SOC 2 Framework
Automate SOC 2 Type I and Type II compliance assessments across your managed Microsoft 365 tenants. OpsPilot365 Trust Center maps your M365 security configurations directly to SOC 2 Trust Service Criteria, enabling continuous monitoring and audit-ready evidence collection.
Note: SOC 2 compliance monitoring is part of the Trust Center add-on. It provides automated control assessments, evidence collection, and audit-ready reporting mapped to all five Trust Service Criteria. Designed for MSPs managing SOC 2 obligations across multiple client tenants.
Trust Service Criteria Overview
SOC 2 is organized around five Trust Service Criteria (TSC). OpsPilot365 maps Microsoft 365 controls to each criterion, providing coverage scores and gap analysis per tenant.
- Security (CC) — Common Criteria covering logical and physical access controls and system operations.
- Availability (A) — System uptime and performance monitoring.
- Processing Integrity (PI) — Complete and accurate processing of data.
- Confidentiality (C) — Confidential information protection and data handling.
- Privacy (P) — Personal data collection, use, and disclosure management.
Type I vs Type II Audits
OpsPilot365 supports both SOC 2 Type I (point-in-time) and Type II (period-of-time) assessments, with continuous monitoring capabilities essential for Type II readiness.
| Aspect | Type I | Type II |
|---|---|---|
| Assessment Period | Point-in-time snapshot | Minimum 6-month observation period |
| What Is Evaluated | Control design and suitability | Control design and operating effectiveness |
| Evidence Required | Current configuration snapshots | Historical logs, trend data, continuous evidence |
| OpsPilot365 Support | On-demand snapshot reports | Continuous monitoring with historical evidence retention |
| Typical Use Case | Initial compliance baseline | Ongoing client assurance and vendor requirements |
Control Mapping to SOC 2 Criteria
OpsPilot365 automatically maps Microsoft 365 security settings, policies, and configurations to SOC 2 Common Criteria. Below is a summary of key mappings assessed per tenant.
| SOC 2 Criterion | Description | M365 Controls Mapped | Auto-Assessed |
|---|---|---|---|
| CC1.1 - CC1.5 | Control Environment | Admin role assignments, RBAC policies, directory roles | Yes |
| CC2.1 - CC2.3 | Communication and Information | Security policies, user notifications, classification labels | Partial |
| CC3.1 - CC3.4 | Risk Assessment | Secure Score, threat assessments, vulnerability reports | Yes |
| CC5.1 - CC5.3 | Control Activities | Conditional Access policies, DLP rules, retention policies | Yes |
| CC6.1 - CC6.8 | Logical and Physical Access Controls | MFA, Conditional Access, PIM, session policies | Yes |
| CC7.1 - CC7.5 | System Operations | Audit logs, monitoring alerts, incident response | Yes |
| CC8.1 | Change Management | Configuration change tracking, drift detection | Yes |
| CC9.1 - CC9.2 | Risk Mitigation | Threat protection, anti-malware, safe links/attachments | Yes |
Continuous Monitoring
SOC 2 Type II requires demonstrating that controls operate effectively over time. OpsPilot365 provides continuous monitoring capabilities designed specifically for this requirement.
- Automated Scanning — Configurable scan schedules (hourly, daily, weekly), real-time drift detection against baseline configurations, automated re-assessment when M365 configurations change, per-tenant and cross-tenant scanning.
- Historical Evidence — Point-in-time configuration snapshots stored for audit periods, compliance score trend tracking over 6-, 9-, or 12-month windows, immutable audit trail of all control state changes, timestamped evidence packages for auditor review.
- Drift Alerts — Immediate notification when a passing control regresses, severity-based alerting (critical, high, medium, low), integration with email, Teams, and webhook notifications, auto-remediation options for common drift scenarios.
- Multi-Tenant Oversight — Aggregate SOC 2 posture view across all managed tenants, per-client compliance dashboards for reporting, comparative benchmarking between similar tenants, bulk policy enforcement for consistent control coverage.
Compliance Status Indicators
Each SOC 2 control is assigned a status based on the automated assessment of M365 tenant configurations.
- Compliant — Control is fully implemented and operating as expected.
- Partial — Control is partially implemented or requires manual verification.
- Non-Compliant — Control is not implemented or is failing validation.
- Not Applicable — Control is excluded based on scope or services used.
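The drift detection and status assignment described in the two sections above, as an added example that is not OpsPilot365 code. The snapshot layout, the four check rules, the pass thresholds and the per-control severities are assumptions chosen for illustration; the control IDs follow the mapping table on this page. Two constructed tenant snapshots are embedded: the current one has the MFA Conditional Access policy moved to report-only and the Unified Audit Log switched off, so two previously passing controls regress.

```python
"""Status evaluation and drift alerting over M365 configuration snapshots.

Added example, not OpsPilot365 code. Snapshot fields, check rules, thresholds
and severities are assumptions made for illustration.
"""
from enum import Enum


class Status(str, Enum):
    COMPLIANT = "Compliant"
    PARTIAL = "Partial"
    NON_COMPLIANT = "Non-Compliant"
    NOT_APPLICABLE = "Not Applicable"


# Assumed drift severity per control (not from the page).
SEVERITY = {"CC6.1": "critical", "CC6.2": "high", "CC5.2": "high", "CC7.2": "medium"}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def check_cc61(snap):
    """CC6.1: an enforced Conditional Access policy must require MFA for all users."""
    mfa_policies = [p for p in snap["conditional_access"]
                    if "mfa" in p["grant_controls"] and p["users"] == "all"]
    if any(p["state"] == "enabled" for p in mfa_policies):
        return Status.COMPLIANT
    if any(p["state"] == "report_only" for p in mfa_policies):
        return Status.PARTIAL  # designed but not yet enforced
    return Status.NON_COMPLIANT


def check_cc62(snap):
    """CC6.2: MFA registration coverage across users (thresholds are assumed)."""
    pct = snap["mfa_registered_pct"]
    if pct >= 99.0:
        return Status.COMPLIANT
    if pct >= 90.0:
        return Status.PARTIAL
    return Status.NON_COMPLIANT


def check_cc72(snap):
    """CC7.2: the Unified Audit Log must be enabled so activity can be monitored."""
    return Status.COMPLIANT if snap["unified_audit_log_enabled"] else Status.NON_COMPLIANT


def check_cc52(snap):
    """CC5.2: at least one DLP policy in enforce mode; Not Applicable if DLP is not licensed."""
    if not snap["dlp_licensed"]:
        return Status.NOT_APPLICABLE
    modes = {p["mode"] for p in snap["dlp_policies"]}
    if "enforce" in modes:
        return Status.COMPLIANT
    if "test" in modes:
        return Status.PARTIAL
    return Status.NON_COMPLIANT


CHECKS = {"CC6.1": check_cc61, "CC6.2": check_cc62, "CC7.2": check_cc72, "CC5.2": check_cc52}


def assess(snap):
    """Run every check against one tenant snapshot -> {control_id: Status}."""
    return {cid: fn(snap) for cid, fn in CHECKS.items()}


def detect_drift(baseline, current):
    """Alerts for controls that passed in the baseline but no longer pass,
    ordered by severity so critical regressions surface first."""
    alerts = []
    for cid, before in baseline.items():
        after = current[cid]
        if before == Status.COMPLIANT and after != Status.COMPLIANT:
            alerts.append({"control": cid, "severity": SEVERITY.get(cid, "low"),
                           "from": before.value, "to": after.value})
    alerts.sort(key=lambda a: SEVERITY_RANK[a["severity"]])
    return alerts


# Constructed snapshots: the baseline passes everything except CC6.2 (Partial);
# in the current snapshot the MFA policy is report-only and audit logging is off.
BASELINE = {
    "conditional_access": [{"name": "Require MFA - all users", "state": "enabled",
                            "grant_controls": ["mfa"], "users": "all"}],
    "mfa_registered_pct": 96.5,
    "unified_audit_log_enabled": True,
    "dlp_licensed": True,
    "dlp_policies": [{"name": "PII - Exchange", "mode": "enforce"}],
}
CURRENT = {**BASELINE,
           "conditional_access": [{**BASELINE["conditional_access"][0], "state": "report_only"}],
           "unified_audit_log_enabled": False}

if __name__ == "__main__":
    for alert in detect_drift(assess(BASELINE), assess(CURRENT)):
        print(f"[{alert['severity'].upper()}] {alert['control']}: {alert['from']} -> {alert['to']}")
```

Only regressions from Compliant raise an alert; a control that moves from Partial to Compliant is an improvement and is left to the trend report, which keeps the alert channel reserved for the events an auditor would treat as a finding.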
Evidence Requirements
SOC 2 auditors require specific evidence for each control. OpsPilot365 automates evidence collection from Microsoft 365 APIs and organizes it by criterion.
| Evidence Type | Source | Collection | Retention |
|---|---|---|---|
| Conditional Access Policy exports | Microsoft Graph API | Automated, daily | 12 months |
| MFA registration and enforcement reports | Entra ID Reports | Automated, daily | 12 months |
| Audit log exports | M365 Unified Audit Log | Automated, continuous | 12 months |
| DLP policy configurations | Security & Compliance Center | Automated, weekly | 12 months |
| Admin role assignment history | Entra ID PIM | Automated, daily | 12 months |
| Configuration change logs | OpsPilot365 Drift Detection | Automated, continuous | 12 months |
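The evidence table above lists what is collected; an auditor also needs assurance that a package has not changed between collection and review. The following is an added example, not OpsPilot365 code, of how a timestamped evidence package can be sealed: each artifact is hashed, the manifest (tenant, audit period, collection time, per-artifact hash and criterion) is canonicalised and authenticated with an HMAC, and a verifier reports any artifact that was altered, removed or added after sealing. The artifact names, contents and the signing key are constructed placeholders.

```python
"""Sealing and verifying a SOC 2 evidence package.

Added example, not OpsPilot365 code. Artifacts and the key are placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Placeholder key for the example only; a deployment would keep this in a secrets store.
MANIFEST_KEY = b"example-key-not-for-production"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    # Deterministic serialisation so the HMAC does not depend on key order or whitespace.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def build_package(tenant_id, period_start, period_end, artifacts, collected_at=None):
    """artifacts: {filename: (criterion, content_bytes)} -> (manifest, signature_hex)."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
    manifest = {
        "tenant_id": tenant_id,
        "audit_period": {"start": period_start, "end": period_end},
        "collected_at": collected_at,
        "artifacts": {name: {"criterion": crit, "sha256": _sha256(body), "size": len(body)}
                      for name, (crit, body) in sorted(artifacts.items())},
    }
    signature = hmac.new(MANIFEST_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    return manifest, signature


def verify_package(manifest, signature, artifacts):
    """Return a list of problems; an empty list means the package is intact."""
    problems = []
    expected = hmac.new(MANIFEST_KEY, _canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        problems.append("manifest: signature mismatch (manifest edited or wrong key)")
    for name, entry in manifest["artifacts"].items():
        if name not in artifacts:
            problems.append(f"{name}: missing from package")
        elif _sha256(artifacts[name][1]) != entry["sha256"]:
            problems.append(f"{name}: content hash mismatch")
    for name in artifacts:
        if name not in manifest["artifacts"]:
            problems.append(f"{name}: not listed in manifest")
    return problems


# Constructed artifacts standing in for real exports; criteria follow the page's mapping.
ARTIFACTS = {
    "conditional_access_policies.json": ("CC6.1", b'[{"displayName":"Require MFA","state":"enabled"}]'),
    "mfa_registration_report.csv": ("CC6.2", b"user,registered\nalice@example.com,true\n"),
    "audit_log_sample.jsonl": ("CC7.2", b'{"Operation":"Set-AdminAuditLogConfig"}\n'),
}


def run_demo():
    """Seal the constructed package, then show the three failure modes the verifier catches."""
    manifest, sig = build_package("tenant-001", "2024-01-01", "2024-06-30", ARTIFACTS,
                                  collected_at="2024-07-01T00:00:00+00:00")
    intact = verify_package(manifest, sig, ARTIFACTS)
    tampered = verify_package(manifest, sig,
                              {**ARTIFACTS, "audit_log_sample.jsonl": ("CC7.2", b"edited")})
    missing = verify_package(manifest, sig,
                             {k: v for k, v in ARTIFACTS.items() if k != "mfa_registration_report.csv"})
    edited = {**manifest, "audit_period": {**manifest["audit_period"], "end": "2024-12-31"}}
    manifest_edited = verify_package(edited, sig, ARTIFACTS)
    return intact, tampered, missing, manifest_edited


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "missing", "manifest edited"), run_demo()):
        print(f"{label}: {result or 'ok'}")
```

The HMAC covers the manifest rather than the raw files, so a single short value proves both the content hashes and the stated audit period; stretching the period after the fact is caught the same way as editing a log sample.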
Audit Readiness Reporting
Generate comprehensive audit packages for SOC 2 auditors directly from the Trust Center dashboard.
- Readiness Assessment Report — Pre-audit gap analysis showing which controls are fully implemented, partially implemented, or missing. Includes remediation recommendations with estimated effort.
- Evidence Package Export — Bundled evidence artifacts organized by SOC 2 criterion. Includes configuration snapshots, policy exports, audit log samples, and trend data covering the full observation period.
- Control Narrative Templates — Auto-generated control descriptions based on tenant configuration, suitable for inclusion in the SOC 2 report. Narratives are pre-mapped to each Trust Service Criterion.
- Exception Tracking — Document and track control exceptions with compensating controls, risk acceptance notes, and management sign-off workflows.
Note: For clients pursuing SOC 2 Type II for the first time, use the Readiness Assessment to establish a baseline, then enable continuous monitoring for a minimum of six months before the formal audit. This builds the historical evidence trail auditors require and helps identify and resolve control drift before it becomes a finding.
API Reference
- GET /api/addons/trust-center/frameworks/soc2/status — Get SOC 2 compliance status summary for a tenant
- GET /api/addons/trust-center/frameworks/soc2/controls — List all SOC 2 controls with current assessment results
- GET /api/addons/trust-center/frameworks/soc2/criteria/:criterionId — Get detailed status for a specific Trust Service Criterion
- POST /api/addons/trust-center/frameworks/soc2/scan — Trigger a SOC 2 compliance scan for the specified tenant
- GET /api/addons/trust-center/frameworks/soc2/evidence — Export evidence package for a specified audit period
- GET /api/addons/trust-center/frameworks/soc2/readiness — Generate audit readiness assessment report
- GET /api/addons/trust-center/frameworks/soc2/history — Retrieve historical compliance scores for Type II trend analysis
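A small client for the endpoints listed above, together with a check on the history series it returns, as an added example that is not OpsPilot365 client code. The page documents the paths only, so the following are assumptions: bearer-token authentication, the tenant selected with a `tenantId` query parameter, the `:criterionId` path parameter substituted directly, and `/history` returning a JSON list of `{"date": "YYYY-MM-DD", "score": <number>}` points. The host name is a placeholder, and an offline recording transport stands in for the HTTP layer so the block runs without a tenant. The observation-window check applies the page's Type II requirement: the series must span at least six months and must not have gaps, since Type II evidence has to be continuous (the maximum tolerated gap is an assumed parameter).

```python
"""Client for the SOC 2 endpoints above plus a Type II observation-window check.

Added example, not OpsPilot365 code. Auth scheme, tenantId parameter, response
shapes and the placeholder host are assumptions.
"""
import calendar
import json
import urllib.request
from datetime import date, timedelta
from urllib.parse import urlencode

BASE = "https://opspilot365.example/api/addons/trust-center/frameworks/soc2"  # placeholder host


def _default_fetch(method, url, token, body=None):
    """Real transport: JSON over HTTPS with a bearer token (assumed auth scheme)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


class RecordingTransport:
    """Offline stand-in for _default_fetch: records calls and returns canned JSON by path."""
    def __init__(self, responses):
        self.responses, self.calls = responses, []

    def __call__(self, method, url, token, body=None):
        self.calls.append((method, url, body))
        path = url.split("/soc2", 1)[1].split("?", 1)[0]
        return self.responses[path]


class Soc2Client:
    def __init__(self, token, tenant_id, fetch=_default_fetch, base=BASE):
        self.token, self.tenant_id, self.fetch, self.base = token, tenant_id, fetch, base

    def _url(self, path, **params):
        return f"{self.base}{path}?{urlencode({'tenantId': self.tenant_id, **params})}"

    def status(self):
        return self.fetch("GET", self._url("/status"), self.token)

    def criterion(self, criterion_id):
        return self.fetch("GET", self._url(f"/criteria/{criterion_id}"), self.token)

    def trigger_scan(self):
        return self.fetch("POST", self._url("/scan"), self.token, body={"tenantId": self.tenant_id})

    def history(self, start, end):
        return self.fetch("GET", self._url("/history", start=start, end=end), self.token)


def _add_months(d, n):
    month = d.month - 1 + n
    year, month = d.year + month // 12, month % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def observation_window_ready(history, min_months=6, max_gap_days=7):
    """(ready, reason): the series must span >= min_months and have no gap > max_gap_days."""
    if len(history) < 2:
        return False, "fewer than two data points"
    days = sorted(date.fromisoformat(p["date"]) for p in history)
    if days[-1] < _add_months(days[0], min_months):
        return False, f"series spans {days[0]} to {days[-1]}, less than {min_months} months"
    worst = max((b - a).days for a, b in zip(days, days[1:]))
    if worst > max_gap_days:
        return False, f"evidence gap of {worst} days exceeds {max_gap_days}"
    return True, f"continuous evidence from {days[0]} to {days[-1]}"


def make_history(start, end, gap_start=None, gap_days=0):
    """Constructed daily score series; gap_start/gap_days remove days to simulate a collection outage."""
    d, stop, out = date.fromisoformat(start), date.fromisoformat(end), []
    gap = (date.fromisoformat(gap_start), timedelta(days=gap_days)) if gap_start else None
    while d <= stop:
        if not (gap and gap[0] <= d < gap[0] + gap[1]):
            out.append({"date": d.isoformat(), "score": 90})
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    transport = RecordingTransport({"/scan": {"accepted": True},
                                    "/history": make_history("2024-01-01", "2024-07-10")})
    client = Soc2Client("TOKEN", "tenant-001", fetch=transport)
    client.trigger_scan()
    print(observation_window_ready(client.history("2024-01-01", "2024-07-10")))
```

Running the window check before requesting the evidence export avoids handing an auditor a package whose history starts too late or has an outage in the middle; both conditions are reported with the dates involved so the gap can be explained or the observation period extended.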