value":10167,"toc":10356},[10168,10172,10175,10179,10182,10196,10200,10203,10253,10257,10260,10266,10272,10278,10282,10326,10330,10347,10351],[32,10169,10171],{"id":10170},"what-is-evidence-collection","What is Evidence Collection?",[37,10173,10174],{},"Evidence collection is the systematic process of gathering, organizing, and maintaining documentation that demonstrates security controls are implemented and operating effectively. It is a critical activity for any compliance program — without evidence, an organization cannot prove to auditors, customers, or regulators that its controls actually work.",[112,10176,10178],{"id":10177},"why-does-evidence-collection-matter","Why does evidence collection matter?",[37,10180,10181],{},"Controls that exist only in policy documents are insufficient. Auditors and assessors require proof that controls are executed consistently. 
Evidence collection bridges the gap between \"we have a policy\" and \"we follow the policy.\" Without organized evidence:",[172,10183,10184,10187,10190,10193],{},[175,10185,10186],{},"Audits take longer and cost more due to scrambling for documentation",[175,10188,10189],{},"Control gaps go undetected until audit time",[175,10191,10192],{},"Audit opinions may be qualified due to insufficient evidence",[175,10194,10195],{},"Customer trust erodes when security claims cannot be substantiated",[112,10197,10199],{"id":10198},"what-are-the-types-of-evidence-in-compliance-audits","What are the types of evidence in compliance audits?",[37,10201,10202],{},"Evidence takes many forms depending on the control being demonstrated:",[172,10204,10205,10211,10217,10223,10229,10235,10241,10247],{},[175,10206,10207,10210],{},[61,10208,10209],{},"Screenshots"," — system configurations, access control settings, dashboard views",[175,10212,10213,10216],{},[61,10214,10215],{},"Logs"," — audit logs, access logs, change management logs, security event logs",[175,10218,10219,10222],{},[61,10220,10221],{},"Documents"," — policies, procedures, meeting minutes, training records",[175,10224,10225,10228],{},[61,10226,10227],{},"Tickets"," — change management tickets, incident response tickets, access request tickets",[175,10230,10231,10234],{},[61,10232,10233],{},"Reports"," — vulnerability scan reports, penetration test reports, risk assessment reports",[175,10236,10237,10240],{},[61,10238,10239],{},"Certifications"," — employee training certificates, vendor SOC 2 reports, compliance attestations",[175,10242,10243,10246],{},[61,10244,10245],{},"Configurations"," — infrastructure-as-code files, system configuration exports",[175,10248,10249,10252],{},[61,10250,10251],{},"Interviews"," — auditor interviews with control owners (for live audits)",[112,10254,10256],{"id":10255},"what-are-common-evidence-collection-approaches","What are common evidence collection 
approaches?",[37,10258,10259],{},"Organizations typically use one of three approaches:",[37,10261,10262,10265],{},[61,10263,10264],{},"Manual collection"," — control owners manually gather screenshots, exports, and documents on a scheduled basis. This is the most common starting point but is labor-intensive and error-prone.",[37,10267,10268,10271],{},[61,10269,10270],{},"Semi-automated collection"," — integrations with key systems (cloud providers, identity providers, ticketing systems) automatically pull evidence, supplemented by manual collection for controls without integration support.",[37,10273,10274,10277],{},[61,10275,10276],{},"Continuous automated collection"," — deep integrations with infrastructure and applications automatically collect and organize evidence on an ongoing basis, with minimal manual intervention.",[112,10279,10281],{"id":10280},"what-are-best-practices-for-evidence-collection","What are best practices for evidence collection?",[172,10283,10284,10290,10296,10302,10308,10314,10320],{},[175,10285,10286,10289],{},[61,10287,10288],{},"Define evidence requirements upfront"," — for each control, specify what evidence is needed, how often it should be collected, and who is responsible",[175,10291,10292,10295],{},[61,10293,10294],{},"Collect continuously, not just before audits"," — evidence collected throughout the period is more credible than evidence gathered in a rush before the audit",[175,10297,10298,10301],{},[61,10299,10300],{},"Timestamp everything"," — evidence must demonstrate when the control was operating, not just that it exists",[175,10303,10304,10307],{},[61,10305,10306],{},"Organize by control"," — structure evidence so it maps directly to controls and framework requirements",[175,10309,10310,10313],{},[61,10311,10312],{},"Maintain chain of custody"," — ensure evidence cannot be tampered with after collection",[175,10315,10316,10319],{},[61,10317,10318],{},"Review evidence quality"," — periodically verify that collected evidence 
actually demonstrates the control is working",[175,10321,10322,10325],{},[61,10323,10324],{},"Retain evidence appropriately"," — keep evidence for the required retention period (typically matching the audit cycle plus any regulatory requirements)",[112,10327,10329],{"id":10328},"what-are-common-challenges-with-evidence-collection","What are common challenges with evidence collection?",[172,10331,10332,10335,10338,10341,10344],{},[175,10333,10334],{},"Evidence collection is distributed across many teams and systems",[175,10336,10337],{},"Control owners forget to collect on schedule",[175,10339,10340],{},"Evidence quality varies — screenshots may be unclear or incomplete",[175,10342,10343],{},"Evidence becomes stale if not collected at the right frequency",[175,10345,10346],{},"Storing and organizing large volumes of evidence is difficult without proper tooling",[112,10348,10350],{"id":10349},"how-does-episki-help-with-evidence-collection","How does episki help with evidence collection?",[37,10352,10353,10354,100],{},"episki automates evidence collection through integrations with cloud providers, identity systems, and development tools. The platform assigns collection tasks to control owners, sends reminders, validates evidence quality, and organizes everything by control and framework. When audit time arrives, evidence is already collected and organized. Learn more on our ",[44,10355,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":10357},[10358],{"id":10170,"depth":547,"text":10171,"children":10359},[10360,10361,10362,10363,10364,10365],{"id":10177,"depth":554,"text":10178},{"id":10198,"depth":554,"text":10199},{"id":10255,"depth":554,"text":10256},{"id":10280,"depth":554,"text":10281},{"id":10328,"depth":554,"text":10329},{"id":10349,"depth":554,"text":10350},{},[631,8772,8773,8774],[1877,6724,1042,9251],{"title":10370,"description":10371},"What is Evidence Collection? 
Definition & Compliance Guide","Evidence collection is the process of gathering documentation that proves security controls are implemented and operating effectively for compliance audits.","8.glossary\u002Fevidence-collection","-4Die8_TxT3p7plrS5QfBm3mjx6_FZQa79Sl58zqSnw",{"id":10375,"title":6276,"body":10376,"description":546,"extension":578,"lastUpdated":1135,"meta":10479,"navigation":613,"path":10480,"relatedFrameworks":10481,"relatedTerms":10482,"seo":10483,"slug":10486,"stem":10487,"term":10381,"__hash__":10488},"glossary\u002F8.glossary\u002Fframework.md",{"type":29,"value":10377,"toc":10471},[10378,10382,10385,10389,10416,10420,10423,10441,10445,10448,10462,10466],[32,10379,10381],{"id":10380},"what-is-a-framework","What is a Framework?",[37,10383,10384],{},"A framework is a structured set of guidelines, controls, and best practices that organizations follow to manage security, risk, and compliance. Frameworks provide a common language and systematic approach for identifying risks, implementing safeguards, and demonstrating due diligence to auditors, customers, and regulators.",[112,10386,10388],{"id":10387},"what-are-common-compliance-frameworks","What are common compliance frameworks?",[172,10390,10391,10396,10401,10406,10411],{},[175,10392,10393,10395],{},[61,10394,393],{}," — an international standard for information security management systems (ISMS) with a risk-based approach to protecting information assets.",[175,10397,10398,10400],{},[61,10399,658],{}," — a reporting framework developed by the AICPA based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.",[175,10402,10403,10405],{},[61,10404,402],{}," — a US law that sets requirements for protecting health information, including the Security Rule and Privacy Rule.",[175,10407,10408,10410],{},[61,10409,411],{}," — a set of security standards for organizations that handle payment card data.",[175,10412,10413,10415],{},[61,10414,6581],{}," — a 
voluntary framework published by the National Institute of Standards and Technology that provides a common taxonomy for managing cybersecurity risk.",[112,10417,10419],{"id":10418},"what-is-the-difference-between-a-framework-a-standard-and-a-regulation","What is the difference between a framework, a standard, and a regulation?",[37,10421,10422],{},"These terms are often used interchangeably but have important distinctions:",[172,10424,10425,10430,10435],{},[175,10426,10427,10429],{},[61,10428,6276],{}," — a flexible structure of guidelines that can be adapted to an organization's context (e.g., NIST CSF).",[175,10431,10432,10434],{},[61,10433,4581],{}," — a more prescriptive set of requirements that can be certified against (e.g., ISO 27001).",[175,10436,10437,10440],{},[61,10438,10439],{},"Regulation"," — a legally binding requirement enforced by a governing body (e.g., HIPAA, GDPR).",[112,10442,10444],{"id":10443},"how-do-you-choose-a-framework","How do you choose a framework?",[37,10446,10447],{},"When selecting a framework, consider:",[172,10449,10450,10453,10456,10459],{},[175,10451,10452],{},"Customer and market requirements — enterprise buyers often require SOC 2 or ISO 27001",[175,10454,10455],{},"Industry regulations — healthcare organizations must comply with HIPAA; payment processors with PCI DSS",[175,10457,10458],{},"Geographic scope — GDPR for organizations handling EU data",[175,10460,10461],{},"Organizational maturity — NIST CSF is often a good starting point for organizations new to formal security programs",[112,10463,10465],{"id":10464},"how-does-episki-help-with-compliance-frameworks","How does episki help with compliance frameworks?",[37,10467,10468,10469,100],{},"episki supports multiple frameworks in a single workspace, allowing organizations to map controls across standards and reuse evidence. 
Learn more on our ",[44,10470,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":10472},[10473],{"id":10380,"depth":547,"text":10381,"children":10474},[10475,10476,10477,10478],{"id":10387,"depth":554,"text":10388},{"id":10418,"depth":554,"text":10419},{"id":10443,"depth":554,"text":10444},{"id":10464,"depth":554,"text":10465},{},"\u002Fglossary\u002Fframework",[631,8772,8773,8774,8775],[9530,9251,1138],{"title":10484,"description":10485},"What is a Framework? Definition & Compliance Guide","A framework is a structured set of guidelines and controls organizations follow to manage security and compliance. Common examples include ISO 27001, SOC 2, and NIST CSF.","framework","8.glossary\u002Fframework","CdMCpQrbry3zSa1fdtsyViYMvkP88wOS8pALWkyZ5Mo",{"id":10490,"title":10491,"body":10492,"description":546,"extension":578,"lastUpdated":1135,"meta":10599,"navigation":613,"path":6170,"relatedFrameworks":10600,"relatedTerms":10601,"seo":10602,"slug":1138,"stem":10605,"term":10497,"__hash__":10606},"glossary\u002F8.glossary\u002Fgrc.md","Grc",{"type":29,"value":10493,"toc":10590},[10494,10498,10505,10509,10512,10526,10530,10533,10547,10551,10562,10566,10569,10583,10587],[32,10495,10497],{"id":10496},"what-is-grc","What is GRC?",[37,10499,10500,10501,10504],{},"GRC stands for ",[61,10502,10503],{},"governance, risk, and compliance"," — a coordinated approach to aligning IT and security practices with business objectives, managing risk, and meeting regulatory requirements.",[112,10506,10508],{"id":10507},"what-is-governance-in-grc","What is governance in GRC?",[37,10510,10511],{},"Governance defines the policies, roles, and decision-making structures that guide how an organization operates. 
In a security context, governance includes:",[172,10513,10514,10517,10520,10523],{},[175,10515,10516],{},"Establishing security policies and standards",[175,10518,10519],{},"Assigning ownership for controls and programs",[175,10521,10522],{},"Setting risk appetite and tolerance levels",[175,10524,10525],{},"Board-level oversight of security posture",[112,10527,10529],{"id":10528},"what-is-risk-management-in-grc","What is risk management in GRC?",[37,10531,10532],{},"Risk management is the process of identifying, assessing, and treating threats that could affect the organization. Common activities include:",[172,10534,10535,10538,10541,10544],{},[175,10536,10537],{},"Maintaining a risk register with likelihood and impact scores",[175,10539,10540],{},"Prioritizing remediation based on business impact",[175,10542,10543],{},"Tracking treatment plans with owners and deadlines",[175,10545,10546],{},"Reviewing risk posture on a recurring schedule",[112,10548,10550],{"id":10549},"what-is-compliance-in-grc","What is compliance in GRC?",[37,10552,10553,10554,418,10556,418,10558,422,10560,100],{},"Compliance means meeting the requirements of external standards, regulations, and contractual obligations. Common compliance frameworks include ",[44,10555,658],{"href":614},[44,10557,393],{"href":392},[44,10559,402],{"href":401},[44,10561,411],{"href":410},[112,10563,10565],{"id":10564},"why-does-grc-matter","Why does GRC matter?",[37,10567,10568],{},"Without a coordinated approach, organizations end up with fragmented policies, duplicated controls, and gaps between what auditors expect and what teams actually do. 
A GRC program brings these disciplines together so that:",[172,10570,10571,10574,10577,10580],{},[175,10572,10573],{},"Controls are mapped once and reused across frameworks",[175,10575,10576],{},"Risk decisions inform which controls get priority",[175,10578,10579],{},"Evidence is collected continuously rather than scrambled before audits",[175,10581,10582],{},"Leadership has visibility into security posture and compliance status",[112,10584,10586],{"id":10585},"what-is-grc-software","What is GRC software?",[37,10588,10589],{},"GRC platforms like episki centralize controls, evidence, risk registers, and auditor collaboration in one workspace. Instead of managing compliance in spreadsheets, teams can assign owners, track evidence, and run programs across multiple frameworks simultaneously.",{"title":546,"searchDepth":547,"depth":547,"links":10591},[10592],{"id":10496,"depth":547,"text":10497,"children":10593},[10594,10595,10596,10597,10598],{"id":10507,"depth":554,"text":10508},{"id":10528,"depth":554,"text":10529},{"id":10549,"depth":554,"text":10550},{"id":10564,"depth":554,"text":10565},{"id":10585,"depth":554,"text":10586},{},[631,8772,8773,8774,8775],[8223,9530,1877,1876],{"title":10603,"description":10604},"What is GRC? Governance, Risk, and Compliance Explained","GRC stands for governance, risk, and compliance. 
Learn how GRC programs help organizations manage risk, meet regulatory requirements, and align security with business goals.","8.glossary\u002Fgrc","6r8Pzm3RtrpbRSlELLbyQ2mEbI0Rv-73CiQlZaZiv9g",{"id":10608,"title":10609,"body":10610,"description":546,"extension":578,"lastUpdated":1135,"meta":10835,"navigation":613,"path":10836,"relatedFrameworks":10837,"relatedTerms":10838,"seo":10839,"slug":1530,"stem":10842,"term":10615,"__hash__":10843},"glossary\u002F8.glossary\u002Fincident-response.md","Incident Response",{"type":29,"value":10611,"toc":10825},[10612,10616,10619,10623,10626,10631,10651,10656,10673,10678,10695,10700,10717,10721,10724,10762,10766,10788,10792,10795,10799,10816,10820],[32,10613,10615],{"id":10614},"what-is-incident-response","What is Incident Response?",[37,10617,10618],{},"Incident response (IR) is the organized approach to detecting, managing, and recovering from security incidents such as data breaches, malware infections, unauthorized access, and denial-of-service attacks. An effective incident response program minimizes damage, reduces recovery time, and preserves evidence for investigation and compliance purposes.",[112,10620,10622],{"id":10621},"what-is-the-incident-response-lifecycle","What is the incident response lifecycle?",[37,10624,10625],{},"Most incident response programs follow the NIST SP 800-61 Rev. 2 incident handling lifecycle, which defines four phases:",[37,10627,10628],{},[61,10629,10630],{},"1. Preparation",[172,10632,10633,10636,10639,10642,10645,10648],{},[175,10634,10635],{},"Develop and document the incident response plan",[175,10637,10638],{},"Establish the incident response team and define roles",[175,10640,10641],{},"Deploy detection and monitoring tools",[175,10643,10644],{},"Conduct training and tabletop exercises",[175,10646,10647],{},"Establish communication channels and escalation procedures",[175,10649,10650],{},"Prepare forensic tools and evidence collection procedures",[37,10652,10653],{},[61,10654,10655],{},"2. 
Detection and analysis",[172,10657,10658,10661,10664,10667,10670],{},[175,10659,10660],{},"Monitor systems for indicators of compromise (IOCs)",[175,10662,10663],{},"Triage alerts to distinguish real incidents from false positives",[175,10665,10666],{},"Determine the scope, severity, and impact of the incident",[175,10668,10669],{},"Classify the incident (data breach, malware, unauthorized access, etc.)",[175,10671,10672],{},"Document findings and initial assessment",[37,10674,10675],{},[61,10676,10677],{},"3. Containment, eradication, and recovery",[172,10679,10680,10683,10686,10689,10692],{},[175,10681,10682],{},"Contain the incident to prevent further damage (short-term and long-term containment)",[175,10684,10685],{},"Eradicate the root cause (remove malware, close vulnerabilities, revoke compromised credentials)",[175,10687,10688],{},"Recover affected systems to normal operations",[175,10690,10691],{},"Verify that systems are clean and functioning properly",[175,10693,10694],{},"Monitor for signs of recurring activity",[37,10696,10697],{},[61,10698,10699],{},"4. 
Post-incident activity",[172,10701,10702,10705,10708,10711,10714],{},[175,10703,10704],{},"Conduct a lessons-learned review",[175,10706,10707],{},"Document the incident timeline, actions taken, and outcomes",[175,10709,10710],{},"Identify improvements to prevent similar incidents",[175,10712,10713],{},"Update the incident response plan based on lessons learned",[175,10715,10716],{},"Fulfill any regulatory notification requirements",[112,10718,10720],{"id":10719},"who-should-be-on-the-incident-response-team","Who should be on the incident response team?",[37,10722,10723],{},"An incident response team typically includes:",[172,10725,10726,10732,10738,10744,10750,10756],{},[175,10727,10728,10731],{},[61,10729,10730],{},"Incident commander"," — leads the response effort and makes key decisions",[175,10733,10734,10737],{},[61,10735,10736],{},"Security analysts"," — perform technical investigation and containment",[175,10739,10740,10743],{},[61,10741,10742],{},"IT operations"," — support system recovery and infrastructure changes",[175,10745,10746,10749],{},[61,10747,10748],{},"Legal counsel"," — advise on regulatory obligations and liability",[175,10751,10752,10755],{},[61,10753,10754],{},"Communications"," — manage internal and external communications",[175,10757,10758,10761],{},[61,10759,10760],{},"Executive sponsor"," — provides management authority and resources",[112,10763,10765],{"id":10764},"how-do-compliance-frameworks-address-incident-response","How do compliance frameworks address incident response?",[172,10767,10768,10773,10778,10783],{},[175,10769,10770,10772],{},[61,10771,658],{}," — CC7.3 requires evaluating security events, CC7.4 requires responding to identified incidents through a defined incident response program, and CC7.5 requires recovering from them",[175,10774,10775,10777],{},[61,10776,393],{}," — controls A.5.24 through A.5.28 address incident management planning, assessment, response, learning, and collection of evidence",[175,10779,10780,10782],{},[61,10781,402],{}," — the Security Rule requires security incident procedures (45 CFR 
164.308(a)(6)), and the Breach Notification Rule mandates notification following PHI breaches",[175,10784,10785,10787],{},[61,10786,6581],{}," — the Respond function (RS) addresses response planning, communications, analysis, mitigation, and improvements",[112,10789,10791],{"id":10790},"what-is-an-incident-response-tabletop-exercise","What is an incident response tabletop exercise?",[37,10793,10794],{},"Regular tabletop exercises test the incident response plan in a low-pressure setting. The team walks through a hypothetical scenario, discussing decisions and actions at each stage. Tabletop exercises help identify gaps in the plan, clarify roles, and build team readiness without the stress of a real incident.",[112,10796,10798],{"id":10797},"what-are-common-pitfalls-with-incident-response","What are common pitfalls with incident response?",[172,10800,10801,10804,10807,10810,10813],{},[175,10802,10803],{},"No documented incident response plan",[175,10805,10806],{},"Team members unsure of their roles during an incident",[175,10808,10809],{},"Failure to preserve evidence for investigation",[175,10811,10812],{},"Delayed or incomplete regulatory notification",[175,10814,10815],{},"Not conducting post-incident reviews",[112,10817,10819],{"id":10818},"how-does-episki-help-with-incident-response","How does episki help with incident response?",[37,10821,10822,10823,100],{},"episki provides incident response plan templates, tracks tabletop exercises, and maintains documentation for compliance evidence. The platform includes breach notification workflows with timeline tracking to ensure regulatory deadlines are met. 
Learn more on our ",[44,10824,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":10826},[10827],{"id":10614,"depth":547,"text":10615,"children":10828},[10829,10830,10831,10832,10833,10834],{"id":10621,"depth":554,"text":10622},{"id":10719,"depth":554,"text":10720},{"id":10764,"depth":554,"text":10765},{"id":10790,"depth":554,"text":10791},{"id":10797,"depth":554,"text":10798},{"id":10818,"depth":554,"text":10819},{},"\u002Fglossary\u002Fincident-response",[8771,631,8772,8773,8775],[4188,1877,5627,1525,1526],{"title":10840,"description":10841},"What is Incident Response? Definition & Compliance Guide","Incident response is the organized process of detecting, containing, and recovering from security incidents. Learn the phases, team roles, and compliance needs.","8.glossary\u002Fincident-response","3d1Zo1hC_y8Yl5qVJHyBrOH6lbXC5sqShRom8maKwxc",{"id":10845,"title":10846,"body":10847,"description":546,"extension":578,"lastUpdated":1135,"meta":10952,"navigation":613,"path":10953,"relatedFrameworks":10954,"relatedTerms":10955,"seo":10956,"slug":10959,"stem":10960,"term":10852,"__hash__":10961},"glossary\u002F8.glossary\u002Fjob-separation.md","Job Separation",{"type":29,"value":10848,"toc":10943},[10849,10853,10856,10860,10863,10867,10892,10896,10913,10917,10920,10934,10938],[32,10850,10852],{"id":10851},"what-is-job-separation","What is Job Separation?",[37,10854,10855],{},"Job separation, also known as segregation of duties (SoD), is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud, error, or abuse of privilege. 
The principle ensures that no single individual has end-to-end control over a sensitive process.",[112,10857,10859],{"id":10858},"why-does-job-separation-matter","Why does job separation matter?",[37,10861,10862],{},"When one person controls an entire workflow — such as approving and executing financial transactions, or deploying code and managing production access — the risk of undetected mistakes or intentional misuse increases significantly. Segregation of duties creates natural checkpoints where different individuals must independently verify or authorize actions.",[112,10864,10866],{"id":10865},"what-are-common-examples-of-job-separation","What are common examples of job separation?",[172,10868,10869,10875,10880,10886],{},[175,10870,10871,10874],{},[61,10872,10873],{},"Financial controls"," — the person who requests a purchase should not be the same person who approves payment",[175,10876,10877,10879],{},[61,10878,364],{}," — developers who write code should not be the same people who approve and deploy it to production",[175,10881,10882,10885],{},[61,10883,10884],{},"User access management"," — the person who requests access should not be the one who grants it",[175,10887,10888,10891],{},[61,10889,10890],{},"Audit and review"," — internal auditors should be independent of the processes they audit",[112,10893,10895],{"id":10894},"how-do-compliance-frameworks-address-job-separation","How do compliance frameworks address job separation?",[172,10897,10898,10903,10908],{},[175,10899,10900,10902],{},[61,10901,658],{}," — CC5.2 and CC6.1 address segregation of duties as part of control activities and access controls",[175,10904,10905,10907],{},[61,10906,393],{}," — A.5.3 requires segregation of duties to reduce opportunities for unauthorized modification or misuse",[175,10909,10910,10912],{},[61,10911,411],{}," — Requirements 6.5.3 and 6.5.4 (PCI DSS v4.0) require separating pre-production (development and test) environments from production and separating the roles and functions that work in those 
environments",[112,10914,10916],{"id":10915},"what-compensating-controls-apply-when-job-separation-is-not-possible","What compensating controls apply when job separation is not possible?",[37,10918,10919],{},"In smaller organizations where strict separation is not always feasible, compensating controls can help:",[172,10921,10922,10925,10928,10931],{},[175,10923,10924],{},"Detailed audit logging of all actions",[175,10926,10927],{},"Regular management review of activity logs",[175,10929,10930],{},"Automated alerts for high-risk activities",[175,10932,10933],{},"Periodic access reviews to verify role appropriateness",[112,10935,10937],{"id":10936},"how-does-episki-help-with-job-separation","How does episki help with job separation?",[37,10939,10940,10941,100],{},"episki maps segregation of duties requirements across frameworks, tracks who has access to what, and provides evidence trails for auditors. Learn more on our ",[44,10942,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":10944},[10945],{"id":10851,"depth":547,"text":10852,"children":10946},[10947,10948,10949,10950,10951],{"id":10858,"depth":554,"text":10859},{"id":10865,"depth":554,"text":10866},{"id":10894,"depth":554,"text":10895},{"id":10915,"depth":554,"text":10916},{"id":10936,"depth":554,"text":10937},{},"\u002Fglossary\u002Fjob-separation",[631,8772,8774],[8782,8223,9251],{"title":10957,"description":10958},"What is Job Separation? 
Definition & Compliance Guide","Job separation (segregation of duties) is the practice of dividing critical responsibilities among multiple people to reduce the risk of fraud or error.","job-separation","8.glossary\u002Fjob-separation","NGlRTvMi7wGdE1a4aqRDvGWJqatS66pV0ZpUqXQPEGI",{"id":10963,"title":10964,"body":10965,"description":546,"extension":578,"lastUpdated":1135,"meta":11495,"navigation":613,"path":2784,"relatedFrameworks":11496,"relatedTerms":11497,"seo":11498,"slug":3054,"stem":11501,"term":10970,"__hash__":11502},"glossary\u002F8.glossary\u002Fkey-management.md","Key Management",{"type":29,"value":10966,"toc":11483},[10967,10971,10974,10978,11015,11019,11022,11025,11051,11054,11058,11061,11066,11069,11095,11103,11106,11110,11113,11139,11142,11161,11164,11168,11171,11185,11188,11199,11206,11217,11221,11224,11318,11323,11350,11354,11357,11407,11411,11453,11457,11474,11478],[32,10968,10970],{"id":10969},"what-is-key-management","What is Key Management?",[37,10972,10973],{},"Key management is the process of creating, storing, distributing, rotating, and retiring cryptographic keys used to protect encrypted data. 
Effective key management ensures that encryption actually delivers the confidentiality and integrity it promises — poorly managed keys can render even strong encryption useless.",[112,10975,10977],{"id":10976},"what-are-the-stages-of-the-key-lifecycle","What are the stages of the key lifecycle?",[172,10979,10980,10986,10991,10997,11003,11009],{},[175,10981,10982,10985],{},[61,10983,10984],{},"Generation"," — creating keys using cryptographically secure methods with appropriate key lengths",[175,10987,10988,10990],{},[61,10989,6307],{}," — securely delivering keys to authorized systems or users",[175,10992,10993,10996],{},[61,10994,10995],{},"Storage"," — protecting keys at rest using hardware security modules (HSMs), key vaults, or other secure storage",[175,10998,10999,11002],{},[61,11000,11001],{},"Rotation"," — periodically replacing keys to limit the impact of a potential compromise",[175,11004,11005,11008],{},[61,11006,11007],{},"Revocation"," — disabling keys that are no longer trusted or have been compromised",[175,11010,11011,11014],{},[61,11012,11013],{},"Destruction"," — securely deleting keys that are no longer needed, ensuring they cannot be recovered",[112,11016,11018],{"id":11017},"why-does-key-management-matter-for-security","Why does key management matter for security?",[37,11020,11021],{},"Encryption is only as strong as the key management behind it. A 256-bit AES key offers no protection if it's stored in the same database as the data it encrypts — an attacker who compromises the database gets both the ciphertext and the key to decrypt it. 
This is not a theoretical concern; it's one of the most common encryption failures found in penetration tests and compliance assessments.",[37,11023,11024],{},"Key management failures create several categories of risk:",[172,11026,11027,11033,11039,11045],{},[175,11028,11029,11032],{},[61,11030,11031],{},"Exposure of historical data"," — Without regular key rotation, a single key compromise exposes every record encrypted with that key, potentially spanning years of sensitive data. Rotating keys limits the blast radius of any individual compromise.",[175,11034,11035,11038],{},[61,11036,11037],{},"Insider threats"," — If one administrator holds all key material with no split knowledge or dual control, that person can access every encrypted record in the organization. Proper key management distributes trust across multiple individuals.",[175,11040,11041,11044],{},[61,11042,11043],{},"Compliance failures"," — Auditors don't just check that encryption is enabled. They verify that keys are managed according to documented procedures, rotated on schedule, and protected with controls proportional to the sensitivity of the data they protect.",[175,11046,11047,11050],{},[61,11048,11049],{},"Incident response gaps"," — Organizations that lack documented key management procedures often cannot determine which data was exposed during a breach, which keys need emergency rotation, or how to restore encrypted backups after a key custodian leaves the company.",[37,11052,11053],{},"The bottom line: encryption without proper key management is security theater. It checks a box on a checklist without actually reducing risk. 
Organizations that invest in strong encryption algorithms but neglect key management are protecting data with a lock and then leaving the key under the doormat.",[112,11055,11057],{"id":11056},"what-are-common-key-management-architectures","What are common key management architectures?",[37,11059,11060],{},"There are three primary approaches to key management, each suited to different risk profiles, compliance requirements, and operational maturity levels. The right choice depends on what data you're protecting, which frameworks you're subject to, and how much operational complexity you can absorb.",[11062,11063,11065],"h4",{"id":11064},"cloud-kms","Cloud KMS",[37,11067,11068],{},"Cloud key management services — including AWS KMS, Azure Key Vault, and GCP Cloud KMS — are the most common starting point for organizations running workloads in the cloud. These services provide:",[172,11070,11071,11077,11083,11089],{},[175,11072,11073,11076],{},[61,11074,11075],{},"Envelope encryption"," — Data is encrypted with a data encryption key (DEK), and the DEK itself is encrypted with a key encryption key (KEK) managed by the cloud provider. This limits the number of calls to the KMS while keeping the master key material protected.",[175,11078,11079,11082],{},[61,11080,11081],{},"Customer-managed keys (CMK)"," — You control key rotation schedules, access policies, and deletion. The cloud provider manages the underlying infrastructure but cannot use the key without your authorization.",[175,11084,11085,11088],{},[61,11086,11087],{},"Provider-managed keys"," — The cloud provider handles all key management automatically. Simpler to operate, but offers less control and may not satisfy compliance requirements that mandate customer-controlled keys.",[175,11090,11091,11094],{},[61,11092,11093],{},"Bring Your Own Key (BYOK)"," — You generate keys in your own environment (often an on-premises HSM) and import them into the cloud KMS. 
This satisfies requirements for key generation in a controlled environment while still leveraging cloud-native encryption integration.",[37,11096,11097,11098,539,11100,11102],{},"Cloud KMS is appropriate for most SaaS applications, internal systems, and workloads where the cloud provider is already part of the trust boundary. For organizations subject to ",[44,11099,411],{"href":410},[44,11101,658],{"href":614},", cloud KMS with customer-managed keys typically satisfies key management requirements when combined with proper access policies and rotation schedules.",[37,11104,11105],{},"Most cloud KMS services also provide detailed audit logs of every key operation, which simplifies compliance evidence collection during assessments.",[11062,11107,11109],{"id":11108},"hardware-security-modules-hsms","Hardware Security Modules (HSMs)",[37,11111,11112],{},"HSMs are dedicated hardware devices designed to generate, store, and manage cryptographic keys in a tamper-resistant environment. They are validated against FIPS 140-2 or FIPS 140-3 standards at various levels:",[172,11114,11115,11121,11127,11133],{},[175,11116,11117,11120],{},[61,11118,11119],{},"Level 1"," — Basic security requirements, no physical tamper resistance",[175,11122,11123,11126],{},[61,11124,11125],{},"Level 2"," — Tamper-evident coatings or seals, role-based authentication",[175,11128,11129,11132],{},[61,11130,11131],{},"Level 3"," — Tamper-resistant with active response mechanisms (e.g., zeroization of keys upon detection of physical intrusion)",[175,11134,11135,11138],{},[61,11136,11137],{},"Level 4"," — Full physical security envelope with environmental failure protection",[37,11140,11141],{},"HSMs are required or strongly recommended in several contexts:",[172,11143,11144,11149,11155],{},[175,11145,11146,11148],{},[61,11147,411],{}," — Strongly recommended for protecting cardholder data encryption keys, and effectively required for PIN-based transaction 
processing",[175,11150,11151,11154],{},[61,11152,11153],{},"Government and defense"," — CMMC, FedRAMP, and similar frameworks often require FIPS 140-2 Level 3 or higher for cryptographic key storage",[175,11156,11157,11160],{},[61,11158,11159],{},"Certificate authorities"," — Root and intermediate CA private keys must be stored in HSMs per industry standards",[37,11162,11163],{},"Cloud-based HSM options (AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM) provide FIPS 140-2 Level 3 validated hardware in cloud data centers, bridging the gap between on-premises HSM security and cloud operational convenience.",[11062,11165,11167],{"id":11166},"software-based-key-stores","Software-based key stores",[37,11169,11170],{},"Software-based solutions like HashiCorp Vault, CyberArk Conjur, or application-level key management provide flexibility without dedicated hardware. These tools offer:",[172,11172,11173,11176,11179,11182],{},[175,11174,11175],{},"Centralized secret and key management across multiple applications and environments",[175,11177,11178],{},"Dynamic secrets that are generated on demand and automatically revoked after use",[175,11180,11181],{},"Audit logging of all key access and operations",[175,11183,11184],{},"Integration with identity providers for policy-based access control",[37,11186,11187],{},"Software key stores are appropriate when:",[172,11189,11190,11193,11196],{},[175,11191,11192],{},"Compliance requirements do not mandate HSMs",[175,11194,11195],{},"You need to manage secrets and keys across hybrid or multi-cloud environments",[175,11197,11198],{},"Your threat model does not include sophisticated physical or hardware-level attacks",[37,11200,11201,11202,11205],{},"They are ",[61,11203,11204],{},"not"," appropriate when:",[172,11207,11208,11211,11214],{},[175,11209,11210],{},"Regulations explicitly require hardware-based key protection (e.g., PCI PIN security, certain government classifications)",[175,11212,11213],{},"Your risk assessment identifies 
nation-state or advanced persistent threats targeting cryptographic material",[175,11215,11216],{},"You need to provide cryptographic proof that keys have never been exposed to software",[112,11218,11220],{"id":11219},"what-are-the-key-management-requirements","What are the key management requirements?",[37,11222,11223],{},"Different compliance frameworks impose different key management requirements. Understanding these differences is critical when an organization is subject to multiple frameworks simultaneously — which is increasingly common. The following table provides a practical comparison across five major frameworks:",[859,11225,11226,11242],{},[862,11227,11228],{},[865,11229,11230,11232,11234,11236,11238,11240],{},[868,11231,8545],{},[868,11233,411],{},[868,11235,393],{},[868,11237,402],{},[868,11239,658],{},[868,11241,425],{},[875,11243,11244,11262,11281,11300],{},[865,11245,11246,11249,11252,11255,11257,11259],{},[880,11247,11248],{},"Documented key management procedures",[880,11250,11251],{},"Req 3.6",[880,11253,11254],{},"A.8.24",[880,11256,8590],{},[880,11258,8565],{},[880,11260,11261],{},"SC.L2-3.13.10",[865,11263,11264,11267,11270,11273,11276,11278],{},[880,11265,11266],{},"Key rotation schedule",[880,11268,11269],{},"Annual minimum",[880,11271,11272],{},"Risk-based",[880,11274,11275],{},"Not specified",[880,11277,11272],{},[880,11279,11280],{},"Per NIST 800-171",[865,11282,11283,11286,11289,11292,11294,11297],{},[880,11284,11285],{},"Split knowledge \u002F dual control",[880,11287,11288],{},"Required for manual keys",[880,11290,11291],{},"Recommended",[880,11293,11275],{},[880,11295,11296],{},"Expected",[880,11298,11299],{},"Required",[865,11301,11302,11305,11308,11310,11313,11315],{},[880,11303,11304],{},"HSM or equivalent",[880,11306,11307],{},"Strongly recommended",[880,11309,11272],{},[880,11311,11312],{},"Not required",[880,11314,11272],{},[880,11316,11317],{},"Varies by level",[37,11319,11320],{},[61,11321,11322],{},"Reading this 
table:",[172,11324,11325,11330,11335,11340,11345],{},[175,11326,11327,11329],{},[61,11328,411],{}," is the most prescriptive. Requirement 3.6 specifies exactly what key management procedures must include, from key generation through destruction. Annual key rotation is a minimum baseline, and split knowledge\u002Fdual control is mandatory whenever keys are managed manually.",[175,11331,11332,11334],{},[61,11333,393],{}," takes a risk-based approach. Annex A control A.8.24 requires a policy on the use of cryptographic controls including key management, but the specific controls depend on your risk assessment and Statement of Applicability.",[175,11336,11337,11339],{},[61,11338,402],{}," is the least prescriptive on key management specifically. Encryption of ePHI is an \"addressable\" implementation specification, meaning organizations must implement it or document why an equivalent alternative is appropriate. Key management requirements follow from the encryption decision.",[175,11341,11342,11344],{},[61,11343,658],{}," addresses key management through the Common Criteria, particularly CC6.1 (logical access) and CC6.7 (data transmission). The specific expectations depend on the trust services criteria in scope and the auditor's interpretation.",[175,11346,11347,11349],{},[61,11348,425],{}," references NIST SP 800-171 for key management requirements. At Level 2, control SC.L2-3.13.10 requires establishing and managing cryptographic keys when cryptography is employed. Higher levels add additional requirements.",[112,11351,11353],{"id":11352},"what-are-common-key-management-mistakes","What are common key management mistakes?",[37,11355,11356],{},"Even organizations with mature security programs make key management errors. These mistakes are found repeatedly in audit findings, penetration test reports, and breach post-mortems. 
The most frequent include:",[172,11358,11359,11365,11371,11377,11383,11389,11395,11401],{},[175,11360,11361,11364],{},[61,11362,11363],{},"Storing keys alongside encrypted data"," — Placing encryption keys in the same database, file system, or backup as the data they protect. If an attacker gains access to the data store, they get the keys too. Keys must be stored in a separate system with independent access controls.",[175,11366,11367,11370],{},[61,11368,11369],{},"Hardcoding keys in source code"," — Embedding encryption keys, API keys, or other secrets directly in application code. These keys end up in version control history, CI\u002FCD logs, and developer laptops. Use a secrets manager or environment variable injection instead.",[175,11372,11373,11376],{},[61,11374,11375],{},"No key rotation policy"," — Using the same encryption keys indefinitely. Without rotation, a single compromise exposes all data ever encrypted with that key. Define rotation schedules based on data sensitivity and framework requirements.",[175,11378,11379,11382],{},[61,11380,11381],{},"Single person with all key access"," — Concentrating key custody in one individual with no split knowledge or dual control. This creates both a security risk (insider threat) and an operational risk (key unavailability if that person is unreachable).",[175,11384,11385,11388],{},[61,11386,11387],{},"No documented recovery procedures"," — Failing to plan for key loss, corruption, or custodian departure. Organizations discover this gap during an incident, when they cannot decrypt backups or rotate compromised keys because the procedure was never written down or tested.",[175,11390,11391,11394],{},[61,11392,11393],{},"Using weak or predictable key generation"," — Generating keys with insufficient entropy, predictable seeds, or non-cryptographic random number generators. 
Always use cryptographically secure random number generators (CSPRNGs) and key lengths appropriate for the algorithm and data sensitivity.",[175,11396,11397,11400],{},[61,11398,11399],{},"Ignoring key state tracking"," — Not maintaining an inventory of which keys are active, retired, or compromised. Without a key inventory, organizations cannot answer basic questions during an audit or incident: how many keys exist, who has access, and when they were last rotated.",[175,11402,11403,11406],{},[61,11404,11405],{},"Failing to test key recovery"," — Having a documented recovery procedure that has never been exercised. Recovery procedures degrade over time as infrastructure changes, personnel rotate, and backup systems are modified. Regular testing is the only way to ensure recovery will work when it matters.",[112,11408,11410],{"id":11409},"how-do-compliance-frameworks-address-key-management","How do compliance frameworks address key management?",[172,11412,11413,11424,11433,11443],{},[175,11414,11415,11419,11420],{},[61,11416,11417],{},[44,11418,411],{"href":410}," — Requirement 3.5 and 3.6 detail specific key management procedures for protecting ",[44,11421,11423],{"href":11422},"\u002Fglossary\u002Fpan","cardholder data (PAN)",[175,11425,11426,8392,11430,11432],{},[61,11427,11428],{},[44,11429,393],{"href":392},[44,11431,8396],{"href":8395}," control A.8.24 covers the use of cryptography including key management policies",[175,11434,11435,11439,11440,11442],{},[61,11436,11437],{},[44,11438,402],{"href":401}," — the Security Rule requires ",[44,11441,2781],{"href":2780}," of ePHI, which implies proper key management",[175,11444,11445,11449,11450],{},[61,11446,11447],{},[44,11448,658],{"href":614}," — CC6.1 and CC6.7 address encryption and key management as part of logical ",[44,11451,11452],{"href":8769},"access controls",[112,11454,11456],{"id":11455},"what-are-best-practices-for-key-management","What are best practices for key 
management?",[172,11458,11459,11462,11465,11468,11471],{},[175,11460,11461],{},"Use hardware security modules (HSMs) or cloud key management services (AWS KMS, Azure Key Vault, GCP Cloud KMS) rather than storing keys in application code or configuration files",[175,11463,11464],{},"Enforce separation of duties so that key custodians cannot access the data those keys protect",[175,11466,11467],{},"Document key rotation schedules and automate rotation where possible",[175,11469,11470],{},"Maintain an inventory of all cryptographic keys, their owners, and their expiration dates",[175,11472,11473],{},"Test key recovery procedures regularly",[112,11475,11477],{"id":11476},"how-does-episki-help-with-key-management","How does episki help with key management?",[37,11479,11480,11481,100],{},"episki tracks key management policies, links them to encryption controls, and monitors rotation schedules to ensure cryptographic practices stay compliant. Learn more on our ",[44,11482,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":11484},[11485],{"id":10969,"depth":547,"text":10970,"children":11486},[11487,11488,11489,11490,11491,11492,11493,11494],{"id":10976,"depth":554,"text":10977},{"id":11017,"depth":554,"text":11018},{"id":11056,"depth":554,"text":11057},{"id":11219,"depth":554,"text":11220},{"id":11352,"depth":554,"text":11353},{"id":11409,"depth":554,"text":11410},{"id":11455,"depth":554,"text":11456},{"id":11476,"depth":554,"text":11477},{},[8771,631,8772,8774,8773],[2781,2637,8782],{"title":11499,"description":11500},"Key Management: What It Is & Why Compliance Requires It","Key management covers creating, storing, rotating, and retiring cryptographic keys. 
Learn requirements across SOC 2, ISO 27001, HIPAA, and PCI DSS.","8.glossary\u002Fkey-management","1dvRJIXp6Ctc7SOVhg5O-XyVT22CTyhIb0o8RWTqqng",{"id":11504,"title":11505,"body":11506,"description":546,"extension":578,"lastUpdated":1135,"meta":11620,"navigation":613,"path":11621,"relatedFrameworks":11622,"relatedTerms":11623,"seo":11624,"slug":11627,"stem":11628,"term":11511,"__hash__":11629},"glossary\u002F8.glossary\u002Fleast-privilege.md","Least Privilege",{"type":29,"value":11507,"toc":11612},[11508,11512,11515,11519,11522,11536,11540,11572,11576,11603,11607],[32,11509,11511],{"id":11510},"what-is-least-privilege","What is Least Privilege?",[37,11513,11514],{},"Least privilege is a security principle that limits user, application, and system access to only the resources and permissions necessary to perform a specific function — nothing more. By minimizing the access footprint, organizations reduce the potential damage from compromised accounts, insider threats, and accidental misuse.",[112,11516,11518],{"id":11517},"why-does-least-privilege-matter","Why does least privilege matter?",[37,11520,11521],{},"Excessive permissions are one of the most common security weaknesses. 
When users have more access than they need:",[172,11523,11524,11527,11530,11533],{},[175,11525,11526],{},"A compromised account gives attackers a wider attack surface",[175,11528,11529],{},"Accidental changes to sensitive systems become more likely",[175,11531,11532],{},"Insider threats are harder to detect and contain",[175,11534,11535],{},"Audit findings for excessive access are common compliance gaps",[112,11537,11539],{"id":11538},"how-do-you-implement-least-privilege","How do you implement least privilege?",[172,11541,11542,11548,11554,11560,11566],{},[175,11543,11544,11547],{},[61,11545,11546],{},"Start with zero access"," — new accounts should have no permissions by default, with access granted based on documented role requirements",[175,11549,11550,11553],{},[61,11551,11552],{},"Use role-based access control (RBAC)"," — define roles with specific permission sets rather than assigning permissions individually",[175,11555,11556,11559],{},[61,11557,11558],{},"Conduct regular access reviews"," — quarterly reviews of user permissions help identify and remove access that is no longer needed",[175,11561,11562,11565],{},[61,11563,11564],{},"Remove access promptly"," — revoke permissions immediately when employees change roles or leave the organization",[175,11567,11568,11571],{},[61,11569,11570],{},"Apply to systems and applications too"," — service accounts, APIs, and automated processes should also follow least privilege",[112,11573,11575],{"id":11574},"how-do-compliance-frameworks-address-least-privilege","How do compliance frameworks address least privilege?",[172,11577,11578,11583,11588,11593,11598],{},[175,11579,11580,11582],{},[61,11581,658],{}," — CC6.1 through CC6.3 require logical access controls based on least privilege",[175,11584,11585,11587],{},[61,11586,393],{}," — A.5.15 (access control) and A.8.2 (privileged access rights) explicitly reference least privilege",[175,11589,11590,11592],{},[61,11591,402],{}," — the minimum necessary standard (45 CFR 
164.502(b)) is the healthcare equivalent of least privilege",[175,11594,11595,11597],{},[61,11596,411],{}," — Requirement 7 restricts access to cardholder data on a need-to-know basis",[175,11599,11600,11602],{},[61,11601,6581],{}," — PR.AC-4 addresses access permissions based on least privilege",[112,11604,11606],{"id":11605},"how-does-episki-help-with-least-privilege","How does episki help with least privilege?",[37,11608,11609,11610,100],{},"episki tracks access control policies, schedules periodic access reviews, and documents evidence of least privilege enforcement for auditors. Learn more on our ",[44,11611,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":11613},[11614],{"id":11510,"depth":547,"text":11511,"children":11615},[11616,11617,11618,11619],{"id":11517,"depth":554,"text":11518},{"id":11538,"depth":554,"text":11539},{"id":11574,"depth":554,"text":11575},{"id":11605,"depth":554,"text":11606},{},"\u002Fglossary\u002Fleast-privilege",[8771,631,8772,8773,8774,8775],[8782,10959,8778],{"title":11625,"description":11626},"What is Least Privilege? 
Definition & Compliance Guide","Least privilege is a security principle that limits user access to only what they need to perform their job — nothing more.","least-privilege","8.glossary\u002Fleast-privilege","BuEghGm4HKbs1Es9DQ4mpHlellA4mL_s5KedD9Qs9_s",{"id":11631,"title":11632,"body":11633,"description":546,"extension":578,"lastUpdated":1135,"meta":12146,"navigation":613,"path":3140,"relatedFrameworks":12147,"relatedTerms":12148,"seo":12149,"slug":3357,"stem":12152,"term":11638,"__hash__":12153},"glossary\u002F8.glossary\u002Flog-management.md","Log Management",{"type":29,"value":11634,"toc":12134},[11635,11639,11642,11646,11649,11685,11689,11692,11696,11699,11737,11741,11744,11776,11780,11783,11809,11813,11816,11842,11846,11849,11914,11917,11921,11924,11928,11942,11946,11960,11964,11978,11982,11996,12000,12023,12027,12030,12074,12078,12104,12108,12125,12129],[32,11636,11638],{"id":11637},"what-is-log-management","What is Log Management?",[37,11640,11641],{},"Log management is the process of collecting, storing, analyzing, and retaining system activity records to detect security incidents, troubleshoot issues, and support compliance audits. 
Logs provide a chronological record of events across servers, applications, network devices, and security tools.",[112,11643,11645],{"id":11644},"what-gets-logged-in-a-log-management-program","What gets logged in a log management program?",[37,11647,11648],{},"Effective log management covers:",[172,11650,11651,11657,11663,11668,11674,11680],{},[175,11652,11653,11656],{},[61,11654,11655],{},"Authentication events"," — successful and failed login attempts, password changes, MFA challenges",[175,11658,11659,11662],{},[61,11660,11661],{},"Authorization events"," — access grants, denials, privilege escalations",[175,11664,11665,11667],{},[61,11666,8816],{}," — configuration changes, service starts and stops, errors",[175,11669,11670,11673],{},[61,11671,11672],{},"Network events"," — firewall decisions, DNS queries, connection attempts",[175,11675,11676,11679],{},[61,11677,11678],{},"Application events"," — user actions, API calls, data access patterns",[175,11681,11682,11684],{},[61,11683,8840],{}," — malware detections, vulnerability scan results, intrusion alerts",[112,11686,11688],{"id":11687},"what-is-log-management-architecture","What is log management architecture?",[37,11690,11691],{},"A mature log management program combines multiple components into a pipeline that moves raw event data from source to searchable, retained storage.",[11062,11693,11695],{"id":11694},"log-sources","Log sources",[37,11697,11698],{},"Logs originate from every layer of the technology stack:",[172,11700,11701,11707,11713,11719,11725,11731],{},[175,11702,11703,11706],{},[61,11704,11705],{},"Servers and operating systems"," — Linux auth logs, Windows Event Log, macOS Unified Log",[175,11708,11709,11712],{},[61,11710,11711],{},"Cloud platforms"," — AWS CloudTrail, Azure Activity Log, GCP Admin Activity audit logs",[175,11714,11715,11718],{},[61,11716,11717],{},"SaaS applications"," — Microsoft 365 Unified Audit Log, Google Workspace audit logs, Salesforce event 
monitoring",[175,11720,11721,11724],{},[61,11722,11723],{},"Endpoints"," — EDR telemetry, local application logs, mobile device management events",[175,11726,11727,11730],{},[61,11728,11729],{},"Network devices"," — firewalls, routers, switches, load balancers, VPN concentrators",[175,11732,11733,11736],{},[61,11734,11735],{},"Security tools"," — IDS\u002FIPS alerts, vulnerability scanners, DLP engines, email gateways",[11062,11738,11740],{"id":11739},"collection-methods","Collection methods",[37,11742,11743],{},"Getting logs from source to a central platform requires reliable collection mechanisms:",[172,11745,11746,11752,11758,11764,11770],{},[175,11747,11748,11751],{},[61,11749,11750],{},"Agents"," — lightweight forwarders installed on hosts (Fluentd, Filebeat, NXLog, Splunk Universal Forwarder) that ship logs in near real time",[175,11753,11754,11757],{},[61,11755,11756],{},"Syslog"," — the legacy standard (RFC 5424) still widely used by network devices; syslog-ng and rsyslog add filtering and reliable delivery",[175,11759,11760,11763],{},[61,11761,11762],{},"API polling"," — scheduled calls to SaaS and cloud provider APIs to pull audit logs (e.g., Microsoft Graph API, AWS CloudTrail Lake queries)",[175,11765,11766,11769],{},[61,11767,11768],{},"Cloud-native streams"," — managed pipelines like AWS Kinesis Data Firehose, Azure Event Hubs, or GCP Pub\u002FSub that deliver logs without managing agents",[175,11771,11772,11775],{},[61,11773,11774],{},"Webhooks"," — event-driven push from SaaS applications that support real-time notification (Slack audit API, GitHub audit log streaming)",[11062,11777,11779],{"id":11778},"centralization","Centralization",[37,11781,11782],{},"Logs are only useful when they are searchable in one place:",[172,11784,11785,11791,11797,11803],{},[175,11786,11787,11790],{},[61,11788,11789],{},"Commercial SIEM"," — Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar provide correlation, detection rules, and case 
management",[175,11792,11793,11796],{},[61,11794,11795],{},"Cloud-native logging"," — AWS CloudWatch Logs, Azure Monitor, Google Cloud Logging offer tight integration with their respective platforms",[175,11798,11799,11802],{},[61,11800,11801],{},"Open-source stacks"," — the Elastic Stack (Elasticsearch, Logstash, Kibana), Grafana Loki, and OpenSearch provide cost-effective alternatives with community-driven detection content",[175,11804,11805,11808],{},[61,11806,11807],{},"Security data lakes"," — Snowflake, Amazon Security Lake, and similar platforms store massive volumes at low cost using the Open Cybersecurity Schema Framework (OCSF) for normalization",[11062,11810,11812],{"id":11811},"storage-tiers","Storage tiers",[37,11814,11815],{},"Log storage strategies balance search speed against cost and compliance retention:",[172,11817,11818,11824,11830,11836],{},[175,11819,11820,11823],{},[61,11821,11822],{},"Hot storage"," — fully indexed, real-time searchable data for active investigations and alerting (typically 30–90 days)",[175,11825,11826,11829],{},[61,11827,11828],{},"Warm storage"," — recent history available for on-demand search with slightly slower query times (typically 90 days to 12 months)",[175,11831,11832,11835],{},[61,11833,11834],{},"Cold storage"," — compressed, archived logs in object storage (S3, Azure Blob, GCS) retained for compliance and forensic purposes (1–7 years depending on framework requirements)",[175,11837,11838,11841],{},[61,11839,11840],{},"Immutable storage"," — write-once, read-many storage that prevents tampering, critical for audit trail integrity and legal hold requirements",[112,11843,11845],{"id":11844},"what-are-the-log-retention-requirements","What are the log retention requirements?",[37,11847,11848],{},"Different compliance frameworks set varying expectations for how long logs must be kept. 
The table below summarizes key requirements:",[859,11850,11851,11863],{},[862,11852,11853],{},[865,11854,11855,11857,11860],{},[868,11856,6276],{},[868,11858,11859],{},"Minimum retention",[868,11861,11862],{},"Key requirements",[875,11864,11865,11875,11885,11894,11904],{},[865,11866,11867,11869,11872],{},[880,11868,411],{},[880,11870,11871],{},"12 months (3 months immediately available)",[880,11873,11874],{},"Req 10.7 — retain audit trail history",[865,11876,11877,11879,11882],{},[880,11878,658],{},[880,11880,11881],{},"Based on risk assessment",[880,11883,11884],{},"CC7.2 — monitor system components",[865,11886,11887,11889,11891],{},[880,11888,393],{},[880,11890,11881],{},[880,11892,11893],{},"A.8.15 — log retention policy required",[865,11895,11896,11898,11901],{},[880,11897,402],{},[880,11899,11900],{},"6 years for policies; log retention not specified but implied",[880,11902,11903],{},"Audit controls for ePHI access",[865,11905,11906,11908,11911],{},[880,11907,6581],{},[880,11909,11910],{},"Based on organizational needs",[880,11912,11913],{},"DE.CM — continuous monitoring",[37,11915,11916],{},"Organizations subject to multiple frameworks should align retention to the most stringent requirement. For most companies handling payment card data alongside health information, a 12-month hot\u002Fwarm retention period with 6-year cold archival provides adequate coverage.",[112,11918,11920],{"id":11919},"what-should-you-alert-on-in-log-management","What should you alert on in log management?",[37,11922,11923],{},"Collecting logs without monitoring them defeats the purpose. 
Effective alerting focuses on high-fidelity signals across several categories:",[11062,11925,11927],{"id":11926},"authentication-anomalies","Authentication anomalies",[172,11929,11930,11933,11936,11939],{},[175,11931,11932],{},"Brute-force attempts — multiple failed logins against the same account within a short window",[175,11934,11935],{},"Impossible travel — successful logins from geographically distant locations within an implausible time frame",[175,11937,11938],{},"New device or location — first-time access from an unrecognized device, IP range, or country",[175,11940,11941],{},"Credential stuffing patterns — failed logins across many accounts from a small set of source IPs",[11062,11943,11945],{"id":11944},"privilege-escalation","Privilege escalation",[172,11947,11948,11951,11954,11957],{},[175,11949,11950],{},"Sudo or run-as usage outside of expected maintenance windows",[175,11952,11953],{},"Admin role assignments or membership changes in identity providers (Azure AD, Okta, Google Workspace)",[175,11955,11956],{},"Permission changes on sensitive resources — S3 bucket policies, database grants, file share ACLs",[175,11958,11959],{},"Service account creation or key generation",[11062,11961,11963],{"id":11962},"data-exfiltration-signals","Data exfiltration signals",[172,11965,11966,11969,11972,11975],{},[175,11967,11968],{},"Unusual download volumes — user downloading significantly more data than their baseline",[175,11970,11971],{},"Access outside business hours — especially to sensitive repositories, databases, or file shares",[175,11973,11974],{},"Mass file access — sequential reads across large numbers of records in short succession",[175,11976,11977],{},"Outbound data transfers to uncommon destinations — cloud storage services, personal email, file-sharing sites",[11062,11979,11981],{"id":11980},"configuration-changes","Configuration changes",[172,11983,11984,11987,11990,11993],{},[175,11985,11986],{},"Firewall rule modifications — new allow rules, 
disabled security groups, removed deny entries",[175,11988,11989],{},"Security group changes in cloud environments — opening ports, widening IP ranges",[175,11991,11992],{},"IAM policy changes — new inline policies, permission boundary modifications, role trust policy updates",[175,11994,11995],{},"DNS changes — new records, zone transfers, nameserver modifications",[11062,11997,11999],{"id":11998},"compliance-specific-events","Compliance-specific events",[172,12001,12002,12010,12017,12020],{},[175,12003,12004,12005,12009],{},"Access to ",[44,12006,12008],{"href":12007},"\u002Fglossary\u002Fpci-dss","cardholder data"," environments — any read, write, or copy operation",[175,12011,12012,12013,12016],{},"PHI access in ",[44,12014,402],{"href":12015},"\u002Fglossary\u002Fhipaa","-regulated systems — views, exports, or modifications of protected health information",[175,12018,12019],{},"Encryption key operations — key creation, rotation, deletion, or export",[175,12021,12022],{},"Audit log access or modification attempts — anyone trying to read, delete, or alter the logs themselves",[112,12024,12026],{"id":12025},"what-are-common-log-management-mistakes","What are common log management mistakes?",[37,12028,12029],{},"Even organizations that invest in logging often fall into patterns that undermine the value of their program:",[210,12031,12032,12038,12044,12050,12056,12062,12068],{},[175,12033,12034,12037],{},[61,12035,12036],{},"Logging too much"," — capturing every debug-level event creates massive storage costs and drowns analysts in noise. Focus on security-relevant events and tune verbosity by source.",[175,12039,12040,12043],{},[61,12041,12042],{},"Logging too little"," — the opposite problem is equally dangerous. 
Missing authentication events, not capturing cloud control plane activity, or skipping DNS logs leaves blind spots that attackers exploit.",[175,12045,12046,12049],{},[61,12047,12048],{},"Not protecting log integrity"," — if an attacker can delete or modify logs, they can cover their tracks. Logs should be forwarded to a separate system with immutable storage, and access to log management platforms should be tightly controlled.",[175,12051,12052,12055],{},[61,12053,12054],{},"No correlation across sources"," — reviewing logs from individual systems in isolation misses the bigger picture. A failed VPN login followed by a successful cloud console login from the same IP tells a story that neither log tells alone.",[175,12057,12058,12061],{},[61,12059,12060],{},"Alert fatigue from untuned rules"," — deploying default SIEM detection rules without tuning them to the environment generates hundreds of false positives per day. Analysts stop investigating, and real incidents get buried.",[175,12063,12064,12067],{},[61,12065,12066],{},"Not testing log pipeline reliability"," — log collection silently fails more often than most teams realize. Agents crash, API tokens expire, syslog forwarding breaks after a network change. Regularly validate that expected log sources are still delivering data.",[175,12069,12070,12073],{},[61,12071,12072],{},"Ignoring time synchronization"," — logs from systems with drifting clocks are nearly impossible to correlate during incident response. 
Enforce NTP across all log sources and normalize timestamps to UTC.",[112,12075,12077],{"id":12076},"how-do-compliance-frameworks-address-log-management","How do compliance frameworks address log management?",[172,12079,12080,12085,12090,12095,12099],{},[175,12081,12082,12084],{},[61,12083,658],{}," — CC7.1 through CC7.4 require monitoring, detection, and response capabilities that depend on logging",[175,12086,12087,12089],{},[61,12088,393],{}," — A.8.15 (logging) and A.8.16 (monitoring activities) address log collection and analysis",[175,12091,12092,12094],{},[61,12093,402],{}," — the Security Rule requires audit controls to record and examine activity in systems containing ePHI",[175,12096,12097,8893],{},[61,12098,411],{},[175,12100,12101,12103],{},[61,12102,6581],{}," — DE.CM (continuous monitoring) and DE.AE (anomaly detection) rely on log data",[112,12105,12107],{"id":12106},"what-are-best-practices-for-log-management","What are best practices for log management?",[172,12109,12110,12113,12116,12119,12122],{},[175,12111,12112],{},"Centralize logs in a SIEM or log aggregation platform for correlation and analysis",[175,12114,12115],{},"Set retention periods that meet both compliance requirements and operational needs (typically 90 days to one year)",[175,12117,12118],{},"Protect log integrity with immutable storage or tamper-evident mechanisms",[175,12120,12121],{},"Establish alerting rules for high-risk events like failed authentication spikes or unauthorized access attempts",[175,12123,12124],{},"Regularly review and tune logging to ensure coverage without excessive noise",[112,12126,12128],{"id":12127},"how-does-episki-help-with-log-management","How does episki help with log management?",[37,12130,12131,12132,100],{},"episki documents log management policies, tracks retention schedules, and links logging controls to evidence for audit readiness. 
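The detection rules sketched above (brute force against one account, credential stuffing from one source against many accounts, and the cross-source VPN-then-console correlation from the mistakes list, with every timestamp normalised to UTC before any window is computed) as working code. This is an added example and not code from the original page or from episki; the five-field log format, the `vpn` and `console` source names and the thresholds are assumptions chosen for the illustration, and the log lines are constructed.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). The format is an assumption made for
# this example: "<ISO-8601 timestamp with offset> <source> <user> <src_ip> <outcome>".
# Offsets are deliberately mixed (+02:00 and Z) to show why normalising to UTC matters.
SAMPLE_LOG = """\
2024-03-01T11:00:00+02:00 vpn alice 203.0.113.10 failure
2024-03-01T11:01:00+02:00 vpn alice 203.0.113.10 failure
2024-03-01T11:02:00+02:00 vpn alice 203.0.113.10 failure
2024-03-01T11:03:00+02:00 vpn alice 203.0.113.10 failure
2024-03-01T11:04:00+02:00 vpn alice 203.0.113.10 failure
2024-03-01T09:10:00Z console bob 198.51.100.7 failure
2024-03-01T09:11:00Z console carol 198.51.100.7 failure
2024-03-01T09:12:00Z console dave 198.51.100.7 failure
2024-03-01T09:13:00Z console erin 198.51.100.7 failure
2024-03-01T09:14:00Z console frank 198.51.100.7 failure
2024-03-01T11:20:00+02:00 vpn mallory 192.0.2.5 failure
2024-03-01T09:35:00Z console admin 192.0.2.5 success
2024-03-01T09:40:00Z console alice 203.0.113.77 success
"""

@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware and normalised to UTC by parse_line()
    source: str    # "vpn" or "console" in the sample
    user: str
    src_ip: str
    outcome: str   # "success" or "failure"

def parse_line(line: str) -> Event:
    ts_raw, source, user, src_ip, outcome = line.split()
    # fromisoformat() accepts a trailing "Z" only from Python 3.11 on, so rewrite it first.
    ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        # Naive local time cannot be correlated reliably; refuse it rather than guess an offset.
        raise ValueError(f"timestamp without UTC offset: {ts_raw}")
    return Event(ts.astimezone(timezone.utc), source, user, src_ip, outcome)

def parse_log(text: str) -> list[Event]:
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e.ts)  # one UTC-ordered stream for all rules below

def brute_force(events, threshold=5, window=timedelta(minutes=10)) -> set[str]:
    """Accounts with at least `threshold` failed logins inside any span of `window`."""
    failures = defaultdict(list)
    for e in events:
        if e.outcome == "failure":
            failures[e.user].append(e.ts)   # already sorted, because events are
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged

def credential_stuffing(events, min_accounts=5, window=timedelta(minutes=10)) -> set[str]:
    """Source IPs that fail against at least `min_accounts` distinct users inside `window`."""
    by_ip = defaultdict(list)
    for e in events:
        if e.outcome == "failure":
            by_ip[e.src_ip].append(e)
    flagged = set()
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            users = {x.user for x in evs[i:] if x.ts - first.ts <= window}
            if len(users) >= min_accounts:
                flagged.add(ip)
                break
    return flagged

def vpn_failure_then_console_success(events, window=timedelta(minutes=30)) -> list[tuple]:
    """Cross-source rule: a failed VPN login followed by a successful console login from the
    same source IP within `window`. Returns (src_ip, vpn_user, console_user, minutes_apart)."""
    vpn_failures = defaultdict(list)
    for e in events:
        if e.source == "vpn" and e.outcome == "failure":
            vpn_failures[e.src_ip].append(e)
    hits = []
    for e in events:
        if e.source == "console" and e.outcome == "success":
            for f in vpn_failures.get(e.src_ip, []):
                gap = e.ts - f.ts
                if timedelta(0) <= gap <= window:
                    hits.append((e.src_ip, f.user, e.user, int(gap.total_seconds() // 60)))
                    break
    return hits

def run_detections(text: str) -> dict:
    events = parse_log(text)
    return {"brute_force_accounts": brute_force(events),
            "credential_stuffing_ips": credential_stuffing(events),
            "vpn_failure_then_console_success": vpn_failure_then_console_success(events)}

if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```

Run directly, it prints the three result sets: alice is flagged for brute force, 198.51.100.7 for credential stuffing, and the 192.0.2.5 VPN failure is paired with the console success for a different account 15 minutes later. That last pair is exactly what the time-synchronisation point is about: if the +02:00 offset were dropped, the failure would appear to occur after the success and the rule would miss it.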
Learn more on our ",[44,12133,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12135},[12136],{"id":11637,"depth":547,"text":11638,"children":12137},[12138,12139,12140,12141,12142,12143,12144,12145],{"id":11644,"depth":554,"text":11645},{"id":11687,"depth":554,"text":11688},{"id":11844,"depth":554,"text":11845},{"id":11919,"depth":554,"text":11920},{"id":12025,"depth":554,"text":12026},{"id":12076,"depth":554,"text":12077},{"id":12106,"depth":554,"text":12107},{"id":12127,"depth":554,"text":12128},{},[8771,631,8772,8773,8774,8775],[1877,1042,1530],{"title":12150,"description":12151},"What is Log Management? Definition & Compliance Guide","Log management is the process of collecting, storing, and analyzing system activity records to detect security incidents and support compliance audits.","8.glossary\u002Flog-management","B9IH1ixHXCqDKqAdQBwGDpwLFnfLwuxW5KyltQCbFmk",{"id":12155,"title":12156,"body":12157,"description":546,"extension":578,"lastUpdated":1135,"meta":12275,"navigation":613,"path":12276,"relatedFrameworks":12277,"relatedTerms":12278,"seo":12280,"slug":12283,"stem":12284,"term":12162,"__hash__":12285},"glossary\u002F8.glossary\u002Fmalware.md","Malware",{"type":29,"value":12158,"toc":12267},[12159,12163,12166,12170,12208,12212,12234,12238,12258,12262],[32,12160,12162],{"id":12161},"what-is-malware","What is Malware?",[37,12164,12165],{},"Malware (malicious software) is any software intentionally designed to damage, disrupt, or gain unauthorized access to computer systems, networks, or data. 
Malware is one of the most persistent threats organizations face and a primary driver behind many compliance requirements for endpoint protection and monitoring.",[112,12167,12169],{"id":12168},"what-are-the-types-of-malware","What are the types of malware?",[172,12171,12172,12178,12184,12190,12196,12202],{},[175,12173,12174,12177],{},[61,12175,12176],{},"Viruses"," — attach to legitimate programs and spread when the infected program runs",[175,12179,12180,12183],{},[61,12181,12182],{},"Ransomware"," — encrypts data and demands payment for the decryption key",[175,12185,12186,12189],{},[61,12187,12188],{},"Trojans"," — disguise themselves as legitimate software to trick users into installation",[175,12191,12192,12195],{},[61,12193,12194],{},"Spyware"," — silently collects information about user activity and sends it to an attacker",[175,12197,12198,12201],{},[61,12199,12200],{},"Worms"," — self-replicate across networks without requiring user interaction",[175,12203,12204,12207],{},[61,12205,12206],{},"Rootkits"," — hide deep within the operating system to maintain persistent, undetected access",[112,12209,12211],{"id":12210},"how-do-compliance-frameworks-address-malware-protection","How do compliance frameworks address malware protection?",[172,12213,12214,12219,12224,12229],{},[175,12215,12216,12218],{},[61,12217,658],{}," — CC6.8 requires controls to prevent and detect malicious software",[175,12220,12221,12223],{},[61,12222,393],{}," — A.8.7 addresses protection against malware",[175,12225,12226,12228],{},[61,12227,411],{}," — Requirement 5 mandates deploying anti-malware solutions on all commonly affected systems",[175,12230,12231,12233],{},[61,12232,6581],{}," — DE.CM-4 specifically addresses malicious code detection",[112,12235,12237],{"id":12236},"what-are-common-malware-defense-strategies","What are common malware defense strategies?",[172,12239,12240,12243,12246,12249,12252,12255],{},[175,12241,12242],{},"Deploy endpoint detection and response (EDR) tools 
across all endpoints",[175,12244,12245],{},"Keep operating systems and applications patched and up to date",[175,12247,12248],{},"Implement email filtering to block phishing and malicious attachments",[175,12250,12251],{},"Restrict administrative privileges to reduce malware installation risk",[175,12253,12254],{},"Train employees to recognize social engineering and phishing attempts",[175,12256,12257],{},"Maintain tested backup and recovery procedures to mitigate ransomware impact",[112,12259,12261],{"id":12260},"how-does-episki-help-with-malware","How does episki help with malware?",[37,12263,12264,12265,100],{},"episki tracks anti-malware controls, monitors policy compliance, and documents endpoint protection evidence for auditors. Learn more on our ",[44,12266,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12268},[12269],{"id":12161,"depth":547,"text":12162,"children":12270},[12271,12272,12273,12274],{"id":12168,"depth":554,"text":12169},{"id":12210,"depth":554,"text":12211},{"id":12236,"depth":554,"text":12237},{"id":12260,"depth":554,"text":12261},{},"\u002Fglossary\u002Fmalware",[8771,631,8772,8774,8775],[1530,12279,1042],"penetration-testing",{"title":12281,"description":12282},"What is Malware? Definition & Compliance Guide","Malware is malicious software designed to damage, disrupt, or gain unauthorized access to systems. 
It includes viruses, ransomware, spyware, and trojans.","malware","8.glossary\u002Fmalware","YC-GrrHk9-an6NjJOaLQttw4tAbXovhasUaJzWZ9d-4",{"id":12287,"title":12288,"body":12289,"description":546,"extension":578,"lastUpdated":1135,"meta":12398,"navigation":613,"path":12399,"relatedFrameworks":12400,"relatedTerms":12401,"seo":12402,"slug":1527,"stem":12405,"term":12294,"__hash__":12406},"glossary\u002F8.glossary\u002Fmonitoring.md","Monitoring",{"type":29,"value":12290,"toc":12390},[12291,12295,12298,12302,12334,12338,12360,12364,12381,12385],[32,12292,12294],{"id":12293},"what-is-monitoring","What is Monitoring?",[37,12296,12297],{},"Monitoring is the continuous observation of systems, networks, and controls to detect threats, unusual activity, or compliance gaps in real time. In a security and compliance context, monitoring goes beyond uptime checks — it encompasses the processes and tools that ensure an organization's security posture remains effective over time.",[112,12299,12301],{"id":12300},"what-are-the-types-of-monitoring","What are the types of monitoring?",[172,12303,12304,12310,12316,12322,12328],{},[175,12305,12306,12309],{},[61,12307,12308],{},"Security monitoring"," — detecting threats, intrusions, and malicious activity through SIEM tools, IDS\u002FIPS, and endpoint detection",[175,12311,12312,12315],{},[61,12313,12314],{},"Compliance monitoring"," — tracking whether controls are operating effectively and whether the organization remains aligned with framework requirements",[175,12317,12318,12321],{},[61,12319,12320],{},"Infrastructure monitoring"," — observing system health, performance, and availability across servers, networks, and cloud services",[175,12323,12324,12327],{},[61,12325,12326],{},"User activity monitoring"," — tracking user behavior to detect insider threats, policy violations, or compromised accounts",[175,12329,12330,12333],{},[61,12331,12332],{},"Vulnerability monitoring"," — continuously scanning for known vulnerabilities across 
the technology stack",[112,12335,12337],{"id":12336},"how-do-compliance-frameworks-address-monitoring","How do compliance frameworks address monitoring?",[172,12339,12340,12345,12350,12355],{},[175,12341,12342,12344],{},[61,12343,658],{}," — CC7.1 requires the use of detection and monitoring activities to identify anomalies",[175,12346,12347,12349],{},[61,12348,393],{}," — A.8.16 covers monitoring activities across networks and systems",[175,12351,12352,12354],{},[61,12353,411],{}," — Requirements 10 and 11 address logging, monitoring, and regular security testing",[175,12356,12357,12359],{},[61,12358,6581],{}," — the Detect function (DE.CM, DE.AE) is entirely focused on continuous monitoring and anomaly detection",[112,12361,12363],{"id":12362},"what-are-best-practices-for-monitoring","What are best practices for monitoring?",[172,12365,12366,12369,12372,12375,12378],{},[175,12367,12368],{},"Define clear thresholds and alerting rules to minimize alert fatigue",[175,12370,12371],{},"Centralize monitoring data for correlation across systems",[175,12373,12374],{},"Establish escalation procedures so alerts lead to timely investigation",[175,12376,12377],{},"Review and tune monitoring rules regularly as the environment changes",[175,12379,12380],{},"Document monitoring coverage and gaps as part of risk assessments",[112,12382,12384],{"id":12383},"how-does-episki-help-with-monitoring","How does episki help with monitoring?",[37,12386,12387,12388,100],{},"episki tracks monitoring controls, documents coverage, and links monitoring evidence to framework requirements for continuous audit readiness. 
Learn more on our ",[44,12389,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12391},[12392],{"id":12293,"depth":547,"text":12294,"children":12393},[12394,12395,12396,12397],{"id":12300,"depth":554,"text":12301},{"id":12336,"depth":554,"text":12337},{"id":12362,"depth":554,"text":12363},{"id":12383,"depth":554,"text":12384},{},"\u002Fglossary\u002Fmonitoring",[8771,631,8772,8774,8775],[1042,3357,1530],{"title":12403,"description":12404},"What is Monitoring? Definition & Compliance Guide","Monitoring is the continuous observation of systems and controls to detect threats, unusual activity, or compliance gaps in real time.","8.glossary\u002Fmonitoring","QXZ4W_vuU7Y88VE8xwlReLlBVCa0cNFk0XPiqgd_4bc",{"id":12408,"title":12409,"body":12410,"description":546,"extension":578,"lastUpdated":1135,"meta":12518,"navigation":613,"path":12519,"relatedFrameworks":12520,"relatedTerms":12521,"seo":12522,"slug":12525,"stem":12526,"term":12415,"__hash__":12527},"glossary\u002F8.glossary\u002Fmulti-factor-authentication.md","Multi Factor Authentication",{"type":29,"value":12411,"toc":12510},[12412,12416,12419,12423,12426,12446,12450,12453,12480,12484,12501,12505],[32,12413,12415],{"id":12414},"what-is-multi-factor-authentication","What is Multi-Factor Authentication?",[37,12417,12418],{},"Multi-Factor Authentication (MFA) is a security mechanism that requires users to verify their identity using two or more independent factors before gaining access to a system or application. 
By combining multiple factors, MFA significantly reduces the risk of unauthorized access even if one factor (such as a password) is compromised.",[112,12420,12422],{"id":12421},"what-are-the-authentication-factors-used-in-mfa","What are the authentication factors used in MFA?",[37,12424,12425],{},"MFA combines factors from different categories:",[172,12427,12428,12434,12440],{},[175,12429,12430,12433],{},[61,12431,12432],{},"Something you know"," — passwords, PINs, security questions",[175,12435,12436,12439],{},[61,12437,12438],{},"Something you have"," — mobile phones (SMS or authenticator apps), hardware tokens, smart cards",[175,12441,12442,12445],{},[61,12443,12444],{},"Something you are"," — biometrics such as fingerprints, facial recognition, or iris scans",[112,12447,12449],{"id":12448},"how-do-compliance-frameworks-address-mfa","How do compliance frameworks address MFA?",[37,12451,12452],{},"MFA is required or strongly recommended across all major frameworks:",[172,12454,12455,12460,12465,12470,12475],{},[175,12456,12457,12459],{},[61,12458,658],{}," — CC6.1 requires logical access controls that identify and authenticate users; the criterion does not name MFA, but auditors routinely expect it for access to sensitive systems",[175,12461,12462,12464],{},[61,12463,393],{}," — A.8.5 addresses secure authentication including multi-factor methods",[175,12466,12467,12469],{},[61,12468,402],{}," — while not explicitly mandating MFA, the Security Rule requires access controls that effectively necessitate it for ePHI systems",[175,12471,12472,12474],{},[61,12473,411],{}," — Requirement 8.3 mandates MFA for all remote access to the cardholder data environment",[175,12476,12477,12479],{},[61,12478,6581],{}," — PR.AC-7 recommends multi-factor authentication as part of identity management",[112,12481,12483],{"id":12482},"what-are-implementation-best-practices","What are implementation best practices?",[172,12485,12486,12489,12492,12495,12498],{},[175,12487,12488],{},"Require MFA for all user accounts, not just administrators",[175,12490,12491],{},"Prefer authenticator 
apps or hardware tokens over SMS-based codes (which are vulnerable to SIM swapping and interception); phishing-resistant FIDO2\u002FWebAuthn authenticators are the strongest option, since one-time codes from any app can still be relayed through a real-time phishing proxy",[175,12493,12494],{},"Implement MFA on VPN, cloud console, email, and any system containing sensitive data",[175,12496,12497],{},"Provide backup recovery methods (recovery codes, backup devices) to prevent lockouts",[175,12499,12500],{},"Monitor and alert on MFA bypass attempts, disabled MFA, and new authenticator enrollments",[112,12502,12504],{"id":12503},"how-does-episki-help-with-mfa","How does episki help with MFA?",[37,12506,12507,12508,100],{},"episki tracks MFA policies, monitors enforcement across systems, and documents MFA evidence for compliance audits. Learn more on our ",[44,12509,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12511},[12512],{"id":12414,"depth":547,"text":12415,"children":12513},[12514,12515,12516,12517],{"id":12421,"depth":554,"text":12422},{"id":12448,"depth":554,"text":12449},{"id":12482,"depth":554,"text":12483},{"id":12503,"depth":554,"text":12504},{},"\u002Fglossary\u002Fmulti-factor-authentication",[8771,631,8772,8773,8774,8775],[8782,11627,2781],{"title":12523,"description":12524},"What is Multi-Factor Authentication (MFA)? 
Definition & Compliance Guide","Multi-Factor Authentication (MFA) is a login method that requires users to verify their identity using two or more factors, such as a password plus a code sent to their phone.","multi-factor-authentication","8.glossary\u002Fmulti-factor-authentication","UJQZ8l9dqE7trtvjUWb1iVTulmNQa1j2-kVTUOaUB34",{"id":12529,"title":12530,"body":12531,"description":546,"extension":578,"lastUpdated":1135,"meta":12654,"navigation":613,"path":12655,"relatedFrameworks":12656,"relatedTerms":12657,"seo":12659,"slug":12662,"stem":12663,"term":12536,"__hash__":12664},"glossary\u002F8.glossary\u002Fnetwork-security.md","Network Security",{"type":29,"value":12532,"toc":12646},[12533,12537,12540,12544,12582,12586,12608,12612,12637,12641],[32,12534,12536],{"id":12535},"what-is-network-security","What is Network Security?",[37,12538,12539],{},"Network security refers to the tools, policies, and practices used to protect the integrity, confidentiality, and availability of a computer network and its data. 
It encompasses both hardware and software technologies as well as the processes organizations use to prevent unauthorized access, misuse, and disruption of network resources.",[112,12541,12543],{"id":12542},"what-are-the-core-components-of-network-security","What are the core components of network security?",[172,12545,12546,12552,12558,12564,12570,12576],{},[175,12547,12548,12551],{},[61,12549,12550],{},"Firewalls"," — filter traffic between trusted and untrusted networks based on security rules",[175,12553,12554,12557],{},[61,12555,12556],{},"Intrusion detection and prevention systems (IDS\u002FIPS)"," — monitor network traffic for suspicious activity and can automatically block threats",[175,12559,12560,12563],{},[61,12561,12562],{},"Network segmentation"," — divides the network into isolated zones to contain breaches and limit lateral movement",[175,12565,12566,12569],{},[61,12567,12568],{},"Virtual private networks (VPN)"," — encrypt traffic between remote users and the corporate network",[175,12571,12572,12575],{},[61,12573,12574],{},"Network access control (NAC)"," — enforces policies about which devices and users can connect to the network",[175,12577,12578,12581],{},[61,12579,12580],{},"DNS security"," — protects against DNS-based attacks like spoofing and cache poisoning",[112,12583,12585],{"id":12584},"how-do-compliance-frameworks-address-network-security","How do compliance frameworks address network security?",[172,12587,12588,12593,12598,12603],{},[175,12589,12590,12592],{},[61,12591,411],{}," — Requirements 1 and 2 address firewall configuration and secure network architecture",[175,12594,12595,12597],{},[61,12596,393],{}," — A.8.20 (network security), A.8.21 (security of network services), and A.8.22 (segregation of networks)",[175,12599,12600,12602],{},[61,12601,658],{}," — CC6.6 requires security controls for network boundaries",[175,12604,12605,12607],{},[61,12606,6581],{}," — PR.AC and PR.PT cover network access control and protective 
technology",[112,12609,12611],{"id":12610},"what-are-best-practices-for-network-security","What are best practices for network security?",[172,12613,12614,12617,12620,12623,12626,12629],{},[175,12615,12616],{},"Implement defense in depth with multiple layers of network controls",[175,12618,12619],{},"Regularly scan for open ports and unnecessary services",[175,12621,12622],{},"Encrypt data in transit using TLS 1.2 or later; SSL and TLS 1.0\u002F1.1 are deprecated and should be disabled",[175,12624,12625],{},"Monitor network traffic for anomalies and potential intrusions",[175,12627,12628],{},"Document network architecture and maintain up-to-date network diagrams",[175,12630,12631,12632,12636],{},"Conduct regular ",[44,12633,12635],{"href":12634},"\u002Fglossary\u002Fpenetration-testing","penetration testing"," to identify network vulnerabilities",[112,12638,12640],{"id":12639},"how-does-episki-help-with-network-security","How does episki help with network security?",[37,12642,12643,12644,100],{},"episki tracks network security controls, links them to framework requirements, and documents evidence like network diagrams and firewall reviews for auditors. Learn more on our ",[44,12645,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12647},[12648],{"id":12535,"depth":547,"text":12536,"children":12649},[12650,12651,12652,12653],{"id":12542,"depth":554,"text":12543},{"id":12584,"depth":554,"text":12585},{"id":12610,"depth":554,"text":12611},{"id":12639,"depth":554,"text":12640},{},"\u002Fglossary\u002Fnetwork-security",[8771,631,8772,8774,8775],[12658,8782,2781,12279],"firewall",{"title":12660,"description":12661},"What is Network Security? 
Definition & Compliance Guide","Network security refers to the tools, policies, and practices used to protect the integrity and confidentiality of a computer network and its data.","network-security","8.glossary\u002Fnetwork-security","X-GwLwvpQPWv1-bV4i1pW3X_eNNKctzmhG2CWCYFOe8",{"id":12666,"title":12667,"body":12668,"description":546,"extension":578,"lastUpdated":1135,"meta":12802,"navigation":613,"path":12803,"relatedFrameworks":12804,"relatedTerms":12805,"seo":12806,"slug":12809,"stem":12810,"term":12673,"__hash__":12811},"glossary\u002F8.glossary\u002Foffboarding.md","Offboarding",{"type":29,"value":12669,"toc":12793},[12670,12674,12677,12681,12684,12698,12702,12740,12744,12766,12770,12784,12788],[32,12671,12673],{"id":12672},"what-is-offboarding","What is Offboarding?",[37,12675,12676],{},"Offboarding is the formal process of revoking an employee's or contractor's access to systems, applications, and data when they leave an organization or change roles. A well-executed offboarding process is critical for preventing unauthorized access after separation and is a key control auditors review during compliance assessments.",[112,12678,12680],{"id":12679},"why-does-offboarding-matter","Why does offboarding matter?",[37,12682,12683],{},"Delayed or incomplete offboarding creates significant security risks:",[172,12685,12686,12689,12692,12695],{},[175,12687,12688],{},"Former employees retaining access to sensitive systems and data",[175,12690,12691],{},"Orphaned accounts that attackers can discover and exploit",[175,12693,12694],{},"Shared credentials that remain active after a team member departs",[175,12696,12697],{},"Compliance findings for inadequate access termination procedures",[112,12699,12701],{"id":12700},"what-are-the-key-offboarding-activities","What are the key offboarding activities?",[172,12703,12704,12710,12716,12722,12728,12734],{},[175,12705,12706,12709],{},[61,12707,12708],{},"Disable user accounts"," — immediately deactivate accounts in identity 
providers (SSO, Active Directory) to cascade access revocation",[175,12711,12712,12715],{},[61,12713,12714],{},"Revoke application access"," — remove access to SaaS applications, cloud consoles, code repositories, and internal tools",[175,12717,12718,12721],{},[61,12719,12720],{},"Recover assets"," — collect laptops, mobile devices, badges, hardware tokens, and other company property",[175,12723,12724,12727],{},[61,12725,12726],{},"Transfer ownership"," — reassign shared resources, documents, and project ownership",[175,12729,12730,12733],{},[61,12731,12732],{},"Remove from communication channels"," — remove from email distribution lists, Slack channels, and shared drives",[175,12735,12736,12739],{},[61,12737,12738],{},"Review privileged access"," — ensure any administrative or elevated access is fully revoked",[112,12741,12743],{"id":12742},"how-do-compliance-frameworks-address-offboarding","How do compliance frameworks address offboarding?",[172,12745,12746,12751,12756,12761],{},[175,12747,12748,12750],{},[61,12749,658],{}," — CC6.2 requires timely revocation of access when personnel leave",[175,12752,12753,12755],{},[61,12754,393],{}," — A.6.5 covers responsibilities after termination or change of employment",[175,12757,12758,12760],{},[61,12759,402],{}," — the Security Rule requires procedures for terminating access to ePHI when employment ends",[175,12762,12763,12765],{},[61,12764,411],{}," — Requirement 8.1.3 mandates immediate revocation of access for terminated users",[112,12767,12769],{"id":12768},"what-are-best-practices-for-offboarding","What are best practices for offboarding?",[172,12771,12772,12775,12778,12781],{},[175,12773,12774],{},"Automate offboarding checklists triggered by HR termination events",[175,12776,12777],{},"Set a target of same-day access revocation for all departures",[175,12779,12780],{},"Conduct post-offboarding audits to verify no residual access remains",[175,12782,12783],{},"Document the offboarding process and retain evidence 
for audit review",[112,12785,12787],{"id":12786},"how-does-episki-help-with-offboarding","How does episki help with offboarding?",[37,12789,12790,12791,100],{},"episki tracks offboarding policies, links them to access control evidence, and provides checklists to ensure complete access revocation. Learn more on our ",[44,12792,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12794},[12795],{"id":12672,"depth":547,"text":12673,"children":12796},[12797,12798,12799,12800,12801],{"id":12679,"depth":554,"text":12680},{"id":12700,"depth":554,"text":12701},{"id":12742,"depth":554,"text":12743},{"id":12768,"depth":554,"text":12769},{"id":12786,"depth":554,"text":12787},{},"\u002Fglossary\u002Foffboarding",[631,8772,8773,8774],[8782,11627,10959],{"title":12807,"description":12808},"What is Offboarding? Definition & Compliance Guide","Offboarding is the formal process of revoking an employee's or contractor's access to systems and data when they leave an organization.","offboarding","8.glossary\u002Foffboarding","Rz5QFRP5_SeeZAbasnNVFWLvYnrzwxu8rDWO1Kpf4lI",{"id":12813,"title":12814,"body":12815,"description":546,"extension":578,"lastUpdated":1135,"meta":12924,"navigation":613,"path":12925,"relatedFrameworks":12926,"relatedTerms":12927,"seo":12929,"slug":12932,"stem":12933,"term":12820,"__hash__":12934},"glossary\u002F8.glossary\u002Foperational-risk.md","Operational Risk",{"type":29,"value":12816,"toc":12916},[12817,12821,12824,12828,12853,12857,12874,12878,12907,12911],[32,12818,12820],{"id":12819},"what-is-operational-risk","What is Operational Risk?",[37,12822,12823],{},"Operational risk is the potential for loss, disruption, or harm caused by failures in internal processes, people, systems, or external events. 
Unlike market or credit risk, operational risk arises from the day-to-day functioning of an organization and includes everything from human errors and system outages to fraud and natural disasters.",[112,12825,12827],{"id":12826},"what-are-the-sources-of-operational-risk","What are the sources of operational risk?",[172,12829,12830,12836,12842,12847],{},[175,12831,12832,12835],{},[61,12833,12834],{},"People"," — human error, insufficient training, insider threats, key person dependencies",[175,12837,12838,12841],{},[61,12839,12840],{},"Processes"," — poorly designed workflows, lack of documentation, inadequate controls",[175,12843,12844,12846],{},[61,12845,680],{}," — hardware failures, software bugs, cybersecurity incidents, integration breakdowns",[175,12848,12849,12852],{},[61,12850,12851],{},"External events"," — natural disasters, supply chain disruptions, regulatory changes, third-party failures",[112,12854,12856],{"id":12855},"how-do-compliance-frameworks-address-operational-risk","How do compliance frameworks address operational risk?",[172,12858,12859,12864,12869],{},[175,12860,12861,12863],{},[61,12862,658],{}," — CC3.1 through CC3.4 address risk assessment and management, including operational risks",[175,12865,12866,12868],{},[61,12867,393],{}," — clauses 6.1 and 8.2 require organizations to identify and treat information security risks, many of which are operational",[175,12870,12871,12873],{},[61,12872,6581],{}," — the Identify function (ID.RA) covers risk assessment including operational risk factors",[112,12875,12877],{"id":12876},"how-do-you-manage-operational-risk","How do you manage operational risk?",[172,12879,12880,12886,12893,12901,12904],{},[175,12881,12882,12883,12885],{},"Maintain a ",[44,12884,3307],{"href":3306}," that captures identified operational risks with likelihood and impact ratings",[175,12887,12888,12889],{},"Implement controls proportional to the risk level and document them in a 
",[44,12890,12892],{"href":12891},"\u002Fglossary\u002Frisk-treatment-plan","risk treatment plan",[175,12894,12895,12896,96,12898,12900],{},"Establish ",[44,12897,1356],{"href":1355},[44,12899,1360],{"href":1359}," plans for high-impact scenarios",[175,12902,12903],{},"Conduct regular risk assessments to identify new or changing risks",[175,12905,12906],{},"Monitor key risk indicators (KRIs) to detect emerging operational issues",[112,12908,12910],{"id":12909},"how-does-episki-help-with-operational-risk","How does episki help with operational risk?",[37,12912,12913,12914,100],{},"episki provides risk registers, links risks to controls, and tracks risk treatment plans to help organizations manage operational risk systematically. Learn more on our ",[44,12915,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":12917},[12918],{"id":12819,"depth":547,"text":12820,"children":12919},[12920,12921,12922,12923],{"id":12826,"depth":554,"text":12827},{"id":12855,"depth":554,"text":12856},{"id":12876,"depth":554,"text":12877},{"id":12909,"depth":554,"text":12910},{},"\u002Fglossary\u002Foperational-risk",[631,8772,8775],[8223,12928,1525,1526],"risk-treatment-plan",{"title":12930,"description":12931},"What is Operational Risk? 
Definition & Compliance Guide","Operational risk is the potential for loss or disruption caused by failed internal processes, human errors, system failures, or external events.","operational-risk","8.glossary\u002Foperational-risk","FHa7St6ZxdXS6nN4A99Zbld2Kt8WzJLlE0DHI0np8_o",{"id":12936,"title":12937,"body":12938,"description":546,"extension":578,"lastUpdated":1135,"meta":13181,"navigation":613,"path":12634,"relatedFrameworks":13182,"relatedTerms":13183,"seo":13185,"slug":12279,"stem":13188,"term":12943,"__hash__":13189},"glossary\u002F8.glossary\u002Fpenetration-testing.md","Penetration Testing",{"type":29,"value":12939,"toc":13171},[12940,12944,12947,12951,12954,12959,13003,13008,13028,13032,13035,13085,13089,13092,13114,13118,13138,13142,13145,13162,13166],[32,12941,12943],{"id":12942},"what-is-penetration-testing","What is Penetration Testing?",[37,12945,12946],{},"Penetration testing (pen testing) is a controlled, simulated cyberattack conducted by security professionals to identify vulnerabilities and weaknesses in an organization's systems, networks, and applications before malicious actors can exploit them. 
Unlike automated vulnerability scanning, penetration testing involves manual techniques, creative thinking, and the ability to chain multiple findings together to demonstrate real-world attack scenarios.",[112,12948,12950],{"id":12949},"what-are-the-types-of-penetration-testing","What are the types of penetration testing?",[37,12952,12953],{},"Penetration tests are categorized by scope and approach:",[37,12955,12956],{},[61,12957,12958],{},"By target:",[172,12960,12961,12967,12973,12979,12985,12991,12997],{},[175,12962,12963,12966],{},[61,12964,12965],{},"External testing"," — targets internet-facing assets such as web applications, APIs, email servers, and firewalls",[175,12968,12969,12972],{},[61,12970,12971],{},"Internal testing"," — simulates an attacker who has gained access to the internal network",[175,12974,12975,12978],{},[61,12976,12977],{},"Web application testing"," — focuses specifically on web application vulnerabilities (injection, authentication flaws, etc.)",[175,12980,12981,12984],{},[61,12982,12983],{},"API testing"," — evaluates the security of application programming interfaces",[175,12986,12987,12990],{},[61,12988,12989],{},"Mobile application testing"," — assesses mobile apps for security weaknesses",[175,12992,12993,12996],{},[61,12994,12995],{},"Wireless testing"," — tests wireless network security",[175,12998,12999,13002],{},[61,13000,13001],{},"Social engineering"," — tests human vulnerabilities through phishing, pretexting, or physical access attempts",[37,13004,13005],{},[61,13006,13007],{},"By knowledge level:",[172,13009,13010,13016,13022],{},[175,13011,13012,13015],{},[61,13013,13014],{},"Black box"," — the tester has no prior knowledge of the target environment, simulating an external attacker",[175,13017,13018,13021],{},[61,13019,13020],{},"White box"," — the tester has full access to source code, architecture documentation, and credentials",[175,13023,13024,13027],{},[61,13025,13026],{},"Gray box"," — the tester has partial 
knowledge, such as user-level credentials or limited documentation",[112,13029,13031],{"id":13030},"what-is-the-penetration-testing-process","What is the penetration testing process?",[37,13033,13034],{},"A professional penetration test follows a structured methodology:",[210,13036,13037,13043,13049,13055,13061,13067,13073,13079],{},[175,13038,13039,13042],{},[61,13040,13041],{},"Scoping"," — define the targets, objectives, rules of engagement, and testing window",[175,13044,13045,13048],{},[61,13046,13047],{},"Reconnaissance"," — gather information about the target through passive and active techniques",[175,13050,13051,13054],{},[61,13052,13053],{},"Vulnerability identification"," — discover potential weaknesses using automated tools and manual analysis",[175,13056,13057,13060],{},[61,13058,13059],{},"Exploitation"," — attempt to exploit identified vulnerabilities to demonstrate real-world impact",[175,13062,13063,13066],{},[61,13064,13065],{},"Post-exploitation"," — if access is gained, assess how far an attacker could go (lateral movement, data access, privilege escalation)",[175,13068,13069,13072],{},[61,13070,13071],{},"Reporting"," — document all findings with severity ratings, evidence, and remediation recommendations",[175,13074,13075,13078],{},[61,13076,13077],{},"Remediation support"," — assist the organization in understanding and addressing findings",[175,13080,13081,13084],{},[61,13082,13083],{},"Retest"," — verify that remediation efforts have effectively addressed the vulnerabilities",[112,13086,13088],{"id":13087},"how-do-compliance-frameworks-address-penetration-testing","How do compliance frameworks address penetration testing?",[37,13090,13091],{},"Multiple frameworks require or recommend penetration testing:",[172,13093,13094,13099,13104,13109],{},[175,13095,13096,13098],{},[61,13097,658],{}," — while not explicitly mandated, penetration testing supports CC7.1 (detection of vulnerabilities) and CC4.1 
(monitoring)",[175,13100,13101,13103],{},[61,13102,411],{}," — Requirement 11.4 requires annual penetration testing of the CDE, plus testing after significant changes",[175,13105,13106,13108],{},[61,13107,6581],{}," — DE.CM (continuous monitoring) and ID.RA (risk assessment) are supported by penetration testing",[175,13110,13111,13113],{},[61,13112,393],{}," — control A.8.8 addresses management of technical vulnerabilities, which penetration testing supports",[112,13115,13117],{"id":13116},"how-often-should-penetration-tests-be-performed","How often should penetration tests be performed?",[172,13119,13120,13126,13132],{},[175,13121,13122,13125],{},[61,13123,13124],{},"Annual testing"," is the minimum standard for most compliance frameworks",[175,13127,13128,13131],{},[61,13129,13130],{},"After significant changes"," — major infrastructure changes, application releases, or acquisitions should trigger additional testing",[175,13133,13134,13137],{},[61,13135,13136],{},"Continuous testing programs"," — some organizations implement bug bounty programs or periodic testing throughout the year",[112,13139,13141],{"id":13140},"how-do-you-select-a-penetration-testing-firm","How do you select a penetration testing firm?",[37,13143,13144],{},"When choosing a penetration testing provider:",[172,13146,13147,13150,13153,13156,13159],{},[175,13148,13149],{},"Look for relevant certifications (OSCP, OSCE, CREST, GPEN)",[175,13151,13152],{},"Request sample reports to evaluate reporting quality",[175,13154,13155],{},"Verify the firm carries appropriate insurance",[175,13157,13158],{},"Confirm experience with your technology stack and industry",[175,13160,13161],{},"Ensure clear rules of engagement and communication protocols",[112,13163,13165],{"id":13164},"how-does-episki-help-with-penetration-testing","How does episki help with penetration testing?",[37,13167,13168,13169,100],{},"episki tracks penetration testing schedules, stores reports, and manages remediation of identified 
findings. The platform links pen test results to compliance framework requirements and monitors remediation progress. Learn more on our ",[44,13170,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":13172},[13173],{"id":12942,"depth":547,"text":12943,"children":13174},[13175,13176,13177,13178,13179,13180],{"id":12949,"depth":554,"text":12950},{"id":13030,"depth":554,"text":13031},{"id":13087,"depth":554,"text":13088},{"id":13116,"depth":554,"text":13117},{"id":13140,"depth":554,"text":13141},{"id":13164,"depth":554,"text":13165},{},[8771,631,8774,8775],[13184,5627,1042,8782],"asv",{"title":13186,"description":13187},"What is Penetration Testing? Definition & Compliance Guide","Penetration testing is a simulated cyberattack that identifies vulnerabilities in your systems before real attackers can exploit them. Learn the types and process.","8.glossary\u002Fpenetration-testing","-DYPrBzNiyBknfyn7jeCgBrDE39XjynFvEKprLlba4U",{"id":13191,"title":13192,"body":13193,"description":546,"extension":578,"lastUpdated":1135,"meta":13467,"navigation":613,"path":5626,"relatedFrameworks":13468,"relatedTerms":13469,"seo":13470,"slug":5627,"stem":13473,"term":13198,"__hash__":13474},"glossary\u002F8.glossary\u002Fremediation.md","Remediation",{"type":29,"value":13194,"toc":13456},[13195,13199,13202,13206,13209,13273,13277,13280,13327,13331,13334,13372,13376,13379,13399,13403,13406,13423,13426,13430,13447,13451],[32,13196,13198],{"id":13197},"what-is-remediation","What is Remediation?",[37,13200,13201],{},"Remediation is the process of identifying, prioritizing, and resolving security weaknesses, compliance gaps, audit findings, or vulnerabilities in an organization's systems and processes. 
It is a fundamental component of any security program — identifying risks and gaps is only valuable if the organization takes action to address them.",[112,13203,13205],{"id":13204},"where-do-remediation-items-come-from","Where do remediation items come from?",[37,13207,13208],{},"Remediation needs arise from multiple sources:",[172,13210,13211,13225,13235,13241,13249,13255,13261,13267],{},[175,13212,13213,13216,13217,418,13219,13221,13222,13224],{},[61,13214,13215],{},"Audit findings"," — gaps identified during ",[44,13218,658],{"href":614},[44,13220,393],{"href":392},", or ",[44,13223,411],{"href":410}," audits",[175,13226,13227,13230,13231],{},[61,13228,13229],{},"Vulnerability scans"," — technical vulnerabilities discovered by automated scanning tools or ",[44,13232,13234],{"href":13233},"\u002Fglossary\u002Fasv","approved scanning vendors (ASVs)",[175,13236,13237,13240],{},[61,13238,13239],{},"Penetration tests"," — weaknesses identified through manual security testing",[175,13242,13243,13248],{},[61,13244,13245],{},[44,13246,13247],{"href":3306},"Risk assessments"," — risks that require new or improved controls",[175,13250,13251,13254],{},[61,13252,13253],{},"Incident investigations"," — root cause analysis revealing underlying security weaknesses",[175,13256,13257,13260],{},[61,13258,13259],{},"Compliance gap assessments"," — differences between current controls and framework requirements",[175,13262,13263,13266],{},[61,13264,13265],{},"Customer security questionnaires"," — gaps exposed through vendor assessment processes",[175,13268,13269,13272],{},[61,13270,13271],{},"Regulatory changes"," — new requirements that existing controls do not address",[112,13274,13276],{"id":13275},"what-is-the-remediation-process","What is the remediation process?",[37,13278,13279],{},"An effective remediation process follows a structured approach:",[210,13281,13282,13288,13294,13299,13305,13311,13316,13322],{},[175,13283,13284,13287],{},[61,13285,13286],{},"Identification"," 
— document the gap, vulnerability, or finding with sufficient detail to understand the issue",[175,13289,13290,13293],{},[61,13291,13292],{},"Assessment"," — evaluate the severity, risk, and potential impact of the issue",[175,13295,13296,13298],{},[61,13297,9700],{}," — rank remediation items based on risk severity, exploitability, and business impact",[175,13300,13301,13304],{},[61,13302,13303],{},"Assignment"," — designate a responsible owner for each remediation item",[175,13306,13307,13310],{},[61,13308,13309],{},"Planning"," — define the specific actions needed, required resources, and target completion date",[175,13312,13313,13315],{},[61,13314,9122],{}," — execute the remediation plan",[175,13317,13318,13321],{},[61,13319,13320],{},"Verification"," — confirm that the remediation effectively addresses the issue (through retesting, review, or evidence collection)",[175,13323,13324,13326],{},[61,13325,1738],{}," — record the remediation actions taken and their results",[112,13328,13330],{"id":13329},"how-do-you-prioritize-remediation-items","How do you prioritize remediation items?",[37,13332,13333],{},"Not all remediation items carry equal urgency. 
Common prioritization factors include:",[172,13335,13336,13342,13348,13354,13360,13366],{},[175,13337,13338,13341],{},[61,13339,13340],{},"Severity"," — how significant is the risk or vulnerability (e.g., CVSS score for technical vulnerabilities)",[175,13343,13344,13347],{},[61,13345,13346],{},"Exploitability"," — how easily could the weakness be exploited",[175,13349,13350,13353],{},[61,13351,13352],{},"Business impact"," — what would happen if the weakness were exploited",[175,13355,13356,13359],{},[61,13357,13358],{},"Compliance deadline"," — are there regulatory or contractual deadlines driving urgency",[175,13361,13362,13365],{},[61,13363,13364],{},"Effort required"," — how much work is needed to remediate",[175,13367,13368,13371],{},[61,13369,13370],{},"Dependencies"," — does remediation depend on other work being completed first",[112,13373,13375],{"id":13374},"how-do-you-track-remediation","How do you track remediation?",[37,13377,13378],{},"Effective tracking ensures accountability and progress:",[172,13380,13381,13387,13390,13393,13396],{},[175,13382,13383,13384,13386],{},"Maintain a centralized remediation tracker (often integrated with the ",[44,13385,3307],{"href":3306}," or GRC platform)",[175,13388,13389],{},"Set clear deadlines and milestone dates",[175,13391,13392],{},"Send regular reminders to owners",[175,13394,13395],{},"Escalate overdue items to management",[175,13397,13398],{},"Report on remediation metrics (open items, aging, completion rates)",[112,13400,13402],{"id":13401},"how-does-remediation-work-in-audit-contexts","How does remediation work in audit contexts?",[37,13404,13405],{},"During compliance audits, auditors expect to see:",[172,13407,13408,13411,13414,13417,13420],{},[175,13409,13410],{},"A defined process for managing remediation items",[175,13412,13413],{},"Evidence of timely resolution",[175,13415,13416],{},"Follow-up verification that fixes are effective",[175,13418,13419],{},"Escalation procedures for items that miss 
deadlines",[175,13421,13422],{},"Management oversight of the remediation program",[37,13424,13425],{},"Auditors view an organization's ability to remediate findings as an indicator of program maturity. A long list of aging, unresolved findings suggests the compliance program is not being actively managed.",[112,13427,13429],{"id":13428},"what-are-common-challenges-with-remediation","What are common challenges with remediation?",[172,13431,13432,13435,13438,13441,13444],{},[175,13433,13434],{},"Competing priorities between security remediation and business initiatives",[175,13436,13437],{},"Insufficient resources to address all findings in a timely manner",[175,13439,13440],{},"Lack of clear ownership for remediation items",[175,13442,13443],{},"Remediation that addresses symptoms rather than root causes",[175,13445,13446],{},"No verification step to confirm effectiveness",[112,13448,13450],{"id":13449},"how-does-episki-help-with-remediation","How does episki help with remediation?",[37,13452,13453,13454,100],{},"episki provides remediation workflows that track findings from identification through verification. The platform assigns owners, sets deadlines, sends reminders, and reports on progress. Auditors can see the full remediation history for any finding. Learn more on our ",[44,13455,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":13457},[13458],{"id":13197,"depth":547,"text":13198,"children":13459},[13460,13461,13462,13463,13464,13465,13466],{"id":13204,"depth":554,"text":13205},{"id":13275,"depth":554,"text":13276},{"id":13329,"depth":554,"text":13330},{"id":13374,"depth":554,"text":13375},{"id":13401,"depth":554,"text":13402},{"id":13428,"depth":554,"text":13429},{"id":13449,"depth":554,"text":13450},{},[631,8772,8774],[8223,12928,1876,1042,12279],{"title":13471,"description":13472},"Remediation in Compliance: Definition, Process & Best Practices","Compliance remediation is the process of fixing security gaps and audit findings. 
Learn how to prioritize, track, and close remediation items efficiently.","8.glossary\u002Fremediation","gUhGasusB5qoXZyMJcWGEC3m1KU4Hcwyqjc-ZpOaaho",{"id":13476,"title":13477,"body":13478,"description":546,"extension":578,"lastUpdated":1135,"meta":14075,"navigation":613,"path":3306,"relatedFrameworks":14076,"relatedTerms":14077,"seo":14078,"slug":8223,"stem":14081,"term":13483,"__hash__":14082},"glossary\u002F8.glossary\u002Frisk-register.md","Risk Register",{"type":29,"value":13479,"toc":14060},[13480,13484,13487,13491,13494,13568,13572,13575,13625,13629,13632,13664,13668,13671,13677,13683,13689,13696,13700,13703,13790,13793,13797,13803,13829,13832,13836,13839,13874,13878,13881,13982,13985,13989,13992,14021,14025,14028,14048,14051,14055],[32,13481,13483],{"id":13482},"what-is-a-risk-register","What is a Risk Register?",[37,13485,13486],{},"A risk register is a centralized document or tool that records identified risks, their assessment (likelihood and impact), assigned treatments, owners, and current status. 
It serves as the foundation of an organization's risk management program and is a key artifact required by frameworks including ISO 27001, SOC 2, and NIST CSF.",[112,13488,13490],{"id":13489},"what-does-a-risk-register-contain","What does a risk register contain?",[37,13492,13493],{},"A well-structured risk register typically includes the following fields for each risk:",[172,13495,13496,13502,13508,13514,13520,13526,13532,13538,13544,13550,13556,13562],{},[175,13497,13498,13501],{},[61,13499,13500],{},"Risk ID"," — a unique identifier for tracking",[175,13503,13504,13507],{},[61,13505,13506],{},"Risk description"," — a clear statement of the risk, typically describing the threat, vulnerability, and potential impact",[175,13509,13510,13513],{},[61,13511,13512],{},"Risk category"," — classification such as operational, technical, compliance, strategic, or third-party",[175,13515,13516,13519],{},[61,13517,13518],{},"Likelihood"," — the probability of the risk materializing (often rated on a scale such as 1-5 or low\u002Fmedium\u002Fhigh)",[175,13521,13522,13525],{},[61,13523,13524],{},"Impact"," — the potential consequence if the risk materializes (rated similarly)",[175,13527,13528,13531],{},[61,13529,13530],{},"Risk score"," — calculated from likelihood and impact (e.g., likelihood x impact)",[175,13533,13534,13537],{},[61,13535,13536],{},"Risk owner"," — the person accountable for managing the risk",[175,13539,13540,13543],{},[61,13541,13542],{},"Treatment option"," — mitigate, accept, transfer, or avoid",[175,13545,13546,13549],{},[61,13547,13548],{},"Controls"," — the specific controls implemented to address the risk",[175,13551,13552,13555],{},[61,13553,13554],{},"Residual risk"," — the remaining risk level after treatment is applied",[175,13557,13558,13561],{},[61,13559,13560],{},"Status"," — current state (open, in treatment, accepted, closed)",[175,13563,13564,13567],{},[61,13565,13566],{},"Review date"," — when the risk was last reviewed or when the next 
review is due",[112,13569,13571],{"id":13570},"how-do-you-build-a-risk-register","How do you build a risk register?",[37,13573,13574],{},"Creating a risk register follows a systematic process:",[210,13576,13577,13583,13589,13595,13601,13607,13613,13619],{},[175,13578,13579,13582],{},[61,13580,13581],{},"Identify risks"," — gather risks through workshops, interviews, threat modeling, vulnerability assessments, incident reviews, and industry threat intelligence",[175,13584,13585,13588],{},[61,13586,13587],{},"Assess each risk"," — evaluate the likelihood and impact of each risk to determine its severity",[175,13590,13591,13594],{},[61,13592,13593],{},"Prioritize"," — rank risks by their risk score to focus attention and resources on the most significant threats",[175,13596,13597,13600],{},[61,13598,13599],{},"Assign ownership"," — designate a responsible owner for each risk",[175,13602,13603,13606],{},[61,13604,13605],{},"Determine treatment"," — decide how each risk will be handled",[175,13608,13609,13612],{},[61,13610,13611],{},"Document controls"," — record the specific controls that address each risk",[175,13614,13615,13618],{},[61,13616,13617],{},"Calculate residual risk"," — assess the remaining risk after controls are applied",[175,13620,13621,13624],{},[61,13622,13623],{},"Review and approve"," — have management review and approve the register",[112,13626,13628],{"id":13627},"how-do-you-maintain-the-risk-register","How do you maintain the risk register?",[37,13630,13631],{},"A risk register is only valuable if it is kept current. 
Regular maintenance includes:",[172,13633,13634,13640,13646,13652,13658],{},[175,13635,13636,13639],{},[61,13637,13638],{},"Periodic reviews"," — review the full register at least quarterly, with management review at least annually",[175,13641,13642,13645],{},[61,13643,13644],{},"Triggered updates"," — update the register when significant changes occur (new systems, new services, organizational changes, incidents)",[175,13647,13648,13651],{},[61,13649,13650],{},"New risk identification"," — continuously identify and add new risks as the threat landscape evolves",[175,13653,13654,13657],{},[61,13655,13656],{},"Treatment progress tracking"," — monitor and update the status of risk treatment activities",[175,13659,13660,13663],{},[61,13661,13662],{},"Residual risk reassessment"," — re-evaluate residual risk as controls are implemented or change",[112,13665,13667],{"id":13666},"what-are-common-risk-scoring-methodologies","What are common risk scoring methodologies?",[37,13669,13670],{},"How you score risks determines how actionable the register is. The most common approaches:",[37,13672,13673,13676],{},[61,13674,13675],{},"Qualitative (low\u002Fmedium\u002Fhigh)"," — Fast and intuitive, useful for getting started or communicating with non-technical stakeholders. The downside is limited precision; everything tends to collect in the middle.",[37,13678,13679,13682],{},[61,13680,13681],{},"Semi-quantitative (1–5 scales)"," — A 5×5 matrix with likelihood and impact each rated 1 through 5 produces a 1–25 risk score. This is the most widely used approach because it balances simplicity with discrimination.",[37,13684,13685,13688],{},[61,13686,13687],{},"Quantitative (dollar-based)"," — Approaches like FAIR (Factor Analysis of Information Risk) estimate Annual Loss Expectancy in dollars. 
This is the gold standard for board reporting but requires more mature data and analyst time.",[37,13690,13691,13692,13695],{},"Most compliance programs start with a 5×5 matrix, then introduce quantitative methods for top-tier risks. Whichever scale you choose, ",[61,13693,13694],{},"document the definitions"," — what does \"likelihood 4\" actually mean in your organization? Without clear definitions, different raters produce wildly different scores.",[112,13697,13699],{"id":13698},"how-do-compliance-frameworks-address-risk-register","How do compliance frameworks address risk register?",[37,13701,13702],{},"Different frameworks require or recommend risk registers, often with specific expectations:",[859,13704,13705,13716],{},[862,13706,13707],{},[865,13708,13709,13711,13713],{},[868,13710,6276],{},[868,13712,8545],{},[868,13714,13715],{},"Specific reference",[875,13717,13718,13730,13742,13754,13766,13778],{},[865,13719,13720,13724,13727],{},[880,13721,13722],{},[61,13723,393],{},[880,13725,13726],{},"Documented risk assessment process with register as artifact",[880,13728,13729],{},"Clause 6.1.2 and 8.2",[865,13731,13732,13736,13739],{},[880,13733,13734],{},[61,13735,658],{},[880,13737,13738],{},"Risk identification, assessment, and response",[880,13740,13741],{},"CC3.1–CC3.4",[865,13743,13744,13748,13751],{},[880,13745,13746],{},[61,13747,6581],{},[880,13749,13750],{},"Risk assessment and risk management strategy",[880,13752,13753],{},"ID.RA and GV.RM (new in 2.0)",[865,13755,13756,13760,13763],{},[880,13757,13758],{},[61,13759,402],{},[880,13761,13762],{},"Risk analysis for ePHI",[880,13764,13765],{},"§164.308(a)(1)(ii)(A)",[865,13767,13768,13772,13775],{},[880,13769,13770],{},[61,13771,411],{},[880,13773,13774],{},"Targeted risk analyses for specific requirements",[880,13776,13777],{},"PCI DSS v4.0 Req 12.3.1",[865,13779,13780,13784,13787],{},[880,13781,13782],{},[61,13783,425],{},[880,13785,13786],{},"Risk management 
practices",[880,13788,13789],{},"RA.L2-3.11.1 through 3.11.3",[37,13791,13792],{},"Auditors typically look for: documented scoring criteria, evidence of regular review cadence, treatment decisions tied to each risk, and linkage between risks and controls. A register without review dates, owner signatures, or treatment tracking will draw findings even if the risks themselves are well-identified.",[112,13794,13796],{"id":13795},"what-are-the-risk-treatment-options","What are the risk treatment options?",[37,13798,13799,13800,13802],{},"For each risk, pick one of four treatment strategies (often documented in a parallel ",[44,13801,12892],{"href":12891},"):",[172,13804,13805,13811,13817,13823],{},[175,13806,13807,13810],{},[61,13808,13809],{},"Mitigate"," — implement controls to reduce likelihood or impact. Most common choice. Example: deploy MFA to reduce account takeover likelihood.",[175,13812,13813,13816],{},[61,13814,13815],{},"Accept"," — acknowledge the risk as within tolerance and proceed. Requires documented rationale and, for significant risks, executive sign-off.",[175,13818,13819,13822],{},[61,13820,13821],{},"Transfer"," — shift the risk to a third party via insurance, contract, or outsourcing. Cyber insurance is the canonical example.",[175,13824,13825,13828],{},[61,13826,13827],{},"Avoid"," — eliminate the activity causing the risk. Example: decide not to launch a feature in a high-risk jurisdiction.",[37,13830,13831],{},"Residual risk — the risk remaining after treatment — must be reassessed and either accepted or subjected to additional treatment. Chained mitigation (stacking controls) is a legitimate strategy for high-severity risks.",[112,13833,13835],{"id":13834},"how-do-you-connect-the-risk-register-to-operational-workflows","How do you connect the risk register to operational workflows?",[37,13837,13838],{},"A risk register that lives in isolation quickly goes stale. 
High-performing programs integrate it with:",[172,13840,13841,13850,13857,13862,13868],{},[175,13842,13843,13849],{},[61,13844,13845],{},[44,13846,13848],{"href":13847},"\u002Fglossary\u002Fvendor-risk-management","Vendor risk management"," — third-party risks from vendor assessments feed into the enterprise register",[175,13851,13852,13856],{},[61,13853,13854],{},[44,13855,1765],{"href":10836}," — post-incident reviews identify new risks or update likelihood scores for known ones",[175,13858,13859,13861],{},[61,13860,364],{}," — significant system or business changes trigger a register update before deployment",[175,13863,13864,13867],{},[61,13865,13866],{},"Policy reviews"," — annual policy reviews check whether controls still address the risks they were designed for",[175,13869,13870,13873],{},[61,13871,13872],{},"Board reporting"," — top-tier risks roll up into executive dashboards showing trends, treatment progress, and heat maps",[112,13875,13877],{"id":13876},"what-does-an-example-risk-register-entry-look-like","What does an example risk register entry look like?",[37,13879,13880],{},"A concrete example makes the structure tangible. 
Consider a risk identified during an ISO 27001 internal audit:",[859,13882,13883,13893],{},[862,13884,13885],{},[865,13886,13887,13890],{},[868,13888,13889],{},"Field",[868,13891,13892],{},"Value",[875,13894,13895,13902,13909,13916,13923,13930,13938,13946,13953,13960,13968,13975],{},[865,13896,13897,13899],{},[880,13898,13500],{},[880,13900,13901],{},"R-042",[865,13903,13904,13906],{},[880,13905,2653],{},[880,13907,13908],{},"Unencrypted customer PII in database backups stored in S3",[865,13910,13911,13913],{},[880,13912,4781],{},[880,13914,13915],{},"Data protection \u002F technical",[865,13917,13918,13920],{},[880,13919,13518],{},[880,13921,13922],{},"3 (possible — we have access logs but no automated detection)",[865,13924,13925,13927],{},[880,13926,13524],{},[880,13928,13929],{},"5 (severe — regulatory exposure under GDPR and state privacy laws)",[865,13931,13932,13935],{},[880,13933,13934],{},"Inherent score",[880,13936,13937],{},"15 (high)",[865,13939,13940,13943],{},[880,13941,13942],{},"Owner",[880,13944,13945],{},"CISO",[865,13947,13948,13951],{},[880,13949,13950],{},"Treatment",[880,13952,13809],{},[865,13954,13955,13957],{},[880,13956,13548],{},[880,13958,13959],{},"Enable S3 server-side encryption with KMS; rotate existing backups; add Macie scan",[865,13961,13962,13965],{},[880,13963,13964],{},"Residual score",[880,13966,13967],{},"4 (low — automated encryption + detection materially reduces both)",[865,13969,13970,13972],{},[880,13971,13560],{},[880,13973,13974],{},"In treatment — 60% complete",[865,13976,13977,13979],{},[880,13978,13566],{},[880,13980,13981],{},"2026-06-01 (quarterly cadence)",[37,13983,13984],{},"This level of detail turns the register into a practical management tool rather than a compliance artifact.",[112,13986,13988],{"id":13987},"what-are-common-pitfalls-with-a-risk-register","What are common pitfalls with a risk register?",[37,13990,13991],{},"Organizations often struggle with risk registers due 
to:",[172,13993,13994,13997,14000,14003,14006,14009,14015,14018],{},[175,13995,13996],{},"Making the register too complex or too simple",[175,13998,13999],{},"Failing to review and update regularly",[175,14001,14002],{},"Not assigning clear ownership or clear treatment deadlines",[175,14004,14005],{},"Rating all risks as \"high\" without meaningful differentiation",[175,14007,14008],{},"Treating the register as a compliance checkbox rather than a management tool",[175,14010,14011,14012,14014],{},"Disconnecting the register from ",[44,14013,375],{"href":10836}," and vendor management workflows",[175,14016,14017],{},"Keeping risks open indefinitely without closure criteria or residual risk acceptance",[175,14019,14020],{},"Not versioning the register, making it impossible to demonstrate historical decisions to auditors",[112,14022,14024],{"id":14023},"what-risk-register-tools-and-templates-are-available","What risk register tools and templates are available?",[37,14026,14027],{},"Organizations use a range of tools to maintain a register:",[172,14029,14030,14036,14042],{},[175,14031,14032,14035],{},[61,14033,14034],{},"Spreadsheets"," — acceptable for small teams or early-stage programs. The limitation is that spreadsheets do not track version history, send review reminders, or link risks to other artifacts cleanly.",[175,14037,14038,14041],{},[61,14039,14040],{},"GRC platforms"," — purpose-built tools (including episki) handle scoring, ownership, treatment workflows, and evidence links out of the box.",[175,14043,14044,14047],{},[61,14045,14046],{},"Issue trackers"," — some teams use Jira or Linear to track risks as tickets. 
This works for operational visibility but typically lacks the scoring and reporting structure auditors expect.",[37,14049,14050],{},"Whatever tool you choose, exportability matters: auditors frequently ask for point-in-time snapshots, and regulators may request historical registers during an investigation.",[112,14052,14054],{"id":14053},"how-does-episki-help-with-a-risk-register","How does episki help with a risk register?",[37,14056,14057,14058,100],{},"episki provides a built-in risk register with configurable likelihood and impact scales, automatic risk scoring, owner assignment, treatment tracking, and review scheduling. The platform links risks to controls and evidence, creating a complete chain from risk identification through treatment. Learn more on our ",[44,14059,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":14061},[14062],{"id":13482,"depth":547,"text":13483,"children":14063},[14064,14065,14066,14067,14068,14069,14070,14071,14072,14073,14074],{"id":13489,"depth":554,"text":13490},{"id":13570,"depth":554,"text":13571},{"id":13627,"depth":554,"text":13628},{"id":13666,"depth":554,"text":13667},{"id":13698,"depth":554,"text":13699},{"id":13795,"depth":554,"text":13796},{"id":13834,"depth":554,"text":13835},{"id":13876,"depth":554,"text":13877},{"id":13987,"depth":554,"text":13988},{"id":14023,"depth":554,"text":14024},{"id":14053,"depth":554,"text":14054},{},[8771,8772,8775,631],[12928,5627,9530,8222],{"title":14079,"description":14080},"What is a Risk Register? Definition & Compliance Guide","A risk register is a centralized document that records identified risks, their likelihood, impact, treatment, and ownership. 
Learn how to build and maintain one.","8.glossary\u002Frisk-register","NLvIZTF-yfLLX2ce3ayhQVoNPH15hEMUk7pCSPoO3Ro",{"id":14084,"title":14085,"body":14086,"description":546,"extension":578,"lastUpdated":1135,"meta":14309,"navigation":613,"path":14310,"relatedFrameworks":14311,"relatedTerms":14312,"seo":14313,"slug":14316,"stem":14317,"term":14091,"__hash__":14318},"glossary\u002F8.glossary\u002Fsecurity-awareness-training.md","Security Awareness Training",{"type":29,"value":14087,"toc":14298},[14088,14092,14095,14099,14102,14119,14123,14126,14176,14180,14202,14206,14209,14241,14245,14248,14265,14269,14272,14289,14293],[32,14089,14091],{"id":14090},"what-is-security-awareness-training","What is Security Awareness Training?",[37,14093,14094],{},"Security awareness training is an educational program designed to teach employees about cybersecurity threats, security best practices, and their responsibilities for protecting organizational data and systems. Human error remains one of the leading causes of security incidents, making awareness training a critical control for reducing risk. Every major compliance framework requires or strongly recommends security awareness training.",[112,14096,14098],{"id":14097},"why-does-security-awareness-training-matter","Why does security awareness training matter?",[37,14100,14101],{},"Technology controls alone cannot prevent all security incidents. Employees interact with sensitive data, click links, open attachments, and make decisions that affect security every day. 
Effective training:",[172,14103,14104,14107,14110,14113,14116],{},[175,14105,14106],{},"Reduces the likelihood of successful phishing and social engineering attacks",[175,14108,14109],{},"Helps employees recognize and report suspicious activity",[175,14111,14112],{},"Builds a security-conscious culture throughout the organization",[175,14114,14115],{},"Meets compliance requirements across multiple frameworks",[175,14117,14118],{},"Reduces the frequency and impact of human-caused security incidents",[112,14120,14122],{"id":14121},"what-are-the-core-security-awareness-training-topics","What are the core security awareness training topics?",[37,14124,14125],{},"A comprehensive security awareness program typically covers:",[172,14127,14128,14134,14140,14146,14152,14158,14164,14170],{},[175,14129,14130,14133],{},[61,14131,14132],{},"Phishing and social engineering"," — how to identify and respond to phishing emails, phone-based pretexting, and other manipulation techniques",[175,14135,14136,14139],{},[61,14137,14138],{},"Password security"," — creating strong passwords, using password managers, and understanding multi-factor authentication",[175,14141,14142,14145],{},[61,14143,14144],{},"Data handling"," — proper classification, storage, transmission, and disposal of sensitive data",[175,14147,14148,14151],{},[61,14149,14150],{},"Physical security"," — securing workstations, preventing tailgating, and protecting physical access badges",[175,14153,14154,14157],{},[61,14155,14156],{},"Remote work security"," — securing home networks, using VPNs, and protecting devices outside the office",[175,14159,14160,14163],{},[61,14161,14162],{},"Incident reporting"," — how and when to report suspected security incidents",[175,14165,14166,14169],{},[61,14167,14168],{},"Acceptable use"," — organizational policies on technology use, internet access, and personal devices",[175,14171,14172,14175],{},[61,14173,14174],{},"Regulatory requirements"," — specific requirements based on the 
organization's compliance obligations (HIPAA for healthcare, PCI DSS for payment card handling)",[112,14177,14179],{"id":14178},"what-training-requirements-apply-by-framework","What training requirements apply by framework?",[172,14181,14182,14187,14192,14197],{},[175,14183,14184,14186],{},[61,14185,658],{}," — CC1.4 requires that the organization demonstrates a commitment to attract, develop, and retain competent individuals, including security training",[175,14188,14189,14191],{},[61,14190,393],{}," — control A.6.3 requires information security awareness, education, and training",[175,14193,14194,14196],{},[61,14195,402],{}," — the Security Rule requires security awareness and training for all workforce members (45 CFR 164.308(a)(5))",[175,14198,14199,14201],{},[61,14200,411],{}," — Requirement 12.6 requires security awareness training for all personnel upon hire and at least annually",[112,14203,14205],{"id":14204},"how-often-should-training-be-delivered-and-how","How often should training be delivered, and how?",[37,14207,14208],{},"Best practices for training delivery include:",[172,14210,14211,14217,14223,14229,14235],{},[175,14212,14213,14216],{},[61,14214,14215],{},"Upon hire"," — all new employees should complete security awareness training during onboarding",[175,14218,14219,14222],{},[61,14220,14221],{},"Annual refresher"," — all employees should complete refresher training at least annually",[175,14224,14225,14228],{},[61,14226,14227],{},"Role-specific training"," — employees in high-risk roles (developers, administrators, finance) should receive additional targeted training",[175,14230,14231,14234],{},[61,14232,14233],{},"Continuous reinforcement"," — supplement formal training with simulated phishing campaigns, security tips, and brief micro-learning modules throughout the year",[175,14236,14237,14240],{},[61,14238,14239],{},"Triggered training"," — require additional training when an employee fails a phishing simulation or is involved in a security 
incident",[112,14242,14244],{"id":14243},"how-do-you-measure-training-effectiveness","How do you measure training effectiveness?",[37,14246,14247],{},"Training effectiveness should be measured through:",[172,14249,14250,14253,14256,14259,14262],{},[175,14251,14252],{},"Phishing simulation click rates (tracked over time to show improvement)",[175,14254,14255],{},"Training completion rates",[175,14257,14258],{},"Security incident trends related to human factors",[175,14260,14261],{},"Employee knowledge assessments (quizzes or surveys)",[175,14263,14264],{},"Time to report suspicious activity",[112,14266,14268],{"id":14267},"what-training-evidence-do-auditors-look-for","What training evidence do auditors look for?",[37,14270,14271],{},"Auditors expect to see:",[172,14273,14274,14277,14280,14283,14286],{},[175,14275,14276],{},"Training policy documenting requirements and frequency",[175,14278,14279],{},"Records of training completion for all employees",[175,14281,14282],{},"Training content covering relevant topics",[175,14284,14285],{},"Phishing simulation results and trends",[175,14287,14288],{},"Evidence of new hire training",[112,14290,14292],{"id":14291},"how-does-episki-help-with-security-awareness-training","How does episki help with security awareness training?",[37,14294,14295,14296,100],{},"episki tracks security awareness training completion, sends reminders to employees and managers, and maintains training records as compliance evidence. The platform integrates with popular training providers and maps training requirements to framework controls. 
Learn more on our ",[44,14297,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":14299},[14300],{"id":14090,"depth":547,"text":14091,"children":14301},[14302,14303,14304,14305,14306,14307,14308],{"id":14097,"depth":554,"text":14098},{"id":14121,"depth":554,"text":14122},{"id":14178,"depth":554,"text":14179},{"id":14204,"depth":554,"text":14205},{"id":14243,"depth":554,"text":14244},{"id":14267,"depth":554,"text":14268},{"id":14291,"depth":554,"text":14292},{},"\u002Fglossary\u002Fsecurity-awareness-training",[8771,631,8772,8773,8774],[8782,1530,1876,10156],{"title":14314,"description":14315},"What is Security Awareness Training? Definition & Compliance Guide","Security awareness training educates employees about cybersecurity threats and best practices. Learn what to include and how it satisfies compliance requirements.","security-awareness-training","8.glossary\u002Fsecurity-awareness-training","xgD6bzRoOy6RZm_k9NAZRMfP5cKo0j-xLN3LeofSjwI",{"id":14320,"title":14321,"body":14322,"description":546,"extension":578,"lastUpdated":1135,"meta":14516,"navigation":613,"path":14517,"relatedFrameworks":14518,"relatedTerms":14519,"seo":14521,"slug":6726,"stem":14524,"term":14327,"__hash__":14525},"glossary\u002F8.glossary\u002Fservice-auditor.md","Service Auditor",{"type":29,"value":14323,"toc":14505},[14324,14328,14331,14335,14338,14364,14368,14371,14390,14393,14397,14400,14431,14435,14438,14461,14464,14468,14471,14475,14478,14492,14495,14499],[32,14325,14327],{"id":14326},"what-is-a-service-auditor","What is a Service Auditor?",[37,14329,14330],{},"A service auditor is a licensed CPA (Certified Public Accountant) firm that performs attestation engagements, including SOC 1, SOC 2, and SOC 3 examinations, on behalf of service organizations. 
The auditor independently evaluates whether an organization's controls meet the applicable criteria and issues a formal report with their professional opinion.",[112,14332,14334],{"id":14333},"what-is-the-role-of-the-service-auditor","What is the role of the service auditor?",[37,14336,14337],{},"The service auditor's primary responsibilities include:",[172,14339,14340,14346,14352,14358],{},[175,14341,14342,14345],{},[61,14343,14344],{},"Evaluating control design"," — determining whether controls are suitably designed to meet Trust Services Criteria or other applicable standards",[175,14347,14348,14351],{},[61,14349,14350],{},"Testing operating effectiveness"," — for Type II engagements, testing whether controls operated effectively over the observation period",[175,14353,14354,14357],{},[61,14355,14356],{},"Issuing the audit report"," — providing a formal opinion on the organization's controls, including any exceptions identified",[175,14359,14360,14363],{},[61,14361,14362],{},"Maintaining independence"," — the auditor must remain independent from the organization being audited to ensure objectivity",[112,14365,14367],{"id":14366},"what-qualifications-and-standards-apply-to-service-auditors","What qualifications and standards apply to service auditors?",[37,14369,14370],{},"Service auditors must be licensed CPA firms. They perform SOC engagements under professional standards including:",[172,14372,14373,14378,14384],{},[175,14374,14375,14377],{},[61,14376,47],{}," (Statement on Standards for Attestation Engagements No. 18) — the overarching attestation standard in the United States",[175,14379,14380,14383],{},[61,14381,14382],{},"AT-C Section 205"," — the specific standard governing examination engagements",[175,14385,14386,14389],{},[61,14387,14388],{},"AICPA professional standards"," — including ethical requirements, quality control, and continuing education",[37,14391,14392],{},"Not all CPA firms perform SOC audits. 
Firms that specialize in SOC engagements typically have dedicated information security audit teams with relevant technical expertise.",[112,14394,14396],{"id":14395},"how-do-you-select-a-service-auditor","How do you select a service auditor?",[37,14398,14399],{},"Choosing the right auditor impacts the quality and efficiency of your audit. Consider:",[172,14401,14402,14408,14414,14419,14425],{},[175,14403,14404,14407],{},[61,14405,14406],{},"Experience"," — how many SOC 2 audits the firm performs annually, particularly in your industry",[175,14409,14410,14413],{},[61,14411,14412],{},"Technical expertise"," — whether the audit team understands modern cloud infrastructure, SaaS architectures, and security tooling",[175,14415,14416,14418],{},[61,14417,783],{}," — whether the firm is collaborative and responsive, or rigid and difficult to work with",[175,14420,14421,14424],{},[61,14422,14423],{},"Pricing and timeline"," — costs can vary significantly between firms, as can expected timelines",[175,14426,14427,14430],{},[61,14428,14429],{},"Reputation"," — whether the firm's reports are recognized and accepted by your customers and prospects",[112,14432,14434],{"id":14433},"what-should-you-expect-during-a-service-auditor-engagement","What should you expect during a service auditor engagement?",[37,14436,14437],{},"A typical SOC 2 audit engagement includes several phases:",[210,14439,14440,14445,14450,14456],{},[175,14441,14442,14444],{},[61,14443,13309],{}," — the auditor defines scope, identifies key controls, and establishes the testing approach",[175,14446,14447,14449],{},[61,14448,955],{}," — the auditor requests and reviews evidence, conducts interviews, and performs testing procedures",[175,14451,14452,14455],{},[61,14453,14454],{},"Draft review"," — the auditor shares a draft report for the organization to review for factual accuracy",[175,14457,14458,14460],{},[61,14459,967],{}," — the auditor issues the final report with their opinion",[37,14462,14463],{},"During 
fieldwork, the auditor may request documentation such as policies, screenshots, system configurations, access logs, and change records. Prompt and organized responses to these requests significantly reduce audit duration.",[112,14465,14467],{"id":14466},"why-is-service-auditor-independence-required","Why is service auditor independence required?",[37,14469,14470],{},"Independence is a foundational requirement. The auditor cannot provide the consulting services that design the controls they will later audit. Some firms offer readiness assessments through separate teams to maintain independence boundaries, but organizations should confirm the firm's independence policies before engaging.",[112,14472,14474],{"id":14473},"what-are-common-challenges-with-service-auditors","What are common challenges with service auditors?",[37,14476,14477],{},"Organizations often face friction during audits due to:",[172,14479,14480,14483,14486,14489],{},[175,14481,14482],{},"Incomplete or disorganized evidence",[175,14484,14485],{},"Controls that exist in policy but are not consistently executed",[175,14487,14488],{},"Misalignment between the system description and actual practices",[175,14490,14491],{},"Delayed responses to auditor requests",[37,14493,14494],{},"Preparing thoroughly and maintaining organized evidence throughout the year minimizes these issues.",[112,14496,14498],{"id":14497},"how-does-episki-help-with-service-auditors","How does episki help with service auditors?",[37,14500,14501,14502,100],{},"episki organizes your controls and evidence in a structured format that aligns with auditor expectations. The auditor portal provides secure, read-only access so your auditor can review evidence independently, reducing back-and-forth and shortening the fieldwork phase. 
Learn more on our ",[44,14503,14504],{"href":614},"SOC 2 compliance page",{"title":546,"searchDepth":547,"depth":547,"links":14506},[14507],{"id":14326,"depth":547,"text":14327,"children":14508},[14509,14510,14511,14512,14513,14514,14515],{"id":14333,"depth":554,"text":14334},{"id":14366,"depth":554,"text":14367},{"id":14395,"depth":554,"text":14396},{"id":14433,"depth":554,"text":14434},{"id":14466,"depth":554,"text":14467},{"id":14473,"depth":554,"text":14474},{"id":14497,"depth":554,"text":14498},{},"\u002Fglossary\u002Fservice-auditor",[631],[631,14520,6724,6725,1529],"soc2-type-1",{"title":14522,"description":14523},"What is a Service Auditor? Definition & Compliance Guide","A service auditor is a CPA firm that performs SOC 2 and other attestation engagements. Learn how to select an auditor and what to expect during the audit process.","8.glossary\u002Fservice-auditor","qm8IN1bnX0wCH3HLg4egJVTwS4rbNZPP4wJhj-kYD5c",{"id":14527,"title":5,"body":14528,"description":546,"extension":578,"lastUpdated":1135,"meta":14651,"navigation":613,"path":2447,"relatedFrameworks":14652,"relatedTerms":14653,"seo":14654,"slug":631,"stem":14657,"term":35,"__hash__":14658},"glossary\u002F8.glossary\u002Fsoc2.md",{"type":29,"value":14529,"toc":14642},[14530,14532,14535,14538,14541,14568,14571,14574,14586,14589,14593,14596,14599,14602,14633,14637],[32,14531,35],{"id":34},[37,14533,14534],{},"SOC 2 (System and Organization Controls 2) is an auditing framework developed by the AICPA that evaluates how service organizations protect customer data. 
It is one of the most requested security attestation reports for SaaS companies and technology vendors (SOC 2 is an auditor's attestation over your controls, not a certification).",[112,14536,594],{"id":14537},"what-are-the-soc-2-trust-services-criteria",[37,14539,14540],{},"SOC 2 is built around five Trust Services Criteria (TSC):",[172,14542,14543,14548,14553,14558,14563],{},[175,14544,14545,14547],{},[61,14546,5219],{}," (required) — protection against unauthorized access",[175,14549,14550,14552],{},[61,14551,122],{}," — system uptime and operational reliability",[175,14554,14555,14557],{},[61,14556,134],{}," — accurate and complete data processing",[175,14559,14560,14562],{},[61,14561,141],{}," — protection of confidential information",[175,14564,14565,14567],{},[61,14566,153],{}," — handling of personal information per commitments",[37,14569,14570],{},"Most organizations start with Security and add additional criteria based on customer requirements.",[112,14572,586],{"id":14573},"what-is-the-difference-between-soc-2-type-i-and-type-ii",[172,14575,14576,14581],{},[175,14577,14578,14580],{},[61,14579,76],{}," evaluates whether controls are designed appropriately at a specific point in time",[175,14582,14583,14585],{},[61,14584,82],{}," evaluates whether controls operated effectively over a period (typically 3-12 months)",[37,14587,14588],{},"Type II reports carry more weight with enterprise buyers because they demonstrate sustained compliance rather than a single snapshot.",[112,14590,14592],{"id":14591},"who-needs-soc-2","Who needs SOC 2?",[37,14594,14595],{},"SOC 2 is not legally required, but it is effectively mandatory for SaaS companies selling to enterprises. 
Buyers, procurement teams, and security reviewers routinely request SOC 2 reports as part of vendor diligence.",[112,14597,583],{"id":14598},"how-long-does-a-soc-2-audit-take",[37,14600,14601],{},"A typical timeline:",[172,14603,14604,14610,14616,14621,14627],{},[175,14605,14606,14609],{},[61,14607,14608],{},"Readiness assessment:"," 2-4 weeks",[175,14611,14612,14615],{},[61,14613,14614],{},"Remediation:"," 4-12 weeks depending on gaps",[175,14617,14618,14609],{},[61,14619,14620],{},"Type I audit:",[175,14622,14623,14626],{},[61,14624,14625],{},"Observation period for Type II:"," 3-12 months",[175,14628,14629,14632],{},[61,14630,14631],{},"Type II audit:"," 4-6 weeks",[112,14634,14636],{"id":14635},"how-does-episki-help-with-soc-2","How does episki help with SOC 2?",[37,14638,14639,14640,100],{},"episki maps controls to Trust Services Criteria, tracks evidence with ownership and review cadences, and provides auditor portals for streamlined collaboration. Learn more on our ",[44,14641,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":14643},[14644],{"id":34,"depth":547,"text":35,"children":14645},[14646,14647,14648,14649,14650],{"id":14537,"depth":554,"text":594},{"id":14573,"depth":554,"text":586},{"id":14591,"depth":554,"text":14592},{"id":14598,"depth":554,"text":583},{"id":14635,"depth":554,"text":14636},{},[631],[1529,14520,6724,6726,6725],{"title":14655,"description":14656},"What is SOC 2? Compliance Requirements Explained","SOC 2 is an auditing framework for service organizations based on five Trust Services Criteria. 
Learn about SOC 2 Type I vs Type II, audit timelines, and what it takes to get compliant.","8.glossary\u002Fsoc2","o9uC6hQlC9MVugjDvZBvvKcA5FJzrAzuVbqCBjKgWaQ",{"id":14660,"title":14661,"body":14662,"description":546,"extension":578,"lastUpdated":1135,"meta":14794,"navigation":613,"path":14795,"relatedFrameworks":14796,"relatedTerms":14797,"seo":14798,"slug":14520,"stem":14801,"term":14667,"__hash__":14802},"glossary\u002F8.glossary\u002Fsoc2-type-1.md","Soc2 Type 1",{"type":29,"value":14663,"toc":14783},[14664,14668,14671,14675,14678,14681,14707,14709,14712,14724,14727,14731,14733,14753,14757,14760,14764,14767,14771,14774,14778],[32,14665,14667],{"id":14666},"what-is-soc-2-type-i","What is SOC 2 Type I?",[37,14669,14670],{},"A SOC 2 Type I report is an independent auditor's assessment of whether an organization's controls are suitably designed to meet one or more Trust Services Criteria at a specific point in time. Unlike a Type II report, which tests controls over a period, a Type I report provides a snapshot of control design on a single date.",[112,14672,14674],{"id":14673},"how-does-a-soc-2-type-i-audit-work","How does a SOC 2 Type I audit work?",[37,14676,14677],{},"During a Type I engagement, the service auditor examines the organization's system description and the controls management has put in place. 
The auditor evaluates whether those controls, if operating as described, would reasonably achieve the relevant Trust Services Criteria objectives.",[37,14679,14680],{},"The process typically involves:",[210,14682,14683,14689,14695,14701],{},[175,14684,14685,14688],{},[61,14686,14687],{},"System description review"," — the auditor reviews a written description of the organization's system, including infrastructure, software, people, procedures, and data",[175,14690,14691,14694],{},[61,14692,14693],{},"Control identification"," — the auditor identifies the controls relevant to the selected Trust Services Criteria",[175,14696,14697,14700],{},[61,14698,14699],{},"Design assessment"," — the auditor evaluates whether each control is suitably designed to meet its objective",[175,14702,14703,14706],{},[61,14704,14705],{},"Report issuance"," — the auditor produces a report with an opinion on the design of controls as of the specified date",[112,14708,586],{"id":14573},[37,14710,14711],{},"The key differences between Type I and Type II reports:",[172,14713,14714,14719],{},[175,14715,14716,14718],{},[61,14717,5642],{}," assesses control design at a point in time. It answers: \"Are the controls properly designed?\"",[175,14720,14721,14723],{},[61,14722,3742],{}," assesses control design and operating effectiveness over a period (typically 3-12 months). It answers: \"Are the controls working as intended over time?\"",[37,14725,14726],{},"Type I reports are faster and less expensive to obtain, but they carry less weight with enterprise buyers. 
Many organizations use a Type I report as a stepping stone while building toward a Type II.",[112,14728,14730],{"id":14729},"when-should-you-pursue-a-soc-2-type-i-report","When should you pursue a SOC 2 Type I report?",[37,14732,7581],{},[172,14734,14735,14741,14747],{},[175,14736,14737,14740],{},[61,14738,14739],{},"First-time SOC 2"," — organizations new to SOC 2 often start with Type I to validate their control design before committing to an observation period",[175,14742,14743,14746],{},[61,14744,14745],{},"Urgent customer requests"," — when a prospect or customer needs a SOC 2 report quickly and cannot wait for a full Type II observation period",[175,14748,14749,14752],{},[61,14750,14751],{},"Significant system changes"," — after a major infrastructure migration or reorganization, a Type I can confirm the redesigned controls are appropriate",[112,14754,14756],{"id":14755},"what-is-the-timeline-and-cost-of-a-soc-2-type-i","What is the timeline and cost of a SOC 2 Type I?",[37,14758,14759],{},"A Type I audit typically takes 2-4 weeks once the organization is audit-ready. The total timeline including preparation can range from 6-12 weeks. Costs vary based on scope and auditor, but Type I engagements generally cost 30-50% less than Type II engagements.",[112,14761,14763],{"id":14762},"what-are-the-limitations-of-soc-2-type-i","What are the limitations of SOC 2 Type I?",[37,14765,14766],{},"Because a Type I report only evaluates design at a single point in time, it does not demonstrate that controls actually operated effectively. An organization could have well-designed controls that are not consistently followed. This is why sophisticated buyers and security teams prefer Type II reports for ongoing vendor assessment.",[112,14768,14770],{"id":14769},"how-do-you-move-from-soc-2-type-i-to-type-ii","How do you move from SOC 2 Type I to Type II?",[37,14772,14773],{},"Most organizations treat Type I as a milestone, not a destination. 
After obtaining a Type I report, the next step is to enter an observation period (typically 3-6 months for the first Type II) during which the auditor can test operating effectiveness. This transition requires maintaining consistent control execution and evidence collection throughout the observation window.",[112,14775,14777],{"id":14776},"how-does-episki-help-with-soc-2-type-i","How does episki help with SOC 2 Type I?",[37,14779,14780,14781,100],{},"episki streamlines Type I readiness by mapping your existing controls to Trust Services Criteria, identifying design gaps, and organizing evidence for your auditor. When you are ready to progress to Type II, episki's continuous evidence collection ensures you are building a track record from day one. Learn more on our ",[44,14782,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":14784},[14785],{"id":14666,"depth":547,"text":14667,"children":14786},[14787,14788,14789,14790,14791,14792,14793],{"id":14673,"depth":554,"text":14674},{"id":14573,"depth":554,"text":586},{"id":14729,"depth":554,"text":14730},{"id":14755,"depth":554,"text":14756},{"id":14762,"depth":554,"text":14763},{"id":14769,"depth":554,"text":14770},{"id":14776,"depth":554,"text":14777},{},"\u002Fglossary\u002Fsoc2-type-1",[631],[631,6724,1529,6726],{"title":14799,"description":14800},"What is SOC 2 Type I? Definition & Compliance Guide","A SOC 2 Type I report evaluates whether an organization's controls are properly designed at a specific point in time. 
Learn how it differs from Type II.","8.glossary\u002Fsoc2-type-1","EHxT6-1DQjMWGjjg7PrkF69NI3OUmcc7dNHXFjmXXSk",{"id":14804,"title":14805,"body":14806,"description":546,"extension":578,"lastUpdated":1135,"meta":14963,"navigation":613,"path":94,"relatedFrameworks":14964,"relatedTerms":14965,"seo":14966,"slug":6724,"stem":14969,"term":14811,"__hash__":14970},"glossary\u002F8.glossary\u002Fsoc2-type-2.md","Soc2 Type 2",{"type":29,"value":14807,"toc":14952},[14808,14812,14815,14819,14822,14853,14857,14860,14863,14867,14870,14896,14900,14903,14926,14929,14933,14936,14940,14943,14947],[32,14809,14811],{"id":14810},"what-is-soc-2-type-ii","What is SOC 2 Type II?",[37,14813,14814],{},"A SOC 2 Type II report is an independent auditor's assessment of whether an organization's controls are suitably designed and operating effectively over a defined period of time, typically ranging from 3 to 12 months. It is considered the gold standard for demonstrating security posture to customers and partners.",[112,14816,14818],{"id":14817},"how-does-a-soc-2-type-ii-audit-work","How does a SOC 2 Type II audit work?",[37,14820,14821],{},"A Type II engagement goes beyond evaluating control design. The auditor tests whether controls actually operated as intended throughout the observation period. 
This involves:",[210,14823,14824,14829,14835,14841,14847],{},[175,14825,14826,14828],{},[61,14827,989],{}," — the organization operates its controls for a defined window (commonly 6 or 12 months for mature programs, sometimes 3 months for a first Type II)",[175,14830,14831,14834],{},[61,14832,14833],{},"Evidence sampling"," — the auditor selects samples of evidence from across the observation period to verify controls were consistently executed",[175,14836,14837,14840],{},[61,14838,14839],{},"Testing procedures"," — the auditor performs inquiry, observation, inspection, and re-performance to test each control",[175,14842,14843,14846],{},[61,14844,14845],{},"Exception identification"," — any instances where controls did not operate as designed are documented as exceptions",[175,14848,14849,14852],{},[61,14850,14851],{},"Opinion issuance"," — the auditor issues a report with an opinion on both design suitability and operating effectiveness",[112,14854,14856],{"id":14855},"why-does-soc-2-type-ii-matter","Why does SOC 2 Type II matter?",[37,14858,14859],{},"Enterprise buyers, procurement teams, and security reviewers strongly prefer Type II reports because they demonstrate sustained compliance rather than a point-in-time snapshot. A Type II report provides assurance that security controls are not just designed on paper but are consistently followed in practice.",[37,14861,14862],{},"Many enterprise vendor assessment processes require a current Type II report. 
Without one, sales cycles can stall or deals can be lost to competitors who have the report.",[112,14864,14866],{"id":14865},"what-are-observation-period-considerations-for-soc-2-type-ii","What are observation period considerations for SOC 2 Type II?",[37,14868,14869],{},"The observation period is a critical element of a Type II audit:",[172,14871,14872,14878,14884,14890],{},[175,14873,14874,14877],{},[61,14875,14876],{},"First Type II"," — a 3-month observation period is common for organizations transitioning from Type I",[175,14879,14880,14883],{},[61,14881,14882],{},"Subsequent reports"," — most organizations move to a 12-month observation period to align with annual renewal cycles",[175,14885,14886,14889],{},[61,14887,14888],{},"Gap periods"," — if there is a gap between the end of one report period and the start of the next, customers may flag this as a concern",[175,14891,14892,14895],{},[61,14893,14894],{},"Bridge letters"," — some organizations provide bridge letters to cover gaps between report periods",[112,14897,14899],{"id":14898},"what-do-soc-2-type-ii-auditors-test","What do SOC 2 Type II auditors test?",[37,14901,14902],{},"During a Type II audit, auditors examine evidence such as:",[172,14904,14905,14908,14911,14914,14917,14920,14923],{},[175,14906,14907],{},"Access review documentation and approvals",[175,14909,14910],{},"Change management tickets and approval workflows",[175,14912,14913],{},"Security monitoring alerts and response records",[175,14915,14916],{},"Employee onboarding and offboarding checklists",[175,14918,14919],{},"Vendor assessment records",[175,14921,14922],{},"Incident response logs",[175,14924,14925],{},"Backup and recovery test results",[37,14927,14928],{},"The auditor selects samples across the full observation period to confirm controls operated consistently, not just at the beginning or end.",[112,14930,14932],{"id":14931},"what-are-exceptions-and-qualified-opinions-in-soc-2","What are exceptions and qualified opinions in 
SOC 2?",[37,14934,14935],{},"If a control did not operate effectively for some portion of the period, the auditor documents an exception. A small number of exceptions does not necessarily result in a qualified opinion, but significant or pervasive exceptions can. Organizations should address exceptions promptly and implement corrective actions.",[112,14937,14939],{"id":14938},"how-do-you-maintain-continuous-compliance-after-soc-2-type-ii","How do you maintain continuous compliance after SOC 2 Type II?",[37,14941,14942],{},"The biggest challenge with Type II is not passing the first audit — it is maintaining compliance year after year. Controls must be executed consistently, evidence must be collected on schedule, and new risks must be addressed as they emerge.",[112,14944,14946],{"id":14945},"how-does-episki-help-with-soc-2-type-ii","How does episki help with SOC 2 Type II?",[37,14948,14949,14950,100],{},"episki automates evidence collection on recurring schedules, sends reminders to control owners, and maintains a complete audit trail throughout your observation period. When your auditor arrives, evidence is organized and ready for review. Learn more on our ",[44,14951,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":14953},[14954],{"id":14810,"depth":547,"text":14811,"children":14955},[14956,14957,14958,14959,14960,14961,14962],{"id":14817,"depth":554,"text":14818},{"id":14855,"depth":554,"text":14856},{"id":14865,"depth":554,"text":14866},{"id":14898,"depth":554,"text":14899},{"id":14931,"depth":554,"text":14932},{"id":14938,"depth":554,"text":14939},{"id":14945,"depth":554,"text":14946},{},[631],[631,14520,1529,6726,1876],{"title":14967,"description":14968},"What is SOC 2 Type II? Definition & Compliance Guide","A SOC 2 Type II report evaluates whether controls operated effectively over a period of time. 
Learn about observation periods, audit processes, and requirements.","8.glossary\u002Fsoc2-type-2","Lt5yNICwvtnPL68-78__bdkfP_05abKmQbB56jmwocg",{"id":14972,"title":14973,"body":14974,"description":546,"extension":578,"lastUpdated":1135,"meta":15132,"navigation":613,"path":46,"relatedFrameworks":15133,"relatedTerms":15134,"seo":15135,"slug":6725,"stem":15138,"term":14979,"__hash__":15139},"glossary\u002F8.glossary\u002Fssae-18.md","Ssae 18",{"type":29,"value":14975,"toc":15122},[14976,14980,14983,14987,14990,15016,15019,15023,15026,15043,15046,15050,15053,15079,15083,15086,15100,15103,15107,15110,15113,15117],[32,14977,14979],{"id":14978},"what-is-ssae-18","What is SSAE 18?",[37,14981,14982],{},"SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the professional standard issued by the AICPA that governs how attestation engagements, including SOC 1, SOC 2, and SOC 3 examinations, are performed in the United States. It provides the authoritative guidance that service auditors must follow when conducting these engagements.",[112,14984,14986],{"id":14985},"what-is-the-background-and-history-of-ssae-18","What is the background and history of SSAE 18?",[37,14988,14989],{},"SSAE 18 replaced SSAE 16 in May 2017. 
The update introduced several important changes:",[172,14991,14992,14998,15004,15010],{},[175,14993,14994,14997],{},[61,14995,14996],{},"Risk assessment requirements"," — auditors must perform a formal risk assessment as part of planning the engagement",[175,14999,15000,15003],{},[61,15001,15002],{},"Monitoring of subservice organizations"," — organizations that use subservice providers (such as cloud hosting providers) must demonstrate monitoring of those providers' controls",[175,15005,15006,15009],{},[61,15007,15008],{},"Written assertion"," — management must provide a written assertion about the effectiveness of their controls",[175,15011,15012,15015],{},[61,15013,15014],{},"Clarified engagement standards"," — the standard consolidated and clarified previous attestation guidance",[37,15017,15018],{},"These changes strengthened the rigor of SOC engagements and aligned US attestation standards more closely with international practices.",[112,15020,15022],{"id":15021},"how-does-ssae-18-relate-to-soc-reports","How does SSAE 18 relate to SOC reports?",[37,15024,15025],{},"SSAE 18 is the umbrella standard under which SOC reports are issued:",[172,15027,15028,15033,15038],{},[175,15029,15030,15032],{},[61,15031,6247],{}," — examines controls relevant to user entities' financial reporting (performed under AT-C Section 320)",[175,15034,15035,15037],{},[61,15036,658],{}," — examines controls related to security, availability, processing integrity, confidentiality, and privacy (performed under AT-C Section 205)",[175,15039,15040,15042],{},[61,15041,6252],{}," — a general-use version of SOC 2 with a shortened report format",[37,15044,15045],{},"The standard defines the auditor's responsibilities, the required elements of the report, and the criteria for issuing opinions.",[112,15047,15049],{"id":15048},"what-are-the-key-requirements-under-ssae-18","What are the key requirements under SSAE 18?",[37,15051,15052],{},"Organizations undergoing SOC engagements should understand 
several key requirements:",[172,15054,15055,15061,15067,15073],{},[175,15056,15057,15060],{},[61,15058,15059],{},"Management's assertion"," — the organization's management must formally assert that their system description is accurate and that controls are suitably designed (and operating effectively for Type II)",[175,15062,15063,15066],{},[61,15064,15065],{},"Subservice organization oversight"," — if the organization relies on third-party providers (such as AWS, Azure, or a data center), it must demonstrate how it monitors those providers' controls",[175,15068,15069,15072],{},[61,15070,15071],{},"System description"," — the organization must prepare a detailed description of its system, including infrastructure, software, people, procedures, and data",[175,15074,15075,15078],{},[61,15076,15077],{},"Control environment"," — the organization must maintain a defined control environment with clear ownership and accountability",[112,15080,15082],{"id":15081},"how-does-ssae-18-treat-subservice-organizations","How does SSAE 18 treat subservice organizations?",[37,15084,15085],{},"One of the most significant aspects of SSAE 18 is the treatment of subservice organizations. 
Companies can present subservice organizations in their SOC report using one of two methods:",[172,15087,15088,15094],{},[175,15089,15090,15093],{},[61,15091,15092],{},"Inclusive method"," — the subservice organization's controls are included within the scope of the report",[175,15095,15096,15099],{},[61,15097,15098],{},"Carve-out method"," — the subservice organization's controls are excluded from scope, and the report notes that certain controls are the responsibility of the subservice organization",[37,15101,15102],{},"Most organizations use the carve-out method, referencing their cloud provider's own SOC 2 report as complementary evidence.",[112,15104,15106],{"id":15105},"why-does-ssae-18-matter","Why does SSAE 18 matter?",[37,15108,15109],{},"Understanding SSAE 18 helps organizations prepare more effectively for SOC engagements. It sets expectations for what auditors will require and what management must provide. Organizations that are unfamiliar with these requirements often face delays and additional costs during the audit process.",[37,15111,15112],{},"For buyers reviewing SOC 2 reports, understanding that the report was issued under SSAE 18 provides confidence that it meets a rigorous professional standard.",[112,15114,15116],{"id":15115},"how-does-episki-help-with-ssae-18","How does episki help with SSAE 18?",[37,15118,15119,15120,100],{},"episki structures your compliance program to align with SSAE 18 requirements, including system description preparation, subservice organization tracking, and management assertion documentation. This ensures your organization is audit-ready when the service auditor begins their engagement. 
Learn more on our ",[44,15121,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":15123},[15124],{"id":14978,"depth":547,"text":14979,"children":15125},[15126,15127,15128,15129,15130,15131],{"id":14985,"depth":554,"text":14986},{"id":15021,"depth":554,"text":15022},{"id":15048,"depth":554,"text":15049},{"id":15081,"depth":554,"text":15082},{"id":15105,"depth":554,"text":15106},{"id":15115,"depth":554,"text":15116},{},[631],[631,6726,14520,6724],{"title":15136,"description":15137},"What is SSAE 18? Definition & Compliance Guide","SSAE 18 is the attestation standard governing SOC 1, SOC 2, and SOC 3 audits in the United States. Learn how it shapes audit requirements and reporting.","8.glossary\u002Fssae-18","NaTe99emRS8D5qz9QNNVptILFWyKwKCnH1XjCtiNv6s",{"id":15141,"title":15142,"body":15143,"description":546,"extension":578,"lastUpdated":1135,"meta":15352,"navigation":613,"path":8037,"relatedFrameworks":15353,"relatedTerms":15354,"seo":15356,"slug":8221,"stem":15359,"term":15148,"__hash__":15360},"glossary\u002F8.glossary\u002Fthird-party-risk.md","Third Party Risk",{"type":29,"value":15144,"toc":15342},[15145,15149,15152,15156,15159,15203,15207,15210,15242,15246,15249,15276,15280,15283,15326,15330,15333,15337],[32,15146,15148],{"id":15147},"what-is-third-party-risk","What is Third-Party Risk?",[37,15150,15151],{},"Third-party risk is the potential for negative outcomes — including data breaches, operational disruptions, compliance violations, and reputational damage — arising from an organization's relationships with external vendors, partners, and service providers. 
As modern organizations depend on extensive networks of third parties, managing this risk has become a critical discipline within information security and compliance programs.",[112,15153,15155],{"id":15154},"what-are-the-types-of-third-party-risk","What are the types of third-party risk?",[37,15157,15158],{},"Third-party risk encompasses several categories:",[172,15160,15161,15167,15173,15179,15185,15191,15197],{},[175,15162,15163,15166],{},[61,15164,15165],{},"Security risk"," — the vendor's security weaknesses could lead to unauthorized access to your data or systems",[175,15168,15169,15172],{},[61,15170,15171],{},"Compliance risk"," — the vendor's practices may not meet regulatory requirements, creating liability for your organization",[175,15174,15175,15178],{},[61,15176,15177],{},"Operational risk"," — vendor outages, service failures, or business disruptions could impact your operations",[175,15180,15181,15184],{},[61,15182,15183],{},"Financial risk"," — vendor financial instability could threaten service continuity",[175,15186,15187,15190],{},[61,15188,15189],{},"Reputational risk"," — a vendor's public security incident or ethical violation could damage your brand",[175,15192,15193,15196],{},[61,15194,15195],{},"Strategic risk"," — over-reliance on a single vendor creates concentration risk",[175,15198,15199,15202],{},[61,15200,15201],{},"Data risk"," — the vendor may mishandle, lose, or improperly disclose your data",[112,15204,15206],{"id":15205},"why-is-third-party-risk-growing","Why is third-party risk growing?",[37,15208,15209],{},"Several trends are increasing third-party risk exposure:",[172,15211,15212,15218,15224,15230,15236],{},[175,15213,15214,15217],{},[61,15215,15216],{},"Cloud adoption"," — organizations store sensitive data with cloud providers and SaaS applications",[175,15219,15220,15223],{},[61,15221,15222],{},"Supply chain complexity"," — vendors use their own vendors (fourth parties), creating layers of 
risk",[175,15225,15226,15229],{},[61,15227,15228],{},"Data sharing"," — business processes increasingly require sharing data with external parties",[175,15231,15232,15235],{},[61,15233,15234],{},"Remote work"," — distributed workforces rely on more external tools and services",[175,15237,15238,15241],{},[61,15239,15240],{},"Regulatory expansion"," — regulators increasingly hold organizations accountable for their vendors' practices",[112,15243,15245],{"id":15244},"how-do-compliance-frameworks-address-third-party-risk","How do compliance frameworks address third-party risk?",[37,15247,15248],{},"Compliance frameworks address third-party risk explicitly:",[172,15250,15251,15256,15261,15266,15271],{},[175,15252,15253,15255],{},[61,15254,658],{}," — CC9.2 requires assessing risks from vendor relationships. The SSAE 18 standard also requires monitoring subservice organizations.",[175,15257,15258,15260],{},[61,15259,393],{}," — Annex A controls A.5.19 through A.5.23 (ISO 27001:2022) address supplier relationship security, including policies, supplier agreements, the ICT supply chain, monitoring of supplier services, and use of cloud services",[175,15262,15263,15265],{},[61,15264,6581],{}," — in CSF 2.0 the Govern function includes a dedicated supply chain risk management category, GV.SC",[175,15267,15268,15270],{},[61,15269,402],{}," — requires BAAs with business associates and oversight of how they handle PHI",[175,15272,15273,15275],{},[61,15274,411],{}," — Requirement 12.8 requires maintaining and monitoring service provider relationships",[112,15277,15279],{"id":15278},"how-do-you-manage-third-party-risk","How do you manage third-party risk?",[37,15281,15282],{},"Effective third-party risk management involves:",[210,15284,15285,15291,15297,15302,15308,15314,15320],{},[175,15286,15287,15290],{},[61,15288,15289],{},"Inventory"," — know all your third parties and what data or systems they can access",[175,15292,15293,15296],{},[61,15294,15295],{},"Assess"," — evaluate each third party's security posture before and during the relationship",[175,15298,15299,15301],{},[61,15300,2650],{}," — 
classify third parties by risk level to allocate assessment effort appropriately",[175,15303,15304,15307],{},[61,15305,15306],{},"Contract"," — include security requirements, breach notification clauses, and audit rights",[175,15309,15310,15313],{},[61,15311,15312],{},"Monitor"," — continuously track vendor security posture, not just at onboarding",[175,15315,15316,15319],{},[61,15317,15318],{},"Respond"," — have plans for responding to vendor incidents, including data breaches and service outages",[175,15321,15322,15325],{},[61,15323,15324],{},"Exit"," — plan for vendor transitions, ensuring data is returned or destroyed and access is revoked",[112,15327,15329],{"id":15328},"what-is-fourth-party-risk","What is fourth-party risk?",[37,15331,15332],{},"An often-overlooked dimension is fourth-party risk — the risk from your vendors' vendors. If your SaaS provider stores data on a cloud platform that is breached, you are affected even though you have no direct relationship with the cloud provider. Understanding and addressing fourth-party risk requires knowing your vendors' critical subservice organizations.",[112,15334,15336],{"id":15335},"how-does-episki-help-with-third-party-risk","How does episki help with third-party risk?",[37,15338,15339,15340,100],{},"episki provides a centralized platform for managing third-party risk, including vendor inventories, risk assessments, contract tracking, and continuous monitoring. The platform maps vendor relationships to compliance framework requirements and flags vendors that require reassessment. 
Learn more on our ",[44,15341,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":15343},[15344],{"id":15147,"depth":547,"text":15148,"children":15345},[15346,15347,15348,15349,15350,15351],{"id":15154,"depth":554,"text":15155},{"id":15205,"depth":554,"text":15206},{"id":15244,"depth":554,"text":15245},{"id":15278,"depth":554,"text":15279},{"id":15328,"depth":554,"text":15329},{"id":15335,"depth":554,"text":15336},{},[631,8772,8775],[8222,8223,12928,15355],"business-associate",{"title":15357,"description":15358},"What is Third-Party Risk? Definition & Compliance Guide","Third-party risk is the potential for security incidents, data breaches, or operational disruption originating from your vendors and service providers.","8.glossary\u002Fthird-party-risk","Dxu5bTWIkyoD6ZHRPLQgh07uV8r8_KtcEKritXx39Ao",{"id":15362,"title":55,"body":15363,"description":546,"extension":578,"lastUpdated":1135,"meta":15494,"navigation":613,"path":99,"relatedFrameworks":15495,"relatedTerms":15496,"seo":15497,"slug":1529,"stem":15500,"term":15368,"__hash__":15501},"glossary\u002F8.glossary\u002Ftrust-services-criteria.md",{"type":29,"value":15364,"toc":15484},[15365,15369,15372,15376,15379,15406,15410,15413,15416,15420,15423,15452,15455,15459,15462,15465,15469,15472,15475,15479],[32,15366,15368],{"id":15367},"what-is-trust-services-criteria","What is Trust Services Criteria?",[37,15370,15371],{},"Trust Services Criteria (TSC) are the foundational categories defined by the American Institute of Certified Public Accountants (AICPA) that form the basis of SOC 2 audits. They provide a structured set of principles against which a service organization's controls are evaluated. 
Understanding TSC is essential for any company pursuing SOC 2 compliance.",[112,15373,15375],{"id":15374},"what-are-the-five-trust-services-criteria-categories","What are the five Trust Services Criteria categories?",[37,15377,15378],{},"The Trust Services Criteria are organized into five categories:",[172,15380,15381,15386,15391,15396,15401],{},[175,15382,15383,15385],{},[61,15384,5219],{}," — the only required category in every SOC 2 engagement, covering protection of systems and data against unauthorized access, both physical and logical",[175,15387,15388,15390],{},[61,15389,122],{}," — addresses whether systems are operational and accessible as committed in service-level agreements or contracts",[175,15392,15393,15395],{},[61,15394,134],{}," — evaluates whether system processing is complete, valid, accurate, timely, and authorized",[175,15397,15398,15400],{},[61,15399,141],{}," — focuses on protecting information designated as confidential, such as trade secrets, intellectual property, or business plans",[175,15402,15403,15405],{},[61,15404,153],{}," — concerns the collection, use, retention, disclosure, and disposal of personal information in accordance with an organization's privacy notice",[112,15407,15409],{"id":15408},"how-does-the-trust-services-criteria-relate-to-soc-2","How does the Trust Services Criteria relate to SOC 2?",[37,15411,15412],{},"Every SOC 2 audit is built around one or more Trust Services Criteria. The Security category (also known as the Common Criteria) is mandatory. Organizations then select additional categories based on the nature of their services and what their customers or prospects require.",[37,15414,15415],{},"For example, a cloud infrastructure provider may include Availability because uptime guarantees are central to its business. A data analytics company might include Processing Integrity to demonstrate accuracy of its outputs. 
A healthcare SaaS product may include Privacy to address handling of personal information.",[112,15417,15419],{"id":15418},"what-are-the-common-criteria-cc-series","What are the Common Criteria (CC series)?",[37,15421,15422],{},"The Security category is broken into a series of Common Criteria points (CC1 through CC9) that address topics like:",[172,15424,15425,15428,15431,15434,15437,15440,15443,15446,15449],{},[175,15426,15427],{},"CC1: Control environment",[175,15429,15430],{},"CC2: Communication and information",[175,15432,15433],{},"CC3: Risk assessment",[175,15435,15436],{},"CC4: Monitoring activities",[175,15438,15439],{},"CC5: Control activities",[175,15441,15442],{},"CC6: Logical and physical access controls",[175,15444,15445],{},"CC7: System operations",[175,15447,15448],{},"CC8: Change management",[175,15450,15451],{},"CC9: Risk mitigation",[37,15453,15454],{},"These Common Criteria points also serve as a foundation for the other four categories. Additional criteria specific to Availability, Processing Integrity, Confidentiality, and Privacy supplement the common set.",[112,15456,15458],{"id":15457},"why-does-tsc-matter-for-your-organization","Why does TSC matter for your organization?",[37,15460,15461],{},"Selecting the right Trust Services Criteria directly impacts the scope, cost, and duration of your SOC 2 audit. Choosing too few categories might not satisfy customer requirements. 
Choosing too many can increase the number of controls you need to implement and the evidence you need to collect, driving up both effort and audit fees.",[37,15463,15464],{},"A strategic approach is to start with Security (required) and one or two additional categories that align with customer demand, then expand over time as your compliance program matures.",[112,15466,15468],{"id":15467},"how-do-you-map-controls-to-the-trust-services-criteria","How do you map controls to the Trust Services Criteria?",[37,15470,15471],{},"Each Trust Services Criteria category includes specific points of focus that guide what controls should exist. Organizations must map their internal controls to these points and collect evidence showing the controls are designed and operating effectively.",[37,15473,15474],{},"This mapping exercise is a core part of SOC 2 readiness. It identifies gaps where new controls are needed and highlights areas where existing processes already satisfy the criteria.",[112,15476,15478],{"id":15477},"how-does-episki-help-with-the-trust-services-criteria","How does episki help with the Trust Services Criteria?",[37,15480,15481,15482,100],{},"episki provides pre-built control mappings to all five Trust Services Criteria categories, making it straightforward to see which controls satisfy which criteria points. The platform tracks evidence collection tied to each control and flags gaps before your auditor arrives. Learn more on our ",[44,15483,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":15485},[15486],{"id":15367,"depth":547,"text":15368,"children":15487},[15488,15489,15490,15491,15492,15493],{"id":15374,"depth":554,"text":15375},{"id":15408,"depth":554,"text":15409},{"id":15418,"depth":554,"text":15419},{"id":15457,"depth":554,"text":15458},{"id":15467,"depth":554,"text":15468},{"id":15477,"depth":554,"text":15478},{},[631],[631,14520,6724,9251],{"title":15498,"description":15499},"What is Trust Services Criteria? 
Definition & Compliance Guide","Trust Services Criteria (TSC) are the five categories used in SOC 2 audits to evaluate security, availability, processing integrity, confidentiality, and privacy.","8.glossary\u002Ftrust-services-criteria","nEmxG65hj-8eFizc3Ll2FuMeEAy41rX5qokFQSqeh34",{"id":15503,"title":15504,"body":15505,"description":546,"extension":578,"lastUpdated":1135,"meta":15671,"navigation":613,"path":15672,"relatedFrameworks":15673,"relatedTerms":15674,"seo":15675,"slug":8778,"stem":15678,"term":15510,"__hash__":15679},"glossary\u002F8.glossary\u002Fuser-entity-controls.md","User Entity Controls",{"type":29,"value":15506,"toc":15660},[15507,15511,15514,15518,15521,15524,15528,15531,15565,15569,15572,15575,15579,15582,15608,15612,15615,15641,15645,15648,15651,15655],[32,15508,15510],{"id":15509},"what-are-user-entity-controls","What are User Entity Controls?",[37,15512,15513],{},"User entity controls (UECs) are controls that a service organization expects its customers (user entities) to implement in order for the service organization's own controls to function effectively. They represent the shared responsibility between a service provider and its customers within a SOC 2 or SOC 1 reporting framework.",[112,15515,15517],{"id":15516},"why-do-user-entity-controls-exist","Why do user entity controls exist?",[37,15519,15520],{},"No service organization operates in complete isolation. The security of a system depends not only on the provider's controls but also on how customers use the service. 
For example, a SaaS platform may enforce role-based access control, but if the customer assigns administrator privileges to every employee, the control environment breaks down.",[37,15522,15523],{},"UECs acknowledge this shared responsibility by explicitly listing what the customer must do on their end.",[112,15525,15527],{"id":15526},"what-are-common-examples-of-uecs","What are common examples of UECs?",[37,15529,15530],{},"User entity controls frequently address:",[172,15532,15533,15538,15544,15549,15555,15560],{},[175,15534,15535,15537],{},[61,15536,6025],{}," — customers are responsible for managing their own user accounts, including timely deactivation when employees leave",[175,15539,15540,15543],{},[61,15541,15542],{},"Password policies"," — customers should enforce strong password requirements for their users",[175,15545,15546,15548],{},[61,15547,14144],{}," — customers must classify and protect sensitive data according to their own policies before sharing it with the service provider",[175,15550,15551,15554],{},[61,15552,15553],{},"Configuration management"," — customers are responsible for properly configuring security settings within the platform",[175,15556,15557,15559],{},[61,15558,12288],{}," — customers should review audit logs and activity reports provided by the service organization",[175,15561,15562,15564],{},[61,15563,14162],{}," — customers should promptly report suspected security incidents to the service provider",[112,15566,15568],{"id":15567},"where-do-user-entity-controls-appear-in-soc-2-reports","Where do user entity controls appear in SOC 2 reports?",[37,15570,15571],{},"UECs are documented in the service organization's SOC 2 report, typically in a section titled \"Complementary User Entity Controls\" or similar. The service auditor includes these to clarify the boundaries of the service organization's control environment.",[37,15573,15574],{},"When a customer reads a SOC 2 report, they should pay close attention to the UECs section. 
If the customer is not implementing these controls, the overall assurance provided by the SOC 2 report is diminished.",[112,15576,15578],{"id":15577},"what-are-the-service-organization-responsibilities-for-uecs","What are the service organization responsibilities for UECs?",[37,15580,15581],{},"Service organizations should:",[172,15583,15584,15590,15596,15602],{},[175,15585,15586,15589],{},[61,15587,15588],{},"Clearly define UECs"," — be specific about what customers need to do, avoiding vague or overly broad statements",[175,15591,15592,15595],{},[61,15593,15594],{},"Communicate UECs to customers"," — proactively share UEC expectations during onboarding and in security documentation",[175,15597,15598,15601],{},[61,15599,15600],{},"Provide enablement"," — offer tools, configurations, and documentation that make it easy for customers to implement UECs",[175,15603,15604,15607],{},[61,15605,15606],{},"Review regularly"," — update UECs as the platform evolves and new features or risks emerge",[112,15609,15611],{"id":15610},"what-are-the-user-entity-responsibilities-for-uecs","What are the user entity responsibilities for UECs?",[37,15613,15614],{},"Customers who receive SOC 2 reports from their vendors should:",[172,15616,15617,15623,15629,15635],{},[175,15618,15619,15622],{},[61,15620,15621],{},"Review the UECs section"," — understand what controls they are expected to implement",[175,15624,15625,15628],{},[61,15626,15627],{},"Assess their own compliance"," — verify that their internal processes satisfy the stated UECs",[175,15630,15631,15634],{},[61,15632,15633],{},"Document their controls"," — if the customer is also subject to audits, demonstrate that vendor UECs are addressed",[175,15636,15637,15640],{},[61,15638,15639],{},"Follow up on gaps"," — if a UEC cannot be met, discuss alternative mitigations with the service provider",[112,15642,15644],{"id":15643},"how-do-uecs-relate-to-the-shared-responsibility-model","How do UECs relate to the shared responsibility 
model?",[37,15646,15647],{},"The concept of user entity controls aligns closely with the shared responsibility model popularized by cloud providers. Just as AWS or Azure define which security responsibilities belong to the provider and which belong to the customer, UECs in a SOC 2 report define the same boundary for any service organization.",[37,15649,15650],{},"Understanding and implementing UECs is critical for organizations that rely on third-party services and want to maintain a robust security posture.",[112,15652,15654],{"id":15653},"how-does-episki-help-with-user-entity-controls","How does episki help with user entity controls?",[37,15656,15657,15658,100],{},"episki helps service organizations define and document user entity controls as part of their compliance program. For customers evaluating vendors, episki tracks which UECs apply to each vendor relationship and monitors whether your internal controls satisfy those requirements. Learn more on our ",[44,15659,14504],{"href":614},{"title":546,"searchDepth":547,"depth":547,"links":15661},[15662],{"id":15509,"depth":547,"text":15510,"children":15663},[15664,15665,15666,15667,15668,15669,15670],{"id":15516,"depth":554,"text":15517},{"id":15526,"depth":554,"text":15527},{"id":15567,"depth":554,"text":15568},{"id":15577,"depth":554,"text":15578},{"id":15610,"depth":554,"text":15611},{"id":15643,"depth":554,"text":15644},{"id":15653,"depth":554,"text":15654},{},"\u002Fglossary\u002Fuser-entity-controls",[631],[631,6724,9251,1529],{"title":15676,"description":15677},"What are User Entity Controls? 
Definition & Compliance Guide","User entity controls (UECs) are controls that a service organization's customers must implement for the overall control environment to be effective.","8.glossary\u002Fuser-entity-controls","32EB6hy0vFvSbHlg-xETyvmzqRW8AopUI9_EGmafvAU",{"id":15681,"title":15682,"body":15683,"description":546,"extension":578,"lastUpdated":1135,"meta":16272,"navigation":613,"path":13847,"relatedFrameworks":16273,"relatedTerms":16274,"seo":16276,"slug":8222,"stem":16279,"term":15688,"__hash__":16280},"glossary\u002F8.glossary\u002Fvendor-risk-management.md","Vendor Risk Management",{"type":29,"value":15684,"toc":16259},[15685,15689,15692,15696,15699,15726,15730,15733,15739,15753,15758,15772,15778,15792,15798,15815,15821,15835,15839,15842,15891,15895,15912,15916,15919,15985,15990,15995,16010,16015,16024,16028,16031,16037,16054,16060,16077,16083,16097,16103,16114,16120,16124,16127,16133,16139,16145,16151,16164,16168,16171,16177,16212,16218,16247,16250,16254],[32,15686,15688],{"id":15687},"what-is-vendor-risk-management","What is Vendor Risk Management?",[37,15690,15691],{},"Vendor risk management (VRM) is the process of identifying, assessing, monitoring, and mitigating risks associated with third-party vendors and service providers. As organizations increasingly rely on external partners for critical services — from cloud infrastructure to payroll processing — the security of those vendors directly impacts the organization's own risk posture.",[112,15693,15695],{"id":15694},"why-does-vendor-risk-management-matter","Why does vendor risk management matter?",[37,15697,15698],{},"Third-party vendors are a leading source of data breaches and security incidents. When a vendor that handles your data is compromised, you are compromised. 
Compliance frameworks recognize this reality:",[172,15700,15701,15706,15711,15716,15721],{},[175,15702,15703,15705],{},[61,15704,658],{}," — CC9.2 requires organizations to assess and manage risks associated with vendors and business partners",[175,15707,15708,15710],{},[61,15709,393],{}," — controls A.5.19 through A.5.23 address information security in supplier relationships",[175,15712,15713,15715],{},[61,15714,6581],{}," — supply chain risk management is a dedicated category, ID.SC under the Identify function in CSF 1.1 and GV.SC under the Govern function in CSF 2.0",[175,15717,15718,15720],{},[61,15719,402],{}," — requires Business Associate Agreements with vendors handling PHI",[175,15722,15723,15725],{},[61,15724,411],{}," — requires monitoring of service provider PCI DSS compliance",[112,15727,15729],{"id":15728},"what-are-the-components-of-a-vrm-program","What are the components of a VRM program?",[37,15731,15732],{},"An effective vendor risk management program includes:",[37,15734,15735,15738],{},[61,15736,15737],{},"Vendor inventory"," — maintain a complete list of all third-party vendors, including:",[172,15740,15741,15744,15747,15750],{},[175,15742,15743],{},"What services they provide",[175,15745,15746],{},"What data they can access",[175,15748,15749],{},"Their criticality to business operations",[175,15751,15752],{},"Contract terms and renewal dates",[37,15754,15755,15757],{},[61,15756,2247],{}," — evaluate each vendor's security posture through:",[172,15759,15760,15763,15766,15769],{},[175,15761,15762],{},"Security questionnaires (SIG, CAIQ, or custom)",[175,15764,15765],{},"Review of compliance reports (SOC 2, ISO 27001 certificates)",[175,15767,15768],{},"Technical assessments when appropriate",[175,15770,15771],{},"Review of publicly available security information",[37,15773,15774,15777],{},[61,15775,15776],{},"Risk tiering"," — classify vendors by risk level based on:",[172,15779,15780,15783,15786,15789],{},[175,15781,15782],{},"Sensitivity of data they access",[175,15784,15785],{},"Criticality of the service they 
provide",[175,15787,15788],{},"Volume of data handled",[175,15790,15791],{},"Regulatory requirements (e.g., HIPAA business associates)",[37,15793,15794,15797],{},[61,15795,15796],{},"Contractual protections"," — ensure vendor contracts include:",[172,15799,15800,15803,15806,15809,15812],{},[175,15801,15802],{},"Security requirements and responsibilities",[175,15804,15805],{},"Data protection obligations",[175,15807,15808],{},"Breach notification requirements",[175,15810,15811],{},"Right to audit",[175,15813,15814],{},"Compliance certifications",[37,15816,15817,15820],{},[61,15818,15819],{},"Ongoing monitoring"," — continuously monitor vendors through:",[172,15822,15823,15826,15829,15832],{},[175,15824,15825],{},"Annual or periodic reassessments",[175,15827,15828],{},"Review of updated compliance reports",[175,15830,15831],{},"Monitoring for security incidents or breaches",[175,15833,15834],{},"Tracking changes in the vendor's services or risk profile",[112,15836,15838],{"id":15837},"what-is-the-vendor-assessment-process","What is the vendor assessment process?",[37,15840,15841],{},"A typical vendor assessment follows these steps:",[210,15843,15844,15850,15856,15862,15868,15873,15879,15885],{},[175,15845,15846,15849],{},[61,15847,15848],{},"Categorize the vendor"," — determine risk tier based on data access and service criticality",[175,15851,15852,15855],{},[61,15853,15854],{},"Send questionnaire"," — distribute a security questionnaire appropriate to the risk tier",[175,15857,15858,15861],{},[61,15859,15860],{},"Review responses"," — evaluate the vendor's security practices against your requirements",[175,15863,15864,15867],{},[61,15865,15866],{},"Request evidence"," — ask for supporting documentation (SOC 2 report, policies, certifications)",[175,15869,15870,15872],{},[61,15871,9915],{}," — document areas where the vendor does not meet your standards",[175,15874,15875,15878],{},[61,15876,15877],{},"Make decision"," — approve, approve with conditions, or reject 
the vendor",[175,15880,15881,15884],{},[61,15882,15883],{},"Document results"," — record the assessment findings and decision",[175,15886,15887,15890],{},[61,15888,15889],{},"Schedule reassessment"," — set a date for the next review based on risk tier",[112,15892,15894],{"id":15893},"what-are-common-challenges-with-vendor-risk-management","What are common challenges with vendor risk management?",[172,15896,15897,15900,15903,15906,15909],{},[175,15898,15899],{},"Managing assessments across dozens or hundreds of vendors",[175,15901,15902],{},"Getting timely responses to security questionnaires",[175,15904,15905],{},"Assessing vendors that lack formal compliance certifications",[175,15907,15908],{},"Monitoring vendor risk between assessment cycles",[175,15910,15911],{},"Balancing thoroughness with business velocity",[112,15913,15915],{"id":15914},"what-is-vrm-requirements-by-compliance-framework","What is VRM requirements by compliance framework?",[37,15917,15918],{},"Different compliance frameworks address vendor risk management with varying depth and specificity. 
Understanding where each framework sets expectations helps you design a VRM program that satisfies multiple standards simultaneously.",[859,15920,15921,15932],{},[862,15922,15923],{},[865,15924,15925,15927,15929],{},[868,15926,6276],{},[868,15928,11862],{},[868,15930,15931],{},"Specific controls",[875,15933,15934,15944,15954,15964,15974],{},[865,15935,15936,15938,15941],{},[880,15937,658],{},[880,15939,15940],{},"Vendor risk assessment, monitoring",[880,15942,15943],{},"CC9.2, CC3.2",[865,15945,15946,15948,15951],{},[880,15947,393],{},[880,15949,15950],{},"Supplier security policies, monitoring, change management",[880,15952,15953],{},"A.5.19–A.5.23",[865,15955,15956,15958,15961],{},[880,15957,402],{},[880,15959,15960],{},"BAAs required for PHI-handling vendors",[880,15962,15963],{},"§164.308(b), §164.314",[865,15965,15966,15968,15971],{},[880,15967,411],{},[880,15969,15970],{},"Service provider compliance validation",[880,15972,15973],{},"Req 12.8, Req 12.9",[865,15975,15976,15979,15982],{},[880,15977,15978],{},"NIST CSF 2.0",[880,15980,15981],{},"Dedicated supply chain governance",[880,15983,15984],{},"GV.SC (expanded in 2.0)",[37,15986,15987,15989],{},[61,15988,658],{}," treats vendor risk as part of the broader risk management criteria. CC9.2 requires organizations to assess risks arising from vendor and business partner relationships, while CC3.2 covers risk identification across the entity — including third-party risks. Auditors expect documented vendor inventories, risk assessments, and evidence of ongoing monitoring.",[37,15991,15992,15994],{},[61,15993,393],{}," provides the most prescriptive set of supplier controls. 
Controls A.5.19 through A.5.23 cover information security in supplier relationships, including establishing policies, addressing security within agreements, managing the ICT supply chain, monitoring and reviewing supplier services, and managing changes to supplier services.",[37,15996,15997,15999,16000,16004,16005,16009],{},[61,15998,402],{}," takes a narrower but legally binding approach. Any vendor that creates, receives, maintains, or transmits ",[44,16001,16003],{"href":16002},"\u002Fglossary\u002Fphi","protected health information (PHI)"," on behalf of a covered entity must sign a ",[44,16006,16008],{"href":16007},"\u002Fglossary\u002Fbaa","Business Associate Agreement",". The BAA must specify permitted uses of PHI, breach notification obligations, and data return or destruction requirements.",[37,16011,16012,16014],{},[61,16013,411],{}," Requirement 12.8 requires organizations to maintain a list of service providers, ensure a written agreement acknowledging the provider's security responsibilities, establish a process for engaging providers, and monitor their PCI DSS compliance status at least annually. Requirement 12.9 adds that service providers must themselves acknowledge their responsibilities in writing.",[37,16016,16017,16019,16020,100],{},[61,16018,15978],{}," significantly expanded its supply chain risk management guidance, moving it from a sub-category into its own top-level function category — GV.SC — under the Govern function. This reflects the growing recognition that supply chain risk requires dedicated governance structures, not just ad hoc assessments. For a deeper look at these changes, see our guide to ",[44,16021,16023],{"href":16022},"\u002Fframeworks\u002Fnistcsf\u002Fv2-changes","NIST CSF v2.0 changes",[112,16025,16027],{"id":16026},"how-do-you-build-a-vendor-risk-tiering-model","How do you build a vendor risk tiering model?",[37,16029,16030],{},"Not every vendor requires the same level of scrutiny. 
A risk tiering model lets you allocate assessment effort proportionally to the risk each vendor introduces. Most organizations use a four-tier model based on data sensitivity, service criticality, and replaceability.",[37,16032,16033,16036],{},[61,16034,16035],{},"Critical (Tier 1)"," — The vendor handles sensitive data (PII, PHI, cardholder data), provides a business-critical service, or would be difficult and costly to replace. Examples include your primary cloud infrastructure provider, EHR system, or payment processor.",[172,16038,16039,16042,16045,16048,16051],{},[175,16040,16041],{},"Full security assessment with detailed questionnaire (SIG or equivalent)",[175,16043,16044],{},"Review of SOC 2 Type II report and\u002For ISO 27001 certificate",[175,16046,16047],{},"Annual reassessment at minimum, with continuous monitoring where feasible",[175,16049,16050],{},"Comprehensive contractual security requirements, including breach notification, audit rights, and data handling obligations",[175,16052,16053],{},"Executive-level relationship management and regular security review meetings",[37,16055,16056,16059],{},[61,16057,16058],{},"High (Tier 2)"," — The vendor accesses internal systems or handles moderate-sensitivity data, but the service is not irreplaceable. Examples include HR\u002Fpayroll platforms, CRM systems, or development tools with access to production data.",[172,16061,16062,16065,16068,16071,16074],{},[175,16063,16064],{},"Standard security questionnaire",[175,16066,16067],{},"Review of available compliance certifications",[175,16069,16070],{},"Annual reassessment",[175,16072,16073],{},"Basic contractual protections including breach notification and data protection clauses",[175,16075,16076],{},"Periodic check-ins with vendor security contacts",[37,16078,16079,16082],{},[61,16080,16081],{},"Medium (Tier 3)"," — The vendor has limited data access, provides a replaceable service, and does not interact with regulated data. 
Examples include project management tools, marketing analytics platforms, or office productivity suites.",[172,16084,16085,16088,16091,16094],{},[175,16086,16087],{},"Abbreviated assessment or targeted questionnaire",[175,16089,16090],{},"Biennial reassessment (every two years)",[175,16092,16093],{},"Standard contract terms with security addendum",[175,16095,16096],{},"Reassess earlier if the vendor's scope of access changes",[37,16098,16099,16102],{},[61,16100,16101],{},"Low (Tier 4)"," — The vendor has no access to organizational data and provides a commodity service. Examples include office supply vendors, cleaning services, or publicly available information tools.",[172,16104,16105,16108,16111],{},[175,16106,16107],{},"Self-attestation or security waiver",[175,16109,16110],{},"Reassess on contract renewal",[175,16112,16113],{},"Standard procurement terms, no additional security clauses required",[37,16115,16116,16117,16119],{},"The tiering decision should be documented in your ",[44,16118,3307],{"href":3306}," and revisited whenever the vendor's scope of service changes. A vendor that starts at Tier 3 may move to Tier 1 if you later grant it access to sensitive data.",[112,16121,16123],{"id":16122},"what-vendor-assessment-tools-and-questionnaires-are-available","What vendor assessment tools and questionnaires are available?",[37,16125,16126],{},"Choosing the right assessment tool depends on the vendor's risk tier, your industry, and the depth of information you need.",[37,16128,16129,16132],{},[61,16130,16131],{},"SIG (Standardized Information Gathering) questionnaire"," — maintained by Shared Assessments, the SIG is the most widely used vendor assessment questionnaire. SIG Full covers 18 risk domains and is appropriate for Tier 1 and Tier 2 vendors. SIG Lite provides a condensed version for lower-risk vendors. 
The SIG maps to multiple compliance frameworks, making it efficient for organizations with overlapping regulatory requirements.",[37,16134,16135,16138],{},[61,16136,16137],{},"CAIQ (Consensus Assessment Initiative Questionnaire)"," — developed by the Cloud Security Alliance, the CAIQ is purpose-built for evaluating cloud service providers. It maps to the CSA Cloud Controls Matrix and covers cloud-specific risks such as multi-tenancy, data residency, and virtualization security. Use it alongside or in place of the SIG for cloud-heavy vendor portfolios.",[37,16140,16141,16144],{},[61,16142,16143],{},"Custom questionnaires"," — many organizations supplement standardized questionnaires with custom questions tailored to their specific regulatory environment or risk appetite. Custom questions are particularly useful for addressing industry-specific risks, such as PCI DSS requirements for payment processors or HIPAA requirements for healthcare vendors.",[37,16146,16147,16150],{},[61,16148,16149],{},"Automated risk rating platforms"," — tools like SecurityScorecard and BitSight provide continuous, outside-in assessments of a vendor's security posture by analyzing publicly observable signals such as DNS configuration, patching cadence, exposed services, and breach history. These platforms are useful for continuous monitoring between formal assessment cycles and for initial screening of prospective vendors.",[37,16152,16153,16156,16157,16159,16160,16163],{},[61,16154,16155],{},"Direct review of compliance reports"," — reviewing a vendor's ",[44,16158,82],{"href":94}," report is often more valuable than a questionnaire response. A SOC 2 report is independently audited and covers the vendor's actual controls over a defined period, including any exceptions or control gaps identified by the auditor. 
Similarly, an ",[44,16161,393],{"href":16162},"\u002Fglossary\u002Fiso27001"," certificate confirms that the vendor's information security management system has been independently assessed. When a vendor can provide these reports, they should be your primary source of assurance — supplemented by questionnaires only for areas not covered by the audit scope.",[112,16165,16167],{"id":16166},"how-do-you-handle-vendor-offboarding-and-incident-response","How do you handle vendor offboarding and incident response?",[37,16169,16170],{},"Vendor risk management does not end when the contract is signed — it also requires structured processes for when the relationship ends or when something goes wrong.",[37,16172,16173,16176],{},[61,16174,16175],{},"Vendor offboarding"," — terminating a vendor relationship requires deliberate steps to protect your data and systems:",[172,16178,16179,16185,16191,16197,16206],{},[175,16180,16181,16184],{},[61,16182,16183],{},"Data return or destruction"," — require the vendor to return all organizational data in a usable format and certify destruction of any remaining copies. The contract should specify timelines and acceptable destruction methods (e.g., cryptographic erasure, physical destruction).",[175,16186,16187,16190],{},[61,16188,16189],{},"Access revocation"," — immediately revoke the vendor's access to all systems, networks, VPNs, and APIs. Disable any service accounts, API keys, or shared credentials associated with the vendor.",[175,16192,16193,16196],{},[61,16194,16195],{},"Certificate and key rotation"," — if the vendor had access to encryption keys, certificates, or shared secrets, rotate them promptly. 
This includes API tokens, SSH keys, and any credentials the vendor may have stored.",[175,16198,16199,16202,16203,16205],{},[61,16200,16201],{},"Risk register update"," — update your ",[44,16204,3307],{"href":3306}," to reflect the terminated relationship and document any residual risks, such as data that was processed during the engagement.",[175,16207,16208,16211],{},[61,16209,16210],{},"Knowledge transfer"," — if the vendor provided a critical service, ensure operational knowledge has been transferred to the replacement vendor or internal team before the relationship ends.",[37,16213,16214,16217],{},[61,16215,16216],{},"Vendor-side breach response"," — your contracts and BAAs should establish clear expectations for what happens when a vendor experiences a security incident:",[172,16219,16220,16226,16235,16241],{},[175,16221,16222,16225],{},[61,16223,16224],{},"Notification timelines"," — specify how quickly the vendor must notify you of a confirmed or suspected breach. Industry standards range from 24 to 72 hours, but for critical vendors handling regulated data, shorter timelines may be appropriate. HIPAA requires notification without unreasonable delay and no later than 60 days.",[175,16227,16228,16231,16232,16234],{},[61,16229,16230],{},"Cooperation requirements"," — the vendor should be contractually obligated to cooperate with your ",[44,16233,375],{"href":10836}," investigation, including providing forensic evidence, access logs, and impact assessments.",[175,16236,16237,16240],{},[61,16238,16239],{},"Remediation obligations"," — define who bears responsibility for remediation costs, including notification to affected individuals, credit monitoring, legal fees, and regulatory fines. 
The contract should also specify timelines for implementing corrective actions.",[175,16242,16243,16246],{},[61,16244,16245],{},"Communication coordination"," — establish protocols for how breach-related communications will be coordinated between your organization and the vendor to ensure consistent messaging to regulators, customers, and the public.",[37,16248,16249],{},"A well-defined vendor offboarding and incident response process reduces the risk of lingering access, orphaned data, and confused responsibilities when the unexpected happens.",[112,16251,16253],{"id":16252},"how-does-episki-help-with-vendor-risk-management","How does episki help with vendor risk management?",[37,16255,16256,16257,100],{},"episki centralizes vendor risk management with vendor inventories, automated questionnaire distribution, risk scoring, and reassessment scheduling. The platform tracks vendor compliance status and flags vendors that require attention. Learn more on our ",[44,16258,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":16260},[16261],{"id":15687,"depth":547,"text":15688,"children":16262},[16263,16264,16265,16266,16267,16268,16269,16270,16271],{"id":15694,"depth":554,"text":15695},{"id":15728,"depth":554,"text":15729},{"id":15837,"depth":554,"text":15838},{"id":15893,"depth":554,"text":15894},{"id":15914,"depth":554,"text":15915},{"id":16026,"depth":554,"text":16027},{"id":16122,"depth":554,"text":16123},{"id":16166,"depth":554,"text":16167},{"id":16252,"depth":554,"text":16253},{},[631,8772,8775],[8221,8223,16275,1876],"baa",{"title":16277,"description":16278},"What is Vendor Risk Management? Definition & Compliance Guide","Vendor risk management (VRM) is the process of assessing and monitoring security risks from third-party vendors. 
Learn how to build an effective VRM program.","8.glossary\u002Fvendor-risk-management","zYUPNHD7rd1SYb6jxTVuGceKFAFQoewNnryA575dKLg",{"id":16282,"title":16283,"body":16284,"description":546,"extension":578,"lastUpdated":1135,"meta":16445,"navigation":613,"path":16446,"relatedFrameworks":16447,"relatedTerms":16448,"seo":16450,"slug":16453,"stem":16454,"term":16289,"__hash__":16455},"glossary\u002F8.glossary\u002Fvulnerability-management.md","Vulnerability Management",{"type":29,"value":16285,"toc":16436},[16286,16290,16293,16297,16300,16333,16337,16340,16367,16371,16397,16401,16404,16427,16431],[32,16287,16289],{"id":16288},"what-is-vulnerability-management","What is Vulnerability Management?",[37,16291,16292],{},"Vulnerability management is the continuous process of identifying, classifying, prioritizing, and remediating security vulnerabilities in an organization's systems, software, and infrastructure. Unlike one-time assessments, vulnerability management is an ongoing program that adapts as new threats emerge and your environment changes.",[112,16294,16296],{"id":16295},"what-is-the-vulnerability-management-lifecycle","What is the vulnerability management lifecycle?",[37,16298,16299],{},"An effective program follows a repeating cycle:",[210,16301,16302,16308,16313,16318,16323,16328],{},[175,16303,16304,16307],{},[61,16305,16306],{},"Asset discovery"," — maintain an accurate inventory of all hardware, software, and cloud resources in scope",[175,16309,16310,16312],{},[61,16311,3632],{}," — use automated tools to detect known vulnerabilities across your environment on a regular schedule",[175,16314,16315,16317],{},[61,16316,9700],{}," — rank findings by severity (CVSS score), exploitability, asset criticality, and business context — not every \"critical\" CVE is critical to your organization",[175,16319,16320,16322],{},[61,16321,13192],{}," — apply patches, configuration changes, or compensating controls to address vulnerabilities within defined 
SLAs",[175,16324,16325,16327],{},[61,16326,13320],{}," — rescan to confirm that remediation was effective and didn't introduce new issues",[175,16329,16330,16332],{},[61,16331,13071],{}," — track metrics like mean time to remediate (MTTR), vulnerability aging, and coverage rates",[112,16334,16336],{"id":16335},"how-do-compliance-frameworks-address-vulnerability-management","How do compliance frameworks address vulnerability management?",[37,16338,16339],{},"Most security frameworks require a formal vulnerability management program:",[172,16341,16342,16347,16352,16357,16362],{},[175,16343,16344,16346],{},[61,16345,411],{}," — Requirement 6.3 requires patching critical vulnerabilities within defined timeframes; Requirement 11.3 requires internal and external vulnerability scanning",[175,16348,16349,16351],{},[61,16350,658],{}," — CC7.1 covers detection of vulnerabilities and CC8.1 addresses change management for remediation",[175,16353,16354,16356],{},[61,16355,393],{}," — A.8.8 (management of technical vulnerabilities) requires timely identification and remediation of vulnerabilities",[175,16358,16359,16361],{},[61,16360,6581],{}," — ID.RA (risk assessment) and PR.IP (information protection) directly relate to vulnerability identification and remediation",[175,16363,16364,16366],{},[61,16365,425],{}," — RA.L2-3.11.2 requires remediation of vulnerabilities in accordance with risk assessments",[112,16368,16370],{"id":16369},"what-are-common-vulnerability-scanning-tools","What are common vulnerability scanning tools?",[172,16372,16373,16379,16385,16391],{},[175,16374,16375,16378],{},[61,16376,16377],{},"Infrastructure scanners"," — Nessus, Qualys, Rapid7 InsightVM for network and host-level vulnerabilities",[175,16380,16381,16384],{},[61,16382,16383],{},"Application scanners"," — OWASP ZAP, Burp Suite for web application vulnerabilities",[175,16386,16387,16390],{},[61,16388,16389],{},"Dependency scanners"," — Snyk, Dependabot, Trivy for software composition analysis 
(SCA)",[175,16392,16393,16396],{},[61,16394,16395],{},"Cloud security posture"," — AWS Inspector, Azure Defender, GCP Security Command Center for cloud misconfigurations",[112,16398,16400],{"id":16399},"what-are-sla-best-practices-for-vulnerability-management","What are SLA best practices for vulnerability management?",[37,16402,16403],{},"Define remediation timelines based on severity:",[172,16405,16406,16412,16417,16422],{},[175,16407,16408,16411],{},[61,16409,16410],{},"Critical"," — remediate within 24–72 hours",[175,16413,16414,16416],{},[61,16415,7976],{}," — remediate within 7–14 days",[175,16418,16419,16421],{},[61,16420,7987],{}," — remediate within 30 days",[175,16423,16424,16426],{},[61,16425,7998],{}," — remediate within 90 days or accept risk with documented justification",[112,16428,16430],{"id":16429},"how-does-episki-help-with-vulnerability-management","How does episki help with vulnerability management?",[37,16432,16433,16434,100],{},"episki tracks vulnerability findings, manages remediation workflows with due dates and ownership, and maps vulnerabilities to compliance framework requirements. The platform provides dashboards showing remediation progress and aging metrics for auditors. Learn more on our ",[44,16435,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":16437},[16438],{"id":16288,"depth":547,"text":16289,"children":16439},[16440,16441,16442,16443,16444],{"id":16295,"depth":554,"text":16296},{"id":16335,"depth":554,"text":16336},{"id":16369,"depth":554,"text":16370},{"id":16399,"depth":554,"text":16400},{"id":16429,"depth":554,"text":16430},{},"\u002Fglossary\u002Fvulnerability-management",[631,8772,8774,8775,8771],[12279,5627,1042,16449],"web-application-security",{"title":16451,"description":16452},"What is Vulnerability Management? 
Definition & Compliance Guide","Vulnerability management is the ongoing process of identifying, classifying, prioritizing, and remediating security vulnerabilities across your systems and applications.","vulnerability-management","8.glossary\u002Fvulnerability-management","uzdMPlyqCfawsSDUCyB5DBUfYbPo1BYxc5FJB7wJDgM",{"id":16457,"title":16458,"body":16459,"description":546,"extension":578,"lastUpdated":1135,"meta":16582,"navigation":613,"path":16583,"relatedFrameworks":16584,"relatedTerms":16585,"seo":16586,"slug":16449,"stem":16589,"term":16464,"__hash__":16590},"glossary\u002F8.glossary\u002Fweb-application-security.md","Web Application Security",{"type":29,"value":16460,"toc":16574},[16461,16465,16468,16472,16475,16513,16517,16539,16543,16565,16569],[32,16462,16464],{"id":16463},"what-is-web-application-security","What is Web Application Security?",[37,16466,16467],{},"Web application security is the practice of protecting websites and web applications from attacks that exploit vulnerabilities in application code, configuration, or infrastructure. 
As organizations increasingly deliver services through web applications, securing these applications has become a critical component of any compliance program.",[112,16469,16471],{"id":16470},"what-are-common-web-application-threats","What are common web application threats?",[37,16473,16474],{},"The OWASP Top 10 provides a widely recognized list of the most critical web application security risks:",[172,16476,16477,16483,16489,16495,16501,16507],{},[175,16478,16479,16482],{},[61,16480,16481],{},"Injection attacks"," — including SQL injection, where attackers insert malicious code through input fields to manipulate databases",[175,16484,16485,16488],{},[61,16486,16487],{},"Cross-site scripting (XSS)"," — injecting malicious scripts into web pages viewed by other users",[175,16490,16491,16494],{},[61,16492,16493],{},"Broken authentication"," — weaknesses in authentication mechanisms that allow unauthorized access",[175,16496,16497,16500],{},[61,16498,16499],{},"Insecure direct object references"," — exposing internal implementation objects through URLs or parameters",[175,16502,16503,16506],{},[61,16504,16505],{},"Security misconfiguration"," — default credentials, unnecessary features enabled, or missing security headers",[175,16508,16509,16512],{},[61,16510,16511],{},"Cross-site request forgery (CSRF)"," — tricking authenticated users into performing unintended actions",[112,16514,16516],{"id":16515},"how-do-compliance-frameworks-address-web-application-security","How do compliance frameworks address web application security?",[172,16518,16519,16524,16529,16534],{},[175,16520,16521,16523],{},[61,16522,411],{}," — Requirement 6 addresses secure development practices and web application firewalls for applications handling cardholder data",[175,16525,16526,16528],{},[61,16527,658],{}," — CC7.1 and CC8.1 cover vulnerability management and change management for applications",[175,16530,16531,16533],{},[61,16532,393],{}," — A.8.25 through A.8.28 address secure 
development lifecycle, testing, and application security",[175,16535,16536,16538],{},[61,16537,6581],{}," — PR.IP covers security in development and information protection processes",[112,16540,16542],{"id":16541},"what-are-web-application-defense-strategies","What are web application defense strategies?",[172,16544,16545,16548,16551,16554,16559,16562],{},[175,16546,16547],{},"Implement a secure development lifecycle (SDLC) with security reviews at each stage",[175,16549,16550],{},"Use static application security testing (SAST) and dynamic application security testing (DAST) in CI\u002FCD pipelines",[175,16552,16553],{},"Deploy a web application firewall (WAF) to filter malicious traffic",[175,16555,12631,16556,16558],{},[44,16557,12635],{"href":12634}," focused on application-layer vulnerabilities",[175,16560,16561],{},"Keep application frameworks and dependencies patched and up to date",[175,16563,16564],{},"Validate and sanitize all user input on the server side",[112,16566,16568],{"id":16567},"how-does-episki-help-with-web-application-security","How does episki help with web application security?",[37,16570,16571,16572,100],{},"episki tracks web application security controls, manages vulnerability remediation workflows, and documents security testing evidence for auditors. Learn more on our ",[44,16573,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":16575},[16576],{"id":16463,"depth":547,"text":16464,"children":16577},[16578,16579,16580,16581],{"id":16470,"depth":554,"text":16471},{"id":16515,"depth":554,"text":16516},{"id":16541,"depth":554,"text":16542},{"id":16567,"depth":554,"text":16568},{},"\u002Fglossary\u002Fweb-application-security",[631,8772,8774,8775],[12279,12658,2781,16453],{"title":16587,"description":16588},"What is Web Application Security? 
Definition & Compliance Guide","Web application security is the practice of protecting websites and web apps from attacks such as SQL injection, cross-site scripting (XSS), and unauthorized access.","8.glossary\u002Fweb-application-security","qOQ02_z-vhAF1v25Yq_MRSjVS7VEGJjSiQUC3OPdzkc",{"id":16592,"title":16593,"body":16594,"description":546,"extension":578,"lastUpdated":1135,"meta":16702,"navigation":613,"path":16703,"relatedFrameworks":16704,"relatedTerms":16705,"seo":16706,"slug":16709,"stem":16710,"term":16599,"__hash__":16711},"glossary\u002F8.glossary\u002Fworkforce-security.md","Workforce Security",{"type":29,"value":16595,"toc":16694},[16596,16600,16603,16607,16636,16640,16657,16661,16685,16689],[32,16597,16599],{"id":16598},"what-is-workforce-security","What is Workforce Security?",[37,16601,16602],{},"Workforce security refers to the policies, procedures, and controls that ensure employees, contractors, and other workforce members handle sensitive information responsibly and securely. 
It encompasses the full employment lifecycle — from hiring and onboarding through ongoing access management to termination and offboarding.",[112,16604,16606],{"id":16605},"what-are-the-key-components-of-workforce-security","What are the key components of workforce security?",[172,16608,16609,16614,16619,16624,16630],{},[175,16610,16611,16613],{},[61,16612,2202],{}," — verifying the identity, qualifications, and history of new hires before granting access to sensitive systems",[175,16615,16616,16618],{},[61,16617,2211],{}," — educating the workforce on security policies, threats, and their responsibilities",[175,16620,16621,16623],{},[61,16622,6025],{}," — assigning appropriate access based on role and revoking it when no longer needed",[175,16625,16626,16629],{},[61,16627,16628],{},"Acceptable use policies"," — defining what constitutes proper use of organizational systems and data",[175,16631,16632,16635],{},[61,16633,16634],{},"Termination procedures"," — ensuring timely and complete access revocation when workforce members depart",[112,16637,16639],{"id":16638},"how-do-compliance-frameworks-address-workforce-security","How do compliance frameworks address workforce security?",[172,16641,16642,16647,16652],{},[175,16643,16644,16646],{},[61,16645,402],{}," — the Security Rule (45 CFR 164.308(a)(3)) explicitly requires workforce security controls including authorization and supervision, clearance procedures, and termination procedures",[175,16648,16649,16651],{},[61,16650,658],{}," — CC1.4 and CC6.2 address human resource security including hiring, training, and termination",[175,16653,16654,16656],{},[61,16655,393],{}," — A.6.1 through A.6.5 cover screening, terms of employment, awareness training, disciplinary processes, and post-employment responsibilities",[112,16658,16660],{"id":16659},"what-are-best-practices-for-workforce-security","What are best practices for workforce security?",[172,16662,16663,16666,16669,16676,16682],{},[175,16664,16665],{},"Conduct 
background checks proportional to the sensitivity of the role",[175,16667,16668],{},"Require security awareness training at hire and annually thereafter",[175,16670,16671,16672,16675],{},"Implement role-based access that follows the ",[44,16673,16674],{"href":11621},"least privilege"," principle",[175,16677,16678,16679,16681],{},"Document and enforce termination and ",[44,16680,12809],{"href":12803}," checklists",[175,16683,16684],{},"Review workforce security policies annually and after significant organizational changes",[112,16686,16688],{"id":16687},"how-does-episki-help-with-workforce-security","How does episki help with workforce security?",[37,16690,16691,16692,100],{},"episki tracks workforce security controls, manages training completion records, and documents evidence of hiring and termination procedures for compliance audits. Learn more on our ",[44,16693,8753],{"href":8752},{"title":546,"searchDepth":547,"depth":547,"links":16695},[16696],{"id":16598,"depth":547,"text":16599,"children":16697},[16698,16699,16700,16701],{"id":16605,"depth":554,"text":16606},{"id":16638,"depth":554,"text":16639},{"id":16659,"depth":554,"text":16660},{"id":16687,"depth":554,"text":16688},{},"\u002Fglossary\u002Fworkforce-security",[8773,631,8772],[8782,14316,12809],{"title":16707,"description":16708},"What is Workforce Security? 
Definition & Compliance Guide","Workforce security refers to the policies and controls that ensure employees and contractors handle sensitive information responsibly and securely.","workforce-security","8.glossary\u002Fworkforce-security","na2bHZsChgoatdZZY7JsQpjSx5s4F6y3rTrEiRhd0js",[16713,17216,17794,18283,18900,19407],{"id":16714,"title":16715,"advantages":16716,"body":16738,"checklist":17149,"cta":17158,"description":546,"extension":578,"faq":17161,"hero":17179,"lastUpdated":610,"meta":17187,"name":425,"navigation":613,"path":17188,"resources":17189,"seo":17201,"slug":8771,"stats":17204,"stem":17214,"__hash__":17215},"frameworks\u002F5.frameworks\u002Fcmmc.md","Cmmc",[16717,16724,16731],{"title":16718,"description":16719,"bullets":16720},"NIST 800-171 control mapping","Every CMMC Level 2 practice is linked to its NIST SP 800-171 source requirement with pre-written narratives.",[16721,16722,16723],"14 control families mapped to 110 security requirements","AI-drafted implementation narratives and testing procedures","Gap analysis highlights missing controls before your assessment",{"title":16725,"description":16726,"bullets":16727},"Assessment preparation workspace","Whether you self-assess or engage a C3PAO, episki organizes evidence and scoring in one place.",[16728,16729,16730],"POA&M tracking with 180-day close-out reminders","Scoring methodology aligned to DoD assessment guide","Assessor portal with scoped read-only access",{"title":16732,"description":16733,"bullets":16734},"Cross-framework reuse","Controls mapped to CMMC automatically satisfy overlapping NIST CSF, ISO 27001, and FedRAMP requirements.",[16735,16736,16737],"Unified control graph eliminates duplicate documentation","Evidence collected once, reused across every framework","Framework coverage dashboard shows gaps at a 
glance",{"type":29,"value":16739,"toc":17132},[16740,16744,16747,16750,16754,16761,16772,16783,16787,16795,16827,16830,16834,16846,16857,16861,16864,16881,16894,16897,16901,16904,16915,16922,16926,16940,16943,16947,16955,16981,16985,17012,17016,17024,17028,17036,17040,17048,17052,17055,17093,17097,17129],[32,16741,16743],{"id":16742},"what-is-cmmc","What is CMMC?",[37,16745,16746],{},"The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's verification program for ensuring that every organization in the defense industrial base adequately protects sensitive federal information. CMMC takes the cybersecurity standards the DoD has required for years and turns them into a verifiable certification that contractors must hold before a contract can be awarded.",[37,16748,16749],{},"Before CMMC, defense contractors were expected to comply with DFARS clause 252.204-7012 and the 110 security requirements in NIST SP 800-171 on the honor system. They self-attested. A 2018 DoD Inspector General report and the 2019 MITRE \"Deliver Uncompromised\" study both found the self-attestation model was failing — contractors claimed compliance they had not achieved, and nation-state adversaries were quietly stealing terabytes of Controlled Unclassified Information (CUI) from the supply chain. CMMC is the DoD's response: instead of trust, the Pentagon now requires verification.",[112,16751,16753],{"id":16752},"cmmc-10-to-cmmc-20","CMMC 1.0 to CMMC 2.0",[37,16755,16756,16757,16760],{},"The first version of CMMC — sometimes called CMMC 1.0 — was announced in January 2020. It had ",[61,16758,16759],{},"five maturity levels",", added its own unique practices and maturity processes on top of NIST SP 800-171, and would have required third-party assessment for almost everyone in the defense supply chain. Industry pushback was substantial. Small businesses said the compliance burden was unaffordable. 
Cybersecurity teams argued that the custom CMMC practices and \"maturity processes\" diverged from established standards without clear security benefit.",[37,16762,16763,16764,16767,16768,16771],{},"In November 2021 the DoD announced ",[61,16765,16766],{},"CMMC 2.0",", a streamlined successor. CMMC 2.0 collapsed the five levels into ",[61,16769,16770],{},"three",", eliminated the custom CMMC practices, and aligned Level 2 directly with NIST SP 800-171 so there is no daylight between the two. It also re-introduced self-assessment as a compliant path for many contracts — a concession to cost that CMMC 1.0 did not allow.",[37,16773,16774,16775,16778,16779,16782],{},"The CMMC 2.0 program rule (32 CFR Part 170) was published in the Federal Register on October 15, 2024, and took effect on ",[61,16776,16777],{},"December 16, 2024",". The companion DFARS rule (48 CFR) was published on September 10, 2025, and took effect on ",[61,16780,16781],{},"November 10, 2025"," — the moment CMMC moved from a program on paper to an enforceable contract requirement. When we talk about \"CMMC\" today, we mean CMMC 2.0 as enforced through DFARS.",[112,16784,16786],{"id":16785},"the-three-cmmc-levels","The three CMMC levels",[37,16788,16789,16790,16794],{},"CMMC uses a tiered model so that a small contractor handling a bill of materials gets a proportionate requirement, while a prime contractor engineering a weapons system gets a much heavier one. Each CMMC level builds on the one below it. ",[44,16791,16793],{"href":16792},"\u002Fframeworks\u002Fcmmc\u002Flevels","See the full breakdown of CMMC levels"," for control counts, assessment types, and scoping rules.",[172,16796,16797,16807,16817],{},[175,16798,16799,16802,16803,16806],{},[61,16800,16801],{},"Level 1 — Foundational."," Covers the basic safeguarding of Federal Contract Information (FCI). It requires 17 practices drawn directly from FAR 52.204-21. Any organization that processes FCI under a DoD contract must meet Level 1. 
It is verified through an ",[61,16804,16805],{},"annual self-assessment"," with a senior official affirming the results in the Supplier Performance Risk System (SPRS).",[175,16808,16809,16812,16813,16816],{},[61,16810,16811],{},"Level 2 — Advanced."," Protects Controlled Unclassified Information (CUI). It requires all ",[61,16814,16815],{},"110 security requirements"," from NIST SP 800-171 Rev 2 across 14 control families. Level 2 has two assessment paths — self-assessment for less sensitive CUI, and third-party C3PAO assessment for more sensitive CUI or critical programs. Level 2 is where most defense contractors will land.",[175,16818,16819,16822,16823,16826],{},[61,16820,16821],{},"Level 3 — Expert."," Reserved for the most sensitive DoD programs where advanced persistent threats are a credible risk. It includes every Level 2 requirement ",[61,16824,16825],{},"plus 24 enhanced requirements"," selected from NIST SP 800-172. Level 3 is verified through a government-led DIBCAC assessment and requires a valid Level 2 C3PAO certification as a prerequisite.",[37,16828,16829],{},"The CMMC level you need is determined by the specific solicitation or contract — not by company size or industry. A small engineering firm with a CUI-sensitive subcontract may need Level 2 C3PAO, while a larger prime on a less sensitive contract may only need Level 1.",[112,16831,16833],{"id":16832},"nist-sp-800-171-is-the-heart-of-cmmc","NIST SP 800-171 is the heart of CMMC",[37,16835,16836,16837,16840,16841,16845],{},"CMMC Level 2 is a ",[61,16838,16839],{},"direct one-to-one mapping"," to NIST SP 800-171 Rev 2. There are no extra practices, no CMMC-specific maturity processes, no layered-on requirements. Every CMMC Level 2 practice corresponds to a single NIST SP 800-171 security requirement. 
This alignment was intentional: it made CMMC easier to implement and easier to audit, and it meant organizations that had been working toward ",[44,16842,16844],{"href":16843},"\u002Fglossary\u002Fnist","NIST"," SP 800-171 compliance since 2017 did not have to start over.",[37,16847,16848,16849,16853,16854,16856],{},"The 110 requirements are organized into 14 control families including Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, System and Communications Protection, and System and Information Integrity. CMMC Level 3 layers 24 additional enhanced requirements on top, drawn from NIST SP 800-172. ",[44,16850,16852],{"href":16851},"\u002Fframeworks\u002Fcmmc\u002Fnist-800-171-mapping","See the detailed NIST SP 800-171 mapping"," for the full control family breakdown and cross-framework overlap with ",[44,16855,6581],{"href":8423}," and ISO 27001.",[112,16858,16860],{"id":16859},"who-needs-cmmc","Who needs CMMC?",[37,16862,16863],{},"Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract will need CMMC certification. That is a much broader population than \"defense contractors\" in the traditional sense. CMMC applies to:",[172,16865,16866,16869,16872,16875,16878],{},[175,16867,16868],{},"Prime contractors holding contracts directly with the DoD",[175,16870,16871],{},"Subcontractors at every tier in the supply chain",[175,16873,16874],{},"Cloud service providers hosting DoD contractor data",[175,16876,16877],{},"Managed service providers and IT vendors with access to FCI or CUI",[175,16879,16880],{},"Foreign suppliers in the defense industrial base handling covered information",[37,16882,16883,16884,16888,16889,16893],{},"CMMC flow-down is one of the most important operational realities. If a prime contractor shares CUI with a subcontractor, that subcontractor must hold the same CMMC level. 
If that subcontractor further shares CUI with a tier-three supplier, the tier-three supplier must also be certified. CMMC's reach extends deep into the supply chain. ",[44,16885,16887],{"href":16886},"\u002Fframeworks\u002Fcmmc\u002Fwho-needs-cmmc","See who needs CMMC"," for detailed scoping guidance, and our ",[44,16890,16892],{"href":16891},"\u002Findustry\u002Fgovernment","government industry page"," for broader public-sector compliance context.",[37,16895,16896],{},"Roughly 80,000 organizations are expected to pursue CMMC Level 2, and a few thousand the most stringent CMMC Level 3 — numbers from the DoD's own economic analysis of the CMMC rule.",[112,16898,16900],{"id":16899},"the-cmmc-assessment-process","The CMMC assessment process",[37,16902,16903],{},"CMMC assessments come in three flavors that align to the three CMMC levels: self-assessment, C3PAO third-party assessment, and DIBCAC government-led assessment. Regardless of type, the assessment methodology is the same — scoring is based on the DoD Assessment Methodology and NIST SP 800-171A objectives.",[37,16905,16906,16907,16910,16911,16914],{},"A CMMC Level 2 C3PAO assessment typically runs through five stages: scoping, readiness review, evidence collection and review, on-site or virtual assessment, and scoring with any final findings. A Level 2 assessment starts with a score of 110 and subtracts points for each unmet objective. A score of 110 yields full certification. A score of ",[61,16908,16909],{},"88 or above"," with remaining gaps documented in a Plan of Action and Milestones (POA&M) yields a ",[61,16912,16913],{},"conditional"," certification with a 180-day remediation window. 
A score below 88 yields no certification at all.",[37,16916,16917,16921],{},[44,16918,16920],{"href":16919},"\u002Fframeworks\u002Fcmmc\u002Fassessment-process","See the full CMMC assessment process"," for scoring details, POA&M rules, and what you can and cannot defer.",[112,16923,16925],{"id":16924},"c3paos-and-certified-assessors","C3PAOs and certified assessors",[37,16927,16928,16929,16932,16933,96,16936,16939],{},"Third-party CMMC assessments are conducted by ",[61,16930,16931],{},"CMMC Third-Party Assessment Organizations (C3PAOs)"," accredited by the Cyber AB (the Cyber Accreditation Body, formerly the CMMC Accreditation Body). C3PAOs employ ",[61,16934,16935],{},"Certified CMMC Assessors (CCAs)",[61,16937,16938],{},"Certified CMMC Professionals (CCPs)"," who conduct the actual assessment work. CCAs must pass a certification exam administered by the Cyber AB and complete ongoing professional development.",[37,16941,16942],{},"The pool of accredited C3PAOs is deliberately limited — growing from just a handful at the start of 2024 to several dozen by early 2026. That scarcity matters. As CMMC Phase 2 enforcement begins in November 2026 and more contracts require C3PAO assessment, assessor availability will tighten. Organizations that wait to begin CMMC preparation until a contract requires it will likely find assessment slots booked six to twelve months out.",[112,16944,16946],{"id":16945},"cmmc-implementation-timeline","CMMC implementation timeline",[37,16948,16949,16950,16954],{},"CMMC enforcement follows a four-phase rollout under the DFARS rule. The rollout gradually expands CMMC requirements over four years so the assessor ecosystem can scale and contractors have time to prepare. 
",[44,16951,16953],{"href":16952},"\u002Fframeworks\u002Fcmmc\u002Fimplementation-timeline","See the full CMMC implementation timeline"," for dates and milestones.",[172,16956,16957,16963,16969,16975],{},[175,16958,16959,16962],{},[61,16960,16961],{},"Phase 1 (November 2025 – November 2026)."," Active now. CMMC Level 1 and Level 2 self-assessments appear as conditions of award in select solicitations. A limited number of contracts require Level 2 C3PAO assessments at DoD discretion.",[175,16964,16965,16968],{},[61,16966,16967],{},"Phase 2 (November 2026 – November 2027)."," CMMC Level 2 C3PAO certification requirements expand significantly. Level 3 requirements begin appearing in select solicitations.",[175,16970,16971,16974],{},[61,16972,16973],{},"Phase 3 (November 2027 – November 2028)."," CMMC Level 2 and Level 3 requirements appear broadly across applicable DoD contracts.",[175,16976,16977,16980],{},[61,16978,16979],{},"Phase 4 (November 2028 onward)."," All DoD contracts requiring FCI or CUI handling include the appropriate CMMC level as a condition of award. Full CMMC enforcement.",[112,16982,16984],{"id":16983},"cmmc-and-dfars","CMMC and DFARS",[37,16986,16987,16988,16991,16992,96,16995,16998,16999,17002,17003,17007,17008,100],{},"CMMC is the certification. DFARS is the contractual mechanism that makes the certification binding. ",[61,16989,16990],{},"DFARS 252.204-7012"," has required safeguarding of covered defense information and rapid incident reporting since 2017. ",[61,16993,16994],{},"DFARS 252.204-7019",[61,16996,16997],{},"-7020"," added the requirement to post NIST SP 800-171 assessment scores to SPRS. ",[61,17000,17001],{},"DFARS 252.204-7021",", effective November 10, 2025, added the requirement to hold the specific CMMC level called out in the solicitation before contract award. ",[44,17004,17006],{"href":17005},"\u002Fframeworks\u002Fcmmc\u002Fdfars-relationship","See how CMMC and DFARS relate"," for the full clause-by-clause picture. 
For blog-length coverage of DFARS and CMMC in context, see our ",[44,17009,17011],{"href":17010},"\u002Fnow\u002Fcompliance-framework-comparison","compliance framework comparison",[112,17013,17015],{"id":17014},"self-assessment-vs-third-party-assessment","Self-assessment vs third-party assessment",[37,17017,17018,17019,17023],{},"Not every CMMC obligation requires bringing in a C3PAO. CMMC Level 1 is always a self-assessment. CMMC Level 2 splits — some contracts accept self-assessment, and some require C3PAO certification. CMMC Level 3 is always government-led by DIBCAC. Self-assessment is cheaper and faster, but it comes with False Claims Act exposure if the attestation misrepresents your posture. Third-party CMMC assessment is more expensive but produces a defensible certification. ",[44,17020,17022],{"href":17021},"\u002Fframeworks\u002Fcmmc\u002Fself-assessment-vs-third-party","Compare CMMC self-assessment vs third-party"," to decide which applies to you and how to budget.",[112,17025,17027],{"id":17026},"handling-cui-the-cmmc-way","Handling CUI the CMMC way",[37,17029,17030,17031,17035],{},"Controlled Unclassified Information sits at the center of CMMC Level 2 and CMMC Level 3. Identifying CUI in your environment, marking it correctly, applying the right access controls, and documenting the CUI boundary are all preconditions for a successful CMMC assessment. FCI and CUI are not the same thing, and the differences drive which CMMC level you need. ",[44,17032,17034],{"href":17033},"\u002Fframeworks\u002Fcmmc\u002Fcui-handling","See CUI handling under CMMC"," for marking rules, scoping guidance, and common mistakes.",[112,17037,17039],{"id":17038},"subcontractor-requirements","Subcontractor requirements",[37,17041,17042,17043,17047],{},"CMMC flow-down affects nearly every defense prime. If you share FCI or CUI with a subcontractor, the subcontractor must hold the required CMMC level before you share the data. 
That means primes need to track subcontractor CMMC status across their supply chain, verify SPRS entries, and plan for the long tail of small suppliers that may not have started their CMMC journey. ",[44,17044,17046],{"href":17045},"\u002Fframeworks\u002Fcmmc\u002Fsubcontractor-requirements","See CMMC subcontractor requirements"," for the full flow-down model and how to reduce the burden.",[112,17049,17051],{"id":17050},"getting-cmmc-ready","Getting CMMC ready",[37,17053,17054],{},"CMMC readiness is not a last-mile sprint. Most organizations need 6 to 18 months to close gaps across all 110 NIST SP 800-171 requirements and prepare for CMMC Level 2. The high-leverage moves to start today:",[210,17056,17057,17063,17069,17075,17081,17087],{},[175,17058,17059,17062],{},[61,17060,17061],{},"Scope your CMMC environment."," Map where FCI and CUI enter, flow through, and are stored in your systems. Your CMMC assessment boundary is only as good as your scoping work.",[175,17064,17065,17068],{},[61,17066,17067],{},"Complete your SSP."," A System Security Plan that documents every NIST SP 800-171 requirement — implementation status, responsible party, and evidence reference — is the backbone of any CMMC assessment.",[175,17070,17071,17074],{},[61,17072,17073],{},"Submit a SPRS score."," Even before any contract requires CMMC, a current SPRS score demonstrates good faith and exposes gaps early. DoD agencies increasingly reference SPRS scores in source selection.",[175,17076,17077,17080],{},[61,17078,17079],{},"Stand up a POA&M register."," Track every gap with an owner, a remediation plan, and a 180-day countdown. CMMC conditional certification lives or dies on POA&M closure.",[175,17082,17083,17086],{},[61,17084,17085],{},"Review your flow-down."," Inventory every subcontractor, cloud service provider, and managed service provider that touches FCI or CUI. 
Confirm they are on their own CMMC path.",[175,17088,17089,17092],{},[61,17090,17091],{},"Schedule a readiness review."," A mock CMMC assessment — internal or with a consultant or C3PAO — surfaces problems while there is still time to fix them.",[112,17094,17096],{"id":17095},"common-cmmc-challenges","Common CMMC challenges",[172,17098,17099,17105,17111,17117,17123],{},[175,17100,17101,17104],{},[61,17102,17103],{},"Scoping complexity."," Determining which systems, people, and processes handle CUI is often the hardest first step and the source of the most CMMC assessment rework.",[175,17106,17107,17110],{},[61,17108,17109],{},"NIST SP 800-171 gaps."," Many contractors self-attested NIST SP 800-171 compliance for years but never closed all 110 requirements. CMMC exposes that gap.",[175,17112,17113,17116],{},[61,17114,17115],{},"POA&M management."," Tracking remediation across teams within a 180-day window is hard without tooling. CMMC conditional certifications are revoked when POA&Ms go stale.",[175,17118,17119,17122],{},[61,17120,17121],{},"Subcontractor flow-down."," Primes must verify subcontractor CMMC status continuously, not once at onboarding.",[175,17124,17125,17128],{},[61,17126,17127],{},"Evidence organization."," A CMMC assessment can touch hundreds of evidence artifacts. 
Without a single source of truth, assessors burn billable hours chasing documents.",[37,17130,17131],{},"A structured approach that maps controls to NIST SP 800-171, reuses evidence across CMMC and other frameworks, tracks POA&M progress, and monitors the assessment timeline removes most of this friction — and that is exactly what the episki CMMC workspace is designed for.",{"title":546,"searchDepth":547,"depth":547,"links":17133},[17134],{"id":16742,"depth":547,"text":16743,"children":17135},[17136,17137,17138,17139,17140,17141,17142,17143,17144,17145,17146,17147,17148],{"id":16752,"depth":554,"text":16753},{"id":16785,"depth":554,"text":16786},{"id":16832,"depth":554,"text":16833},{"id":16859,"depth":554,"text":16860},{"id":16899,"depth":554,"text":16900},{"id":16924,"depth":554,"text":16925},{"id":16945,"depth":554,"text":16946},{"id":16983,"depth":554,"text":16984},{"id":17014,"depth":554,"text":17015},{"id":17026,"depth":554,"text":17027},{"id":17038,"depth":554,"text":17039},{"id":17050,"depth":554,"text":17051},{"id":17095,"depth":554,"text":17096},{"title":17150,"description":17151,"items":17152},"CMMC readiness checklist inside episki","Everything is preloaded in your free trial so you can start scoping your assessment and closing gaps immediately.",[17153,17154,17155,17156,17157],"NIST SP 800-171 control library with mapped CMMC practices","Level 1, 2, and 3 scoping guidance and practice sets","POA&M register with risk-ranked remediation priorities","System Security Plan (SSP) template with AI drafting","Evidence library organized by control family",{"title":17159,"description":17160},"Launch your CMMC workspace today","Import your NIST 800-171 controls, map them to CMMC levels, and start closing gaps before your next assessment.",{"title":17162,"items":17163},"CMMC frequently asked questions",[17164,17167,17170,17173,17176],{"label":17165,"content":17166},"What is CMMC 2.0?","CMMC 2.0 (Cybersecurity Maturity Model Certification) is the Department of 
Defense's program for verifying that defense contractors protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The final program rule took effect December 16, 2024, and DFARS contract enforcement began November 10, 2025.",{"label":17168,"content":17169},"What are the three CMMC levels?","Level 1 requires 17 basic safeguarding practices for FCI based on FAR 52.204-21. Level 2 requires 110 security practices aligned to NIST SP 800-171 Rev 2 for CUI. Level 3 adds 24 enhanced practices from NIST SP 800-172 for the most sensitive programs. Each level builds on the one below it.",{"label":17171,"content":17172},"How much does CMMC certification cost?","Costs vary by level and organization size. Level 1 requires only an annual self-assessment. Level 2 self-assessments are free but require significant preparation effort. Level 2 C3PAO assessments typically range from $50,000 to $150,000+ depending on scope. episki reduces preparation costs by automating evidence collection and control documentation.",{"label":17174,"content":17175},"When will CMMC be required in contracts?","CMMC is being phased into DoD contracts over four phases. Phase 1 began November 10, 2025, requiring Level 1 and Level 2 self-assessments in select solicitations. Phase 2 (November 2026) expands Level 2 C3PAO requirements. Phase 3 (November 2027) adds Level 3. By Phase 4 (November 2028), all applicable DoD contracts will require the appropriate CMMC level.",{"label":17177,"content":17178},"Who needs CMMC certification?","Any organization that processes, stores, or transmits FCI or CUI as part of a DoD contract or subcontract needs CMMC certification. This includes prime contractors, subcontractors at all tiers, and cloud service providers hosting DoD data. 
The required level depends on the sensitivity of information handled.",{"headline":17180,"title":17181,"description":17182,"links":17183},"CMMC without the guesswork","Get assessment-ready for CMMC without rebuilding your security program","episki maps NIST SP 800-171 and 800-172 controls to CMMC levels, automates evidence collection, and keeps your POA&M current so your team can focus on winning contracts.",[17184,17186],{"label":17185,"icon":603,"to":535},"Start CMMC trial",{"label":605,"icon":606,"color":607,"variant":608,"to":542,"target":609},{},"\u002Fframeworks\u002Fcmmc",{"headline":17190,"title":17190,"description":17191,"items":17192},"CMMC acceleration resources","Give leadership and contracting officers visibility into your cybersecurity posture at every stage.",[17193,17195,17198],{"title":620,"description":17194},"Translate control work into CMMC readiness percentages and contract eligibility status.",{"title":17196,"description":17197},"Assessment readiness kit","Pre-assessment checklist, evidence package review, and mock scoring aligned to DIBCAC methodology.",{"title":17199,"description":17200},"Subcontractor flow-down tracker","Monitor which subcontractors need their own CMMC certification and track their progress.",{"title":17202,"description":17203},"CMMC Compliance Software","Prepare for CMMC Level 1, 2, and 3 assessments with pre-mapped NIST 800-171 controls, automated evidence collection, and C3PAO-ready workspaces. Start your free 14-day trial.",[17205,17208,17211],{"value":17206,"description":17207},"3 maturity levels","Pre-mapped practices for Level 1, Level 2, and Level 3 with assessment-type guidance for each.",{"value":17209,"description":17210},"110 practices","Full NIST SP 800-171 Rev 2 control set mapped to CMMC Level 2 objectives out of the box.",{"value":17212,"description":17213},"Phase 1 live now","DFARS enforcement began November 2025. 
Level 1 and Level 2 self-assessments already required in select solicitations.","5.frameworks\u002Fcmmc","p5hUeZMYUGNFyYF4xjERSy0kHoJW_1ZFhsORUKeU3is",{"id":17217,"title":17218,"advantages":17219,"body":17241,"checklist":17727,"cta":17736,"description":546,"extension":578,"faq":17739,"hero":17757,"lastUpdated":610,"meta":17765,"name":402,"navigation":613,"path":401,"resources":17766,"seo":17779,"slug":8773,"stats":17782,"stem":17792,"__hash__":17793},"frameworks\u002F5.frameworks\u002Fhipaa.md","Hipaa",[17220,17227,17234],{"title":17221,"description":17222,"bullets":17223},"Safeguards mapped to your stack","Every HIPAA standard comes with plain-language owners, SLAs, and tests.",[17224,17225,17226],"Assign compliance, engineering, and ops leads to each safeguard","Playbooks explain what “good” looks like for each requirement","Timeline view keeps renewals and reviews on schedule",{"title":17228,"description":17229,"bullets":17230},"PHI-aware evidence locker","Secure uploads, access controls, and audit trails keep regulators satisfied.",[17231,17232,17233],"Granular permissions for internal and external reviewers","Automated retention and deletion policies","Download tracking and access audit trails",{"title":17235,"description":17236,"bullets":17237},"Vendor & incident workflows","Track BAAs, vendor attestations, and incidents from discovery to closure.",[17238,17239,17240],"BAA repository tied to vendor risk levels","Incident response runbooks with reminders","Post-incident reports aligned to HIPAA 
timelines",{"type":29,"value":17242,"toc":17700},[17243,17247,17250,17261,17264,17268,17271,17314,17318,17321,17326,17330,17333,17337,17344,17364,17367,17371,17378,17385,17389,17392,17396,17399,17402,17415,17419,17422,17425,17429,17447,17451,17463,17467,17470,17477,17481,17484,17487,17494,17498,17505,17508,17512,17519,17522,17545,17549,17552,17555,17561,17565,17568,17594,17597,17600,17604,17607,17625,17628,17632,17638,17642,17645,17674,17682,17686,17689,17697],[32,17244,17246],{"id":17245},"what-is-hipaa","What is HIPAA?",[37,17248,17249],{},"HIPAA, the Health Insurance Portability and Accountability Act of 1996, is the cornerstone US federal law governing the privacy and security of patient health information. Signed into law by President Bill Clinton, the act was originally designed to improve the portability of health insurance coverage when workers changed jobs, combat fraud and waste in healthcare, and simplify the administration of health insurance through standardized electronic transactions. Over the decades since, HIPAA has evolved into the defining US regulation for how healthcare organizations and their partners handle sensitive patient data.",[37,17251,17252,17253,17256,17257,17260],{},"At its core, the law establishes national standards that protect sensitive patient information — known as ",[44,17254,17255],{"href":16002},"protected health information",", or PHI — from unauthorized use and disclosure. Any organization that creates, receives, maintains, or transmits PHI must comply, whether that organization is a hospital, a health plan, a billing clearinghouse, or a SaaS vendor providing services to healthcare customers. 
The ",[44,17258,17259],{"href":12015},"HIPAA glossary entry"," provides a concise definition, while this page walks through the full regulatory landscape so you understand how each HIPAA rule fits together.",[37,17262,17263],{},"Enforcement falls to the US Department of Health and Human Services (HHS) through its Office for Civil Rights (OCR). State attorneys general also have authority to bring enforcement actions under powers granted by the HITECH Act. The law applies across all 50 states and preempts weaker state privacy laws, though state laws that provide greater protection remain in force.",[32,17265,17267],{"id":17266},"a-brief-history-of-hipaa","A brief history of HIPAA",[37,17269,17270],{},"HIPAA was enacted in 1996, but its privacy and security requirements were not finalized overnight. The act directed HHS to develop implementing regulations, and the major rules were rolled out over more than a decade.",[172,17272,17273,17279,17285,17291,17302,17308],{},[175,17274,17275,17278],{},[61,17276,17277],{},"1996"," — Congress passes HIPAA, directing HHS to issue regulations on privacy, security, and electronic transactions.",[175,17280,17281,17284],{},[61,17282,17283],{},"2000"," — The HIPAA Privacy Rule is published; it takes full effect in 2003.",[175,17286,17287,17290],{},[61,17288,17289],{},"2003"," — The HIPAA Security Rule is finalized, with compliance required by 2005 for most entities.",[175,17292,17293,17296,17297,17301],{},[61,17294,17295],{},"2009"," — The Health Information Technology for Economic and Clinical Health Act (",[44,17298,17300],{"href":17299},"\u002Fframeworks\u002Fhipaa\u002Fhitech-and-omnibus","HITECH",") is signed into law as part of the American Recovery and Reinvestment Act, extending HIPAA obligations to business associates and introducing breach notification requirements.",[175,17303,17304,17307],{},[61,17305,17306],{},"2013"," — The HIPAA Omnibus Rule implements HITECH and further strengthens HIPAA enforcement, fines, and 
patient rights.",[175,17309,17310,17313],{},[61,17311,17312],{},"2024 and beyond"," — HHS continues to update HIPAA guidance, most recently around cybersecurity expectations, reproductive health privacy, and the proposed modernization of the HIPAA Security Rule to reflect modern threats.",[112,17315,17317],{"id":17316},"hitech-and-the-omnibus-rule","HITECH and the Omnibus Rule",[37,17319,17320],{},"The HITECH Act of 2009 was a watershed moment. Before HITECH, HIPAA obligations technically applied only to covered entities, and business associates were bound solely by contract. HITECH changed that by making business associates directly liable. It also introduced the federal Breach Notification Rule, increased civil monetary penalties, and funded the nationwide adoption of electronic health records — which dramatically expanded the volume of electronic PHI requiring protection.",[37,17322,17323,17324,100],{},"The 2013 Omnibus Rule then translated HITECH into binding regulation. It extended the Privacy and Security Rules to business associates and their subcontractors, tightened the definition of a breach, strengthened individual rights to access electronic health records, and aligned the law with the Genetic Information Nondiscrimination Act (GINA). For a deeper breakdown of what changed, read ",[44,17325,17317],{"href":17299},[32,17327,17329],{"id":17328},"who-hipaa-applies-to","Who HIPAA applies to",[37,17331,17332],{},"HIPAA applies to two broad categories of organizations: covered entities and business associates. 
Understanding which category your organization falls into is the first and most important step in any HIPAA compliance program.",[112,17334,17336],{"id":17335},"covered-entities","Covered entities",[37,17338,73,17339,17343],{},[44,17340,17342],{"href":17341},"\u002Fglossary\u002Fcovered-entity","covered entity"," is any of the following:",[172,17345,17346,17352,17358],{},[175,17347,17348,17351],{},[61,17349,17350],{},"Health plans"," — health insurance companies, HMOs, employer-sponsored group health plans, government programs like Medicare and Medicaid, and long-term care insurers.",[175,17353,17354,17357],{},[61,17355,17356],{},"Healthcare providers"," — hospitals, clinics, physician practices, dentists, pharmacies, psychologists, and any other provider that transmits health information electronically for billing or eligibility purposes.",[175,17359,17360,17363],{},[61,17361,17362],{},"Healthcare clearinghouses"," — entities that process nonstandard health information into standard formats (or vice versa), such as billing services and repricing companies.",[37,17365,17366],{},"If your organization directly delivers healthcare or finances it, you are almost certainly a covered entity.",[112,17368,17370],{"id":17369},"business-associates","Business associates",[37,17372,73,17373,17377],{},[44,17374,17376],{"href":17375},"\u002Fglossary\u002Fbusiness-associate","business associate"," is any person or organization that performs a function or activity on behalf of a covered entity that involves the use or disclosure of PHI. Typical business associates include cloud hosting providers, billing vendors, EHR vendors, IT service providers, analytics firms, legal counsel, accounting firms, transcription services, and SaaS platforms that process PHI on behalf of covered entities.",[37,17379,17380,17381,17384],{},"Most modern SaaS companies serving healthcare customers are business associates. 
If your product ingests, stores, processes, or transmits PHI for a covered entity, HIPAA applies to you directly — regardless of whether you consider yourself a \"healthcare company.\" Subcontractors of business associates are themselves business associates and are bound by the same obligations. Signing a ",[44,17382,17383],{"href":16007},"business associate agreement"," with every upstream and downstream partner that touches PHI is non-negotiable.",[112,17386,17388],{"id":17387},"who-is-not-covered-by-hipaa","Who is not covered by HIPAA?",[37,17390,17391],{},"Not every organization that handles health information is subject to the law. Consumer wellness apps, fitness trackers, direct-to-consumer genetic testing services, employers (in their role as employers), life insurers, and schools generally fall outside its reach unless they act on behalf of a covered entity. That said, many of these organizations still face FTC oversight, state privacy laws, and customer expectations that mirror HIPAA protections.",[32,17393,17395],{"id":17394},"the-hipaa-privacy-rule","The HIPAA Privacy Rule",[37,17397,17398],{},"The HIPAA Privacy Rule sets national standards for the protection of PHI in all forms — electronic, paper, and oral. It establishes when PHI may be used and disclosed, defines patient rights over their own health data, and imposes the minimum necessary standard on most disclosures. 
The Privacy Rule applies to covered entities directly and to business associates through their BAAs.",[37,17400,17401],{},"Key Privacy Rule concepts include the Notice of Privacy Practices, patient access rights (including the right to an electronic copy of an electronic health record within 30 days), the right to request amendments and accounting of disclosures, the minimum necessary standard, permitted uses for treatment, payment, and operations, and the authorization requirements for marketing and sale of PHI.",[37,17403,17404,17405,17409,17410,17414],{},"For a comprehensive walkthrough of the HIPAA Privacy Rule, permitted disclosures, and patient rights, read the dedicated ",[44,17406,17408],{"href":17407},"\u002Fframeworks\u002Fhipaa\u002Fprivacy-rule","HIPAA Privacy Rule"," guide. For more on the narrowly tailored access principle that governs day-to-day PHI handling, see the ",[44,17411,17413],{"href":17412},"\u002Fframeworks\u002Fhipaa\u002Fminimum-necessary-rule","minimum necessary rule"," page.",[32,17416,17418],{"id":17417},"the-hipaa-security-rule","The HIPAA Security Rule",[37,17420,17421],{},"The HIPAA Security Rule establishes the national floor for protecting electronic PHI (ePHI). While the Privacy Rule covers every form of PHI, the Security Rule is scoped to electronic data — which, in 2026, is effectively every record of clinical or financial relevance inside a modern healthcare organization.",[37,17423,17424],{},"The Security Rule organizes its requirements into three categories of safeguards. Every covered entity and business associate must implement each category based on a documented HIPAA risk analysis.",[112,17426,17428],{"id":17427},"administrative-safeguards","Administrative safeguards",[37,17430,17431,17432,17436,17437,17441,17442,17446],{},"Administrative safeguards are the policies, procedures, and organizational measures that govern your HIPAA program. 
They include security management processes, a designated security official, ",[44,17433,17435],{"href":17434},"\u002Fframeworks\u002Fhipaa\u002Fworkforce-training","workforce training",", a ",[44,17438,17440],{"href":17439},"\u002Fframeworks\u002Fhipaa\u002Fsanctions-policy","sanctions policy"," for workforce violations, access management, ",[44,17443,17445],{"href":17444},"\u002Fframeworks\u002Fhipaa\u002Fcontingency-planning","contingency planning",", periodic evaluations, and BAAs with every downstream partner. These typically consume the most effort because they touch every corner of the business.",[112,17448,17450],{"id":17449},"physical-safeguards","Physical safeguards",[37,17452,17453,17454,418,17458,17462],{},"Physical safeguards protect the facilities, workstations, devices, and media that house ePHI. This category covers ",[44,17455,17457],{"href":17456},"\u002Fframeworks\u002Fhipaa\u002Ffacility-access-controls","facility access controls",[44,17459,17461],{"href":17460},"\u002Fframeworks\u002Fhipaa\u002Fworkstation-and-device-controls","workstation and device controls",", and media disposal. For cloud-first SaaS companies, physical safeguards increasingly translate into inherited controls from hyperscale cloud providers, but every regulated organization still needs defensible answers for the laptops, offices, and portable media its workforce uses.",[112,17464,17466],{"id":17465},"technical-safeguards","Technical safeguards",[37,17468,17469],{},"Technical safeguards are the technology controls that protect ePHI and govern access to it. 
They include unique user identification, automatic logoff, encryption and decryption of ePHI at rest and in transit, audit controls that log system activity, integrity controls that prevent improper alteration, and person or entity authentication.",[37,17471,17472,17473,17476],{},"For a deep dive into the complete Security Rule standards, required versus addressable implementation specifications, and how to pass an OCR audit of your ePHI safeguards, read the ",[44,17474,17475],{"href":8407},"HIPAA Security Rule"," guide.",[32,17478,17480],{"id":17479},"the-hipaa-breach-notification-rule","The HIPAA Breach Notification Rule",[37,17482,17483],{},"The Breach Notification Rule, added by HITECH and finalized in the Omnibus Rule, requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. A breach is presumed whenever PHI is used or disclosed in a way that is not permitted under the Privacy Rule, unless the organization can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.",[37,17485,17486],{},"Notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. Business associates must notify their covered entity clients, who in turn notify affected individuals. 
Breaches involving 500 or more individuals must be reported to HHS within 60 days and listed on the public OCR \"Wall of Shame,\" while smaller breaches may be reported in an annual log.",[37,17488,17489,17490,17476],{},"For full details on timelines, content requirements, and documentation expectations, see the ",[44,17491,17493],{"href":17492},"\u002Fframeworks\u002Fhipaa\u002Fbreach-notification","HIPAA Breach Notification Rule",[32,17495,17497],{"id":17496},"business-associate-agreements","Business associate agreements",[37,17499,17500,17501,17504],{},"No PHI should ever leave a covered entity — or a business associate — without a properly executed BAA in place. A ",[44,17502,17383],{"href":17503},"\u002Fframeworks\u002Fhipaa\u002Fbusiness-associate-agreements"," is a legally binding contract that defines permitted uses and disclosures of PHI, requires implementation of appropriate safeguards, obligates breach notification, mandates BAA flow-down to subcontractors, and establishes termination rights when a business associate violates the agreement.",[37,17506,17507],{},"In practice, BAA management is one of the most common HIPAA failure modes for growing SaaS companies. Deals close, engineering ships, and PHI starts flowing before legal has countersigned the BAA — creating exposure for both sides. A disciplined BAA intake process, a BAA repository with renewal reminders, and clear ownership of vendor risk are table stakes for any serious compliance program.",[32,17509,17511],{"id":17510},"hipaa-compliance-checklist","HIPAA compliance checklist",[37,17513,17514,17515,17518],{},"Translating the regulatory language into day-to-day operations is where most programs struggle. 
The ",[44,17516,17511],{"href":17517},"\u002Fframeworks\u002Fhipaa\u002Fcompliance-checklist"," walks through every major obligation — from assigning a security official through finalizing your Notice of Privacy Practices — as a sequenced program of work.",[37,17520,17521],{},"At a high level, a complete HIPAA program includes:",[172,17523,17524,17527,17530,17533,17536,17539,17542],{},[175,17525,17526],{},"A current risk analysis and documented risk management plan.",[175,17528,17529],{},"Written policies and procedures covering Privacy, Security, and Breach Notification obligations.",[175,17531,17532],{},"A signed BAA with every vendor, subcontractor, and customer that exchanges PHI.",[175,17534,17535],{},"Workforce training at hire and at least annually thereafter, with documented completion.",[175,17537,17538],{},"Access control, audit logging, encryption, and contingency planning for every system that touches ePHI.",[175,17540,17541],{},"An incident response runbook aligned to the Breach Notification Rule.",[175,17543,17544],{},"Documentation retained for at least six years from creation or last effective date, whichever is later.",[32,17546,17548],{"id":17547},"hipaa-risk-analysis","HIPAA risk analysis",[37,17550,17551],{},"Every HIPAA Security Rule program begins with a risk analysis. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. HHS has repeatedly stated that a missing or superficial risk analysis is among the most common findings in OCR enforcement actions.",[37,17553,17554],{},"A defensible risk analysis inventories every system that creates, receives, maintains, or transmits ePHI, identifies threats and vulnerabilities affecting each system, measures the likelihood and impact of each risk, and feeds directly into the Security Management Process that prioritizes mitigation. 
Most mature programs align their methodology to NIST Special Publication 800-30, which OCR cites favorably.",[37,17556,17557,17558,17476],{},"For a full breakdown of methodology, documentation requirements, and common pitfalls, read the ",[44,17559,17548],{"href":17560},"\u002Fframeworks\u002Fhipaa\u002Frisk-analysis",[32,17562,17564],{"id":17563},"penalties-and-enforcement","Penalties and enforcement",[37,17566,17567],{},"Enforcement is administered by OCR, with parallel criminal enforcement authority held by the Department of Justice and civil enforcement authority held by state attorneys general. HIPAA penalties are tiered by culpability.",[172,17569,17570,17576,17582,17588],{},[175,17571,17572,17575],{},[61,17573,17574],{},"Tier 1 — Unknowing violation"," — $100 to $50,000 per violation; annual cap $25,000 for identical violations.",[175,17577,17578,17581],{},[61,17579,17580],{},"Tier 2 — Reasonable cause"," — $1,000 to $50,000 per violation; annual cap $100,000.",[175,17583,17584,17587],{},[61,17585,17586],{},"Tier 3 — Willful neglect, corrected"," — $10,000 to $50,000 per violation; annual cap $250,000.",[175,17589,17590,17593],{},[61,17591,17592],{},"Tier 4 — Willful neglect, uncorrected"," — $50,000 per violation; annual cap $1.5 million per violation category.",[37,17595,17596],{},"Penalty amounts are adjusted annually for inflation. Criminal penalties can reach $250,000 and 10 years of imprisonment for offenses involving intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.",[37,17598,17599],{},"OCR enforcement tends to cluster around predictable themes: missing or inadequate risk analyses, lost unencrypted devices, failure to terminate workforce access, insufficient BAAs, delayed breach notifications, and refusal to provide patient access to records. 
Organizations that can demonstrate a mature, well-documented program — with evidence of ongoing risk analysis, training, and monitoring — consistently receive more favorable resolutions.",[32,17601,17603],{"id":17602},"hipaa-vs-hitech-vs-hitrust","HIPAA vs HITECH vs HITRUST",[37,17605,17606],{},"These three acronyms sit close together in healthcare conversations and are often conflated. They are related but distinct.",[172,17608,17609,17614,17619],{},[175,17610,17611,17613],{},[61,17612,402],{}," is the underlying federal law and its implementing regulations (Privacy, Security, Breach Notification, and Enforcement Rules). HIPAA defines the legal obligations.",[175,17615,17616,17618],{},[61,17617,17300],{}," is a 2009 federal law that strengthened HIPAA — extending it to business associates, introducing breach notification, increasing penalties, and funding EHR adoption. HITECH is part of HIPAA's regulatory stack, not a separate framework.",[175,17620,17621,17624],{},[61,17622,17623],{},"HITRUST"," is a private-sector certification maintained by the HITRUST Alliance. The HITRUST CSF is a control framework that maps HIPAA, NIST, ISO 27001, PCI DSS, and other standards into a single certifiable set of controls. HITRUST is a common way to demonstrate HIPAA compliance to sophisticated healthcare customers, but HITRUST certification is not itself required by HIPAA.",[37,17626,17627],{},"A healthcare SaaS company might pursue HITRUST CSF certification as a commercial asset while its underlying legal obligation remains HIPAA compliance under HITECH-amended rules.",[112,17629,17631],{"id":17630},"hipaa-and-soc-2","HIPAA and SOC 2",[37,17633,17634,17635,17637],{},"Many SaaS companies pursue ",[44,17636,658],{"href":614}," alongside HIPAA. The two frameworks complement each other: SOC 2 evaluates security, availability, confidentiality, processing integrity, and privacy trust services criteria, while HIPAA is a statutory requirement for handling PHI. 
A well-designed control environment can satisfy both with substantial overlap.",[32,17639,17641],{"id":17640},"getting-hipaa-compliant","Getting HIPAA compliant",[37,17643,17644],{},"The most successful HIPAA programs treat compliance as a continuous operating rhythm rather than a once-a-year scramble. A typical rollout for a SaaS company serving healthcare customers looks like this.",[210,17646,17647,17650,17653,17656,17659,17662,17665,17668,17671],{},[175,17648,17649],{},"Confirm your status as a covered entity, business associate, or both, and inventory the PHI you handle today.",[175,17651,17652],{},"Appoint a security official and a privacy official (the same person may hold both roles at small companies).",[175,17654,17655],{},"Conduct a risk analysis scoped to every system that creates, receives, maintains, or transmits ePHI.",[175,17657,17658],{},"Implement the administrative, physical, and technical safeguards required by the Security Rule, informed by your risk analysis.",[175,17660,17661],{},"Draft and publish policies and procedures covering Privacy, Security, and Breach Notification obligations.",[175,17663,17664],{},"Execute BAAs with every vendor that touches PHI, and require a signed BAA before onboarding any new customer that qualifies as a covered entity.",[175,17666,17667],{},"Deliver workforce training at hire and annually thereafter, and document completion.",[175,17669,17670],{},"Stand up an incident response runbook aligned to the Breach Notification Rule.",[175,17672,17673],{},"Operate the program: review access quarterly, test contingency plans at least annually, refresh your risk analysis whenever material change occurs, and retain documentation for at least six years.",[37,17675,17676,17677,17681],{},"For companies operating in the broader ",[44,17678,17680],{"href":17679},"\u002Findustry\u002Fhealthcare","healthcare industry",", HIPAA is rarely the only regulation in scope. 
State privacy laws, the 21st Century Cures Act, FDA software-as-a-medical-device requirements, and payor-specific security reviews often run in parallel — which is why most compliance programs are built into a broader GRC operating model.",[32,17683,17685],{"id":17684},"how-episki-helps-with-hipaa-compliance","How episki helps with HIPAA compliance",[37,17687,17688],{},"episki is the HIPAA compliance platform for healthtech teams that need to ship fast without losing control of PHI. We map Privacy, Security, and Breach Notification obligations directly to your systems, automate evidence collection for every safeguard, manage BAAs across your vendor ecosystem, and keep risk analyses current as your stack evolves.",[37,17690,17691,17692,17696],{},"Our platform was designed by practitioners who have led HIPAA programs at healthcare organizations and audited them as consultants. The result is a workspace that makes it obvious what is done, what is due, and what is drifting — so you can spend less time reconstructing evidence the week before a customer audit and more time building product. Read the ",[44,17693,17695],{"href":17694},"\u002Fnow\u002Fhipaa-compliance-healthtech","HIPAA for healthtech"," playbook for a closer look at how modern SaaS companies operate HIPAA at startup speed.",[37,17698,17699],{},"Ready to tighten your HIPAA program? 
Start a free trial or book a demo from the top of this page.",{"title":546,"searchDepth":547,"depth":547,"links":17701},[17702,17703,17706,17711,17712,17717,17718,17719,17720,17721,17722,17725,17726],{"id":17245,"depth":547,"text":17246},{"id":17266,"depth":547,"text":17267,"children":17704},[17705],{"id":17316,"depth":554,"text":17317},{"id":17328,"depth":547,"text":17329,"children":17707},[17708,17709,17710],{"id":17335,"depth":554,"text":17336},{"id":17369,"depth":554,"text":17370},{"id":17387,"depth":554,"text":17388},{"id":17394,"depth":547,"text":17395},{"id":17417,"depth":547,"text":17418,"children":17713},[17714,17715,17716],{"id":17427,"depth":554,"text":17428},{"id":17449,"depth":554,"text":17450},{"id":17465,"depth":554,"text":17466},{"id":17479,"depth":547,"text":17480},{"id":17496,"depth":547,"text":17497},{"id":17510,"depth":547,"text":17511},{"id":17547,"depth":547,"text":17548},{"id":17563,"depth":547,"text":17564},{"id":17602,"depth":547,"text":17603,"children":17723},[17724],{"id":17630,"depth":554,"text":17631},{"id":17640,"depth":547,"text":17641},{"id":17684,"depth":547,"text":17685},{"title":17728,"description":17729,"items":17730},"HIPAA launch kit","Guided steps keep privacy, security, and ops in sync from day one.",[17731,17732,17733,17734,17735],"Safeguard library with ownership matrix","Evidence tracking for access logs and configs","BAA tracker with renewal reminders","Incident and breach response templates","Stakeholder portal with PHI redaction controls",{"title":17737,"description":17738},"Launch HIPAA monitoring in minutes","Kick off the free trial and invite stakeholders before your next diligence call.",{"title":17740,"items":17741},"HIPAA compliance frequently asked questions",[17742,17745,17748,17751,17754],{"label":17743,"content":17744},"Who needs to comply with HIPAA?","HIPAA applies to covered entities (health plans, healthcare providers, clearinghouses) and business associates — any vendor or subcontractor that creates, 
receives, maintains, or transmits protected health information (PHI). SaaS companies serving healthcare customers almost always qualify as business associates.",{"label":17746,"content":17747},"What is a Business Associate Agreement (BAA)?","A BAA is a legally required contract between a covered entity and a business associate that establishes permitted uses and disclosures of PHI, requires appropriate safeguards, and outlines breach notification responsibilities. No PHI should be shared with a vendor before a BAA is signed.",{"label":17749,"content":17750},"What are the penalties for HIPAA violations?","HIPAA penalties range from $100 to $50,000 per violation depending on the level of negligence, with annual maximums up to $1.5 million per violation category. Criminal penalties can include fines up to $250,000 and imprisonment. The HHS Office for Civil Rights enforces compliance.",{"label":17752,"content":17753},"Does HIPAA apply to SaaS companies?","Yes. Any SaaS company that handles, stores, or transmits PHI on behalf of a healthcare organization is considered a business associate under HIPAA and must comply with the Security Rule, Privacy Rule, and Breach Notification Rule.",{"label":17755,"content":17756},"What are the three HIPAA safeguard categories?","HIPAA requires administrative safeguards (policies, training, risk assessments), physical safeguards (facility access, workstation security), and technical safeguards (access controls, encryption, audit logging) to protect electronic PHI.",{"headline":17758,"title":17759,"description":17760,"links":17761},"HIPAA-ready cloud teams","Stay HIPAA compliant while shipping product weekly","episki maps administrative, physical, and technical safeguards to your systems and keeps PHI protections verifiable.",[17762,17764],{"label":17763,"icon":603,"to":535},"Start HIPAA 
trial",{"label":605,"icon":606,"color":607,"variant":608,"to":542,"target":609},{},{"headline":17767,"title":17767,"description":17768,"items":17769},"HIPAA enablement","Keep leadership, customers, and partners aligned.",[17770,17773,17776],{"title":17771,"description":17772},"Board-ready posture report","Shows maturity score, risk trends, and upcoming audits.",{"title":17774,"description":17775},"Customer FAQ pack","Answers the most common HIPAA diligence questions.",{"title":17777,"description":17778},"Ops automation guide","Explains how to plug security tasks into existing tools.",{"title":17780,"description":17781},"HIPAA Compliance Management Software","Map HIPAA safeguards, track PHI evidence, and manage BAAs in one secure workspace. Get audit-ready in 30 days with episki's free trial.",[17783,17786,17789],{"value":17784,"description":17785},"30-day rollout","Average time to production monitoring across safeguards.",{"value":17787,"description":17788},"PHI-safe sharing","Role-based portals keep sensitive documents organized and protected.",{"value":17790,"description":17791},"24\u002F7 alerts","Continuous monitoring for access, logging, and vendor risks.","5.frameworks\u002Fhipaa","9IldK-wXldOkZs8WFGmDWXYF8To1wETqwKkhsGGUW04",{"id":17795,"title":17796,"advantages":17797,"body":17819,"checklist":18216,"cta":18227,"description":546,"extension":578,"faq":18230,"hero":18248,"lastUpdated":610,"meta":18256,"name":393,"navigation":613,"path":392,"resources":18257,"seo":18270,"slug":8772,"stats":18273,"stem":18281,"__hash__":18282},"frameworks\u002F5.frameworks\u002Fiso27001.md","Iso27001",[17798,17805,17812],{"title":17799,"description":17800,"bullets":17801},"Statement of Applicability in minutes","Generate and maintain your SoA directly from your control graph with justification notes for every inclusion and exclusion.",[17802,17803,17804],"Auto-populate applicability status from existing controls","Link each control to risk treatment decisions","Export 
auditor-ready SoA documents on demand",{"title":17806,"description":17807,"bullets":17808},"Risk-driven control management","Connect your risk register to Annex A controls so treatment plans and evidence stay aligned as threats evolve.",[17809,17810,17811],"Risk assessment templates following ISO 27005 guidance","Heat maps show residual risk by domain","Treatment plans tie directly to control tasks and owners",{"title":17813,"description":17814,"bullets":17815},"Surveillance audit confidence","Keep your ISMS current between certification cycles with continuous monitoring and internal audit workflows.",[17816,17817,17818],"Automated evidence refresh and expiration alerts","Internal audit scheduling with finding tracking","Management review templates with trend data",{"type":29,"value":17820,"toc":18198},[17821,17825,17835,17838,17841,17844,17848,17851,17854,17857,17861,17864,17877,17881,17884,17891,17894,17898,17905,17908,17916,17920,17927,17930,17938,17942,17945,17989,17997,18005,18009,18012,18015,18022,18026,18029,18032,18043,18047,18050,18058,18062,18065,18072,18076,18079,18105,18112,18116,18119,18127,18131,18134,18141,18145,18148,18169,18175,18179,18182,18192,18195],[32,17822,17824],{"id":17823},"what-is-iso-27001","What is ISO 27001?",[37,17826,17827,17829,17830,17834],{},[44,17828,393],{"href":16162}," is the world's most widely adopted international standard for information security management. Formally titled ISO\u002FIEC 27001, it defines the requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System, or ",[44,17831,17833],{"href":17832},"\u002Fglossary\u002Fisms","ISMS",". Organizations that align with ISO 27001 commit to a risk-based, process-driven approach to protecting the confidentiality, integrity, and availability of the information they hold on behalf of customers, employees, and business partners.",[37,17836,17837],{},"The standard is published jointly by two bodies. 
The International Organization for Standardization (ISO), headquartered in Geneva, develops consensus-based standards across nearly every industry. The International Electrotechnical Commission (IEC) is its counterpart for electrotechnical and information technology standards. Together, their joint technical committee ISO\u002FIEC JTC 1\u002FSC 27 maintains the ISO 27001 family, which includes supporting documents such as ISO 27002 (implementation guidance) and ISO 27005 (risk management guidance).",[37,17839,17840],{},"ISO 27001 was first released in 2005, revised in 2013, and most recently updated in October 2022. The 2022 revision is now the only version against which new ISO 27001 certifications are issued. Any discussion of ISO 27001 today should default to this edition, which reorganized the control set and introduced eleven new controls addressing modern risks like threat intelligence, data masking, and secure coding.",[37,17842,17843],{},"At the heart of ISO 27001 is the concept of an ISMS. An ISMS is not a product you can buy or a checklist you can run through once. It is the living combination of policies, processes, people, and technology that your organization uses to identify information security risks, decide how to treat them, implement controls, measure effectiveness, and continually improve. ISO 27001 provides the blueprint. Your ISMS is the thing you build from that blueprint.",[32,17845,17847],{"id":17846},"why-iso-27001-matters","Why ISO 27001 matters",[37,17849,17850],{},"ISO 27001 is recognized in more than 160 countries and frequently shows up as a procurement requirement for enterprise technology contracts, financial services partnerships, public sector work, and any organization selling into European or APAC markets. 
Unlike self-attested programs, ISO 27001 certification is issued by an independent accredited certification body, which gives customers and regulators external assurance that your security practices are real and not marketing.",[37,17852,17853],{},"Beyond procurement, ISO 27001 brings discipline. Many organizations treat security as a reactive function that only activates after an incident or failed audit. The ISO 27001 approach forces proactive risk identification, documented decisions, and measurable effectiveness. Even teams that never pursue certification often adopt the ISO 27001 framework as an internal operating model because it is mature, well-documented, and maps cleanly to other standards.",[37,17855,17856],{},"ISO 27001 also signals organizational maturity to investors. Due diligence for Series B and later funding rounds almost always includes a security review. Holding an ISO 27001 certificate short-circuits much of that review and accelerates close.",[32,17858,17860],{"id":17859},"the-iso-27001-certification-process","The ISO 27001 certification process",[37,17862,17863],{},"ISO 27001 certification follows a standardized two-stage audit model used worldwide. A Stage 1 audit reviews your ISMS documentation and readiness. A Stage 2 audit evaluates whether your ISMS is actually implemented and effective in practice. If there are no major nonconformities, the certification body recommends certification and a three-year certificate is issued. Annual surveillance audits follow, with full recertification every three years.",[37,17865,17866,17867,17871,17872,17876],{},"For a deep walkthrough of every phase of the journey, including timelines, auditor expectations, and common pitfalls, see the ",[44,17868,17870],{"href":17869},"\u002Fframeworks\u002Fiso27001\u002Fcertification-process","ISO 27001 certification process guide",". 
If you are still evaluating whether to pursue ISO 27001 at all, the ",[44,17873,17875],{"href":17874},"\u002Fnow\u002Fiso27001-certification-guide","ISO 27001 certification guide"," covers the business case and sequencing decisions.",[32,17878,17880],{"id":17879},"iso-270012022-what-changed","ISO 27001:2022 — What changed",[37,17882,17883],{},"The 2022 revision is the current version of the standard. Two changes matter most for teams implementing ISO 27001 today.",[37,17885,17886,17887,17890],{},"First, the control set was restructured. The 2013 edition had 114 controls across 14 domains. ISO 27001:2022 consolidates these into ",[61,17888,17889],{},"93 controls across four themes",": organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Eleven entirely new controls were introduced, including threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, configuration management, information deletion, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding.",[37,17892,17893],{},"Second, the clause-level requirements in sections 4 through 10 received targeted updates around planning, leadership commitment, and operational control. The Plan-Do-Check-Act structure remains, but the language is tighter and more aligned with other ISO management system standards such as ISO 9001 and ISO 14001. Organizations holding ISO 27001:2013 certificates were given a transition window, and most have now migrated. New certifications are assessed exclusively against ISO 27001:2022.",[32,17895,17897],{"id":17896},"annex-a-controls","Annex A controls",[37,17899,17900,17901,17904],{},"Annex A of ISO 27001 is the reference control set. The ",[44,17902,17903],{"href":8395},"93 Annex A controls"," are organized under the four themes described above and represent the universe of possible safeguards your ISMS might apply. 
Every control must be evaluated for applicability and either implemented or formally excluded with justification.",[37,17906,17907],{},"Organizational controls cover governance, policy, third-party management, incident response, and business continuity. People controls address screening, training, responsibilities, and remote working. Physical controls protect buildings, equipment, and storage media. Technological controls handle access control, cryptography, logging, vulnerability management, secure development, and cloud security.",[37,17909,17910,17911,17915],{},"For a full breakdown of every theme, example controls in each, and how to prioritize implementation, see the ",[44,17912,17914],{"href":17913},"\u002Fframeworks\u002Fiso27001\u002Fannex-a-controls","ISO 27001 Annex A controls reference",". ISO 27002:2022 provides detailed implementation guidance for each control and is invaluable as a companion reference, though it is not mandatory to follow prescriptively.",[32,17917,17919],{"id":17918},"statement-of-applicability-soa","Statement of Applicability (SoA)",[37,17921,107,17922,17926],{},[44,17923,17925],{"href":17924},"\u002Fglossary\u002Fstatement-of-applicability","Statement of Applicability"," is arguably the single most important document in your ISO 27001 program. The SoA lists every Annex A control, records whether it is applicable to your ISMS, explains why, and summarizes how the control is implemented. It is the document auditors will open first, and it is the document customers may ask to see.",[37,17928,17929],{},"A well-built SoA ties directly to your risk assessment output. Controls are marked applicable because they treat identified risks, satisfy legal or contractual requirements, or reflect business decisions. Controls marked not applicable require a short but credible justification. 
Auditors routinely sample SoA entries during Stage 2 and ask for corresponding evidence.",[37,17931,17932,17933,17937],{},"See the dedicated guide on the ",[44,17934,17936],{"href":17935},"\u002Fframeworks\u002Fiso27001\u002Fstatement-of-applicability","ISO 27001 Statement of Applicability"," for format examples, justification patterns, and common SoA mistakes.",[32,17939,17941],{"id":17940},"building-your-isms","Building your ISMS",[37,17943,17944],{},"Implementing ISO 27001 is primarily an exercise in building a functioning ISMS. The standard walks through this in clauses 4 through 10:",[172,17946,17947,17953,17959,17965,17971,17977,17983],{},[175,17948,17949,17952],{},[61,17950,17951],{},"Clause 4 — Context of the organization."," Understand internal and external issues, interested parties, and define the ISMS scope.",[175,17954,17955,17958],{},[61,17956,17957],{},"Clause 5 — Leadership."," Top management must demonstrate commitment, approve the information security policy, and assign roles.",[175,17960,17961,17964],{},[61,17962,17963],{},"Clause 6 — Planning."," Identify risks and opportunities, set information security objectives, and plan how to achieve them.",[175,17966,17967,17970],{},[61,17968,17969],{},"Clause 7 — Support."," Provide resources, competence, awareness, communication, and documented information.",[175,17972,17973,17976],{},[61,17974,17975],{},"Clause 8 — Operation."," Execute the risk assessment and risk treatment process and operate the ISMS on an ongoing basis.",[175,17978,17979,17982],{},[61,17980,17981],{},"Clause 9 — Performance evaluation."," Monitor, measure, analyze, evaluate, conduct internal audits, and hold management reviews.",[175,17984,17985,17988],{},[61,17986,17987],{},"Clause 10 — Improvement."," Handle nonconformities and drive continual improvement.",[37,17990,17991,17992,17996],{},"Each clause has mandatory documented information and mandatory activities. 
The ",[44,17993,17995],{"href":17994},"\u002Fframeworks\u002Fiso27001\u002Fisms-implementation","ISO 27001 ISMS implementation guide"," breaks down exactly what to produce at each stage.",[37,17998,17999,18000,18004],{},"Scope definition deserves special attention. A scope that is too narrow can fail to satisfy customers. A scope that is too broad inflates audit cost and implementation effort. The ",[44,18001,18003],{"href":18002},"\u002Fframeworks\u002Fiso27001\u002Fisms-scope","ISMS scope"," guide walks through how to draw the right boundaries for your business.",[32,18006,18008],{"id":18007},"iso-27001-risk-assessment","ISO 27001 risk assessment",[37,18010,18011],{},"Risk assessment is the engine that drives control selection in ISO 27001. The standard requires a documented, repeatable methodology. Most organizations use a qualitative or semi-quantitative approach that evaluates likelihood and impact across confidentiality, integrity, and availability. ISO 27005 provides detailed guidance but is not mandatory.",[37,18013,18014],{},"Outputs of the risk assessment feed directly into the risk treatment plan, which in turn feeds the Statement of Applicability. This chain is why ISO 27001 auditors spend significant time tracing from a risk to a treatment decision to a control to evidence of operation. Break this chain and you create nonconformities.",[37,18016,18017,18018,100],{},"For methodology, risk register structure, treatment options, and residual risk handling, see the ",[44,18019,18021],{"href":18020},"\u002Fframeworks\u002Fiso27001\u002Frisk-assessment","ISO 27001 risk assessment guide",[32,18023,18025],{"id":18024},"internal-audits-and-management-review","Internal audits and management review",[37,18027,18028],{},"Two activities inside Clause 9 are frequent failure points for first-time ISO 27001 certifiers. Clause 9.2 requires internal audits of the ISMS at planned intervals. Clause 9.3 requires a formal management review with defined inputs and outputs. 
Both must be complete before your Stage 2 audit.",[37,18030,18031],{},"Internal audits must cover every clause of ISO 27001 and every applicable Annex A control across your audit cycle. Auditors must be objective and impartial, which typically means the person who built a control cannot audit it. Findings must be documented, communicated, and tracked to closure.",[37,18033,18034,18035,6500,18039,100],{},"Management reviews force leadership engagement. Inputs include audit results, risk changes, nonconformities, and stakeholder feedback. Outputs include decisions on resources, improvement opportunities, and changes to the ISMS. Detailed coverage lives in the ",[44,18036,18038],{"href":18037},"\u002Fframeworks\u002Fiso27001\u002Finternal-audit","internal audit guide",[44,18040,18042],{"href":18041},"\u002Fframeworks\u002Fiso27001\u002Fmanagement-review","management review guide",[32,18044,18046],{"id":18045},"nonconformities-and-corrective-action","Nonconformities and corrective action",[37,18048,18049],{},"When something in your ISMS does not meet ISO 27001 requirements, your own policies, or customer obligations, that is a nonconformity. Clause 10.2, Nonconformity and corrective action (numbered 10.1 in the 2013 edition), requires you to react, contain the consequences, perform root cause analysis, implement corrective action, and review the effectiveness of that action.",[37,18051,18052,18053,18057],{},"Mature organizations treat nonconformities as valuable signals rather than failures. The ",[44,18054,18056],{"href":18055},"\u002Fframeworks\u002Fiso27001\u002Fnonconformity-and-corrective-action","nonconformity and corrective action"," guide walks through the full CAPA workflow auditors expect to see.",[32,18059,18061],{"id":18060},"continual-improvement","Continual improvement",[37,18063,18064],{},"Clause 10.1 (numbered 10.2 in the 2013 edition) requires continual improvement of the suitability, adequacy, and effectiveness of the ISMS. This is not about constantly changing controls. 
It is about demonstrating measurable progress over time through metrics, KPIs, trend analysis, and lessons learned.",[37,18066,18067,18068,100],{},"Learn how to set ISMS metrics that auditors respect and leadership actually uses in the ",[44,18069,18071],{"href":18070},"\u002Fframeworks\u002Fiso27001\u002Fcontinual-improvement","continual improvement guide",[32,18073,18075],{"id":18074},"cost-and-timeline","Cost and timeline",[37,18077,18078],{},"ISO 27001 certification costs vary by scope, organization size, and maturity. A realistic budget range for a first-time certification at a small to mid-sized technology company looks like this:",[172,18080,18081,18087,18093,18099],{},[175,18082,18083,18086],{},[61,18084,18085],{},"Internal effort."," Six to twelve months of fractional time from an ISMS owner plus contributions from engineering, HR, legal, and IT. Equivalent fully loaded cost of $50,000 to $200,000.",[175,18088,18089,18092],{},[61,18090,18091],{},"External consulting (optional)."," Gap analysis and implementation support from a consultancy typically runs $20,000 to $100,000 depending on scope.",[175,18094,18095,18098],{},[61,18096,18097],{},"Certification body fees."," Stage 1 and Stage 2 audits combined usually cost $15,000 to $40,000. Annual surveillance audits run $8,000 to $20,000. Recertification in year three runs similar to the initial audit.",[175,18100,18101,18104],{},[61,18102,18103],{},"Platform and tooling."," GRC platforms like episki typically replace $30,000 or more in spreadsheet-driven consulting labor annually.",[37,18106,18107,18108,18111],{},"Total first-year ISO 27001 program cost for a 50 to 200 person company commonly lands between $60,000 and $150,000 all-in. Timeline from kickoff to certificate in hand is typically nine to fifteen months. 
See the ",[44,18109,18110],{"href":17869},"cost and timeline discussion in the certification process guide"," for more detail.",[32,18113,18115],{"id":18114},"choosing-a-certification-body","Choosing a certification body",[37,18117,18118],{},"Only an accredited certification body can issue a recognized ISO 27001 certificate. Accreditation is granted by national bodies such as UKAS in the United Kingdom, ANAB in the United States, and JAS-ANZ in Australia and New Zealand, all operating under the International Accreditation Forum (IAF). A certificate from a non-accredited body has little value with enterprise customers.",[37,18120,18121,18122,18126],{},"Selection criteria include accreditation scope, industry experience, auditor availability, geographic coverage, and cost transparency. The ",[44,18123,18125],{"href":18124},"\u002Fframeworks\u002Fiso27001\u002Fcertification-body-selection","certification body selection guide"," walks through the full evaluation.",[32,18128,18130],{"id":18129},"surveillance-audits-and-recertification","Surveillance audits and recertification",[37,18132,18133],{},"Once certified, your ISO 27001 certificate is valid for three years. Certification bodies conduct a lighter annual surveillance audit in years one and two to confirm the ISMS is still operating effectively. A full recertification audit occurs in year three. Nonconformities identified during surveillance can put your certificate at risk if not resolved within the specified timeframe.",[37,18135,2373,18136,18140],{},[44,18137,18139],{"href":18138},"\u002Fframeworks\u002Fiso27001\u002Fsurveillance-audits","surveillance audits guide"," for preparation checklists and what auditors typically sample during year-one and year-two visits.",[32,18142,18144],{"id":18143},"iso-27001-vs-soc-2-vs-nist-csf","ISO 27001 vs SOC 2 vs NIST CSF",[37,18146,18147],{},"Customers and leadership teams frequently ask how ISO 27001 compares to other frameworks. 
The short version:",[172,18149,18150,18158],{},[175,18151,18152,18157],{},[61,18153,18154,18155,100],{},"ISO 27001 vs ",[44,18156,658],{"href":614}," ISO 27001 is an international certification of an ISMS. SOC 2 is a US-centric attestation of controls aligned with the AICPA Trust Services Criteria. SOC 2 produces a detailed report; ISO 27001 produces a certificate. SOC 2 is faster to complete and often preferred by US buyers. ISO 27001 is stronger for European customers and regulated industries. Many organizations run both, mapping controls once in a tool like episki.",[175,18159,18160,18163,18164,18168],{},[61,18161,18162],{},"ISO 27001 vs NIST CSF."," NIST CSF is a voluntary US framework structured, since CSF 2.0 (February 2024), around six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is not a certification. Organizations often use NIST CSF as a maturity assessment tool and ISO 27001 as the formal certification. The two map cleanly: the CSF 2.0 informative references tie each subcategory to ISO 27001 Annex A controls. See ",[44,18165,18167],{"href":18166},"\u002Fframeworks\u002Fnistcsf\u002Fmapping-to-other-frameworks","NIST CSF mapping to other frameworks"," for a side-by-side comparison.",[37,18170,18171,18172,18174],{},"If you are weighing which framework to pursue first, the ",[44,18173,17875],{"href":17874}," covers framework sequencing for growing companies.",[32,18176,18178],{"id":18177},"getting-certified-with-episki","Getting certified with episki",[37,18180,18181],{},"Most teams discover that ISO 27001 certification is less about security expertise and more about sustained, organized execution across months of risk assessments, control implementation, evidence collection, and documentation. Spreadsheet-based ISO 27001 programs tend to collapse under their own weight, especially when the certification cycle extends across surveillance audits and the 2022 transition creates additional documentation churn.",[37,18183,18184,18185,96,18188,18191],{},"episki was built to collapse that effort. 
The platform ships with the full 93-control Annex A library pre-mapped, automatic Statement of Applicability generation, a risk register tied to ISO 27005 treatment options, internal audit workflows, management review templates, and continuous evidence collection. Customers regularly compare episki against more established vendors; see ",[44,18186,18187],{"href":3520},"episki vs Vanta",[44,18189,18190],{"href":3524},"episki vs Drata"," for honest side-by-side views.",[37,18193,18194],{},"Teams using episki typically cut ISO 27001 preparation time by 60 percent compared to manual approaches and arrive at Stage 2 with a clean, auditor-ready evidence pack. Whether you are starting from zero or migrating an existing ISO 27001:2013 program to the 2022 standard, the platform scales with your scope.",[37,18196,18197],{},"Start a free trial, import your controls, and run your first ISO 27001 gap analysis in under an hour.",{"title":546,"searchDepth":547,"depth":547,"links":18199},[18200,18201,18202,18203,18204,18205,18206,18207,18208,18209,18210,18211,18212,18213,18214,18215],{"id":17823,"depth":547,"text":17824},{"id":17846,"depth":547,"text":17847},{"id":17859,"depth":547,"text":17860},{"id":17879,"depth":547,"text":17880},{"id":17896,"depth":547,"text":17897},{"id":17918,"depth":547,"text":17919},{"id":17940,"depth":547,"text":17941},{"id":18007,"depth":547,"text":18008},{"id":18024,"depth":547,"text":18025},{"id":18045,"depth":547,"text":18046},{"id":18060,"depth":547,"text":18061},{"id":18074,"depth":547,"text":18075},{"id":18114,"depth":547,"text":18115},{"id":18129,"depth":547,"text":18130},{"id":18143,"depth":547,"text":18144},{"id":18177,"depth":547,"text":18178},{"title":18217,"description":18218,"items":18219},"ISO 27001 certification checklist inside episki","Everything you need to scope, implement, and certify your ISMS is preloaded in your free trial.",[18220,18221,18222,18223,18224,18225,18226],"ISMS scope definition and context of the organization 
templates","Full Annex A control library with implementation guidance","Risk assessment and treatment plan workflows","Statement of Applicability generator","Internal audit programme with finding management","Management review agenda and output templates","Corrective action tracking with root cause analysis",{"title":18228,"description":18229},"Start your ISO 27001 journey today","Import your controls, define your ISMS scope, and generate your first Statement of Applicability in under an hour.",{"title":18231,"items":18232},"ISO 27001 frequently asked questions",[18233,18236,18239,18242,18245],{"label":18234,"content":18235},"How long does ISO 27001 certification take?","Most organizations achieve certification in 6-12 months depending on scope and existing maturity. The process includes a Stage 1 documentation review and a Stage 2 implementation audit. episki reduces preparation time by up to 60% with pre-mapped controls and automated evidence.",{"label":18237,"content":18238},"What is the difference between ISO 27001 and SOC 2?","ISO 27001 is an international certification standard focused on building a complete information security management system (ISMS). SOC 2 is a US-based attestation that evaluates specific Trust Services Criteria. Many companies pursue both, and episki lets you map controls once and reuse them across frameworks.",{"label":18240,"content":18241},"What is an ISMS?","An Information Security Management System (ISMS) is the set of policies, procedures, controls, and processes an organization uses to manage information security risk. ISO 27001 provides the framework for establishing, implementing, maintaining, and continually improving an ISMS.",{"label":18243,"content":18244},"How much does ISO 27001 certification cost?","Certification costs vary by organization size and scope but typically range from $30,000 to $80,000 including auditor fees, with ongoing surveillance audit costs annually. 
episki's flat-rate pricing keeps the platform cost predictable at $500\u002Fmonth.",{"label":18246,"content":18247},"How often are ISO 27001 surveillance audits?","After initial certification, surveillance audits occur annually to confirm your ISMS remains effective. A full recertification audit is required every three years. episki's continuous monitoring keeps evidence current between audits.",{"headline":18249,"title":18250,"description":18251,"links":18252},"ISO 27001 certification on your timeline","Build and maintain your ISMS without drowning in spreadsheets","episki maps Annex A controls, tracks your Statement of Applicability, and keeps risk treatment plans linked to real evidence so certification audits run smoothly.",[18253,18255],{"label":18254,"icon":603,"to":535},"Start ISO 27001 trial",{"label":605,"icon":606,"color":607,"variant":608,"to":542,"target":609},{},{"headline":18258,"title":18258,"description":18259,"items":18260},"ISO 27001 certification resources","Give leadership, auditors, and customers visibility into your ISMS maturity.",[18261,18264,18267],{"title":18262,"description":18263},"ISMS maturity dashboard","Visual progress across all Annex A domains with gap analysis and trending.",{"title":18265,"description":18266},"Auditor collaboration portal","Scoped access for certification bodies with evidence requests and Q&A threads.",{"title":18268,"description":18269},"Customer trust pack","Shareable ISO 27001 certification summary with scope details and control highlights.",{"title":18271,"description":18272},"ISO 27001 Compliance Platform","Build and certify your ISMS faster with episki. Annex A control mapping, SoA generation, and risk treatment plans in one workspace. 
Free 14-day trial.",[18274,18276,18279],{"value":17903,"description":18275},"Pre-mapped to your control graph with owners, evidence, and review cadences.",{"value":18277,"description":18278},"60% less prep","Average reduction in Stage 2 audit preparation time with episki's automation.",{"value":9480,"description":18280},"Surveillance audits stay painless with always-current evidence and risk registers.","5.frameworks\u002Fiso27001","aThn2G4vv-MUlfe5mhRJFQHtMgpdfJi3-UMVou77OZs",{"id":18284,"title":18285,"advantages":18286,"body":18308,"checklist":18833,"cta":18842,"description":546,"extension":578,"faq":18845,"hero":18862,"lastUpdated":610,"meta":18871,"name":6581,"navigation":613,"path":8423,"resources":18872,"seo":18885,"slug":8775,"stats":18888,"stem":18898,"__hash__":18899},"frameworks\u002F5.frameworks\u002Fnistcsf.md","Nistcsf",[18287,18294,18301],{"title":18288,"description":18289,"bullets":18290},"Tailored CSF roadmap","Start with opinionated baseline controls, then layer your own.",[18291,18292,18293],"Gap analysis highlights missing outcomes","Auto-generated improvement initiatives","Budget impact estimates for leadership",{"title":18295,"description":18296,"bullets":18297},"Continuous monitoring and AI ops","Stream alerts, detections, and incidents into CSF context.",[18298,18299,18300],"Connect SIEM, EDR, and cloud posture tools","AI summarizes incidents for exec updates","Workflows escalate unreviewed alerts",{"title":18302,"description":18303,"bullets":18304},"Board and customer alignment","Share progress externally with confidence.",[18305,18306,18307],"Customizable scorecards for customers or partners","Trend lines show quarter-over-quarter improvements","Trust room access with expiring 
links",{"type":29,"value":18309,"toc":18811},[18310,18314,18321,18324,18328,18335,18338,18342,18345,18355,18359,18362,18365,18403,18408,18412,18415,18418,18422,18431,18435,18445,18449,18459,18463,18473,18477,18486,18490,18500,18503,18507,18514,18540,18546,18550,18556,18559,18573,18576,18586,18590,18600,18617,18624,18628,18636,18642,18653,18657,18660,18707,18710,18714,18717,18749,18752,18755,18759,18762,18805,18808],[32,18311,18313],{"id":18312},"what-is-nist-csf","What is NIST CSF?",[37,18315,18316,18317,18320],{},"The NIST Cybersecurity Framework (NIST CSF) is a voluntary, outcome-based set of cybersecurity guidelines published by the ",[44,18318,18319],{"href":16843},"National Institute of Standards and Technology",". The NIST Cybersecurity Framework gives organizations a shared vocabulary and a prioritized structure for managing cybersecurity risk, measuring program maturity, and communicating security posture to executives, boards, regulators, customers, and insurers.",[37,18322,18323],{},"NIST CSF is not a certification, a control catalog, or a compliance standard. It is a framework — a model that organizes cybersecurity activities into functions, categories, and subcategories so that any organization can describe its current cybersecurity posture, describe its target cybersecurity posture, identify and prioritize opportunities for improvement, assess progress, and communicate cybersecurity risk in a consistent way. 
Because NIST CSF is technology- and sector-neutral, it has become one of the most widely adopted cybersecurity frameworks in the world, used by Fortune 500 companies, federal contractors, critical infrastructure operators, state and local governments, startups, nonprofits, and multinational enterprises.",[112,18325,18327],{"id":18326},"nist-origin-and-executive-order-13636","NIST origin and Executive Order 13636",[37,18329,18330,18331,18334],{},"The NIST Cybersecurity Framework was created in response to a growing wave of attacks against United States critical infrastructure. In February 2013, President Barack Obama signed ",[61,18332,18333],{},"Executive Order 13636 — Improving Critical Infrastructure Cybersecurity",", which directed NIST to work with industry, academia, and other government agencies to develop a voluntary cybersecurity framework for critical infrastructure operators. The executive order explicitly called for a flexible, repeatable, performance-based, and cost-effective approach that could scale from small municipal utilities to the largest financial institutions.",[37,18336,18337],{},"NIST published version 1.0 of the NIST Cybersecurity Framework in February 2014 after a year of public workshops, industry comment periods, and collaboration with more than three thousand individuals and organizations. The first version of NIST CSF introduced the five core functions — Identify, Protect, Detect, Respond, and Recover — along with the concept of framework profiles and implementation tiers. Even though NIST CSF was designed for critical infrastructure, organizations in every sector quickly adopted it because it filled a gap that prescriptive standards did not: a business-friendly model for talking about cybersecurity risk.",[112,18339,18341],{"id":18340},"the-evolution-of-nist-csf","The evolution of NIST CSF",[37,18343,18344],{},"In April 2018, NIST released NIST CSF version 1.1. 
This incremental update clarified existing guidance, added a new Supply Chain Risk Management category (ID.SC), improved the self-assessment language, and added authentication and identity proofing subcategories. NIST CSF 1.1 contained 108 subcategories grouped under 23 categories across the five functions, and it remained the dominant version of the NIST Cybersecurity Framework for six years.",[37,18346,18347,18348,18350,18351,18354],{},"In February 2024, NIST published ",[61,18349,15978],{}," — the first major revision of the NIST Cybersecurity Framework. NIST CSF 2.0 expanded the scope of the framework beyond critical infrastructure, added a brand-new sixth function called ",[61,18352,18353],{},"Govern",", reorganized several categories, and introduced a richer set of implementation resources including quick-start guides, informative references, and community profiles.",[32,18356,18358],{"id":18357},"nist-csf-20-changes","NIST CSF 2.0 changes",[37,18360,18361],{},"The jump from NIST CSF 1.1 to NIST CSF 2.0 is the most significant update the NIST Cybersecurity Framework has ever received. The changes are not cosmetic — they reshape how organizations are expected to structure and govern their cybersecurity programs.",[37,18363,18364],{},"Highlights of NIST CSF 2.0:",[172,18366,18367,18373,18379,18385,18397],{},[175,18368,18369,18372],{},[61,18370,18371],{},"A sixth function — Govern (GV)"," — elevates cybersecurity governance from a sub-category under Identify to a standalone top-level function covering organizational context, risk management strategy, roles and responsibilities, policy, oversight, and cybersecurity supply chain risk management.",[175,18374,18375,18378],{},[61,18376,18377],{},"Explicit scope expansion"," — NIST CSF 2.0 applies to organizations of any size, sector, or maturity level, not just critical infrastructure. 
Small-business quick-start guides, community profiles, and sector-specific profiles make the NIST Cybersecurity Framework accessible to organizations that previously found NIST CSF 1.1 too enterprise-centric.",[175,18380,18381,18384],{},[61,18382,18383],{},"Stronger supply chain focus"," — GV.SC expands the NIST CSF treatment of third-party risk, supplier due diligence, and software supply chain security, reflecting the lessons of SolarWinds, Kaseya, Log4j, and MOVEit.",[175,18386,18387,18390,18391,18393,18394,18396],{},[61,18388,18389],{},"Improved implementation guidance"," — NIST CSF 2.0 ships with a companion CSF Reference Tool, searchable informative references mapping NIST CSF subcategories to ",[44,18392,9618],{"href":16843},", ISO 27001, CIS Controls, ",[44,18395,658],{"href":614},", and more.",[175,18398,18399,18402],{},[61,18400,18401],{},"Refreshed implementation tiers"," — the four-tier maturity model (Partial, Risk-Informed, Repeatable, Adaptive) now explicitly incorporates governance and supply chain considerations.",[37,18404,18405,18406,17476],{},"For a deep dive into every structural and categorical change between NIST CSF 1.1 and NIST CSF 2.0, see our ",[44,18407,18358],{"href":16022},[32,18409,18411],{"id":18410},"the-six-core-functions-of-nist-csf-20","The six core functions of NIST CSF 2.0",[37,18413,18414],{},"The NIST Cybersecurity Framework organizes cybersecurity activity into a small number of top-level functions. NIST CSF 1.1 defined five functions; NIST CSF 2.0 defines six. 
Each function represents a category of outcomes that a mature cybersecurity program must deliver, and each function decomposes into categories and subcategories that describe the outcomes in progressively more specific terms.",[37,18416,18417],{},"The six NIST CSF 2.0 functions are:",[112,18419,18421],{"id":18420},"govern-gv","Govern (GV)",[37,18423,107,18424,18426,18427,100],{},[61,18425,18353],{}," function — new in NIST CSF 2.0 — establishes, communicates, and monitors the organization's cybersecurity risk management strategy, expectations, and policy. Govern is the leadership and accountability layer of NIST CSF. It sits above the other five functions and informs everything the organization does to identify, protect, detect, respond, and recover. Deep dive: ",[44,18428,18430],{"href":18429},"\u002Fframeworks\u002Fnistcsf\u002Fgovern-function","NIST CSF Govern function",[112,18432,18434],{"id":18433},"identify-id","Identify (ID)",[37,18436,107,18437,18440,18441,100],{},[61,18438,18439],{},"Identify"," function develops an organizational understanding of cybersecurity risk to systems, people, assets, data, and capabilities. Identify is where you inventory what you have, understand the business context in which it operates, and decide what matters most. Without Identify, the rest of the NIST Cybersecurity Framework has nothing to act on. Deep dive: ",[44,18442,18444],{"href":18443},"\u002Fframeworks\u002Fnistcsf\u002Fidentify-function","NIST CSF Identify function",[112,18446,18448],{"id":18447},"protect-pr","Protect (PR)",[37,18450,107,18451,18454,18455,100],{},[61,18452,18453],{},"Protect"," function implements safeguards to ensure delivery of critical services and limit or contain the impact of cybersecurity events. Protect encompasses identity and access management, awareness and training, data security, information protection processes, maintenance, and protective technology. 
Deep dive: ",[44,18456,18458],{"href":18457},"\u002Fframeworks\u002Fnistcsf\u002Fprotect-function","NIST CSF Protect function",[112,18460,18462],{"id":18461},"detect-de","Detect (DE)",[37,18464,107,18465,18468,18469,100],{},[61,18466,18467],{},"Detect"," function develops and implements appropriate activities to identify the occurrence of a cybersecurity event in a timely manner. Detect covers continuous monitoring, anomaly analysis, and detection processes — the telemetry, alerting, and threat-hunting capabilities that surface attacks as they happen. Deep dive: ",[44,18470,18472],{"href":18471},"\u002Fframeworks\u002Fnistcsf\u002Fdetect-function","NIST CSF Detect function",[112,18474,18476],{"id":18475},"respond-rs","Respond (RS)",[37,18478,107,18479,18481,18482,100],{},[61,18480,15318],{}," function contains activities to take action regarding a detected cybersecurity incident. Respond covers incident response planning, communications, analysis, containment, eradication, and lessons-learned improvements. A strong Respond capability is what separates a contained incident from a front-page breach. Deep dive: ",[44,18483,18485],{"href":18484},"\u002Fframeworks\u002Fnistcsf\u002Frespond-function","NIST CSF Respond function",[112,18487,18489],{"id":18488},"recover-rc","Recover (RC)",[37,18491,107,18492,18495,18496,100],{},[61,18493,18494],{},"Recover"," function contains activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity incident. Recover covers recovery planning, improvements, and communications. Recover is how organizations return to normal operations while capturing lessons learned to strengthen the program. Deep dive: ",[44,18497,18499],{"href":18498},"\u002Fframeworks\u002Fnistcsf\u002Frecover-function","NIST CSF Recover function",[37,18501,18502],{},"Together, the six NIST CSF functions describe the complete cybersecurity lifecycle. 
Mature organizations operate all six functions simultaneously and continuously, not in a linear sequence.",[32,18504,18506],{"id":18505},"nist-csf-implementation-tiers","NIST CSF implementation tiers",[37,18508,18509,18510,18513],{},"NIST CSF uses ",[61,18511,18512],{},"implementation tiers"," to describe the degree to which an organization's cybersecurity risk management practices exhibit the characteristics defined in the NIST Cybersecurity Framework. The four tiers are not a maturity scale in the traditional sense — NIST is careful to say that Tier 4 is not required for every organization. Instead, implementation tiers help organizations choose an appropriate level of rigor given their risk tolerance, mission, regulatory obligations, threat environment, and resources.",[172,18515,18516,18522,18528,18534],{},[175,18517,18518,18521],{},[61,18519,18520],{},"Tier 1 — Partial",": Cybersecurity risk management is ad hoc and reactive. Policies are informal, risk awareness is limited, and supply chain considerations are rarely formalized.",[175,18523,18524,18527],{},[61,18525,18526],{},"Tier 2 — Risk-Informed",": Risk management practices are approved by management but may not be established organization-wide. Cybersecurity activities consider organizational risk objectives.",[175,18529,18530,18533],{},[61,18531,18532],{},"Tier 3 — Repeatable",": Formal policies exist and are applied consistently. The organization has the people, processes, and tooling to operate the NIST Cybersecurity Framework repeatably.",[175,18535,18536,18539],{},[61,18537,18538],{},"Tier 4 — Adaptive",": The organization adapts its cybersecurity practices based on lessons learned, threat intelligence, and changes in the business environment. 
Cybersecurity risk management is part of the organizational culture.",[37,18541,18542,18543,17476],{},"For a complete walkthrough of each tier, including how to select a target tier and move between tiers, see our ",[44,18544,18506],{"href":18545},"\u002Fframeworks\u002Fnistcsf\u002Fimplementation-tiers",[32,18547,18549],{"id":18548},"nist-csf-framework-profiles","NIST CSF framework profiles",[37,18551,73,18552,18555],{},[61,18553,18554],{},"framework profile"," is the unique alignment of NIST CSF functions, categories, and subcategories with the organization's business requirements, risk tolerance, and resources. Profiles are the tool that turns the NIST Cybersecurity Framework from a generic model into a specific plan for a specific organization.",[37,18557,18558],{},"NIST CSF supports two kinds of profiles:",[172,18560,18561,18567],{},[175,18562,73,18563,18566],{},[61,18564,18565],{},"Current Profile"," describes the cybersecurity outcomes the organization is achieving today.",[175,18568,73,18569,18572],{},[61,18570,18571],{},"Target Profile"," describes the cybersecurity outcomes the organization wants to achieve.",[37,18574,18575],{},"The gap between the Current Profile and the Target Profile becomes a prioritized roadmap: which NIST CSF subcategories need investment, in what order, and at what cost. 
Community profiles published by NIST (for small business, healthcare, financial services, manufacturing, and others) give organizations a head start by providing pre-built Target Profiles tailored to specific sectors.",[37,18577,18578,18579,18582,18583,100],{},"For a complete framework profiles walkthrough — including how to build your first profile, how to use community profiles, and how to link profiles to your ",[44,18580,18581],{"href":9744},"control framework"," — see ",[44,18584,18549],{"href":18585},"\u002Fframeworks\u002Fnistcsf\u002Fframework-profiles",[32,18587,18589],{"id":18588},"nist-csf-categories-and-subcategories","NIST CSF categories and subcategories",[37,18591,18592,18593,96,18596,18599],{},"Below the function layer, NIST CSF decomposes cybersecurity activity into ",[61,18594,18595],{},"categories",[61,18597,18598],{},"subcategories",". Categories group related outcomes within a function (for example, Asset Management, Access Control, Continuous Monitoring), and subcategories express specific outcome statements that a mature program should achieve.",[172,18601,18602,18612],{},[175,18603,18604,18607,18608,18611],{},[61,18605,18606],{},"NIST CSF 1.1"," defined 23 categories and ",[61,18609,18610],{},"108 subcategories"," across the five original functions.",[175,18613,18614,18616],{},[61,18615,15978],{}," reorganized the catalog around six functions. The total number of subcategories in NIST CSF 2.0 was restructured (and slightly reduced after consolidation) to roughly 106, grouped under 22 categories, with Govern contributing six new categories of its own.",[37,18618,18619,18620,18623],{},"Every NIST CSF subcategory is written as an outcome — for example, \"PR.AA-01: Identities and credentials for authorized users, services, and hardware are managed by the organization.\" NIST intentionally avoids prescribing specific technologies, controls, or implementation details. 
Instead, NIST CSF provides ",[61,18621,18622],{},"informative references"," that map each subcategory to specific controls in NIST SP 800-53, ISO 27001 Annex A, CIS Critical Security Controls, COBIT, and other authoritative sources. This outcome-first design is what makes NIST CSF work across industries, company sizes, and technology stacks.",[32,18625,18627],{"id":18626},"mapping-nist-csf-to-other-frameworks","Mapping NIST CSF to other frameworks",[37,18629,18630,18631,418,18633,18635],{},"One of the most valuable properties of the NIST Cybersecurity Framework is its ability to act as a unifying layer across multiple compliance regimes. Organizations that need to satisfy ",[44,18632,658],{"href":614},[44,18634,393],{"href":392},", HIPAA, PCI DSS, GDPR, FedRAMP, CMMC, and NIST SP 800-171 at the same time can use NIST CSF as the \"Rosetta Stone\" that maps each requirement to a common set of outcomes.",[37,18637,18638,18639,18641],{},"For federal contractors in particular, NIST CSF acts as the governance umbrella above NIST SP 800-171 and ",[44,18640,425],{"href":16851},", both of which are derived from the NIST family of publications. A NIST CSF Target Profile that references NIST SP 800-53 informative references can be reused — with minor adjustments — as an ISO 27001 Statement of Applicability, a SOC 2 Trust Services Criteria mapping, and a HIPAA Security Rule crosswalk.",[37,18643,18644,18645,18647,18648,18652],{},"For a detailed crosswalk between NIST CSF and the major compliance frameworks — including worked examples of how a single NIST CSF subcategory maps to multiple standards — see ",[44,18646,18627],{"href":18166},". 
If you are actively building that mapping into a live compliance program, our ",[44,18649,18651],{"href":18650},"\u002Fnow\u002Fnist-csf-mapping-compliance","NIST CSF mapping compliance"," guide walks through the operational mechanics.",[32,18654,18656],{"id":18655},"who-uses-nist-csf","Who uses NIST CSF?",[37,18658,18659],{},"The NIST Cybersecurity Framework started as a voluntary framework for United States critical infrastructure. A decade later, NIST CSF is used by:",[172,18661,18662,18668,18677,18683,18689,18695,18701],{},[175,18663,18664,18667],{},[61,18665,18666],{},"Critical infrastructure operators"," — energy, water, transportation, communications, healthcare, and financial services organizations that fall under the 16 critical infrastructure sectors originally targeted by Executive Order 13636.",[175,18669,18670,18673,18674,100],{},[61,18671,18672],{},"Federal agencies and federal contractors"," — Executive Order 13800 required federal agencies to use NIST CSF to manage cybersecurity risk. 
Agencies and their contractors routinely use NIST CSF alongside ",[44,18675,18676],{"href":16851},"NIST SP 800-171 and the CMMC program",[175,18678,18679,18682],{},[61,18680,18681],{},"State, local, tribal, and territorial (SLTT) governments"," — many states have adopted NIST CSF as the baseline cybersecurity model for agencies and municipal systems.",[175,18684,18685,18688],{},[61,18686,18687],{},"Large enterprises"," — Fortune 500 companies use NIST CSF to communicate cybersecurity risk to boards, investors, insurers, and regulators.",[175,18690,18691,18694],{},[61,18692,18693],{},"Small and mid-sized businesses (SMBs)"," — especially after NIST CSF 2.0, which ships with SMB-specific quick-start guides and community profiles.",[175,18696,18697,18700],{},[61,18698,18699],{},"Non-US organizations"," — NIST CSF is widely used outside the United States as a practical cybersecurity model that complements ISO 27001 and other international standards.",[175,18702,18703,18706],{},[61,18704,18705],{},"Insurers and investors"," — cyber insurance carriers and private-equity diligence teams increasingly ask portfolio companies to report maturity against NIST CSF as evidence of disciplined cybersecurity risk management.",[37,18708,18709],{},"The common thread is that NIST CSF works for any organization that needs to manage cybersecurity risk and communicate that risk to non-technical stakeholders. That is essentially every organization.",[32,18711,18713],{"id":18712},"nist-csf-vs-nist-sp-800-53-vs-nist-sp-800-171","NIST CSF vs NIST SP 800-53 vs NIST SP 800-171",[37,18715,18716],{},"NIST publishes dozens of cybersecurity documents, and three of them — NIST CSF, NIST SP 800-53, and NIST SP 800-171 — are often confused. Here is how they differ and how they fit together.",[172,18718,18719,18729,18739],{},[175,18720,18721,18724,18725,18728],{},[61,18722,18723],{},"NIST CSF (Cybersecurity Framework)"," is an ",[61,18726,18727],{},"outcome-based framework",". 
It defines what cybersecurity outcomes to achieve (the subcategories) but does not tell you exactly how to achieve them. NIST CSF is voluntary, technology-neutral, and applies to any organization.",[175,18730,18731,18734,18735,18738],{},[61,18732,18733],{},"NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations)"," is a comprehensive ",[61,18736,18737],{},"control catalog",". SP 800-53 contains more than one thousand security and privacy controls organized into families such as Access Control (AC), Audit and Accountability (AU), and System and Communications Protection (SC). NIST SP 800-53 is mandatory for US federal information systems under FISMA and the Risk Management Framework (RMF).",[175,18740,18741,18744,18745,18748],{},[61,18742,18743],{},"NIST SP 800-171 (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations)"," is a ",[61,18746,18747],{},"derived subset"," of NIST SP 800-53 focused on protecting Controlled Unclassified Information (CUI) in nonfederal systems. SP 800-171 is mandatory for any organization that handles CUI on behalf of the federal government and forms the basis for CMMC.",[37,18750,18751],{},"The relationship between the three is straightforward: NIST CSF describes the outcomes, NIST SP 800-53 and NIST SP 800-171 describe the controls that deliver those outcomes, and the NIST CSF informative references tell you which 800-53 and 800-171 controls satisfy each NIST CSF subcategory. 
Organizations use NIST CSF to frame the strategy and use NIST SP 800-53 or NIST SP 800-171 to implement the controls.",[37,18753,18754],{},"Federal contractors that handle CUI will typically use all three: NIST CSF for executive communication and maturity scoring, NIST SP 800-171 as the binding control baseline, and NIST SP 800-53 as the deeper reference catalog.",[32,18756,18758],{"id":18757},"getting-started-with-nist-csf","Getting started with NIST CSF",[37,18760,18761],{},"Implementing the NIST Cybersecurity Framework does not require a multi-year consulting engagement. A typical first NIST CSF implementation follows a repeatable pattern:",[210,18763,18764,18770,18776,18782,18787,18793,18799],{},[175,18765,18766,18769],{},[61,18767,18768],{},"Scope and prioritize"," — decide which parts of the organization are in scope for this iteration of NIST CSF. Startups often scope the entire company. Enterprises may scope a business unit, a product line, or a critical system.",[175,18771,18772,18775],{},[61,18773,18774],{},"Build a Current Profile"," — score the organization's current performance against each NIST CSF subcategory. Be honest. Many organizations discover that half of their NIST CSF subcategories are informal or partially implemented.",[175,18777,18778,18781],{},[61,18779,18780],{},"Build a Target Profile"," — decide what level of NIST CSF maturity the organization needs. Community profiles and sector profiles published by NIST are excellent starting points.",[175,18783,18784,18786],{},[61,18785,6125],{}," — the delta between Current and Target is your NIST CSF roadmap. Prioritize by business impact, risk, and cost.",[175,18788,18789,18792],{},[61,18790,18791],{},"Select implementation tiers"," — match each part of the program to an appropriate tier. 
Not every subcategory needs to be Tier 4.",[175,18794,18795,18798],{},[61,18796,18797],{},"Execute and measure"," — track initiatives, re-score the NIST CSF profile quarterly, and report progress to leadership.",[175,18800,18801,18804],{},[61,18802,18803],{},"Map to other frameworks"," — reuse the NIST CSF profile as the source of truth for SOC 2, ISO 27001, HIPAA, and CMMC evidence.",[37,18806,18807],{},"episki was built for exactly this workflow. episki turns NIST CSF into a live scorecard: you import or build a Current Profile, choose a Target Profile, and episki generates the initiatives, tasks, and evidence collection needed to close the gap — all mapped to your other frameworks automatically. If you are starting from scratch or migrating from NIST CSF 1.1 to NIST CSF 2.0, episki can help you skip the spreadsheet phase entirely.",[37,18809,18810],{},"Ready to operationalize the NIST Cybersecurity Framework? Start a trial, import your controls, and share a NIST CSF scorecard with leadership the same day.",{"title":546,"searchDepth":547,"depth":547,"links":18812},[18813,18817,18818,18826,18827,18828,18829,18830,18831,18832],{"id":18312,"depth":547,"text":18313,"children":18814},[18815,18816],{"id":18326,"depth":554,"text":18327},{"id":18340,"depth":554,"text":18341},{"id":18357,"depth":547,"text":18358},{"id":18410,"depth":547,"text":18411,"children":18819},[18820,18821,18822,18823,18824,18825],{"id":18420,"depth":554,"text":18421},{"id":18433,"depth":554,"text":18434},{"id":18447,"depth":554,"text":18448},{"id":18461,"depth":554,"text":18462},{"id":18475,"depth":554,"text":18476},{"id":18488,"depth":554,"text":18489},{"id":18505,"depth":547,"text":18506},{"id":18548,"depth":547,"text":18549},{"id":18588,"depth":547,"text":18589},{"id":18626,"depth":547,"text":18627},{"id":18655,"depth":547,"text":18656},{"id":18712,"depth":547,"text":18713},{"id":18757,"depth":547,"text":18758},{"title":18834,"description":18835,"items":18836},"NIST CSF launch guide","Use 
episki’s free trial to benchmark, prioritize, and communicate fast.",[18837,18838,18839,18840,18841],"Baseline maturity assessment","Control library mapped to CSF categories","Initiative tracker with due dates and owners","Risk register tied to CSF outcomes","Executive report template",{"title":18843,"description":18844},"See your NIST CSF score in episki","Start the trial, import controls, and share a scorecard the same day.",{"title":18846,"items":18847},"NIST CSF frequently asked questions",[18848,18850,18853,18856,18859],{"label":18313,"content":18849},"The NIST Cybersecurity Framework (CSF) is a voluntary framework published by the National Institute of Standards and Technology that helps organizations manage and reduce cybersecurity risk. It provides a common language for understanding, managing, and expressing cybersecurity risk through five core functions.",{"label":18851,"content":18852},"What is the difference between NIST CSF and ISO 27001?","NIST CSF is a voluntary, outcome-focused maturity framework that helps organizations assess and improve their cybersecurity posture. ISO 27001 is a certifiable standard requiring a formal ISMS. Many organizations use NIST CSF as an internal maturity model alongside ISO 27001 certification for external assurance.",{"label":18854,"content":18855},"Is NIST CSF mandatory?","NIST CSF is voluntary for most private-sector organizations but is mandatory for US federal agencies under Executive Order 13800. Many industries and regulators reference it as a best-practice baseline, and customers increasingly expect suppliers to demonstrate alignment.",{"label":18857,"content":18858},"What are the NIST CSF implementation tiers?","The four tiers describe the maturity of an organization's cybersecurity risk management. Tier 1 (Partial) is ad hoc and reactive. Tier 2 (Risk-Informed) has some risk awareness. Tier 3 (Repeatable) has formal policies. 
Tier 4 (Adaptive) continuously improves based on lessons learned and threat intelligence.",{"label":18860,"content":18861},"How does NIST CSF relate to other compliance frameworks?","NIST CSF maps to many standards including SOC 2, ISO 27001, HIPAA, and PCI DSS. Organizations use it as a unifying layer to identify control gaps and overlaps across multiple compliance requirements, reducing duplicate work when pursuing multiple frameworks.",{"headline":18863,"title":18864,"description":18865,"links":18866},"Measure security maturity","Operationalize NIST CSF across Identify, Protect, Detect, Respond, and Recover","episki translates CSF categories into action plans with real-time scoring and executive reporting.",[18867,18869],{"label":18868,"icon":603,"to":535},"Start NIST CSF trial",{"label":605,"icon":18870,"color":607,"variant":608,"to":542,"target":609},"i-lucide-presentation",{},{"headline":18873,"title":18873,"description":18874,"items":18875},"NIST CSF toolset","Everything you need to show measurable progress.",[18876,18879,18882],{"title":18877,"description":18878},"Quarterly business review pack","Slides with KPIs, upcoming initiatives, and resource needs.",{"title":18880,"description":18881},"Customer assurance brief","Explains how NIST CSF maps to their requirements.",{"title":18883,"description":18884},"Automation cookbook","Step-by-step instructions for connecting your tooling.",{"title":18886,"description":18887},"NIST CSF Framework Software","Operationalize NIST CSF with live maturity scoring, risk registers, and executive dashboards. 
Benchmark and improve your cybersecurity posture with episki.",[18889,18892,18895],{"value":18890,"description":18891},"Live maturity score","Automated scoring by category, tier, and business unit.",{"value":18893,"description":18894},"Unified risk register","Link risks to CSF categories with AI-prioritized remediation.",{"value":18896,"description":18897},"Executive-ready","Dashboards turn security work into business milestones.","5.frameworks\u002Fnistcsf","Doz-LVyeK9ESsWNopGw7Kjfzq0igBKQBgD_u17qdUwk",{"id":18901,"title":18902,"advantages":18903,"body":18925,"checklist":19339,"cta":19348,"description":546,"extension":578,"faq":19351,"hero":19369,"lastUpdated":610,"meta":19378,"name":411,"navigation":613,"path":410,"resources":19379,"seo":19392,"slug":8774,"stats":19395,"stem":19405,"__hash__":19406},"frameworks\u002F5.frameworks\u002Fpci.md","Pci",[18904,18911,18918],{"title":18905,"description":18906,"bullets":18907},"Cardholder data mapped","Visualize systems, networks, and data flows tied to each DSS requirement.",[18908,18909,18910],"Track segmentation documentation and approvals","Connect SIEM and log tools for retention evidence","Link vulnerability scans and pen tests to controls",{"title":18912,"description":18913,"bullets":18914},"Task orchestration for engineering","Send prioritized remediation tasks to Jira or Linear with context.",[18915,18916,18917],"Auto-created tickets with required evidence","SLA tracking ensures high-risk remediations close on time","Change management logs sync back automatically",{"title":18919,"description":18920,"bullets":18921},"QSA-ready collaboration","Centralize requests, walkthroughs, and findings with secure file sharing.",[18922,18923,18924],"QSA comments resolve next to each control","Expiring links for sensitive diagrams","Exportable ROC narrative 
drafts",{"type":29,"value":18926,"toc":19326},[18927,18931,18937,18940,18943,18947,18955,19041,19044,19048,19055,19059,19072,19076,19084,19137,19149,19153,19164,19167,19170,19174,19191,19195,19198,19235,19243,19247,19250,19254,19267,19271,19274,19323],[32,18928,18930],{"id":18929},"what-is-pci-dss","What is PCI DSS?",[37,18932,18933,18934,18936],{},"The Payment Card Industry Data Security Standard -- universally known as ",[44,18935,411],{"href":12007}," -- is the global baseline for protecting payment card data. Any organization that stores, processes, or transmits cardholder data is expected to meet PCI DSS, from a mom-and-pop e-commerce store to a Fortune 500 retailer and every payment processor in between. PCI DSS exists because card data is one of the most monetizable targets on the internet, and a single breach can expose millions of account numbers, trigger steep fines, and end businesses. PCI DSS translates decades of hard-won lessons into a prescriptive framework that security, engineering, and finance teams can operationalize.",[37,18938,18939],{},"PCI DSS is maintained by the Payment Card Industry Security Standards Council (PCI SSC), an independent standards body founded in 2006 by the five major payment brands: Visa, Mastercard, American Express, Discover, and JCB. The PCI SSC writes and publishes the standard, accredits assessors and scanning vendors, and runs supporting programs such as PA-DSS (now replaced by the PCI Secure Software Standard) and P2PE. While the PCI SSC owns the standard itself, it does not enforce PCI DSS. Enforcement is delegated to the card brands, which in turn push obligations down through acquiring banks and payment processors to merchants and service providers. 
In practice, your acquirer is the entity that tells you which PCI DSS validation path you owe and what happens if you fail it.",[37,18941,18942],{},"PCI DSS emerged from a patchwork of brand-specific programs in the early 2000s, including Visa's Cardholder Information Security Program (CISP) and Mastercard's Site Data Protection (SDP). PCI DSS v1.0 launched in December 2004. PCI DSS v2.0 arrived in 2010, v3.0 in 2013, v3.1 in 2015, v3.2 in 2016, v3.2.1 in 2018, and the long-anticipated PCI DSS v4.0 in March 2022, followed by v4.0.1 clarifications in June 2024. Organizations have until March 31, 2025 to fully meet the new \"future-dated\" PCI DSS v4.0 requirements. Each revision tightens controls around emerging threats: phishing-resistant authentication, e-commerce script tampering, automated log review, and customized approaches for mature security programs.",[32,18944,18946],{"id":18945},"the-12-pci-dss-requirements","The 12 PCI DSS requirements",[37,18948,18949,18950,18954],{},"PCI DSS organizes technical and operational controls across twelve core requirements grouped into six objectives. 
The full set of PCI DSS requirements is detailed on the ",[44,18951,18953],{"href":18952},"\u002Fframeworks\u002Fpci\u002Frequirements","PCI DSS requirements page","; at a glance they are:",[210,18956,18957,18967,18973,18987,18993,18999,19005,19011,19017,19023,19029,19035],{},[175,18958,18959,18962,18963,100],{},[61,18960,18961],{},"Install and maintain network security controls"," -- firewalls and equivalent controls around the ",[44,18964,18966],{"href":18965},"\u002Fglossary\u002Fcardholder-data-environment","cardholder data environment",[175,18968,18969,18972],{},[61,18970,18971],{},"Apply secure configurations to all system components"," -- hardening standards, default credential elimination, and secure build baselines.",[175,18974,18975,18978,18979,18982,18983,18986],{},[61,18976,18977],{},"Protect stored account data"," -- encryption, truncation, hashing, or ",[44,18980,10157],{"href":18981},"\u002Fglossary\u002Ftokenization"," of the ",[44,18984,18985],{"href":11422},"PAN"," and prohibition on storing sensitive authentication data.",[175,18988,18989,18992],{},[61,18990,18991],{},"Protect cardholder data with strong cryptography during transmission"," over open, public networks.",[175,18994,18995,18998],{},[61,18996,18997],{},"Protect all systems and networks from malicious software"," -- anti-malware on in-scope systems and defenses against script-based threats.",[175,19000,19001,19004],{},[61,19002,19003],{},"Develop and maintain secure systems and software"," -- secure SDLC, patching, and vulnerability management for in-scope systems.",[175,19006,19007,19010],{},[61,19008,19009],{},"Restrict access to system components and cardholder data by business need to know"," -- least-privilege role design.",[175,19012,19013,19016],{},[61,19014,19015],{},"Identify users and authenticate access to system components"," -- unique IDs, strong authentication, and phishing-resistant MFA.",[175,19018,19019,19022],{},[61,19020,19021],{},"Restrict physical access to 
cardholder data"," -- physical security for facilities, media, and devices.",[175,19024,19025,19028],{},[61,19026,19027],{},"Log and monitor all access to system components and cardholder data"," -- centralized logging, daily review, and tamper protection.",[175,19030,19031,19034],{},[61,19032,19033],{},"Test security of systems and networks regularly"," -- ASV scans, internal scans, pen tests, and segmentation validation.",[175,19036,19037,19040],{},[61,19038,19039],{},"Support information security with organizational policies and programs"," -- governance, awareness, incident response, and third-party oversight.",[37,19042,19043],{},"Each PCI DSS requirement is broken into numbered sub-requirements with explicit testing procedures that an assessor follows line by line. The \"defined approach\" dictates specific controls; PCI DSS v4.0 also introduces a \"customized approach\" where mature organizations can meet a requirement's objective through alternative controls, documented in a controls matrix and targeted risk analysis.",[32,19045,19047],{"id":19046},"pci-dss-v40-changes","PCI DSS v4.0 changes",[37,19049,19050,19051,100],{},"PCI DSS v4.0 is the largest revision in more than a decade. Its headline shifts include a customized-approach validation path, mandatory multi-factor authentication for all access into the CDE, expanded requirements to detect and respond to e-commerce script tampering, targeted risk analyses replacing prescriptive frequencies, and stronger expectations for continuous security rather than point-in-time compliance. Several of the most material v4.0 controls became mandatory on March 31, 2025 after a two-year grace period. 
The full changelog, new testing procedures, and a migration checklist are covered in the ",[44,19052,19054],{"href":19053},"\u002Fframeworks\u002Fpci\u002Fv4-changes","PCI DSS v4.0 changes guide",[32,19056,19058],{"id":19057},"merchant-compliance-levels-1-4","Merchant compliance levels 1-4",[37,19060,19061,19062,19066,19067,19071],{},"Every merchant is assigned to one of four PCI DSS compliance levels based on annual card transaction volume across all channels. PCI DSS Level 1 covers merchants processing more than 6 million transactions per year and requires a formal Report on Compliance (ROC) signed by a ",[44,19063,19065],{"href":19064},"\u002Fglossary\u002Fqsa","QSA",". Level 2 covers 1-6 million transactions. Level 3 covers 20,000 to 1 million e-commerce transactions. Level 4 covers everything below those thresholds. Service providers have their own two-level structure. Your acquiring bank can also assign you a higher PCI DSS level at its discretion -- particularly after a breach. The ",[44,19068,19070],{"href":19069},"\u002Fframeworks\u002Fpci\u002Fcompliance-levels","PCI DSS compliance levels page"," breaks down every threshold by card brand and the validation path each level owes.",[32,19073,19075],{"id":19074},"self-assessment-questionnaires-saqs","Self-Assessment Questionnaires (SAQs)",[37,19077,19078,19079,19083],{},"Merchants and service providers that are not required to complete a full PCI DSS Report on Compliance validate using a ",[44,19080,19082],{"href":19081},"\u002Fglossary\u002Fsaq","Self-Assessment Questionnaire",", or SAQ. 
The PCI SSC publishes nine SAQ types, each tailored to a specific acceptance channel and technology profile:",[172,19085,19086,19092,19098,19104,19110,19116,19122,19128],{},[175,19087,19088,19091],{},[61,19089,19090],{},"SAQ A"," -- card-not-present merchants that fully outsource all cardholder data functions.",[175,19093,19094,19097],{},[61,19095,19096],{},"SAQ A-EP"," -- e-commerce merchants that partially outsource payment processing but host pages that could affect payment page security.",[175,19099,19100,19103],{},[61,19101,19102],{},"SAQ B"," -- merchants using only imprint machines or standalone dial-out terminals.",[175,19105,19106,19109],{},[61,19107,19108],{},"SAQ B-IP"," -- merchants using only standalone IP-connected POI devices.",[175,19111,19112,19115],{},[61,19113,19114],{},"SAQ C-VT"," -- merchants entering transactions into a virtual payment terminal.",[175,19117,19118,19121],{},[61,19119,19120],{},"SAQ C"," -- merchants with payment application systems connected to the internet.",[175,19123,19124,19127],{},[61,19125,19126],{},"SAQ P2PE"," -- merchants using PCI-listed point-to-point encryption solutions.",[175,19129,19130,96,19133,19136],{},[61,19131,19132],{},"SAQ D for Merchants",[61,19134,19135],{},"SAQ D for Service Providers"," -- the catch-all SAQs for entities that store cardholder data or do not qualify for a simpler SAQ.",[37,19138,19139,19140,6500,19144,19148],{},"Eligibility is narrow and precise. Picking the wrong SAQ is one of the most common PCI DSS mistakes -- and one that an acquiring bank or breach investigation can expose instantly. 
The ",[44,19141,19143],{"href":19142},"\u002Fframeworks\u002Fpci\u002Fself-assessment-questionnaire","SAQ reference",[44,19145,19147],{"href":19146},"\u002Fframeworks\u002Fpci\u002Fsaq-types-explained","SAQ types explained"," pages walk through each SAQ's eligibility, question count, and typical pitfalls.",[32,19150,19152],{"id":19151},"cardholder-data-environment-cde-and-scoping","Cardholder data environment (CDE) and scoping",[37,19154,19155,19156,19158,19159,19163],{},"Every PCI DSS program begins with scoping. The ",[44,19157,18966],{"href":18965},", or CDE, is the set of people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any system component that is connected to or could impact the security of those components. Determining what is in ",[44,19160,19162],{"href":19161},"\u002Fglossary\u002Fpci-scope","PCI scope"," is the single highest-leverage activity in a PCI DSS program -- it drives how many controls apply, how much evidence you collect, and how much your QSA engagement costs.",[37,19165,19166],{},"PCI DSS scoping has three categories: CDE systems that directly handle card data; connected-to systems that can route traffic to the CDE, authenticate CDE users, or otherwise interact with CDE components; and security-impacting systems that could affect CDE security even without direct connectivity (think SIEM, patch management, or anti-malware consoles). All three categories are in scope for PCI DSS.",[37,19168,19169],{},"Document your CDE with an annotated network diagram and a data-flow diagram for every payment channel. 
PCI DSS v4.0 makes these diagrams a requirement, not a nice-to-have, and your assessor will test them during every assessment.",[32,19171,19173],{"id":19172},"scope-reduction-strategies","Scope reduction strategies",[37,19175,19176,19177,19181,19182,19186,19187,19190],{},"Because PCI DSS obligations scale with the CDE, shrinking the CDE is the fastest way to cut PCI DSS cost and risk. Effective ",[44,19178,19180],{"href":19179},"\u002Fframeworks\u002Fpci\u002Fscope-reduction","PCI DSS scope reduction"," typically combines four levers: strong ",[44,19183,19185],{"href":19184},"\u002Fframeworks\u002Fpci\u002Fnetwork-segmentation","network segmentation"," that isolates the CDE onto dedicated VLANs with tightly controlled firewall rules; ",[44,19188,10157],{"href":19189},"\u002Fframeworks\u002Fpci\u002Ftokenization-vs-encryption"," that replaces stored PANs with non-sensitive surrogates; PCI-listed point-to-point encryption (P2PE) that removes in-store networks from PCI scope; and outsourcing card capture to a validated service provider so your systems never touch real card data. Layered correctly, these strategies can reduce a PCI DSS assessment from hundreds of in-scope systems to a handful.",[32,19192,19194],{"id":19193},"key-pci-dss-roles-qsas-asvs-and-isas","Key PCI DSS roles: QSAs, ASVs, and ISAs",[37,19196,19197],{},"Three accredited roles support every PCI DSS program:",[172,19199,19200,19215,19229],{},[175,19201,19202,19209,19210,19214],{},[61,19203,19204,19205,19208],{},"Qualified Security Assessors (",[44,19206,19207],{"href":19064},"QSAs",")"," -- individuals and firms certified by the PCI SSC to perform on-site PCI DSS assessments, produce the ROC, and sign the Attestation of Compliance. 
Selecting the right QSA shapes your PCI DSS experience for years; the ",[44,19211,19213],{"href":19212},"\u002Fframeworks\u002Fpci\u002Fqsa-selection","QSA selection guide"," covers how to evaluate firms, cost drivers, and red flags.",[175,19216,19217,19223,19224,19228],{},[61,19218,19219,19220,19208],{},"Approved Scanning Vendors (",[44,19221,19222],{"href":13233},"ASVs"," -- PCI SSC-approved firms that run the quarterly external vulnerability scans required by PCI DSS Requirement 11.3.2. The ",[44,19225,19227],{"href":19226},"\u002Fframeworks\u002Fpci\u002Fasv-program","ASV program guide"," covers vendor selection, scanning cadence, passing thresholds, and remediation workflows.",[175,19230,19231,19234],{},[61,19232,19233],{},"Internal Security Assessors (ISAs)"," -- employees who have completed PCI SSC training and can complete certain internal PCI DSS assessments or support a QSA engagement. ISAs are a cost-effective way to build PCI DSS capability inside large programs.",[37,19236,19237,19238,19242],{},"Penetration testing (Requirement 11.4) sits alongside ASV scanning and is a frequent source of PCI DSS findings. The ",[44,19239,19241],{"href":19240},"\u002Fframeworks\u002Fpci\u002Fpenetration-testing","PCI DSS penetration testing guide"," covers internal vs external scope, segmentation testing, and frequency.",[32,19244,19246],{"id":19245},"penalties-for-non-compliance","Penalties for non-compliance",[37,19248,19249],{},"PCI DSS is not law, but non-compliance carries material financial consequences. Acquirers can levy fines of $5,000 to $100,000 per month for PCI DSS violations, pass fines down to merchants, raise transaction fees, or revoke payment processing privileges outright. After a confirmed breach of card data, a merchant typically faces a forensic PFI investigation, card brand fines, assessments for fraud losses, reissuance costs for compromised cards, and mandatory Level 1 PCI DSS validation going forward. 
Regulators and state attorneys general may also get involved, and the organization almost always faces litigation. In short, PCI DSS fines are rarely the largest line item -- the true cost of a breach is reputational damage, customer churn, and the fully loaded cost of breach response.",[32,19251,19253],{"id":19252},"pci-dss-vs-other-frameworks","PCI DSS vs other frameworks",[37,19255,19256,19257,19261,19262,19266],{},"PCI DSS is narrower and more prescriptive than most security frameworks. ISO 27001 is a management-system standard focused on the process of running an ISMS; it tells you how to manage risk but does not specify controls the way PCI DSS does. SOC 2 is an attestation framework where you define your own controls against the Trust Services Criteria; PCI DSS prescribes them. HIPAA and HITECH cover protected health information, not cardholder data. NIST CSF and NIST SP 800-53 offer control catalogues and risk management guidance that many organizations map into their PCI DSS program, especially under the v4.0 customized approach. PCI DSS is also one of the few frameworks with ongoing external validation -- ASV scans every quarter, penetration tests at least annually, and a full assessment every year. For businesses in the ",[44,19258,19260],{"href":19259},"\u002Findustry\u002Ffinance","finance industry"," or running ",[44,19263,19265],{"href":19264},"\u002Findustry\u002Fecommerce","e-commerce"," platforms, PCI DSS almost always becomes the binding constraint that the rest of the security program organizes around.",[32,19268,19270],{"id":19269},"getting-pci-compliant","Getting PCI compliant",[37,19272,19273],{},"A typical path to PCI DSS compliance looks like this:",[210,19275,19276,19281,19287,19293,19299,19305,19311,19317],{},[175,19277,19278,19280],{},[61,19279,673],{}," -- inventory every place card data lives, moves, or could move. 
Produce annotated network and data-flow diagrams.",[175,19282,19283,19286],{},[61,19284,19285],{},"Reduce scope"," -- apply segmentation, tokenization, P2PE, and outsourcing to shrink the CDE before assessment.",[175,19288,19289,19292],{},[61,19290,19291],{},"Select your validation path"," -- confirm your PCI DSS level with your acquirer and determine whether you owe a ROC or an SAQ.",[175,19294,19295,19298],{},[61,19296,19297],{},"Gap assess"," -- map your current controls to every applicable PCI DSS requirement and prioritize remediation.",[175,19300,19301,19304],{},[61,19302,19303],{},"Remediate and document"," -- close gaps, write the policies and procedures PCI DSS expects, and stand up the logging, monitoring, scanning, and testing programs.",[175,19306,19307,19310],{},[61,19308,19309],{},"Engage your QSA or ASV"," -- commission the ASV scans, book the penetration test, and (for Level 1) schedule your QSA engagement early enough to allow remediation cycles.",[175,19312,19313,19316],{},[61,19314,19315],{},"Validate and attest"," -- produce the ROC or SAQ plus Attestation of Compliance, and submit to your acquirer on the required cadence.",[175,19318,19319,19322],{},[61,19320,19321],{},"Operate continuously"," -- PCI DSS v4.0 expects continuous monitoring, targeted risk analyses, and evidence that controls stay effective between assessments.",[37,19324,19325],{},"episki automates the bulk of the evidence collection, control testing, and QSA collaboration work so your PCI DSS program is audit-ready year-round instead of scrambling at the end of each cycle. 
If you are starting a new PCI DSS program or rebuilding an existing one, episki can shorten your path from scoping through Report on Compliance.",{"title":546,"searchDepth":547,"depth":547,"links":19327},[19328,19329,19330,19331,19332,19333,19334,19335,19336,19337,19338],{"id":18929,"depth":547,"text":18930},{"id":18945,"depth":547,"text":18946},{"id":19046,"depth":547,"text":19047},{"id":19057,"depth":547,"text":19058},{"id":19074,"depth":547,"text":19075},{"id":19151,"depth":547,"text":19152},{"id":19172,"depth":547,"text":19173},{"id":19193,"depth":547,"text":19194},{"id":19245,"depth":547,"text":19246},{"id":19252,"depth":547,"text":19253},{"id":19269,"depth":547,"text":19270},{"title":19340,"description":19341,"items":19342},"PCI DSS playbook","Follow structured milestones from scoping through ROC submission.",[19343,19344,19345,19346,19347],"Automated scope confirmation questionnaires","Connector-backed logging and monitoring checks","Quarterly vulnerability and penetration testing tracker","Change-management evidence capture","ROC narrative template and artifact index",{"title":19349,"description":19350},"Keep PCI DSS audit-ready around the clock","Spin up your trial, sync evidence, and invite your QSA in a single day.",{"title":19352,"items":19353},"PCI DSS frequently asked questions",[19354,19357,19360,19363,19366],{"label":19355,"content":19356},"What are the PCI DSS compliance levels?","PCI DSS has four merchant levels based on annual transaction volume. Level 1 (over 6 million transactions) requires a formal Report on Compliance by a QSA. Levels 2-4 may self-assess using the appropriate Self-Assessment Questionnaire (SAQ). 
Service providers have two levels with different validation requirements.",{"label":19358,"content":19359},"What changed in PCI DSS 4.0?","PCI DSS 4.0 introduced a customized validation approach allowing organizations to meet objectives with alternative controls, expanded multi-factor authentication requirements, strengthened e-commerce and phishing protections, and added emphasis on continuous security rather than point-in-time compliance.",{"label":19361,"content":19362},"Who needs PCI DSS compliance?","Any organization that stores, processes, or transmits cardholder data must comply with PCI DSS. This includes merchants, payment processors, acquirers, issuers, and service providers. The scope is determined by your cardholder data environment (CDE).",{"label":19364,"content":19365},"How often is a PCI DSS assessment required?","PCI DSS assessments are required annually. Level 1 merchants and service providers must complete a formal assessment by a Qualified Security Assessor (QSA). Additionally, quarterly network vulnerability scans by an Approved Scanning Vendor (ASV) are required.",{"label":19367,"content":19368},"What is a cardholder data environment (CDE)?","The CDE includes all people, processes, and technologies that store, process, or transmit cardholder data or sensitive authentication data, plus any systems connected to those components. 
Accurate CDE scoping is the foundation of an efficient PCI DSS assessment.",{"headline":19370,"title":19371,"description":19372,"links":19373},"PCI controls that stay current","Keep PCI DSS requirements passing even as your CDE evolves","episki maps DSS requirements, automates testing, and keeps QSAs collaborating in one secure workspace.",[19374,19376],{"label":19375,"icon":603,"to":535},"Start PCI trial",{"label":605,"icon":19377,"color":607,"variant":608,"to":542,"target":609},"i-lucide-calendar",{},{"headline":19380,"title":19380,"description":19381,"items":19382},"PCI enablement kit","Give leadership, ops, and QSAs a single source of truth.",[19383,19386,19389],{"title":19384,"description":19385},"CDE architecture report","Share sanitized diagrams and segmentation notes with prospects.",{"title":19387,"description":19388},"Risk and remediation digest","Weekly summary of open items, owners, and due dates.",{"title":19390,"description":19391},"Assessor workspace","Prebuilt template keeps every requirement, artifact, and note aligned.",{"title":19393,"description":19394},"PCI DSS Compliance Tool","Automate PCI DSS evidence collection, manage QSA collaboration, and keep cardholder data controls current. 
Start your free 14-day trial with episki.",[19396,19399,19402],{"value":19397,"description":19398},"90% automation","Evidence coverage across access, logging, segmentation, and monitoring.",{"value":19400,"description":19401},"QSA portal","Scoped access keeps your assessor in sync without endless spreadsheets.",{"value":19403,"description":19404},"Weekly drift checks","Automated alerts highlight misconfigurations before audits.","5.frameworks\u002Fpci","wxvQHRYeBHEsDrDF1QZg43Nio6AvwX3DWW21RftBG2c",{"id":4,"title":5,"advantages":19408,"body":19415,"checklist":19740,"cta":19742,"description":546,"extension":578,"faq":19743,"hero":19750,"lastUpdated":610,"meta":19754,"name":612,"navigation":613,"path":614,"resources":19755,"seo":19760,"slug":631,"stats":19761,"stem":642,"__hash__":643},[19409,19411,19413],{"title":8,"description":9,"bullets":19410},[11,12,13],{"title":15,"description":16,"bullets":19412},[18,19,20],{"title":22,"description":23,"bullets":19414},[25,26,27],{"type":29,"value":19416,"toc":19722},[19417,19419,19421,19425,19429,19433,19435,19437,19441,19445,19453,19455,19459,19461,19463,19465,19469,19471,19473,19475,19479,19481,19485,19487,19489,19491,19503,19507,19509,19513,19539,19541,19543,19545,19547,19573,19577,19579,19581,19617,19619,19621,19623,19629,19635,19641,19649,19653,19655,19659,19681,19683,19685,19687,19689,19715],[32,19418,35],{"id":34},[37,19420,39],{},[37,19422,42,19423,48],{},[44,19424,47],{"href":46},[37,19426,51,19427,56],{},[44,19428,55],{"href":54},[37,19430,59,19431,63],{},[61,19432,55],{},[32,19434,67],{"id":66},[37,19436,70],{},[37,19438,73,19439,77],{},[61,19440,76],{},[37,19442,73,19443,83],{},[61,19444,82],{},[37,19446,86,19447,91,19449,96,19451,100],{},[44,19448,90],{"href":89},[44,19450,95],{"href":94},[44,19452,55],{"href":99},[32,19454,104],{"id":103},[37,19456,107,19457,110],{},[44,19458,55],{"href":54},[112,19460,115],{"id":114},[37,19462,118],{},[112,19464,122],{"id":121},[37,19466,125,19467,130],{},[44,19468,129],{"href":
128},[112,19470,134],{"id":133},[37,19472,137],{},[112,19474,141],{"id":140},[37,19476,144,19477,149],{},[44,19478,148],{"href":147},[112,19480,153],{"id":152},[37,19482,156,19483,100],{},[44,19484,160],{"href":159},[32,19486,164],{"id":163},[37,19488,167],{},[37,19490,170],{},[172,19492,19493,19495,19497,19499,19501],{},[175,19494,177],{},[175,19496,180],{},[175,19498,183],{},[175,19500,186],{},[175,19502,189],{},[37,19504,192,19505,197],{},[44,19506,196],{"href":195},[32,19508,201],{"id":200},[37,19510,107,19511,208],{},[44,19512,207],{"href":206},[210,19514,19515,19523,19527,19531,19535],{},[175,19516,19517,217,19519,222,19521,227],{},[61,19518,216],{},[44,19520,221],{"href":220},[44,19522,226],{"href":225},[175,19524,19525,233],{},[61,19526,232],{},[175,19528,19529,239],{},[61,19530,238],{},[175,19532,19533,245],{},[61,19534,244],{},[175,19536,19537,251],{},[61,19538,250],{},[37,19540,254],{},[32,19542,258],{"id":257},[37,19544,261],{},[37,19546,264],{},[172,19548,19549,19553,19557,19561,19565,19569],{},[175,19550,19551,272],{},[61,19552,271],{},[175,19554,19555,278],{},[61,19556,277],{},[175,19558,19559,284],{},[61,19560,283],{},[175,19562,19563,290],{},[61,19564,289],{},[175,19566,19567,296],{},[61,19568,295],{},[175,19570,19571,302],{},[61,19572,301],{},[37,19574,305,19575,310],{},[44,19576,309],{"href":308},[32,19578,314],{"id":313},[37,19580,317],{},[172,19582,19583,19587,19591,19595,19599,19605,19611],{},[175,19584,19585,325],{},[61,19586,324],{},[175,19588,19589,331],{},[61,19590,330],{},[175,19592,19593,337],{},[61,19594,336],{},[175,19596,19597,343],{},[61,19598,342],{},[175,19600,19601,349,19603,354],{},[61,19602,348],{},[44,19604,353],{"href":352},[175,19606,19607,360,19609,365],{},[61,19608,359],{},[44,19610,364],{"href":363},[175,19612,19613,371,19615,100],{},[61,19614,370],{},[44,19616,375],{"href":374},[37,19618,378],{},[32,19620,382],{"id":381},[37,19622,385],{},[37,19624,19625,394],{},[61,19626,19627],{},[44,19628,393],{"href":392},[37,19630,196
31,403],{},[61,19632,19633],{},[44,19634,402],{"href":401},[37,19636,19637,412],{},[61,19638,19639],{},[44,19640,411],{"href":410},[37,19642,19643,418,19645,422,19647,426],{},[61,19644,417],{},[61,19646,421],{},[61,19648,425],{},[37,19650,429,19651,434],{},[44,19652,433],{"href":432},[32,19654,438],{"id":437},[37,19656,441,19657,446],{},[44,19658,445],{"href":444},[172,19660,19661,19663,19665,19667,19669,19671,19673,19675,19677,19679],{},[175,19662,451],{},[175,19664,454],{},[175,19666,457],{},[175,19668,460],{},[175,19670,463],{},[175,19672,466],{},[175,19674,469],{},[175,19676,472],{},[175,19678,475],{},[175,19680,478],{},[37,19682,481],{},[32,19684,485],{"id":484},[37,19686,488],{},[37,19688,491],{},[210,19690,19691,19695,19699,19703,19707,19711],{},[175,19692,19693,499],{},[61,19694,498],{},[175,19696,19697,505],{},[61,19698,504],{},[175,19700,19701,511],{},[61,19702,510],{},[175,19704,19705,517],{},[61,19706,516],{},[175,19708,19709,523],{},[61,19710,522],{},[175,19712,19713,529],{},[61,19714,528],{},[37,19716,532,19717,539,19720,544],{},[44,19718,538],{"href":535,"rel":19719},[537],[44,19721,543],{"href":542},{"title":546,"searchDepth":547,"depth":547,"links":19723},[19724,19725,19726,19733,19734,19735,19736,19737,19738,19739],{"id":34,"depth":547,"text":35},{"id":66,"depth":547,"text":67},{"id":103,"depth":547,"text":104,"children":19727},[19728,19729,19730,19731,19732],{"id":114,"depth":554,"text":115},{"id":121,"depth":554,"text":122},{"id":133,"depth":554,"text":134},{"id":140,"depth":554,"text":141},{"id":152,"depth":554,"text":153},{"id":163,"depth":547,"text":164},{"id":200,"depth":547,"text":201},{"id":257,"depth":547,"text":258},{"id":313,"depth":547,"text":314},{"id":381,"depth":547,"text":382},{"id":437,"depth":547,"text":438},{"id":484,"depth":547,"text":485},{"title":567,"description":568,"items":19741},[570,571,572,573,574],{"title":576,"description":577},{"title":580,"items":19744},[19745,19746,19747,19748,19749],{"label":583,"content":584},{"la
bel":586,"content":587},{"label":589,"content":590},{"label":164,"content":592},{"label":594,"content":595},{"headline":597,"title":598,"description":599,"links":19751},[19752,19753],{"label":602,"icon":603,"to":535},{"label":605,"icon":606,"color":607,"variant":608,"to":542,"target":609},{},{"headline":616,"title":616,"description":617,"items":19756},[19757,19758,19759],{"title":620,"description":621},{"title":623,"description":624},{"title":626,"description":627},{"title":629,"description":630},[19762,19763,19764],{"value":634,"description":635},{"value":637,"description":638},{"value":640,"description":641},1778494662428]