The conference room was silent except for the tapping of pens on the mahogany table. I was sitting across from the executive team of a promising fintech startup, and I'd just delivered news they didn't want to hear: their SOC 2 audit had failed. Not because they lacked security tools—they had plenty. Not because their team wasn't talented—they were brilliant. They failed because their controls were poorly designed.
The CEO leaned forward. "We have firewalls, encryption, MFA... what more do they want?"
"They want controls that actually work," I said. "And more importantly, controls you can prove work."
That conversation happened in early 2020, and it marked a turning point in my approach to SOC 2 consulting. Over the past fifteen years, I've learned that control design isn't about implementing every possible security measure—it's about implementing the right measures in the right way, with the right evidence.
What Makes a SOC 2 Control "Well-Designed"?
Before we dive deep, let me share something that took me years to fully understand: SOC 2 auditors aren't looking for perfection. They're looking for three things:
Suitable Design: Does the control address the risk it's supposed to address?
Implementation: Is the control actually in place and functioning?
Operating Effectiveness: Does the control work consistently over time?
I once worked with a company that had implemented an elaborate access review process. Every quarter, managers would receive spreadsheets listing all user access rights. The manager would review and approve. Perfect, right?
Wrong.
During the audit, we discovered that managers were approving everything without actually reviewing. The control was designed. It was implemented. But it wasn't effective because it didn't account for human behavior.
"A control that looks good on paper but fails in practice is worse than no control at all—it creates a false sense of security while leaving you completely exposed."
The Five Trust Services Criteria: Your Foundation
SOC 2 is built on five Trust Services Criteria. Not every organization needs all five, but understanding each is crucial for proper control design.
Trust Service Criteria | Core Focus | When You Need It | Common Control Examples |
|---|---|---|---|
Security (Required) | Protection against unauthorized access | Always - this is mandatory for all SOC 2 audits | MFA, encryption, access controls, vulnerability management, incident response |
Availability | System uptime and accessibility | When customers depend on your system being operational | Monitoring, redundancy, disaster recovery, capacity planning, SLA tracking |
Processing Integrity | Complete, valid, accurate, and timely processing | When data accuracy directly impacts customer operations | Input validation, error handling, reconciliation, data quality checks |
Confidentiality | Protection beyond basic security | When handling proprietary customer information | NDAs, data classification, restricted access, secure disposal |
Privacy | Collection, use, retention, and disposal of personal information | When processing personal information subject to privacy commitments | Consent management, data subject rights, purpose limitation, retention schedules |
Here's a lesson from the field: I worked with a HR tech platform that initially thought they only needed Security criteria. During scoping, we realized their customers absolutely needed Availability (their system processes payroll—downtime means people don't get paid) and Privacy (they handle sensitive employee PII).
Starting with the wrong criteria would have meant months of wasted effort and a report that didn't meet customer needs.
The Anatomy of an Effective Control
Let me break down what makes a control actually work. I call this the "Five Elements of Control Design":
1. Clear Objective
Every control must have a specific, measurable objective. "Improve security" isn't an objective. "Prevent unauthorized access to customer data" is.
Bad Control Objective: "Implement access controls"
Good Control Objective: "Ensure that only authorized personnel with documented business need can access production databases containing customer data"
See the difference? The second one tells you exactly what you're trying to achieve, who should have access, and what you're protecting.
2. Defined Scope
I've seen organizations waste months implementing controls for systems that weren't even in scope for their audit.
A SaaS company I worked with had twenty-three different internal tools and applications. Only three of them touched customer data. We scoped the audit to those three systems, which reduced their control implementation workload by 65%.
System Type | In Scope for SOC 2? | Control Requirements |
|---|---|---|
Production systems handling customer data | ✅ Always | Full control implementation |
Systems with access to production (jumpboxes, admin tools) | ✅ Always | Access controls, logging, monitoring |
Development/test environments with NO production data | ❌ Usually not | Basic security hygiene only |
Internal HR/Finance systems (unless you're an HR/Finance service provider) | ❌ Usually not | Not required for SOC 2 |
Third-party services processing customer data | ✅ Indirect | Vendor management controls |
3. Responsible Parties
Every control needs an owner. Not "the security team." Not "IT." A specific person who is accountable.
