RiskWatch

For B2B SaaS + Service Organizations + Multi-Product CSPs

One platform for Trust Services Criteria, Type II attestation, and CUEC tracking across every product.

B2B SaaS and service organizations face a uniquely customer-facing compliance stack: AICPA SOC 2 Trust Services Criteria, Type I vs Type II attestation, the CUEC (Complementary User Entity Controls) ecosystem, sub-service organization carve-out / inclusive methods, AICPA SOC 1 cross-mapping, and 380+ enterprise customers conducting their own SOC 2 reviews. RiskWatch handles all of it as one survey-based assessment platform sized for VPs of Trust running Type II + ISO 27001 dual surveillance.

Trusted by B2B SaaS, multi-product CSPs, and enterprise service organizations managing SOC 2 Type II + ISO 27001 dual surveillance, multi-product carve-out scoping, the CUEC ecosystem, and 380+ enterprise customer audits across cloud, AI, and platform-as-a-service categories.

Bose · TE Connectivity · Aon · Halex · NetAccess · Johnson & Johnson
4.8 · G2 Crowd · 134+
4.7 · Capterra · 92+
4.8 · Gartner Peer Insights · Voice of the Customer

Why VPs of Trust + Security Pick RiskWatch

RiskWatch turns Type II, TSC, CUEC, and ISO 27001 into one program.

RiskWatch runs SOC 2 Type II, the 5 Trust Services Criteria, the CUEC ecosystem, sub-service organization carve-outs, ISO 27001:2022 + Annex A, NIST CSF 2.0, CSA STAR, SIG, and HITRUST CSF as one program on one platform, scored against the same controls library, and tracked through a single auditor-ready evidence trail. Built for VPs of Trust + Security where one team covers every product, every customer audit, and every surveillance cycle, without enterprise-bank GRC overhead.

Type I + Type II + CUEC in one library

Type I point-in-time, Type II 6-or-12-month operating-effectiveness, and CUEC customer-attestation tracking share one evidence set, with no parallel binders. The CUEC tracker shows which customers have attested to which CUECs, surfacing the gaps that would undermine the audit opinion before the auditor finds them.

Cross-mapping to ISO 27001 + NIST CSF + CSA STAR

ISO 27001:2022 Annex A (93 controls), NIST CSF 2.0 outcome-based mapping, CSA STAR self-assessment + certification, and SIG Lite + Core questionnaires share evidence with SOC 2. Score one control, satisfy multiple frameworks.

Multi-product + sub-service org built in

Multi-product SaaS companies run per-product TSC posture with rollup to the consolidated SOC 2 report. Sub-service org carve-out vs inclusive method tracked. White-glove implementation in 30 days, not 6 months.

The SOC 2 Attestation Landscape

SOC 2 Type II is the de-facto B2B SaaS audit. The numbers prove it.

More than 90% of enterprise procurement reviews require a current SOC 2 Type II. The 2017 Trust Services Criteria (still current, with points of focus revised in 2022) organize Security as the Common Criteria and add Additional Criteria for Availability, Processing Integrity, Confidentiality, and Privacy; the Common Criteria are aligned to the 17 principles of the 2013 COSO Internal Control framework. The AICPA Description Criteria (DC section 200, issued 2018, with revised implementation guidance in 2022) govern the system description in the report. ISO 42001:2023 (AI management systems) is becoming the SOC 2 add-on of choice for AI-native SaaS. The CUEC ecosystem keeps growing as customers' auditors cite unperformed CUECs as findings.

5 TSC
Trust Services Criteria, Security · Availability · Processing Integrity · Confidentiality · Privacy
Type II
Operating-effectiveness attestation over 6–12 months, the enterprise default
DC-200
AICPA Description Criteria (DC section 200) for the SOC 2 system description, 2018 with revised implementation guidance in 2022
CUEC
Complementary User Entity Controls, customer-side controls SOC 2 reports require

Three Domains, One Platform

SOC 2 risk lives in three concrete domains

RiskWatch covers all three. Each domain has a dedicated workflow, scoring model, and remediation queue. They share data so a single TSC assessment satisfies the SOC 2 Common Criteria, the relevant Additional Criteria, the corresponding ISO 27001 Annex A control, and the NIST CSF 2.0 mapping simultaneously.

Risk

Service + Vendor + Sub-service Risk

Survey-based risk assessment across service organization, vendor TPRM, and sub-service organization carve-out / inclusive scoping.

  • Sub-service org register live
  • Vendor TPRM integrated
  • Risk register tied to TSC
Explore Risk Management
Compliance

Common + Add-on + TSC

Common Criteria, Additional Criteria, the 5 Trust Services Criteria, and the cross-mapped ISO + NIST + CSA STAR libraries.

  • All 5 TSC pre-loaded
  • ISO 27001 cross-mapped
  • DC-200 description ready
Explore Compliance Management
Validation

Type I + Type II + CUEC

Type I point-in-time, Type II operating-effectiveness, and the CUEC customer-attestation ecosystem tracked in one place.

  • Type II evidence vault live
  • CUEC tracker integrated
  • Auditor portal ready
Explore Cybersecurity

SOC 2 Type II · CUEC Spotlight

When customers do not perform their CUECs, the auditor's opinion does not reach them.

Complementary User Entity Controls (user-access provisioning, annual access reviews, BYOK key rotation, audit-log review, MFA enforcement) are the controls a SOC 2 report assumes the customer performs; the service organization's controls are designed on that assumption. When a customer does not actually perform them, the report's assurance does not hold for that customer, and the customer's own auditor will flag it. The CUEC tracker shows which customers have attested to which CUECs, surfaces gaps before the auditor finds them, and routes missing attestations back into the trust-portal workflow.

SOC 2 Type II · CUEC tracker
Complementary User Entity Controls · 6 CUECs · 47 customers
Customer attestation status · auditor-visible

CUEC | Control | Attested
CUEC-1 | User access provisioning + termination per contract | 47/47
CUEC-2 | Annual access review of customer admin users | 41/47
CUEC-3 | Encryption key rotation (BYOK customers only) | 9/12
CUEC-4 | Audit log review for customer-initiated actions | 23/47
CUEC-5 | Incident reporting within agreed-upon SLA | 47/47
CUEC-6 | MFA enforcement for customer admin users | 45/47

Annual customer attestation cycle · auto-renewed. The Type II report stops being theatre.
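The two things the tracker above has to get right are scoping (CUEC-3 counts only BYOK customers, hence 9/12 rather than 9/47) and staleness (an attestation from two cycles ago is not an attestation). The following is an added example, not RiskWatch code: a minimal tracker that models both, assuming a 365-day attestation cycle, a per-customer feature flag for scoping, and constructed sample customers and dates.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Annual attestation cycle: an attestation older than this is stale (assumption).
CYCLE = timedelta(days=365)


@dataclass(frozen=True)
class Cuec:
    cuec_id: str
    description: str
    # Feature flag that puts a customer in scope for this CUEC; None = every customer.
    applies_to: Optional[str] = None


@dataclass
class Customer:
    name: str
    features: frozenset = frozenset()
    # cuec_id -> date the customer last attested to performing that control
    attested: Dict[str, date] = field(default_factory=dict)


def in_scope(cuec: Cuec, customer: Customer) -> bool:
    """CUEC-3 style scoping: only customers with the relevant feature (e.g. BYOK) count."""
    return cuec.applies_to is None or cuec.applies_to in customer.features


def is_current(cuec: Cuec, customer: Customer, today: date) -> bool:
    """An attestation counts only if it exists and is younger than one cycle."""
    last = customer.attested.get(cuec.cuec_id)
    return last is not None and (today - last) < CYCLE


def coverage(cuecs, customers, today) -> Dict[str, Tuple[int, int, List[str]]]:
    """Per CUEC: (customers with a current attestation, customers in scope, names missing)."""
    report = {}
    for cuec in cuecs:
        scoped = [c for c in customers if in_scope(cuec, c)]
        missing = [c.name for c in scoped if not is_current(cuec, c, today)]
        report[cuec.cuec_id] = (len(scoped) - len(missing), len(scoped), missing)
    return report


def gaps(cuecs, customers, today) -> Dict[str, List[str]]:
    """Per customer: CUECs that need a new attestation (the trust-portal work queue)."""
    queue = {}
    for customer in customers:
        due = [c.cuec_id for c in cuecs
               if in_scope(c, customer) and not is_current(c, customer, today)]
        if due:
            queue[customer.name] = due
    return queue


# Constructed sample data: three CUECs from the tracker above and three customers.
CUECS = [
    Cuec("CUEC-1", "User access provisioning + termination per contract"),
    Cuec("CUEC-3", "Encryption key rotation", applies_to="byok"),
    Cuec("CUEC-6", "MFA enforcement for customer admin users"),
]
CUSTOMERS = [
    Customer("Acme", frozenset({"byok"}),
             {"CUEC-1": date(2024, 3, 1), "CUEC-3": date(2024, 3, 1), "CUEC-6": date(2024, 3, 1)}),
    Customer("Beta", frozenset(),
             {"CUEC-1": date(2023, 1, 15), "CUEC-6": date(2024, 5, 1)}),  # CUEC-1 is stale
    Customer("Gamma", frozenset({"byok"}),
             {"CUEC-1": date(2024, 6, 1)}),  # never attested to CUEC-3 or CUEC-6
]
TODAY = date(2024, 9, 1)

if __name__ == "__main__":
    for cuec_id, (ok, total, missing) in coverage(CUECS, CUSTOMERS, TODAY).items():
        print(f"{cuec_id}: {ok}/{total} attested; missing: {missing}")
    print("re-attestation queue:", gaps(CUECS, CUSTOMERS, TODAY))
```

The denominator is the in-scope count, not the customer count, so a BYOK-only CUEC reports 1/2 here rather than 1/3; and a stale attestation (Beta's CUEC-1) is reported as missing, which is what drives the annual auto-renewal cycle.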

The Coverage Gap

Most SOC 2 software covers one TSC

Compliance automation tools handle Security TSC. Vendor risk platforms cover sub-service orgs. Audit-prep specialty handles document collection. Each does one job. VPs of Trust still operate four parallel programs across products, customers, and audit cycles.

Platform category | Examples | TSC | Type I | Type II | CUEC | Cross-mapping | Multi-product
Compliance automation | Drata, Vanta, Secureframe | Yes | Yes | Yes | Partial | Partial | Partial
Generic GRC | ServiceNow GRC, Archer | Partial | Partial | Partial | Partial | Partial | Partial
Audit-prep specialty | AuditBoard, Workiva | Partial | Partial | Yes | · | Yes | Partial
Vendor risk tools | OneTrust VRM, ProcessUnity | · | · | · | Partial | · | Partial
ISO 27001 specialty | BSI Connect, Conformio | · | · | · | · | Yes | ·
Spreadsheets & email | · | · | · | · | · | · | ·
RiskWatch | The unified auditor-ready platform | Yes | Yes | Yes | Yes | Yes | Yes

Yes = covered · Partial = partial coverage · · = not covered

RiskWatch is the only platform covering all six SOC 2 compliance domains: Trust Services Criteria, Type I, Type II, the CUEC ecosystem, ISO 27001 + NIST CSF cross-mapping, and multi-product coordination. Compliance automation handles security TSC. Audit-prep tools handle documents. Vendor risk handles sub-services. Each does one job. RiskWatch unifies all six in one survey-based assessment workflow.

How It Works

One platform. Continuous compliance across every TSC + framework.

RiskWatch is a survey-based assessment platform. The work is structured around questionnaires that capture Trust Services Criteria posture, control implementation, and CUEC attestations in a consistent format, then scored against every framework you align to.

For SOC 2, that workflow runs continuously across the 5 TSC, Type I + Type II evidence, the CUEC ecosystem, sub-service org scoping, ISO 27001:2022, NIST CSF 2.0, CSA STAR, SIG, and HITRUST. A single TSC control assessment scores against the SOC 2 Common Criteria, the corresponding ISO 27001 Annex A control, the NIST CSF mapping, and the customer SIG response simultaneously.
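The sentence above (and "Score one control, satisfy multiple frameworks" earlier on the page) is a many-to-many mapping problem, and the point a practitioner cares about is the aggregation rule: a framework requirement backed by several internal controls is satisfied only when every one of them is implemented. Marking it satisfied because one mapped control passes is the classic cross-mapping mistake. The following is an added example, not RiskWatch code. The SOC 2, ISO 27001:2022 Annex A and NIST CSF 2.0 identifiers are real references, but the control-to-requirement mapping and the assessment results are constructed for illustration, not an authoritative crosswalk.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Requirement = Tuple[str, str]  # (framework, requirement id)

# Constructed mapping: internal control id -> framework requirements it evidences.
MAPPING: Dict[str, List[Requirement]] = {
    "AC-01": [("SOC2", "CC6.1"), ("ISO27001", "A.8.5"), ("CSF2", "PR.AA-03")],   # MFA for admins
    "AC-02": [("SOC2", "CC6.2"), ("SOC2", "CC6.3"),
              ("ISO27001", "A.5.18"), ("CSF2", "PR.AA-05")],                      # access review
    "LG-01": [("SOC2", "CC7.2"), ("ISO27001", "A.8.15"), ("CSF2", "DE.CM-01")],  # central audit logging
    "LG-02": [("SOC2", "CC7.2"), ("ISO27001", "A.8.16"), ("CSF2", "DE.CM-01")],  # log review + alerting
}

# Constructed assessment results: implemented | partial | not_implemented
ASSESSMENT: Dict[str, str] = {
    "AC-01": "implemented",
    "AC-02": "implemented",
    "LG-01": "implemented",
    "LG-02": "partial",  # alerting exists, but no evidence of periodic review
}


def requirement_to_controls(mapping):
    """Invert the mapping: requirement -> every control that must hold for it."""
    inv = defaultdict(list)
    for control, reqs in mapping.items():
        for req in reqs:
            inv[req].append(control)
    return inv


def requirement_status(mapping, assessment) -> Dict[Requirement, str]:
    """Weakest-link rule: satisfied only when every mapped control is implemented."""
    status = {}
    for req, controls in requirement_to_controls(mapping).items():
        states = [assessment.get(c, "not_implemented") for c in controls]
        if all(s == "implemented" for s in states):
            status[req] = "satisfied"
        elif any(s != "not_implemented" for s in states):
            status[req] = "partial"
        else:
            status[req] = "gap"
    return status


def naive_status(mapping, assessment) -> Dict[Requirement, str]:
    """The common mistake: one passing mapped control marks the requirement satisfied."""
    status = {}
    for req, controls in requirement_to_controls(mapping).items():
        hit = any(assessment.get(c) == "implemented" for c in controls)
        status[req] = "satisfied" if hit else "gap"
    return status


def framework_coverage(status) -> Dict[str, Tuple[int, int]]:
    """Per framework: (requirements satisfied, requirements mapped)."""
    sat, total = defaultdict(int), defaultdict(int)
    for (framework, _), s in status.items():
        total[framework] += 1
        if s == "satisfied":
            sat[framework] += 1
    return {f: (sat[f], total[f]) for f in total}


def remediation_impact(control, mapping, assessment) -> List[Requirement]:
    """Requirements across all frameworks that flip to satisfied if `control` is fixed."""
    before = requirement_status(mapping, assessment)
    after = requirement_status(mapping, {**assessment, control: "implemented"})
    return sorted(r for r in mapping[control]
                  if before[r] != "satisfied" and after[r] == "satisfied")


if __name__ == "__main__":
    status = requirement_status(MAPPING, ASSESSMENT)
    print("CC7.2 weakest-link:", status[("SOC2", "CC7.2")],
          "| naive:", naive_status(MAPPING, ASSESSMENT)[("SOC2", "CC7.2")])
    print("coverage:", framework_coverage(status))
    print("fixing LG-02 satisfies:", remediation_impact("LG-02", MAPPING, ASSESSMENT))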

The same platform runs all of it, surfaces gaps before the auditor arrives, assigns remediation owners, and tracks completion. It replaces the compliance-automation tool, the GRC platform, the vendor portal, and the customer-audit response binder.

The Workflow

  01 · Scope
     Trust Services Criteria selected. Sub-service org carve-out / inclusive method documented. System description per DC-200 captured. CUEC inventory built.
  02 · Score
     Responses score against the 5 TSC, Common Criteria + Additional Criteria, ISO 27001:2022 Annex A, NIST CSF 2.0, CSA STAR, SIG Lite + Core, and HITRUST CSF.
  03 · Remediate
     Gaps become assigned tasks. Owners get deadlines. Vendor + sub-service-org + 3rd-party tasks cascade to the supplier portal automatically. CUEC notifications sent to customers.
  04 · Attest
     Evidence trails export to Type I (point-in-time) or Type II (operating-effectiveness) auditor formats. ISO 27001 surveillance package ready. Customer SIG responses generated.

TSC · Type II · CUEC · ISO 27001 · Customer Audit

Built For Your Role

Who uses RiskWatch in a B2B SaaS or service organization

VP Trust + Security

Owns enterprise trust posture, multi-framework attestation strategy, and the customer-facing security program for 380+ enterprise customers.

SOC 2 Type II + ISO 27001 dual surveillance live. Customer-facing trust portal continuous. Customer SIG response time tracked.

Director of Compliance

Owns the SOC 2 audit cycle, ISO 27001 surveillance, CSA STAR submission, and the cross-framework control mapping.

Type II evidence vault live. ISO 27001 Annex A mapped. CSA STAR submission ready. Cross-framework gaps surfaced.

Head of Information Security

Owns the technical Security TSC controls, threat modeling, vulnerability management, and the CC6 / CC7 / CC8 control families.

All Security TSC controls scored. CC6/7/8 evidence captured. Vulnerability tracking integrated. Pen-test cycle continuous.

Customer Success / Trust Lead

Owns the customer-facing trust portal, the SOC 2 report distribution + customer audit responses, and CUEC attestation.

Trust portal live. Customer SIG + CAIQ + custom-questionnaire responses generated. CUEC tracker shows attested vs missing.

Privacy Officer

Owns the Privacy TSC additional criteria, GDPR + CCPA cross-mapping, and DPA / customer-data-processing addendum tracking.

Privacy TSC controls scored. GDPR + CCPA cross-walked. DPA register live. Customer data subject requests tracked.

Audit + Risk Lead

Owns internal audit cycles, the DC-200 system description and its COSO alignment, sub-service organization risk, and the residual-risk register.

Internal audit cycle continuous. DC-200 description ready. Sub-service org register live. Residual risk register tied to TSCs.

Built For Your Segment

SOC 2 segments we serve

B2B SaaS Platforms

Enterprise B2B SaaS running multi-product Type II + ISO 27001 dual surveillance with 100+ enterprise customers conducting their own audits.

Multi-Product CSPs

Multi-product cloud service providers running per-product Type II with consolidated reporting + sub-service org carve-out / inclusive method scoping.

AI-Native + ML Platforms

AI-native SaaS adding ISO 42001:2023 AI management as the SOC 2 add-on, with model-governance + responsible-AI controls in scope.

Fintech + Embedded Finance

Fintech and embedded-finance platforms running SOC 2 alongside SOC 1 ICFR, PCI DSS, and state lending licenses.

Healthcare SaaS + HealthTech

HealthTech running SOC 2 + HIPAA + HITRUST CSF, with the BAA cascade and PHI flows in scope alongside the standard TSCs.

Service Organizations

Outsourced HR, payroll, billing, customer service, and managed-services providers running SOC 2 for client procurement diligence.

Frameworks We Cover

SOC 2 frameworks built into the library

RiskWatch ships with pre-built libraries for every major attestation + assurance + cross-mapped framework. Map controls once. Score against the framework that matters this audit cycle.

Regulatory + AICPA Frameworks

AICPA SOC 2 TSC
Trust Services Criteria, Security (Common Criteria), Availability, Processing Integrity, Confidentiality, Privacy (Additional Criteria).
SSAE 18
AICPA Statement on Standards for Attestation Engagements, the attestation framework SOC 2 reports follow.
SOC 1
Internal Control over Financial Reporting (ICFR) attestation for service organizations affecting customer financial reporting.
SOC 3
General-use trust report, SOC 2-equivalent assertions distributed publicly without restricted-use language.
AICPA DC-200
Description Criteria (DC section 200) for the system description in a SOC 2 report, issued 2018 with revised implementation guidance in 2022.
AICPA SOC for Cybersecurity
Entity-level cybersecurity risk-management examination, separate from SOC 2 but cross-evidenced.

Industry + Cross-Mapped Frameworks

ISO 27001:2022
ISMS standard with the 2022 Annex A (93 controls), the international counterpart to SOC 2 and the dual-surveillance default.
NIST CSF 2.0
Cybersecurity Framework 2.0 (Feb 2024), outcome-based mapping of every TSC control to Govern / Identify / Protect / Detect / Respond / Recover.
CSA STAR
Cloud Security Alliance STAR self-assessment + certification, CAIQ + CCM cross-walked to TSCs.
SIG Lite + Core
Shared Assessments Standardized Information Gathering questionnaires, customer-audit response evidence.
HITRUST CSF
Health-industry common-security framework, cross-mapped for SaaS serving healthcare customers requiring HITRUST.
ISO 42001:2023
AI Management System standard, the SOC 2 add-on of choice for AI-native SaaS.

Trusted by 1,500+ risk and compliance teams

Aon
Bose
The Coca-Cola Company
Iberdrola USA
Johnson & Johnson
Pfizer
Puma North America
SeaWorld Entertainment
TE Connectivity
We were running SOC 2 in Drata, ISO 27001 in a separate spreadsheet, the customer trust portal in a third tool, and CUEC tracking in Notion. Now it's one platform. Type II evidence, ISO 27001 Annex A mapping, the CUEC tracker, and customer SIG responses all run from the same evidence vault. Our last Type II audit closed with two findings instead of nine, and we cut customer-audit response time from 11 days to 2.
G. Magaki
VP Trust + Security, B2B SaaS company · 1,400 employees · SOC 2 Type II + ISO 27001 dual surveillance · 380+ enterprise customers
4 → 1 · tools consolidated to one platform
9 → 2 · Type II findings on most recent audit
11 → 2 days · customer SIG response time reduced

Type II · TSC · CUEC-ready

See RiskWatch run a SOC 2 Type II + ISO 27001 cycle live

30-minute walkthrough of the SOC 2 library, your product + customer + sub-service-org inputs, and the auditor-ready evidence-trail output. No slideware, no consulting upsell.

Or call US: +1 941-500-4525

Request a Demo