Skip to main content
SOC 2 audits 5 Trust Service Criteria — Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy. Most companies start with Security only (the “Common Criteria”) and add others when customers demand them.

Type I vs Type II

Recommendation: if you’ve never had a SOC 2, start with Type I to validate your controls work, then immediately begin a Type II observation window. Most companies run Type II annually thereafter.

How Codex maps the Common Criteria (CC) controls

The 2017 (TSC 2017) and 2022 update (Trust Services Criteria 2017 — Revised May 2022) define ~60 Common Criteria controls. Codex auto-evidences the majority:

CC6 — Logical and Physical Access Controls (the heavy lifting)

CC7 — System Operations

CC8 — Change Management

CC1-CC5 — Governance, risk assessment, communication

These are mostly policy + training + role definitions — Codex links to your Notion/Confluence pages and tracks training completion via the LMS connector.

What Codex can’t auto-evidence (you assign humans)

  • CC1.1 — Code of conduct: link to your published code of conduct
  • CC2.2 — Internal/external communication: link to your security page + customer comms templates
  • CC3.1 — Risk identification process: link to your risk register and quarterly review minutes
  • CC9 — Risk mitigation: vendor due diligence questionnaires (Codex stores them; humans complete them)
  • A1.1 — Availability commitments: SLAs and uptime monitoring contracts
  1. Day 1: Sign up, pick SOC 2 (Common Criteria), connect Google Workspace or M365 (covers ~30% of CC6 controls instantly)
  2. Day 1-3: Connect MDM (Jamf/Kandji/Intune). Covers CC6.7, CC6.8 — disk encryption, endpoint protection. ~20% more.
  3. Day 3-7: Connect GitHub or GitLab. Covers CC8.1 (change management). ~10% more.
  4. Week 2: Connect ticketing (Jira/Linear) and on-call (PagerDuty). Covers CC7.3, CC7.4. ~15% more.
  5. Week 2: Connect cloud (AWS/GCP/Azure). Covers CC7.1 partial (infrastructure CVEs), CC6.7 cloud encryption. ~10% more.
  6. Week 3-4: Assign humans to the remaining 15-20% (policy, risk, training, vendor mgmt).
After ~4 weeks of focused setup, ~80-85% of CC controls are auto-evidenced and continuously monitored. The remaining 15-20% are humans-required workflows tracked in Codex.

When you’re ready for the auditor

Reports → SOC 2 evidence package generates a single PDF + folder of CSVs with:
  • Every CC control, status, evidence sources, last-verified timestamp
  • Per-control evidence snapshots (with API call timestamps)
  • Exception list (controls marked “exception” with documented justification)
  • Ownership matrix (who is responsible for each non-auto-evidenced control)
Hand to your auditor. Most accept Codex packages with no follow-up.