Your SOC 2 Audit Is in 90 Days. Your Policies Are a Mess.
You just got the calendar invite: SOC 2 Type II audit kicks off in three months. Your auditor wants to see documented policies, controls, and evidence. You open the company SharePoint and find a collection of Word documents last updated two years ago, each running 30+ pages, with no clear mapping to SOC 2 Trust Service Criteria.
This is where most compliance teams panic. And it's where the traditional approach to governance — writing big policy documents and hoping they cover everything — falls apart.
There's a better way. Instead of scrambling to rewrite monolithic policies, you can build your SOC 2 compliance program from governance statements: discrete, auditable requirements that map directly to Trust Service Criteria.
What SOC 2 Actually Requires
SOC 2 is built around five Trust Service Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Each category contains specific criteria — CC1 through CC9 for Security (the Common Criteria), plus additional criteria for each optional category.
Here's what auditors actually evaluate:
| Evaluation Area | What the Auditor Looks For |
|---|---|
| Policies | Documented statements of management intent |
| Controls | Mechanisms that enforce those policies |
| Evidence | Proof that controls operate effectively |
| Monitoring | Ongoing oversight of control performance |
The critical insight: auditors don't grade the quality of your policy documents. They grade whether your organization has clearly stated requirements and can demonstrate that those requirements are being followed.
This is exactly what governance statements are designed for.
From Monolithic Policies to Individual Statements
A traditional SOC 2 policy document might have a section on access control that reads like a 5-page essay. Buried inside are dozens of individual requirements — password complexity, access reviews, least privilege, segregation of duties — all tangled together.
A statement-first approach extracts each requirement into a standalone, trackable unit:
"Access to production systems must be restricted to authorized personnel using role-based access controls, reviewed quarterly by system owners."
"Multi-factor authentication must be enforced for all remote access and privileged account access."
"Terminated employees must have all system access revoked within 24 hours of separation."
Each statement is atomic. Each can be assigned an owner. Each can be mapped to one or more Trust Service Criteria. Each can have evidence attached independently.
Why This Matters for SOC 2
SOC 2 criteria are granular. CC6.1 alone covers logical and physical access controls, and an auditor will check multiple sub-requirements within it. When your governance lives as individual statements, the mapping is direct:
| Trust Service Criteria | Example Governance Statement |
|---|---|
| CC6.1 (Logical Access) | "Role-based access controls must be implemented for all information systems." |
| CC6.2 (Access Provisioning) | "System access must be provisioned through a documented approval workflow." |
| CC6.3 (Access Removal) | "Access must be revoked within 24 hours of role change or termination." |
| CC7.2 (Monitoring) | "Security events must be logged and reviewed daily by the security operations team." |
| CC8.1 (Change Management) | "All changes to production systems must follow the documented change control process." |
No ambiguity. No flipping through a 40-page document to find the relevant section. The auditor sees a statement, sees its mapping, and asks for evidence. Done.
Building Your SOC 2 Statement Library
Here's a practical approach to building SOC 2-ready governance statements from scratch — or refactoring existing policies into statements.
Step 1: Inventory Your Trust Service Criteria
Start with the criteria you need. Every SOC 2 report requires Security (Common Criteria). Add Availability, Processing Integrity, Confidentiality, or Privacy based on your service commitments.
For each criterion, list the specific sub-requirements. AICPA's Trust Services Criteria documentation provides these, and your auditor can confirm which apply to your scope.
Step 2: Draft Statements for Each Sub-Requirement
Write one statement per sub-requirement. Each statement should follow a clear structure:
- Subject: Who or what the statement applies to
- Action: What must be done
- Condition: When, how often, or under what circumstances
- Standard: The measurable threshold or method
For example, CC6.1 might generate 5-8 individual statements covering role-based access, authentication mechanisms, network segmentation, and physical access. Each is a standalone governance statement.