I worked with a company where their access review control failed because "everyone thought someone else was doing it." We redesigned the control with:
Control Owner: CISO (overall accountability)
Control Operator: HR Manager (executes quarterly reviews)
Control Reviewer: VP of Engineering (validates completeness)
Escalation Point: CFO (handles exceptions)
After that change, the control never failed again.
4. Frequency and Timing
Controls must operate at the right frequency. Too frequent, and you waste resources. Too infrequent, and risks materialize before you detect them.
Control Type | Recommended Frequency | Reasoning |
|---|---|---|
User access provisioning | Real-time/immediate | Delays create security gaps or business disruption |
Failed login monitoring | Real-time/continuous | Attacks happen fast; delayed detection allows breach |
Vulnerability scanning | Weekly | New vulnerabilities emerge constantly |
Access reviews | Quarterly | Balances thoroughness with resource efficiency |
Disaster recovery testing | Semi-annually | Sufficient to validate without excessive disruption |
Security awareness training | Annually (minimum) | Knowledge decay; new hire onboarding |
Risk assessment | Annually | Business and threat landscape changes |
Penetration testing | Annually | Validates overall security posture |
I learned this lesson the hard way with a client who was doing access reviews monthly. It created such fatigue that managers stopped taking it seriously. We moved to quarterly reviews with more thorough processes, and effectiveness improved dramatically.
5. Evidence Generation
This is where most organizations fail. You might have the best control in the world, but if you can't prove it operates effectively, it doesn't count for SOC 2.
"In SOC 2 audits, if it isn't documented, it didn't happen. Your auditor isn't there to trust you—they're there to verify you."
Real-World Control Design: A Complete Example
Let me walk you through designing a complete control from scratch. This is based on a real engagement from 2022.
Scenario: A healthcare technology company needs to ensure that only authorized personnel can access electronic health records (EHR) in their system.
Step 1: Identify the Risk
Risk Statement: Unauthorized access to patient health records could result in HIPAA violations, loss of customer trust, and significant financial penalties.
Risk Impact: Critical Risk Likelihood: High (PHI is a prime target for attackers)
Step 2: Design Preventive Controls
These stop the risk from occurring:
Control ID | Control Description | Control Owner | Frequency | Evidence |
|---|---|---|---|---|
AC-001 | Access to EHR systems requires manager approval via ticketing system | IT Manager | Per request | Approved tickets showing request, business justification, and approval |
AC-002 | All EHR access requires MFA using hardware tokens or biometric authentication | Security Engineer | Continuous | MFA enforcement logs, configuration screenshots |
AC-003 | Role-based access control (RBAC) limits users to minimum necessary access | System Administrator | Per provisioning | Role definition documents, user-to-role mappings |
AC-004 | VPN required for all remote access to EHR systems | Network Administrator | Continuous | VPN access logs, configuration documentation |
Step 3: Design Detective Controls
These identify when something goes wrong:
Control ID | Control Description | Control Owner | Frequency | Evidence |
|---|---|---|---|---|
AC-005 | Automated alerting for failed login attempts (>5 in 15 minutes) | SOC Analyst | Real-time | SIEM alerts, incident tickets from alerts |
AC-006 | Daily review of privileged access logs | Security Manager | Daily | Log review documentation, sign-offs |
AC-007 | Quarterly access reviews by data owners | Department Heads | Quarterly | Access review reports, approval documentation, remediation tickets |
AC-008 | Monthly analysis of unusual access patterns using UEBA | Security Analyst | Monthly | UEBA reports, investigation documentation |
Step 4: Design Corrective Controls
These fix issues when detected:
Control ID | Control Description | Control Owner | Frequency | Evidence |
|---|---|---|---|---|
AC-009 | Automatic account lockout after 5 failed login attempts | System Administrator | Automatic | Lockout logs, configuration settings |
AC-010 | Access removal process when access review identifies unauthorized access | IT Manager | Within 24 hours | Remediation tickets, access removal logs |
AC-011 | Incident response procedure for suspected unauthorized access | Incident Response Team | Per incident | Incident response reports, timeline documentation |
Step 5: Implementation and Testing
Here's where theory meets reality. When we implemented these controls for the healthcare tech company, we discovered several gaps:
Gap 1: Managers were approving access requests without understanding what they were approving.
