What it is
SOC 2 is the most-requested attestation for SaaS and service organizations — but unlike CIS Microsoft 365 or CISA SCuBA, it isn't a "scannable" framework. SOC 2 is a set of Trust Services Criteria (TSC) an auditor evaluates against your control environment. TATER makes SOC 2 first-class by crosswalking the criteria to the control checks it already evaluates, so a SOC 2 readiness view is computed from your existing scans — no new scanning, no separate framework to run.
Because the coverage is derived from the controls TATER already tracks, the moment your latest M365 cloud scan lands, your SOC 2 readiness updates with it.
The Trust Services Criteria
A SOC 2 report always covers the mandatory Common Criteria (Security) and may add any of four optional categories the service organization elects:
| Category | Criteria | What it covers |
|---|---|---|
| Common Criteria (CC) — mandatory | CC1–CC9 | Control environment, communication, risk assessment, monitoring, control activities, logical & physical access, system operations, change management, and risk mitigation. |
| Availability (A1) | A1.1–A1.3 | Capacity, environmental protections, backup/recovery, and recovery testing. |
| Confidentiality (C1) | C1.1–C1.2 | Identifying, protecting, and disposing of confidential information. |
| Processing Integrity (PI1) | PI1.x | Complete, accurate, timely, and authorized processing. |
| Privacy (P) | P1–P8 | Notice, choice, collection, use, retention, disclosure, and disposal of personal information. |
How the crosswalk works
Each criterion maps to zero or more of the M365 control checks TATER evaluates in a Cloud Graph scan. For example:
- CC6.1 — Logical access / authentication ← MFA for all users + admins, MFA via Conditional Access, legacy-auth blocking, FIDO2 / phishing-resistant methods.
- CC6.3 — Role-based access & least privilege ← limited Global Admins, Privileged Identity Management in use, privileged-role review, access reviews.
- CC6.7 — Transmission of information ← DLP / sensitivity labels, external-sharing limits, mail-forwarding controls, device encryption.
- CC7.2 — Anomaly monitoring ← sign-in/audit logs, risky-user detection, mailbox auditing, log retention.
- C1.1 — Confidential information ← sensitivity labels, Customer Lockbox.
A criterion's automated coverage = passing mapped checks ÷ resolvable mapped checks. A verified or risk-accepted override counts the mapped check as satisfied, exactly as it does on your compliance dashboard.
Criteria that have no automated mapping (e.g. CC1.1 "commitment to integrity," CC9.1 "business-disruption mitigation") are flagged auditor-attested — they're surfaced so nothing is silently dropped, but they must be evidenced manually in your SOC 2 audit with policies, BCP/DR plans, vendor reviews, and the like.
Reading your readiness
- Overall automated readiness % — the mean coverage across all criteria that have an automated signal.
- By category — readiness per Trust Services Category, so you can see at a glance whether your Common Criteria, Availability, or Confidentiality coverage is where it needs to be.
- Per criterion — coverage %, the count of evidencing checks passing, and a Strong / Partial / Weak / Manual status.
Because the readiness is computed from your latest cloud scan, the report header tells you which scan it's based on — and prompts you to run a Cloud Graph scan if none with SOC 2-mapped checks exists yet.
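The coverage rule above (passing mapped checks ÷ resolvable mapped checks, overrides counted as satisfied, unmapped criteria flagged auditor-attested) and the three readiness roll-ups can be worked through in a few dozen lines. The following is an added illustration, not TATER's own code: the crosswalk entries paraphrase the page's examples, but the check IDs, scan results, override entries, data shapes, and the Strong / Partial / Weak thresholds (80% and 50%) are all constructed assumptions for this example.

```python
"""Added example (not TATER's code): compute a SOC 2 readiness view from a
criterion -> check crosswalk plus scan results and overrides.

Assumed, not from the page: the dict shapes below, the check IDs, and the
Strong (>= 80%) / Partial (>= 50%) / Weak thresholds.
"""
from statistics import mean

# Constructed crosswalk: criterion -> mapped control check IDs (IDs are invented;
# the check names paraphrase the page's CC6.1 / CC6.3 / CC7.2 / C1.1 examples).
CROSSWALK = {
    "CC6.1": ["mfa_all_users", "mfa_conditional_access",
              "legacy_auth_blocked", "phishing_resistant_mfa"],
    "CC6.3": ["limited_global_admins", "pim_in_use",
              "privileged_role_review", "access_reviews"],
    "CC7.2": ["audit_logs_enabled", "risky_user_detection",
              "mailbox_auditing", "log_retention"],
    "C1.1": ["sensitivity_labels", "customer_lockbox"],
    "CC1.1": [],   # no automated mapping -> auditor-attested
    "CC9.1": [],   # no automated mapping -> auditor-attested
}

# Constructed scan results: check ID -> "pass" | "fail" | "unresolvable".
SCAN = {
    "mfa_all_users": "pass", "mfa_conditional_access": "pass",
    "legacy_auth_blocked": "fail", "phishing_resistant_mfa": "fail",
    "limited_global_admins": "pass", "pim_in_use": "fail",
    "privileged_role_review": "unresolvable", "access_reviews": "fail",
    "audit_logs_enabled": "pass", "risky_user_detection": "pass",
    "mailbox_auditing": "pass", "log_retention": "pass",
    "sensitivity_labels": "pass", "customer_lockbox": "fail",
}

# Constructed overrides: check ID -> "verified" | "risk-accepted".
OVERRIDES = {"legacy_auth_blocked": "risk-accepted"}

# Criterion prefix -> Trust Services Category (names from the page's table).
CATEGORY_OF_PREFIX = {"CC": "Common Criteria", "A": "Availability",
                      "C": "Confidentiality", "PI": "Processing Integrity",
                      "P": "Privacy"}


def category(criterion):
    """'CC6.1' -> 'Common Criteria', 'PI1.2' -> 'Processing Integrity', 'P3' -> 'Privacy'."""
    prefix = criterion.split(".")[0].rstrip("0123456789")
    return CATEGORY_OF_PREFIX[prefix]


def criterion_coverage(criterion, crosswalk=CROSSWALK, scan=SCAN, overrides=OVERRIDES):
    """Return (coverage, passing, resolvable), or None when the criterion has no
    automated signal (no mapped checks, or none of them resolvable)."""
    passing = resolvable = 0
    for check in crosswalk.get(criterion, []):
        if check in overrides:          # verified / risk-accepted => satisfied
            passing += 1
            resolvable += 1
            continue
        result = scan.get(check, "unresolvable")
        if result == "unresolvable":    # excluded from the denominator
            continue
        resolvable += 1
        if result == "pass":
            passing += 1
    if resolvable == 0:
        return None
    return passing / resolvable, passing, resolvable


def status_of(coverage):
    """Map coverage to the page's Strong / Partial / Weak / Manual status (thresholds assumed)."""
    if coverage is None:
        return "Manual"
    if coverage >= 0.8:
        return "Strong"
    if coverage >= 0.5:
        return "Partial"
    return "Weak"


def readiness(crosswalk=CROSSWALK, scan=SCAN, overrides=OVERRIDES):
    """Build the per-criterion, per-category and overall readiness view."""
    per_criterion = {}
    for crit in crosswalk:
        cov = criterion_coverage(crit, crosswalk, scan, overrides)
        coverage = None if cov is None else cov[0]
        per_criterion[crit] = {
            "coverage": coverage,
            "passing": 0 if cov is None else cov[1],
            "resolvable": 0 if cov is None else cov[2],
            "status": status_of(coverage),
        }
    # Only criteria with an automated signal feed the averages.
    automated = {c: v["coverage"] for c, v in per_criterion.items()
                 if v["coverage"] is not None}
    by_category = {}
    for crit, cov in automated.items():
        by_category.setdefault(category(crit), []).append(cov)
    return {
        "overall": mean(automated.values()) if automated else None,
        "by_category": {cat: mean(vals) for cat, vals in by_category.items()},
        "per_criterion": per_criterion,
        "auditor_attested": sorted(c for c, v in per_criterion.items()
                                   if v["coverage"] is None),
    }


if __name__ == "__main__":
    view = readiness()
    print(f"Overall automated readiness: {view['overall']:.0%}")
    for cat, val in view["by_category"].items():
        print(f"  {cat}: {val:.0%}")
    for crit, row in view["per_criterion"].items():
        cov = "n/a" if row["coverage"] is None else f"{row['coverage']:.0%}"
        print(f"  {crit}: {cov} ({row['passing']}/{row['resolvable']}) {row['status']}")
    print("Auditor-attested:", ", ".join(view["auditor_attested"]))
```

In the sample data the risk-accepted override lifts CC6.1 to 3 of 4 (Partial) even though the legacy-auth check itself failed, the unresolvable privileged-role review drops out of CC6.3's denominator (1 of 3, Weak), and CC1.1 and CC9.1 appear only in the auditor-attested list, never in the averages.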
Where to find it
- TATER Insights — the SOC 2 Readiness (Trust Services Criteria) report (Compliance category) gives the full per-criterion table, a category readiness bar chart, and an auditor-attested gap notice. Schedule it to your inbox, or export it to share with your auditor.
- MCP — your AI agent (Claude, Copilot, …) can answer "how SOC 2-ready are we?" with the get_soc2_posture tool. Ask it to "summarize our SOC 2 readiness by Trust Services Category and list the gaps," and it will cite the evidencing checks and the auditor-attested criteria. The crosswalk itself is available via GET /api/soc2/crosswalk.
Using it for an audit
- Run a Cloud Graph scan so the criteria with automated signals are current.
- Open the SOC 2 Readiness report and work the Weak and Partial criteria first — each lists the exact controls to remediate.
- For the auditor-attested criteria, attach your evidence in the related modules — policies, BCP/DR plans, vendor reviews, the risk register, and access reviews — so you walk into the audit with both the automated coverage and the manual evidence assembled.
Roles
Auditor and Admin can view the SOC 2 crosswalk and the computed posture. The readiness is read-only — it reflects your scans and overrides; you change it by remediating controls or recording verified/risk-accepted overrides, not by editing the SOC 2 view directly.