Skip to content

Compliance — SOC 2 Type II

Informational only — not a compliance guarantee

The control mappings, recommendations, and architecture patterns on this page are educational guidance for implementing the named framework on Microsoft Azure with CSA-in-a-Box. They are not:

  • An audit, certification, ATO, attestation, or accreditation
  • Legal advice
  • A guarantee that any deployment based on this content will be deemed compliant by an auditor, regulator, or accreditation body

Authoritative sources are:

  • The Microsoft Trust Center and Microsoft Service Trust Portal — for what Microsoft has formally certified for which Azure services. Where Microsoft has formally certified an Azure service for this framework, the certification is cited inline on this page.
  • Your organization's compliance counsel — for legal interpretation.
  • Your authorizing official, FedRAMP PMO, 3PAO, agency Authorizing Official, Confidentiality Officer, or equivalent — for the actual accreditation decision.

Validate through proper channels before production use. Neither the CSA-in-a-Box maintainers nor Microsoft accept liability for compliance outcomes of deployments based on this content. Use at your own risk and verify every control, mapping, and recommendation against the authoritative sources above.

Status: Implementation guidance and Trust Services Criteria (TSC) crosswalk for SOC 2 Type II reports. This is the most-requested commercial-sector compliance framework and is required for selling to most enterprises.

What is SOC 2 Type II?

SOC 2 (System and Organization Controls 2) is an attestation framework from the AICPA that evaluates an organization's controls over the Trust Services Criteria (TSC):

  • Security (always required)
  • Availability (optional, recommended)
  • Processing Integrity (optional, for transaction-heavy workloads)
  • Confidentiality (optional, recommended for B2B)
  • Privacy (optional, often replaced by GDPR/CCPA frameworks)

A Type I report attests that controls are designed appropriately at a point in time. A Type II report attests that controls are operating effectively over a period (typically 6–12 months) — this is what enterprise buyers require.

A SOC 2 audit is performed by a licensed CPA firm (not just any auditor). The output is an attestation report you share under NDA with prospects/customers.

How CSA-in-a-Box helps

The platform implements many Common Criteria (CC) controls out-of-box and provides documentation patterns for the rest. You still need:

  • An auditor (CPA firm) — Microsoft can suggest partners
  • A 6–12 month observation window with evidence
  • Your own policies (Information Security Policy, Acceptable Use, etc.)
  • Operational evidence (logs, ticket exports, change records)

TSC crosswalk

Common Criteria (CC) — applies to all SOC 2 reports

CC Description Where in CSA-in-a-Box
CC1 Control Environment Org structure, ethics, board oversight Out of scope — your org policies
CC2 Communication & Information Internal/external comms about objectives Out of scope — your policies
CC3 Risk Assessment Risk identification + mitigation Defender for Cloud + Defender Vulnerability Management → risk register; Best Practices — Security
CC4 Monitoring Activities Ongoing evaluations + remediation Defender for Cloud Secure Score, Sentinel, monthly compliance reviews
CC5 Control Activities Implementation of policies This entire repo
CC6 Logical & Physical Access Access controls + restriction Identity & Secrets Flow, Entra + PIM + Conditional Access; physical inherited from Azure CSP
CC6.1 Logical access security Authentication + authorization Entra ID + MFA + RBAC + PIM
CC6.2 New access provisioned Access reviews on hire Runbook — Tenant Onboarding
CC6.3 Access removed Deprovisioning Entra Lifecycle Workflows + access reviews
CC6.6 Encryption in transit TLS 1.2+ All Azure services TLS 1.2 enforced; Bicep modules set minTLSVersion: '1.2'
CC6.7 Encryption at rest At-rest encryption All Azure storage encrypted by default; CMK with Key Vault on sensitive workloads
CC6.8 Malicious software AV/EDR Defender for Servers + Defender for Containers (if AKS)
CC7 System Operations Detection + response to anomalies Defender for Cloud + Sentinel + Runbook — Security Incident
CC7.1 Vulnerability management Vuln scanning + patching Defender Vulnerability Management + Trivy in CI + Update Management
CC7.2 Monitoring of system components Log collection + analysis Log Analytics + Diagnostic Settings + LOG_SCHEMA.md
CC7.3 Anomaly detection Behavioral analytics Sentinel UEBA, Defender for Cloud alerts
CC7.4 Incident response Documented IR process Runbook — Security Incident, Runbook — Break-Glass
CC7.5 Recovery DR + backup DR.md, Runbook — DR Drill
CC8 Change Management Authorized + tested changes Bicep IaC + GitHub PR reviews + branch protection + az deployment what-if
CC8.1 Change authorization Approvals before deploy GitHub required reviewers, environment protection rules
CC9 Risk Mitigation Vendor + business continuity SUPPLY_CHAIN.md, DR.md
Criterion Where
A1.1 Capacity planning Best Practices — Performance Tuning, Azure Monitor capacity alerts
A1.2 Environmental protections Inherited from Azure CSP
A1.3 Recovery + redundancy DR.md, zone-redundant storage, geo-replication, Bicep multi-region module

