SOC 2 people controls: HR's part of the audit, in plain English
A deep, plain-English field guide to the SOC 2 controls HR owns — Trust Services Criteria mapping, exact evidence the auditor samples, joiner-mover-leaver…
On this page▾
- What SOC 2 actually is (and isn't)
- Why a third of the audit lands on HR
- The HR-owned controls, mapped to TSC
- What 'evidence' really means to an auditor
- Joiner-Mover-Leaver: the spine of the audit
- Background checks done audit-proof
- Security awareness training that survives sampling
- Quarterly access reviews without the spreadsheet pain
- Contractors, interns, and the scope trap
- The eight findings that kill audits
- A 90-day readiness plan
- Tooling: what to buy, what to build
- How SOC 2 overlaps with ISO 27001 and GDPR
- FAQ
- SOC 2 is a security audit issued under the AICPA Trust Services Criteria — but 25-35% of the controls live in HR's swim lane.
- HR usually owns 10-14 controls, concentrated in CC1 (control environment), CC2 (communication), CC6 (logical access), and CC7 (system monitoring of personnel changes).
- The five audit hot spots are: background checks, security awareness training, joiner provisioning, quarterly access reviews, and leaver de-provisioning SLAs.
- Evidence ≠ policy. Auditors sample. For every control they want: (1) the documented policy, (2) the artefact showing you executed it, (3) proof a second person reviewed it, all with timestamps.
- Type I asks 'is the control designed?' Type II asks 'did you operate it consistently for 6–12 months?' Type II is what enterprise buyers want — and where HR discipline becomes decisive.
- Automate the evidence trail in the HRIS/IdP, not in Notion. Screenshots and spreadsheets are how companies fail.
SOC 2 readiness panic usually arrives the week before kickoff. The CISO forwards the auditor's request list, HR scrolls down, and there it is — 'sample 25 hires from the audit period and provide background check results, signed code of conduct, security training completion, and provisioning ticket per system.' By then it's too late to retroactively run a background check on someone who started seven months ago. The trick is not to memorise the framework. The trick is to know which controls land on HR, wire the evidence collection into the workflow itself, and run the audit on autopilot for years. This guide is the long version of that playbook — written for a People Ops lead, an HR Business Partner supporting engineering, or a founder doing it themselves for the first time.
What SOC 2 actually is (and isn't)
SOC 2 stands for 'Service Organization Control 2.' It is an attestation report — not a certification — issued by an independent CPA firm under the AICPA's SSAE 18 attestation standards. The CPA evaluates a service organisation's controls against the Trust Services Criteria (TSC), a framework published by the AICPA's Assurance Services Executive Committee and last substantively revised in 2017 (with the 2022 'points of focus' update). The five TSC categories are Security (mandatory, often called the 'Common Criteria' or CC), Availability, Processing Integrity, Confidentiality, and Privacy. The vast majority of B2B SaaS SOC 2 reports cover Security only, sometimes Availability and Confidentiality as well.
There are two report types and the difference matters. A Type I report is a point-in-time snapshot: on date X, were the controls designed appropriately? A Type II report covers an observation window, typically 6 or 12 months, and asks: did the controls operate effectively across that window? Type I can be issued after 30-60 days of readiness work. Type II requires you to actually live the controls — run access reviews on cadence, complete training on time, offboard within SLA — for the full window. Enterprise buyers (anyone with a real procurement function, anyone in financial services or healthcare, anyone whose data you touch in a regulated jurisdiction) will ask for Type II. Type I is a useful waypoint, not a destination.
SOC 2 is not a certification (that's ISO 27001). It is not a security standard with a fixed checklist (that's PCI-DSS). It is not a privacy regulation (that's GDPR, CCPA, DPDP). It is an opinion issued by an auditor about your controls, scoped to the criteria you and the auditor agreed on. Two SOC 2 reports are never identical, which is why buyers read them rather than tick a box.
