Type I vs Type II
Recommendation: if you’ve never had a SOC 2, start with Type I to validate your controls work, then immediately begin a Type II observation window. Most companies run Type II annually thereafter.
How Codex maps the Common Criteria (CC) controls
The 2017 (TSC 2017) and 2022 update (Trust Services Criteria 2017 — Revised May 2022) define ~60 Common Criteria controls. Codex auto-evidences the majority:CC6 — Logical and Physical Access Controls (the heavy lifting)
CC7 — System Operations
CC8 — Change Management
CC1-CC5 — Governance, risk assessment, communication
These are mostly policy + training + role definitions — Codex links to your Notion/Confluence pages and tracks training completion via the LMS connector.What Codex can’t auto-evidence (you assign humans)
- CC1.1 — Code of conduct: link to your published code of conduct
- CC2.2 — Internal/external communication: link to your security page + customer comms templates
- CC3.1 — Risk identification process: link to your risk register and quarterly review minutes
- CC9 — Risk mitigation: vendor due diligence questionnaires (Codex stores them; humans complete them)
- A1.1 — Availability commitments: SLAs and uptime monitoring contracts
Recommended setup order
- Day 1: Sign up, pick SOC 2 (Common Criteria), connect Google Workspace or M365 (covers ~30% of CC6 controls instantly)
- Day 1-3: Connect MDM (Jamf/Kandji/Intune). Covers CC6.7, CC6.8 — disk encryption, endpoint protection. ~20% more.
- Day 3-7: Connect GitHub or GitLab. Covers CC8.1 (change management). ~10% more.
- Week 2: Connect ticketing (Jira/Linear) and on-call (PagerDuty). Covers CC7.3, CC7.4. ~15% more.
- Week 2: Connect cloud (AWS/GCP/Azure). Covers CC7.1 partial (infrastructure CVEs), CC6.7 cloud encryption. ~10% more.
- Week 3-4: Assign humans to the remaining 15-20% (policy, risk, training, vendor mgmt).
When you’re ready for the auditor
Reports → SOC 2 evidence package generates a single PDF + folder of CSVs with:- Every CC control, status, evidence sources, last-verified timestamp
- Per-control evidence snapshots (with API call timestamps)
- Exception list (controls marked “exception” with documented justification)
- Ownership matrix (who is responsible for each non-auto-evidenced control)