Solution: We created a mandatory field in the ticketing system requiring requesters to explain in plain English why they needed access and exactly what they would do with it. We also added examples of good and bad justifications.
Gap 2: The quarterly access reviews were taking 40+ hours per department.
Solution: We implemented automated reporting that pre-populated manager reviews with each user's role, hire date, and recent access patterns. Review time dropped to 4-6 hours per department.
Gap 3: The UEBA tool generated so many alerts that analysts ignored them.
Solution: We spent three months tuning the system, creating baselines for normal behavior, and reducing false positives by 89%. Only then did it become useful.
"Control implementation isn't a one-time event—it's an iterative process of design, test, fail, improve, and repeat until you get it right."
Common Control Design Mistakes (And How to Avoid Them)
After reviewing hundreds of SOC 2 programs, I've seen the same mistakes repeatedly. Let me save you the pain:
Mistake 1: Copying Someone Else's Controls
I can't tell you how many times I've seen companies download a "SOC 2 control template" from the internet and try to implement it verbatim.
Here's the problem: Your business is unique. Your risks are unique. Your controls must be unique.
A control that works perfectly for a 500-person enterprise software company might be completely inappropriate for a 15-person mobile app startup.
Instead: Start with frameworks and templates as inspiration, but customize every control to your specific business context, risk profile, and operational reality.
Mistake 2: Over-Engineering Controls
I worked with a startup that designed a control requiring CTO approval for every single code deployment. Every. Single. One.
They were deploying 40+ times per day.
The CTO started rubber-stamping approvals without review within a week. The control was theoretically perfect but operationally impossible.
Instead: Design controls that fit your operational tempo. If you deploy continuously, your change management control needs to rely on automated testing, not manual approvals.
Mistake 3: No Control Ownership
"The security team" isn't a control owner. I've seen controls fail during audits simply because no specific person was accountable.
Real Example: A company had a control stating "vulnerability scans are performed weekly." In reality:
The security engineer who usually ran scans went on paternity leave
Nobody else knew they were supposed to do it
Scans didn't run for 6 weeks
The audit found the gap
Instead: Name names. Document backups. Create redundancy for critical controls.
Mistake 4: Evidence Theater
Some organizations design elaborate evidence collection processes that generate impressive-looking documentation but don't actually prove the control works.
I audited a company that produced beautiful monthly security reports. Thirty pages of graphs, charts, and metrics. Completely useless for audit purposes because they didn't show:
Who performed the reviews
What they were looking for
What they found
What actions they took
Instead: Design evidence that answers three questions:
Did the control operate as designed?
Who performed it?
What was the result, and were any issues found and remediated?
Mistake 5: Ignoring the Complement User Entity (CUE)
This is subtle but critical. Some controls require your customers to implement their own controls for your overall system to be secure.
Example: A cloud storage provider's backup system might be perfectly designed, but if customers don't enable versioning on their end, data loss can still occur.
These complementary controls must be documented in your SOC 2 report so customers know their responsibilities.
I worked with a SaaS provider who had a brilliantly designed encryption system, but customers could disable it in settings. The complementary control was: "Customers must enable encryption in their account settings." We documented this in the report, and customer success teams started proactively helping customers enable the setting.
Control Testing: Proving Your Controls Work
Designing controls is half the battle. Proving they work is the other half.
Type I vs Type II: Understanding the Difference
Aspect | SOC 2 Type I | SOC 2 Type II |
|---|---|---|
What it tests | Control design at a point in time | Control operation over a period (usually 6-12 months) |
Duration | Single day assessment | Minimum 6 months of operation |
Audit effort | 2-4 weeks | 4-8 weeks |
Value to customers | Limited - proves you designed controls | High - proves controls actually work |
Use case | Initial certification, new companies | Mature companies, customer requirements |
Typical cost | $15,000 - $40,000 | $30,000 - $100,000+ |
Here's my advice: Most companies should go straight for Type II. Type I is like saying "I designed a parachute." Type II is saying "I jumped out of a plane with the parachute, and it worked."