Why a third of the audit lands on HR
Security people sometimes assume SOC 2 is a firewall, encryption, and pen-test affair. It is not. The TSC framework is built on the COSO Internal Control — Integrated Framework (Committee of Sponsoring Organizations, 2013), and COSO opens with 'Control Environment' — the tone, integrity, ethics, competence, accountability, and structure of the people who run the company. Every one of those is an HR artefact. That's why CC1 (control environment) is almost entirely HR-owned, CC2 (communication and information) leans heavily on HR for the internal communication portion, and CC6 (logical and physical access controls) cannot operate without HR feeding the identity provider every joiner, mover, and leaver event in real time.
In practice, when an auditor samples 100 controls across a SOC 2 Type II engagement, roughly 25-35 of them require HR-produced evidence — signed acknowledgements, training completion logs, background check records, provisioning approvals, termination timestamps, access review sign-offs. The audit fails or passes on HR's evidence discipline as much as on the security team's tooling.
The HR-owned controls, mapped to TSC
There is no canonical 'HR control list' — each auditor scopes slightly differently — but the table below is the working set you should expect in any reasonable SOC 2 Security engagement. The references (CC1.1, CC6.2, etc.) follow the 2017 TSC numbering, which is what every Big 4 and reputable boutique still uses.
| TSC Ref | Control intent | What HR owns | Evidence the auditor samples |
|---|---|---|---|
| CC1.1 | Integrity and ethical values | Code of conduct exists, is communicated, and acknowledged by every employee on hire and annually | Signed acknowledgement per employee, with date; sample of 25 employees |
| CC1.2 | Board oversight | HR contributes to the board pack on people risk (turnover, key-person, comp) | Board minutes or HR section of board pack across the audit window |
| CC1.3 | Organisational structure | Org chart maintained; reporting lines documented; segregation of duties evident | Current org chart + historical snapshots showing changes |
| CC1.4 | Commitment to competence | Job descriptions exist; hiring assesses competence; background checks are run pre-start | Job description + interview record + background check per sampled hire |
| CC1.5 | Accountability | Performance management process is documented and run; consequences for non-performance exist (PIP, termination) | Sample of completed reviews + PIP records + termination records |
| CC2.2 | Internal communication of information | Security awareness training delivered on hire and annually; policy updates communicated | Training completion log; comms log for material policy changes |
| CC2.3 | External communication | Confidentiality obligations communicated to candidates, contractors, and departing employees | NDA signed pre-interview/onboarding; exit confidentiality reminder |
| CC5.3 | Policies and procedures deployed | HR policy library exists, is versioned, and is accessible to staff | Policy version history; access logs showing staff can reach the wiki |
| CC6.2 | User access provisioned on authorised basis | Every new hire's access is requested by HR, approved by manager, granted by IT — with a ticket trail | Provisioning ticket per sampled new hire showing approval before grant |
| CC6.3 | User access modified when role changes | Internal transfers and promotions trigger an access review; old access is removed | Mover ticket per sampled internal move |
| CC6.5 | User access removed on termination | Termination in HRIS triggers automated de-provisioning across systems within SLA (typically same business day) | Termination record + de-provisioning logs with timestamps for each system |
| CC6.6 | Logical access for privileged users | Admin/root access list is reviewed; HR feeds the 'who is still an employee' signal | Quarterly privileged access review with sign-off |
| CC7.2 | System monitoring — anomalies | HR-driven anomalies (someone logging in after termination, access granted outside ticket flow) are caught and remediated | Sample of anomaly tickets with remediation evidence |
During scoping, your auditor will draft control statements. Read every one and ask: 'what artefact would I show you to prove this?' If the answer is 'an email' or 'a Slack thread,' rewrite the control. Auditors sample. If they cannot reconstruct what happened from durable, timestamped, attributable evidence, the control fails — even if you genuinely do the work.
