SOC 2 Fundamentals
An introduction to the System and Organization Control (SOC) 2 Information Security framework.
Course Highlights
In this course, you will learn what the SOC 2 framework is about, the benefits of the certification, and the importance of compliance and information security.
Course Features
- Understanding SOC 2
- Project Scope
- Risk assessment, Policies and Controls
- Costs and choosing the right auditor
- Preparing for a SOC 2 audit

Leonardo Soto
Instructor
Leonardo is an IT management professional focused on cybersecurity, compliance and digital transformation. His expertise includes IT project management, digital transformation, and preparing companies for information security audits, such as SOC 2, ISO 27001, and HIPAA.
- 20 hours of instructor-led classes
- Online instruction
- Certificate of Completion
- 2300 per participant
Course Synopsis
Upon the successful completion of this course, each participant will possess the skills and knowledge to support any business organization in establishing an Information Security program that leads to a SOC 2 certification.
This unique training is unlike any training offered to employees and managers in the area of information security. Successful ‘graduates’ will become coveted amongst companies for their specialized knowledge of compliance, information security, and privacy.
Having employees with this specialized knowledge also helps companies keep information safe. This training assists in raising the level of information security in the companies where they work.
Course Content
Day 1 – 9:00 AM to 12:00 PM – Instructor Led
Day 1 introduces the participants to the SOC 2 framework standard and the importance of information security. The participants will also explore the impact of SOC 2 on a business operation and how the components of SOC 2 help protect information assets.
Learning outcomes
Unit 01 – What is SOC 2, and why does it matter?
- The SOC 2 Standard definition
- The role of the American Institute of Certified Public Accountants (AICPA)
- The goal of SOC 2 Audits
Unit 02 – Why is SOC 2 important for your business?
- Compliance considerations
- Information security considerations
- Business considerations
Unit 03 – What Are the Components of SOC 2?
- Policies
- Controls
- Evidence
Activities and Exercises – 1:00 PM to 4:00 PM – Independent work
- Describe the impact a SOC 2 certification can have on your business
- List the information security policies your company currently has
Day 2 – 9:00 AM to 12:00 PM – Instructor Led
On Day 2, the participants will understand the difference between SOC 2 Type 1 and SOC 2 Type 2 audits. We will define the four Trust Service Criteria (TSC) and how SOC 2 addresses trust for different products and services. By understanding the TSCs, the participants can scope a SOC 2 project according to the company’s needs.
Learning outcomes
Unit 04 – SOC 2 Type 1 Versus Type 2
- SOC 2 Type 1 definition
- SOC 2 Type 2 definition
Unit 05 – Trust Service Criteria (TSC)
- Availability
- Processing integrity
- Confidentiality
- Privacy
Unit 06 – Scoping your SOC 2 Project
- Define your landscape
- Define your controls
Activities and Exercises – 1:00 PM to 4:00 PM – Independent work
- Discuss which SOC 2 Type is more appropriate for your company
- Make a list of the types of personal information your company collects
- Which Trust Service Criteria should be included in your audit?
Day 3 – 9:00 AM to 12:00 PM – Instructor Led
On Day 3, the participants will learn to identify risks that could expose information assets. They will also learn the different threat vectors and vulnerabilities, such as vendors’ supply chains. We will discuss mitigating, accepting, transferring, or avoiding risks. Finally, we will see how robust policies and controls are essential to the information security program, and how evidence is collected for a SOC 2 audit.
Learning outcomes
Unit 07 – The SOC 2 Risk Assessment
- SOC 2 Risk Assessments must have clearly defined objectives
- Identifying and assessing risks against the organization’s objectives
- Identifying and evaluating the criticality of information assets
- Threats and vulnerabilities from vendors and other parties
- Responding to risks: Mitigate, Accept, Transfer, Avoid
Unit 08 – Creating SOC 2 Policies, Controls and Evidence Tasks
- Writing and updating your policies
- Designing and implementing controls
- Evidence collection
- SOC 2 Type 1 and Type 2 evidence collection
Activities and Exercises – 1:00 PM to 4:00 PM – Independent work
- Find examples of Information Security policies
- List some of the controls that are important to your company
Day 4 – 9:00 AM to 12:00 PM – Instructor Led
On Day 4, we will discuss the cost of a SOC 2 audit and how the cost is distributed across the project’s three phases. The participants will also learn about the auditor’s role and how to select one. We will also explore cost-saving tools, such as automated evidence collection.
Learning outcomes
Unit 09 – SOC 2 Costs Explained
- Phase 1: SOC 2 Risk Assessment cost
- Phase 2: SOC 2 Audit Readiness cost
- Phase 3: The SOC 2 Audit cost
Unit 10 – How Long Does SOC 2 Take?
- Without automation
- With automation
Unit 11 – How to Select the Right Auditor
- Criteria for Choosing an Auditor
Activities and Exercises – 1:00 PM to 4:00 PM – Independent work
- Interview your accountant to determine if they can be a SOC 2 auditor
- Prepare a rough budget for a SOC 2 certification program
Day 5 – 9:00 AM to 12:00 PM – Instructor Led
On Day 5, the participants will learn about the Readiness Assessment as the first step in preparing for a SOC 2 audit. They will also learn the difference between preparing for a SOC 1 versus a SOC 2 audit. We will review a SOC 2 Report and learn how to read and interpret the report’s five sections.
Learning outcomes
Unit 12 – Your SOC 2 Audit: What to Expect
- The Readiness Assessment
- Preparing for a SOC 2 Type 1 Versus a SOC 2 Type 2 Audit
Unit 13 – What Happens After I Get My SOC 2 Report?
- Understanding the SOC 2 Report
Activities and Exercises – 1:00 PM to 4:00 PM – Independent work
- Read Section 1 of the sample report supplied and be prepared to comment on it