RiskWatch
SOC 2 Compliance Platform · Continuous evidence

SOC 2 Type 2, no exceptions.

The #1 reason Type 2 audits fail is missing evidence for some month in the audit window. Continuous evidence collection from Okta, AWS, Datadog, Snyk, GitHub — every day of every month, mapped to the right Common Criterion automatically. Started your reporting period? You're already auditing.

  • All 5 TSC: Security · Availability · PI · Confidentiality · Privacy
  • Type 1 readiness through Type 2 observation period
  • Evidence collected continuously from your existing tools
  • Cross-mapped to ISO 27001, HIPAA, NIST CSF, PCI DSS
No credit card · TSC library + COSO 2013 mappings ship day 1
Trusted by SaaS, FinTech, and HealthTech teams pursuing SOC 2
Oracle
AWS
Pinterest
NTT DATA
WWT
Stryker
Avery Dennison
Trane
What it is

What is SOC 2 compliance software?

Type 2 evidence captured year-round, not in a 6-week prep sprint. RiskWatch covers all 5 trust services criteria with 100+ Common Criteria, tracks per-customer CUEC attestation that determines whether your report is evidence or theatre, and bridges to ISO 27001 / HIPAA / GDPR on the same control library. The CPA firm signing the report sees the evidence; sales sees the report; customers see the trust center.

Why teams move to RiskWatch

Most Type 2 audits don't fail loudly. They fail in the “exceptions” section of the report.

SOC 2 auditors and compliance leads we asked were unanimous about the three failure modes — and they're not what most teams worry about. The rare catastrophic failures get the attention; the routine pile-up of exceptions is what actually weakens the report.

Pain #1

Started your Type 2 reporting period too early. Month 1 is full of exceptions.

The reporting period should start the day controls are fully implemented and operating effectively — not the day you decide to start. Type 1 readiness gates the Type 2 reporting period. The platform recommends a start date once every Common Criterion is 100% green and has been operating clean for 30 days.

Pain #2

You did the access review. You didn't screenshot it. Auditor says you didn't.

The most-cited Type 2 failure mode: “we did it but can't show you.” If the evidence isn't captured, the control didn't operate — even if it actually did. Continuous evidence pulls daily from Okta, AWS, Datadog, Snyk, GitHub, Jira. Every access review, every approval, every change ticket auto-mapped to the Common Criterion that needs it.
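As an added illustration of the two points above (the start-date gating in Pain #1 and the "we did it but can't show you" gap in Pain #2), not RiskWatch's own code: a small evidence-window checker that treats each daily pull as one (control, day, status) record, reports days with no record at all, and proposes a reporting-period start date only after every control has been green for 30 consecutive days. The control IDs, dates and statuses are a constructed sample.

```python
from collections import defaultdict
from datetime import date, timedelta

# Controls under observation (hypothetical subset of the Common Criteria).
CONTROLS = ("CC6.1", "CC7.2")


def daterange(start, end):
    """Yield every calendar day from start to end inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def build_sample():
    """Constructed evidence feed, one (control, day, status) tuple per daily pull.
    No tuple for a (control, day) means the collector captured nothing. CC6.1 has
    an MFA exception on Jan 1-3, then green; CC7.2 is green but has no records Feb 10-12."""
    start, end = date(2026, 1, 1), date(2026, 3, 31)
    records = []
    for d in daterange(start, end):
        records.append(("CC6.1", d, "exception" if d < date(2026, 1, 4) else "green"))
        if not date(2026, 2, 10) <= d <= date(2026, 2, 12):
            records.append(("CC7.2", d, "green"))
    return start, end, records


def evidence_gaps(records, controls, start, end):
    """Map each control to the days in [start, end] with no evidence record.
    Any non-empty list is a hole in the Type 2 window the auditor will find."""
    seen = defaultdict(set)
    for ctrl, d, _ in records:
        seen[ctrl].add(d)
    return {c: [d for d in daterange(start, end) if d not in seen[c]] for c in controls}


def coverage_pct(gaps, start, end):
    """Percentage of observation days with evidence, per control (rounded to 0.1)."""
    total = (end - start).days + 1
    return {c: round(100 * (total - len(missing)) / total, 1) for c, missing in gaps.items()}


def recommended_start(records, controls, start, end, clean_days=30):
    """Earliest day to open the reporting period: the day after every control has
    been green for clean_days consecutive days. A missing record resets the
    streak, because uncaptured evidence counts as the control not operating."""
    status = {(c, d): s for c, d, s in records}
    streak = dict.fromkeys(controls, 0)
    for d in daterange(start, end):
        for c in controls:
            streak[c] = streak[c] + 1 if status.get((c, d)) == "green" else 0
        if all(n >= clean_days for n in streak.values()):
            return d + timedelta(days=1)
    return None  # no clean run yet: do not start the observation period


if __name__ == "__main__":
    start, end, records = build_sample()
    gaps = evidence_gaps(records, CONTROLS, start, end)
    print("gaps", {c: [d.isoformat() for d in m] for c, m in gaps.items()})
    print("coverage", coverage_pct(gaps, start, end))
    print("recommended Type 2 start", recommended_start(records, CONTROLS, start, end))
```

Swap `build_sample()` for a real daily export and the same two functions give the per-control coverage and the start-date recommendation the text describes.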

Pain #3

Former employees still have prod access. Auditors find this in 30 seconds.

Access drift is the silent Type 2 killer — orphaned accounts, MFA gaps, shared credentials. Type 2's 6-12 month window catches every one. Quarterly access reviews automated from Okta/AD with attestation tracking. Drift flagged before the auditor finds it.

5 trust services categories · Security · Availability · PI · Confidentiality · Privacy
178+ controls mapped to TSC · Common Criteria + supplemental criteria
365d of Type 2 evidence captured · continuously, from your existing tooling
The SOC 2 platform

Every module a SOC 2 program needs — in one platform.

Sixteen modules sharing the TSC library, evidence vault, and audit trail. Built around the Type 2 observation period so evidence accumulates continuously, not in monthly screenshot bursts.

SOC 2 Dashboard

TSC progress at a glance

Per-TSC compliance %, top open exceptions, evidence freshness, days-in-observation, auditor-meeting status.

TSC Library

All 5 categories pre-loaded

Security (CC1–CC9), Availability (A1), Processing Integrity (PI1), Confidentiality (C1), Privacy (P1–P8).

Continuous Evidence

From your existing tooling

Okta, AWS, Azure, Datadog, Snyk, GitHub, Jira — evidence pulls daily, mapped to controls automatically.

Type 1 Readiness

Design effectiveness in 8 weeks

Assessment workflow walks through the Common Criteria one criterion at a time. Gaps tracked to remediation tasks with due dates.

Type 2 Observation

365 days, automatically

Track every control's operating effectiveness across the observation period. Exception flagging at the moment of breach.

Auditor Export

By TSC, by criterion, by period

AICPA-aligned export bundles evidence for the CPA firm. Drilldown from criterion to source log/screenshot/ticket.

Remediation Tasks

Exceptions → tracked work

Exceptions convert to tasks with owner, due date, evidence-of-close. Bidirectional Jira/ServiceNow sync.

Vendor SOC 2 Tracking

Subservice organizations

Track subservice org SOC 2 reports, complementary user-entity controls (CUECs), and inclusive vs carve-out treatment.

Access Reviews

CC6.1 · CC6.2 · CC6.3

Automated quarterly access reviews from Okta/AD with attestation tracking. Evidence captured per review cycle.

Incident Tracking

CC7 incident response

Security incidents from your SIEM auto-create CC7 evidence records. Closure workflows with post-incident reviews.

Cross-Framework Mapping

SOC 2 + ISO 27001 + HIPAA + PCI

Each TSC criterion maps to ISO 27001 Annex A, HIPAA §164, PCI DSS requirements. One evidence set, multiple audits.

Policy Library

All SOC 2-required policies

12 policies covering CC1 governance, CC2 communications, CC5 control activities. Attestation tracking per policy version.

Workforce Attestation

CC1.1 · CC1.4 evidence

Onboarding, training, periodic re-attestation tracked per employee. Auditor sees a per-person training history.

CMDB Sync

In-scope systems mapped

Sync from ServiceNow/Lansweeper to keep the in-scope system inventory current. Auto-tag SOC 2 boundary.

Audit Trail

"Who closed CC7.2?" answered instantly

Timestamped log of every control score, evidence upload, exception transition. CPA-admissible for SOC 2 review.

Recurring Reviews

Quarterly cadence per TSC

Quarterly access reviews, monthly anomaly review, daily log review — cadences automated per Common Criterion.

All 5 trust services criteria

Security · Availability · PI · Confidentiality · Privacy.

Most SOC 2 vendors cover Security only. RiskWatch covers all five Trust Services Categories from day one — including the new 2017 TSC Privacy criteria (P1–P8) and the 2022 Common Criteria refinements. The auditor sees the full picture, the customer sees a comprehensive report, and you score once across all categories.

  • Security (CC1–CC9): Common Criteria covering control environment, risk assessment, control activities, monitoring
  • Availability (A1): Capacity planning, environmental protections, recovery procedures
  • Processing Integrity (PI1): Inputs, processing, outputs, retention — relevant for FinTech and processors
  • Confidentiality (C1): Information designated as confidential, retention, destruction
  • Privacy (P1–P8): Notice, choice, collection, use, retention, access, disclosure, quality, monitoring
See all 5 TSCs in action
SOC 2 · Trust Services Criteria
CC1 · Control environment (governance, ethics) · 94%
CC2 · Communication and information · 88%
CC3 · Risk assessment · 92%
CC4 · Monitoring activities · 86%
CC5 · Control activities · 90%
CC6 · Logical and physical access controls · 78%
CC7 · System operations (anomaly detection) · 82%
CC8 · Change management · 91%
CC9 · Risk mitigation · 84%
A1 · Availability · capacity & recovery · 88%
One assessment · Control library: ISO 27001 · SOC 2 · HIPAA · NIST CSF · PCI DSS · GDPR · Cross-framework mapping

SOC 2 + ISO 27001 + HIPAA + PCI.

Every Common Criterion maps to ISO 27001 Annex A controls, HIPAA §164 sections, and PCI DSS requirements. One evidence set satisfies multiple audits — SaaS teams typically run SOC 2 alongside ISO 27001, plus HIPAA for healthcare verticals or PCI DSS for payment flows. RiskWatch flags overlap and conflicts.

  • ISO 27001:2022 Annex A: CC6.1 → A.5.16, CC7.2 → A.8.16, CC8.1 → A.8.32 — full crosswalk pre-built
  • HIPAA Security Rule, for healthcare SaaS: CC6.1 ↔ §164.312(a), CC7.2 ↔ §164.308(a)(1)(ii)(D)
  • PCI DSS v4.0.1, for payment SaaS: CC6.1 ↔ Req 8.3, CC7.2 ↔ Req 10.4
  • NIST CSF 2.0: TSC criteria mapped to Govern, Identify, Protect, Detect, Respond, Recover
  • GDPR (privacy TSC): P1–P8 cross-mapped to GDPR Articles 5–35
Type 1 vs Type 2

From design effectiveness to operating effectiveness.

Type 1 · Point-in-time

Design of controls — 'are the controls properly designed?' One-day audit. Typical: 8–12 weeks readiness.

Type 2 · Period of time

Operating effectiveness — 'do the controls work?' 6–12 month observation. Typical: ongoing.

Common Criteria

9 categories shared by all SOC 2 reports — CC1 through CC9, covering the Security TSC.

Supplemental Criteria

A1, PI1, C1, P1–P8 — added to the report based on which TSCs the org pursues.

CUECs · the auditor reads them too

Your Type 2 report relies on customers performing controls.

Complementary User Entity Controls are the controls your customers must perform for your SOC 2 report to be meaningful. Most SaaS providers list CUECs in the report and never check whether customers actually perform them. When a customer's auditor pulls your SOC 2 and asks “did you do CUEC-2?”, your customer's answer determines whether your report is useful or theatre. The CUEC tracker captures attestation per customer, per cycle.

  • Per-customer CUEC inventory: every CUEC tied to every contract; customers see their own list in their portal
  • Annual attestation cycle: auto-routed reminders; customers attest with timestamp + auditor for the audit log
  • Gap-to-coverage tracking: % of customers attested per CUEC; auditor sees the rolled-up status in the Type 2 evidence pack
  • CSA STAR alignment: CUEC inventory cross-mapped to CSA STAR shared-responsibility matrix
SOC 2 Type 2 · CUEC tracker
Complementary User Entity Controls · 6 CUECs · 47 customers
Customer attestation status · auditor-visible
CUEC-1 · User access provisioning + termination per contract · 47/47 attested
CUEC-2 · Annual access review of customer admin users · 41/47 attested
CUEC-3 · Encryption key rotation (BYOK customers only) · 9/12 attested
CUEC-4 · Audit log review for customer-initiated actions · 23/47 attested
CUEC-5 · Incident reporting within agreed-upon SLA · 47/47 attested
CUEC-6 · MFA enforcement for customer admin users · 45/47 attested
Annual customer attestation cycle · auto-renewed. Type 2 report stops being theatre.
How it works

From Type 1 readiness to Type 2 audit in five stages.

Most teams complete Type 1 readiness in 8–12 weeks. The 6–12 month Type 2 observation period runs continuously after that. Stage 5 is on-demand the moment your CPA firm needs evidence.

Stage 01 · Week 1–2

Scope and select TSC

Decide which TSC categories apply (Security mandatory; the others optional). Sync CMDB to identify in-scope systems.

Stage 02 · Week 3–8

Type 1 readiness

Score each Common Criterion. Map controls. Close design gaps. Type 1 audit: design effectiveness as of a single date.

Stage 03 · Continuous

Type 2 observation

Continuous evidence collection from existing tooling. Each control's operating effectiveness tracked across the period.

Stage 04 · Month 11–12

Auditor walkthrough

AICPA-licensed CPA firm reviews evidence by TSC and Common Criterion. Exceptions flagged, root-caused, remediated.

Stage 05 · On-demand

Type 2 report issued

AICPA-format SOC 2 Type 2 report with management assertion, system description, control mapping, and operating-effectiveness opinion.

Customer stories

The Type 2 audit that stopped requiring a war room.

Real SaaS teams. Real Type 1-to-Type 2 timelines. Real auditor sign-offs without screenshot scrambles.

“Continuous evidence collection from Okta, Snyk, and Datadog meant our Type 2 observation period was already 90% audited the day we started.”
Sandeep K. · VP InfoSec · Series-C SaaS · 1,200 employees
Type 1 readiness: 8 weeks (↓ from 16 weeks prior) · Evidence per quarter: auto, from existing tools · Time-to-deploy: 3 weeks (first TSC scoring)

“We pursued SOC 2 + ISO 27001 simultaneously. Cross-mapping cut the second audit's prep time by 60% — same evidence, two reports.”
Rachel A. · Head of GRC · FinTech · 800 employees

“Subservice org tracking caught two of our Tier 1 vendors with expired SOC 2 reports before our auditor did. We avoided a CUEC finding.”
Brian K. · Director of Compliance · HealthTech SaaS · 1,500 employees

“Adding the Privacy TSC felt impossible until we saw P1–P8 already mapped to our existing GDPR work. Same controls, same evidence, second category in-scope.”
Marina M. · CISO · Marketing SaaS · 2,100 employees
Cross-mapped frameworks

Plus every framework SaaS teams run alongside SOC 2 — cross-mapped.

Score one TSC criterion, satisfy ISO 27001, HIPAA, PCI DSS, NIST CSF, and GDPR simultaneously. The same evidence becomes the same audit deliverable, multiple times.

SOC 2 Type 2 · AICPA TSC 2017 + 2022
SOC 2 Type 1 · Design effectiveness
ISO 27001:2022 · ISMS · Annex A controls
ISO 27017 · Cloud security
ISO 27018 · Cloud privacy
HIPAA Security · Healthcare SaaS
PCI DSS v4.0.1 · Payment SaaS
NIST CSF 2.0 · Outcome-based
NIST 800-53 r5 · Federal control catalog
GDPR · EU data protection
CCPA / CPRA · California privacy
FedRAMP · Cloud federal
HITRUST CSF · Healthcare unified
SOC 1 (SSAE 18) · Financial controls
+20 more · Custom on request
Free resources

Take RiskWatch home before you sign anything.

Three downloads. Use them to evaluate, share with your CPA firm, or build the SOC 2 readiness business case.

Most popular · SOC 2 Readiness · PDF · 32 pages · CPA-aligned

SOC 2 Readiness Checklist

Thirty-two pages walking through Common Criteria CC1 through CC9 plus the Availability, Processing Integrity, Confidentiality, and Privacy criteria. Includes an evidence-collection guide per criterion.

  • All 5 TSC categories
  • Per-criterion evidence guide
  • Type 1 → Type 2 transition plan
Get the checklist
Crosswalk · RiskWatch 2026 · Excel · TSC ↔ Annex A

SOC 2 to ISO 27001 Crosswalk

Every Common Criterion mapped to its ISO 27001 Annex A counterpart. Use as a control-mapping reference if you're running both audits, or as a migration source if you're evaluating which to start with.

  • CC1–CC9 ↔ Annex A mapping
  • Conflict-flag column
  • Implementation guidance per row
Get the crosswalk
Buyer's Guide · SOC 2 Compliance Platform · 2026 Vendor Comparison · 20-page PDF

SOC 2 Platform Buyer's Guide

Vendor scorecard, Vanta-vs-Drata-vs-RiskWatch comparison, evidence-automation depth, multi-framework support, pricing by org size.

  • Feature matrix · 6 vendors
  • Continuous-evidence comparison
  • Pricing benchmarks
Get the guide
FAQ

Common questions, answered up front.

About SOC 2 Type 1 vs Type 2, the Trust Services Criteria, continuous evidence, CUECs, and cross-framework mapping — and how RiskWatch covers all of them.

What is SOC 2 compliance software?
SOC 2 compliance software is a platform that helps service organizations achieve SOC 2 Type 1 readiness and pass SOC 2 Type 2 audits without exceptions piling up. The 2026 SOC 2 automation market is $1.3B+ and has shifted decisively toward continuous monitoring — point-in-time audits are functionally extinct. RiskWatch covers all 5 Trust Services Criteria categories with 100+ Common Criteria, continuous evidence collection from your existing tools (Okta, AWS, Datadog, Snyk, GitHub, Jira), Type 1 readiness gating Type 2 start-date, access-drift detection, auditor-ready exports, and cross-framework mapping to ISO 27001, HIPAA, PCI DSS, and NIST CSF.
What's the difference between SOC 2 Type 1 and Type 2?
SOC 2 Type 1 attests to the design of controls at a single point in time — the auditor confirms 'are the controls properly designed?' on the audit date. SOC 2 Type 2 attests to operating effectiveness over an observation period — typically 6 to 12 months — confirming 'do the controls actually work?' Type 1 takes 8–12 weeks of readiness work. Type 2 requires continuous evidence across the observation period. Most enterprise customers want a Type 2 report, but Type 1 is often the first deliverable while the org builds the evidence base for Type 2.
Which Trust Services Criteria do I need?
Security (CC1–CC9) is mandatory in every SOC 2 report. The other four are optional and selected based on what your customers care about: Availability (A1) for SaaS where uptime is the SLA, Processing Integrity (PI1) for FinTech and payment processors, Confidentiality (C1) for orgs handling NDAs and IP, Privacy (P1–P8) for orgs handling personal data. Most B2B SaaS reports cover Security + Availability + Confidentiality. RiskWatch supports all five — you select which apply at scope-setting.
How is SOC 2 different from ISO 27001?
SOC 2 is an attestation report from an AICPA-licensed CPA firm, governed by the Trust Services Criteria. ISO 27001 is a certification from an ISO-accredited registrar, governed by the ISO 27001 standard plus Annex A controls. SOC 2 reports are typically used for B2B sales transparency in the US (especially SaaS). ISO 27001 certificates are used globally and have more rigorous management-system requirements (the ISMS). Many SaaS teams pursue both — SOC 2 for US enterprise sales, ISO 27001 for global expansion. RiskWatch's cross-framework mapping makes pursuing both 60% less work than pursuing them sequentially.
How does continuous evidence collection work?
RiskWatch integrates with the tools where your control evidence already lives — Okta and Azure AD for access reviews, AWS and Azure for infrastructure config, Datadog and CloudWatch for monitoring, Snyk and GitHub for vulnerability and SDLC, Jira and ServiceNow for change management. Each integration pulls the relevant evidence daily and maps it to the corresponding Common Criterion automatically. Your auditor sees an evidence record per control per day, not a quarterly screenshot. This is the core requirement of a Type 2 audit.
What are CUECs and how does the platform handle subservice orgs?
Complementary User-Entity Controls (CUECs) are controls that the user-entity (your customer) must perform to make your controls operate effectively — a cloud provider's 'customer is responsible for managing user access' is a CUEC for that customer's SOC 2. Subservice organizations are vendors whose services are part of your in-scope environment (your AWS, your Auth0). RiskWatch's vendor-tracking module captures every subservice org's SOC 2 report, parses the CUECs that apply to you, and tracks which CUECs your team has implemented. Inclusive vs carve-out treatment is configurable per subservice org.
How does cross-framework mapping reduce audit cost?
Most SaaS teams running SOC 2 also need ISO 27001 (global customers), HIPAA (healthcare verticals), or PCI DSS (payment flows). Each Common Criterion in SOC 2 maps to specific controls in those frameworks — CC6.1 (logical access) maps to ISO 27001 A.5.16, HIPAA §164.312(a), PCI Req 8.3, and NIST CSF PR.AA-3. Score CC6.1 once, satisfy four frameworks. Customers running SOC 2 + ISO 27001 simultaneously typically reduce combined audit prep by 60% by starting from a complete TSC scoring.
Is there a free trial?
Yes. The 30-day free trial requires no credit card and includes full access — every TSC category, all Common Criteria, continuous evidence integrations, Type 1 readiness workflows, Type 2 observation tracking, and cross-framework mapping. You can run a real SOC 2 readiness assessment against your own environment and decide before purchasing.
Ready for Type 2?

Start your Type 1 readiness this week.

Start a 30-day free trial — every TSC category, all Common Criteria, continuous evidence integrations, Type 2 observation tracking, and cross-framework mapping. No credit card required.

No credit card required · 30-day free trial · Cancel anytime