Customers want Type II. Trust me on this—I've never seen an enterprise sales deal close with just a Type I report.
Sample Size Matters
Auditors will test a sample of your control operations. Understanding sampling helps you prepare.
For controls that operate:
Continuously/Daily: Auditors typically sample 25-40 instances across the audit period
Weekly/Monthly: Auditors often test all instances or a majority
Quarterly: Auditors will test every instance (usually 2-4 occurrences)
Annually: Must test the single occurrence
Pro Tip: If a control operates daily and auditors sample 30 days, you need 30 good examples. One missing piece of evidence isn't a deal-breaker. But if 3-4 samples fail, that's a control deficiency.
Building a Control Matrix: Your SOC 2 Blueprint
A control matrix maps your controls to Trust Services Criteria. This becomes your audit roadmap.
Here's a simplified example:
Control ID | Trust Criteria | Control Description | Type | Frequency | Owner | Evidence |
|---|---|---|---|---|---|---|
CC1.1 | Common Criteria | Board reviews and approves security policies annually | Governance | Annually | CISO | Board meeting minutes with approval |
CC6.1 | Common Criteria | Logical access requires MFA | Preventive | Continuous | IT Manager | MFA configuration screenshots, enforcement logs |
CC6.2 | Common Criteria | Access reviews performed quarterly | Detective | Quarterly | Department Heads | Access review reports with sign-offs |
CC6.3 | Common Criteria | Unauthorized access detected and removed within 24 hours | Corrective | As needed | Security Team | Incident tickets, access removal logs |
CC7.2 | Common Criteria | Vulnerability scans run weekly | Detective | Weekly | Security Engineer | Scan reports, remediation tracking |
A1.2 | Availability | System monitoring alerts on-call team 24/7 | Detective | Continuous | DevOps Team | Alerting configuration, incident response logs |
In reality, a comprehensive SOC 2 control matrix might have 50-150 controls depending on your complexity and criteria selection.
The Control Lifecycle: It Doesn't End at Implementation
Here's something nobody tells you: getting to SOC 2 certification is the easy part. Maintaining it is where most organizations struggle.
Year 1: Design and Implement
Document policies and procedures
Implement technical controls
Train your team
Start generating evidence
Pass initial audit
Year 2: Optimize
Identify controls that create excessive burden
Automate evidence collection where possible
Refine processes based on lessons learned
Prepare for surveillance audit
Year 3+: Mature
Controls become organizational habits
Evidence generation is largely automated
Focus shifts to continuous improvement
Consider expanding criteria or additional certifications
I have a client who's on their 6th consecutive year of SOC 2 compliance. Their first year was brutal—endless meetings, constant evidence gathering, audit stress. Now? Their compliance manager spends maybe 10 hours per month on SOC 2, most of it reviewing automated reports. Everything else runs on autopilot.
That's what mature control design looks like.
Automation: Your Secret Weapon
Let me share a transformation story. In 2021, I worked with a company spending 40+ hours per week collecting evidence for SOC 2. It was crushing their security team.
We implemented:
Manual Process | Automated Solution | Time Saved |
|---|---|---|
Manually screenshotting MFA configuration monthly | Automated configuration extraction via API, stored in compliance tool | 2 hours/month |
Copying access logs into spreadsheets for review | SIEM automatically generates formatted reports | 8 hours/month |
Manually tracking vulnerability remediation in spreadsheets | Integration between scanner and ticketing system with auto-reporting | 12 hours/month |
Emailing managers for quarterly access reviews | Automated workflow tool sends reviews with pre-populated data | 16 hours/month |
Manually collecting change tickets for sample testing | Automated evidence collection from Jira with filters | 6 hours/month |
Total time savings: 44 hours per month, or roughly 25% of a full-time employee.
The investment in automation tools paid for itself in less than six months.
"Manual evidence collection doesn't scale. Automate everything you can, then automate the things you thought you couldn't."
