SOC 2 documentation generator
SOC 2 reports on controls relevant to the Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality and Privacy. Auditors expect documented, operating policies and evidence.
A SOC 2 examination tests whether your controls meet the AICPA Trust Services Criteria — and auditors expect documented, operating policies as evidence. CompliWiseAI generates the SOC 2 policy set, from your information security and access control policies to incident response, change management and vendor management, tailored to your systems and the commitments you make to customers.
Documents we generate for SOC 2
13 required documents, each tailored to your company and structured for audit.
Information Security Policy
Required: Overarching security policy establishing the control environment and management direction.
Policy · CC1.0 / CC5.0
Logical Access Control Policy
Required: Provisioning, authentication, authorization and de-provisioning of logical access.
Policy · CC6.1–CC6.3
Risk Assessment & Register
Required: Identification and analysis of risks to achieving the service commitments.
Risk register · CC3.0
Vendor & Third-Party Management Policy
Required: Due diligence and ongoing monitoring of subservice organizations and vendors.
Policy · CC9.2
Change Management Policy
Required: Controlled process for authorizing, testing and deploying system changes.
SOP · CC8.1
Incident Response Plan
Required: Identification, response, communication and recovery from security incidents.
Incident response · CC7.3–CC7.4
Business Continuity & Disaster Recovery Plan
Required: Availability commitments through backup, recovery and continuity planning.
SOP · A1.2–A1.3
Data Classification & Handling Policy
Required: Classification levels and handling rules for confidential information.
Data protection · C1.1 / CC6.7
Acceptable Use Policy
Required: Acceptable use of company systems and data by personnel.
Policy · CC1.1 / CC2.2
Logging & Monitoring Policy
Required: Security event logging, monitoring and alerting requirements and evidence.
Log template · CC7.1–CC7.2
Personnel Onboarding & Offboarding Procedure
Required: Background checks, access granting and timely revocation across the employee lifecycle.
SOP · CC1.4 / CC6.2
Vulnerability Management Policy
Required: Identification, prioritization and remediation of technical vulnerabilities.
SOP · CC7.1
Security Awareness Training Programme
Required: Recurring security training and acknowledgement of policies by personnel.
Training · CC2.2
SOC 2 readiness checklist
- Security policies approved and acknowledged
- Logical access controls and MFA enforced
- Annual risk assessment completed
- Change management process operating
- Incident response plan tested
- Vendor risk reviews performed
- Logging and monitoring in place
- Onboarding/offboarding controls operating
- Security awareness training completed
- Evidence collected over the audit period (Type II)
SOC 2 — frequently asked questions
What is the difference between SOC 2 Type I and Type II?
Type I assesses whether your controls are suitably designed at a point in time; Type II tests whether they operated effectively over a period (typically 3–12 months). Both rely on documented policies — CompliWiseAI generates the policy set; Type II additionally needs evidence collected over the period.
Which Trust Services Criteria do I need?
Security (the Common Criteria) is always included; Availability, Processing Integrity, Confidentiality and Privacy are optional based on your service commitments. CompliWiseAI's documents map to the relevant criteria so you can scope your report.
Does CompliWiseAI run my SOC 2 audit?
No. A SOC 2 report is issued by a licensed CPA firm. CompliWiseAI prepares the documentation that makes your audit readiness far faster and cheaper to reach.
Start your SOC 2 documentation free
Create a workspace, add SOC 2, and generate your first audit-ready document in minutes.