Step 3: Assign Ownership and Maturity
Every statement needs an owner — the person accountable for compliance. For SOC 2, this often maps to functional roles:
- Access control statements: IT Security Manager
- Change management statements: Engineering Lead
- Incident response statements: CISO or Security Operations
- HR-related statements: HR Director
Assign a maturity level to each statement based on current compliance status. This gives you an honest assessment of readiness. A statement at the "foundational" level means the requirement is documented but not yet consistently enforced. One at "advanced" means it's automated and regularly evidenced.
Step 4: Assemble into Policies
Once you have individual statements, assemble them into the policy documents your organization needs. A single "Information Security Policy" becomes an assembly of 30-50 statements covering access control, encryption, incident response, and monitoring.
The difference from the traditional approach: the policy document is now a view into your governance, not the governance itself. The statements are the source of truth.
Step 5: Map and Cross-Reference
Map each statement to its Trust Service Criteria. Many statements will map to multiple criteria — an encryption statement might satisfy both CC6.7 (data protection) and C1.1 (confidentiality).
This cross-referencing is where the statement-first approach pays dividends. In a document-centric model, showing that CC6.7 is covered requires searching through multiple policy documents. In a statement-first model, you query the mapping directly.
Handling the Multi-Framework Challenge
Most organizations pursuing SOC 2 also face other compliance requirements — ISO 27001, HIPAA, PCI DSS, or industry-specific regulations. The statement-first approach solves the multi-framework problem elegantly.
A single governance statement like "Data at rest must be encrypted using AES-256 or equivalent" can be mapped to:
- SOC 2 CC6.7
- ISO 27001 A.10.1.1
- HIPAA 164.312(a)(2)(iv)
- PCI DSS 3.4
One statement. One owner. One evidence collection process. Four framework mappings.
Organizations using a governance statement library maintain these mappings centrally. When a framework updates its requirements, you update the mapping — not a dozen policy documents.
Common SOC 2 Gaps That Statements Prevent
Working with audit firms reveals recurring gaps in SOC 2 readiness. Statement-first governance prevents most of them:
Gap: Risk assessment not tied to controls. When governance statements are mapped to both risks and controls, the traceability is built in. Each statement connects a risk (unauthorized access) to a control (quarterly access reviews).
Gap: Policies exist but aren't enforced. Individual statements with assigned owners and maturity levels make enforcement visible. A statement at "foundational" maturity is an honest admission — and an actionable improvement item.
Gap: Evidence is scattered. When each statement is an independent tracking unit, evidence collection becomes systematic. Statement owners know exactly what evidence they need to produce.
Gap: Changes aren't reflected in documentation. Statement-level versioning means changes are granular and auditable. You can see exactly when a requirement changed, who approved it, and what the previous version said.
Preparing for Your Audit
With governance statements in place, SOC 2 audit preparation becomes structured:
-
Run a coverage check. For each Trust Service Criterion in scope, verify that at least one governance statement maps to it. Gaps here mean missing controls.
-
Assess maturity levels. Statements at "foundational" maturity may not satisfy an auditor who wants to see operational effectiveness. Prioritize advancing these to "intermediate" or above.
-
Collect evidence per statement. For each statement, document the evidence that demonstrates compliance. Screenshots, system configurations, access review logs, change records — each tied to a specific statement.
-
Prepare your control matrix. Your auditor will want a mapping of controls to criteria. With statement-based governance, this matrix generates itself from the existing mappings.
Getting Started
If you're facing an upcoming SOC 2 audit — or building your compliance program proactively — the shift from document-centric to statement-first governance is the highest-leverage change you can make.
You don't need to rewrite everything at once. Start with your highest-risk area (usually access control or change management), extract the individual requirements as statements, and build from there.
Dictiva provides a pre-built library of governance statements mapped to SOC 2 Trust Service Criteria, so you can start with expert-crafted statements and customize them for your organization. Explore the statement-first approach and see how it transforms compliance from a document chase into a structured, auditable program.