Confidentiality (C) — optional but common

Criterion Where
C1.1 Confidential information identified Purview classification + data product contracts (classification: confidential)
C1.2 Disposal of confidential information Lifecycle policies on Storage, soft-delete on Key Vault, retention policies

Processing Integrity (PI) — optional, for transaction systems

Criterion Where
PI1.1 Inputs validated Data product contracts validate schema; dbt tests + Great Expectations on silver
PI1.2 Processing complete + accurate dbt tests, ADF pipeline monitoring, dead-letter queues (Runbook)
PI1.3 Outputs accurate Gold-tier dbt tests + reconciliation queries

Specific implementations worth highlighting

CC6.1 + CC6.2 — Logical access (the auditor's #1 focus)

  • Implemented:
    • Entra ID is the only identity provider; no local accounts on data resources
    • MFA enforced via Conditional Access for all users, all admin actions
    • PIM-eligible (not active) for any role with */write
    • Federated CI/CD identities (no client secrets) — see Identity & Secrets Flow
    • Quarterly access reviews via Entra Access Reviews
  • Evidence:
    • Conditional Access policy export
    • PIM activation logs
    • Access review completion records
    • GitHub federated credential trust config

CC7.2 — Monitoring (the auditor's #2 focus)

  • Implemented:
    • Diagnostic Settings on every resource → Log Analytics workspace
    • 90-day retention hot, multi-year archive in Storage with immutability
    • LOG_SCHEMA.md standardizes log formats
    • Workbooks for daily security review
    • Alerts on Defender for Cloud high/critical
  • Evidence:
    • KQL query exports showing log coverage
    • Retention policy export
    • Sample alert + acknowledgement chain

CC8.1 — Change management

  • Implemented:
    • Every infrastructure change is a Bicep PR with required review
    • GitHub branch protection on main (required PR review, required CI checks)
    • Environment protection rules require approver for production deploys
    • az deployment what-if runs in CI on every PR
  • Evidence:
    • GitHub branch protection settings export
    • Sample PR with reviews + what-if results
    • Deploy history correlated to PR merge events

Auditor-friendly evidence collection

Set up a dedicated Log Analytics workspace for compliance evidence with:

// Daily evidence pack: who changed what
AzureActivity
| where TimeGenerated > ago(1d)
| where OperationNameValue contains "/write" or OperationNameValue contains "/delete"
| project TimeGenerated, Caller, OperationNameValue, ResourceId, ActivityStatusValue
| order by TimeGenerated desc

// Quarterly access review evidence
SigninLogs
| where TimeGenerated > ago(90d)
| summarize SignInCount = count() by UserPrincipalName, AppDisplayName
| order by SignInCount desc

Save these as Workbooks. Auditors love Workbook screenshots.

Documentation deliverables checklist

For your SOC 2 Type II report you'll need:

  • System Description (the formal narrative the auditor publishes)
  • Information Security Policy
  • Acceptable Use Policy
  • Access Control Policy
  • Change Management Policy
  • Incident Response Plan ← reference Runbook — Security Incident
  • Business Continuity / DR Plan ← reference DR.md
  • Vendor Management policy + register
  • Risk Assessment (annual, with output)
  • Vulnerability Management Policy
  • Asset Inventory (Azure Resource Graph queries can auto-generate)
  • Data Classification policy
  • Encryption Policy
  • Logging & Monitoring Policy
  • Backup Policy
  • Personnel Security (background checks, training)

Type I vs Type II — sequencing

gantt
    title Typical SOC 2 path for an early-stage org
    dateFormat YYYY-MM
    section Prep
    Gap assessment             :2026-01, 2M
    Remediate gaps             :2026-02, 3M
    Pick auditor               :2026-04, 1M
    section Type I
    Type I observation         :2026-05, 1M
    Type I report issued       :milestone, 2026-07, 0d
    section Type II
    Type II observation window :2026-07, 6M
    Type II audit fieldwork    :2027-01, 2M
    Type II report issued      :milestone, 2027-03, 0d
    section Steady state
    Annual Type II             :2027-04, 12M

Trade-offs

Why this is a strong starting point

  • Most CC6/CC7/CC8 controls are platform-implemented
  • Bicep IaC + git history = automated change evidence
  • Azure Diagnostic Settings = automated monitoring evidence
  • Defender for Cloud = automated security posture evidence

⚠️ What this does not give you

  • An attestation report (you must engage a CPA firm)
  • Org-level policies (your CISO/legal)
  • Personnel controls (your HR)
  • Customer comms for control deviations (your account team)