Control Design for Different Business Models
Your business model dramatically impacts control design. Here's what I've learned across different contexts:
Early-Stage Startups (10-50 employees)
Challenges: Limited resources, rapid change, wearing multiple hats
Control Design Strategy:
Leverage cloud provider controls (AWS, Azure, GCP have built-in SOC 2 controls)
Focus on the minimum viable control set
Use affordable SaaS tools with SOC 2 features built-in
Document processes as you build them
Accept some manual processes initially
Real Example: A 12-person startup I worked with achieved SOC 2 by:
Using Google Workspace with MFA and SSO
Implementing AWS security best practices
Using open-source tools where possible
Having founders personally execute key controls
Total implementation cost: $35,000 over 6 months
Growth-Stage Companies (50-200 employees)
Challenges: Scaling processes, multiple teams, increasing complexity
Control Design Strategy:
Invest in GRC (Governance, Risk, Compliance) platforms
Create dedicated compliance role (at least part-time)
Automate evidence collection
Implement formal change management
Document everything proactively
Enterprise Organizations (200+ employees)
Challenges: Complex systems, multiple audits, global operations
Control Design Strategy:
Build dedicated compliance team
Implement enterprise GRC platforms
Create control automation
Integrate compliance into DevOps pipeline
Prepare for multiple simultaneous audits (SOC 2, ISO 27001, etc.)
Your Control Design Checklist
After fifteen years of doing this, here's the checklist I use for every control design:
Control Design Review Questions:
✅ Does this control address a specific, documented risk? ✅ Is the control objective clear and measurable? ✅ Is there a named, accountable owner? ✅ Is the frequency appropriate for the risk? ✅ Can we actually implement this with our current resources? ✅ Does it fit our operational tempo? ✅ What evidence will this control generate? ✅ Can we collect that evidence efficiently? ✅ Have we considered automation opportunities? ✅ Is there a backup if the primary control operator is unavailable? ✅ Have we tested this control in practice? ✅ Does this control integrate with our existing processes? ✅ Will this control still work as we scale? ✅ Have we documented compensating controls if this control has limitations? ✅ Do our customers care about this control?
If you can't answer "yes" to at least 12 of these 15 questions, redesign the control.
Common Questions From the Field
Let me address the questions I get asked most often:
"How many controls do I need?"
There's no magic number. I've seen successful SOC 2 programs with 40 controls and others with 150. It depends on your complexity, criteria, and risk profile. Focus on coverage, not quantity.
"Can I use the same control for multiple criteria?"
Absolutely. A good access control addresses Security, and potentially Confidentiality and Privacy. Map controls to multiple criteria where applicable—it reduces your total control count.
"What if a control fails during the audit?"
Don't panic. Control deficiencies happen. What matters is:
How significant is the deficiency?
Do you have compensating controls?
How quickly can you remediate?
I've seen audits pass with minor deficiencies that were documented and remediated during the audit period.
"Should I design controls to exceed SOC 2 requirements?"
My philosophy: meet SOC 2 requirements first, then exceed them only where it makes business sense. Don't gold-plate controls just to impress auditors—they care about effectiveness, not excess.
The Path Forward
Designing effective SOC 2 controls isn't about security theater. It's about building real, operational security practices that:
Protect your customers' data
Scale with your business
Generate auditable evidence
Create competitive advantage
I'll leave you with a story. In 2023, I worked with a company that had failed their SOC 2 audit twice. They were ready to give up. "Maybe we're just not cut out for enterprise sales," the CEO said.
We redesigned their control environment from scratch using the principles I've shared here. Six months later, they passed their Type II audit with zero deficiencies. Nine months after that, they closed a $3.2 million deal with a Fortune 500 company—a deal that would have been impossible without SOC 2.
The CEO called me after closing the deal. "You know what the craziest part is?" he said. "We're actually more secure now. SOC 2 didn't just help us win deals—it helped us build a better company."
That's what good control design does. It doesn't just satisfy auditors. It makes your business better, stronger, and more resilient.
"Perfect controls don't exist. But effective controls—ones that are well-designed, properly implemented, and consistently operated—those are worth their weight in gold."
Now go design some controls that actually work.