What 'evidence' really means to an auditor
This is the single most misunderstood part of SOC 2 readiness for HR teams. 'We do this' is not evidence. 'Here is our policy' is not evidence. Evidence has three components, and the auditor will reject anything that lacks one of them.
- 1ArtefactA durable object — a ticket, a record in the HRIS, a signed acknowledgement, a log line, a CSV export. Something that exists outside someone's head and outside ephemeral chat.
- 2TimestampWhen did it happen? The artefact must show the date the event occurred, and ideally also when it was reviewed. A signed code of conduct with no date is useless. A provisioning ticket closed 'sometime in Q3' is useless.
- 3Attributable reviewerWho looked at it and confirmed it was right? For access reviews this is the manager's sign-off. For provisioning it is the approver named on the ticket. 'The team' is not a reviewer. A named human is.
Auditors work by sampling. For most controls the sample size is around 25 items if the population is over 250, scaled down for smaller populations (typically 10 for 50-249, 5 for under 50, 100% for under 10). They pick the sample — you don't get to choose. If even one item in the sample fails, the control is qualified or excepted, and that exception lands in the final report your buyers will read.
For every control, the auditor wants three things: (1) the policy that says you do it, (2) a sample showing you did it on the dates they pick, (3) evidence the sample was reviewed by a second person. Three artefacts per control. Build the pipeline once and it runs forever.
Joiner-Mover-Leaver: the spine of the audit
If you do nothing else this year, automate Joiner-Mover-Leaver (JML). It is the single highest-leverage SOC 2 investment HR can make. JML is the discipline of treating every employment-status change as a trigger that fans out into provisioning, training, access changes, and de-provisioning actions across every system that holds company data. Done well, JML produces an unbroken audit trail without anyone manually generating evidence.
The Joiner flow
- Recruiter marks candidate 'offer accepted' in the ATS. This is the upstream signal — everything downstream depends on it being accurate.
- ATS pushes the new hire record to the HRIS (Rippling, Deel, BambooHR, Workday) with start date, role, manager, location, and employment type. If you don't have an ATS→HRIS integration, you have a SOC 2 problem disguised as a productivity problem.
- HRIS triggers the background check via integrated provider (Checkr, HireRight, Sterling, Veremark). Result is filed against the employee record before the start date. No clean check, no start.
- On Day -7, IT provisioning ticket auto-opens in the IdP (Okta, JumpCloud, Entra ID) listing the standard role-based access bundle. Manager approves in one click.
- On Day 0, IdP provisions accounts via SCIM to every downstream SaaS app. Provisioning timestamps are logged in the IdP — those logs are your evidence.
- On Day 1, the LMS (Lessonly, Workramp, KnowBe4, Vanta Training) assigns mandatory security awareness, code of conduct acknowledgement, and acceptable use policy. Completion deadline: Day 14.
- On Day 14, if any item is incomplete, the IdP suspends the user until completion. This is the 'enforce or it's just a suggestion' rule.
The Mover flow
Movers are where audits quietly fall apart. Someone moves from Support to Engineering, gets the new access they need, but nobody removes their old Zendesk admin role. Six months later the auditor pulls the Zendesk admin list, sees a name that no longer belongs to a Support employee, and you have an exception. The fix: every role change in the HRIS triggers a 'mover review' ticket that asks the new and old manager to confirm what access should be added and what should be removed. The IdP then enforces the delta.
The Leaver flow
- Manager submits resignation acceptance or termination decision in HRIS. Last working day field is mandatory.
- For voluntary leavers: scheduled de-provisioning at end of last working day. For involuntary terminations: immediate de-provisioning, ideally before the conversation ends.
- HRIS termination event fires a webhook to the IdP. IdP suspends primary account and triggers SCIM de-provisioning across every connected app.
- For non-SCIM apps (still common — Notion, Figma, Linear if not on enterprise plans, GitHub Enterprise without SAML, niche SaaS), a runbook ticket auto-generates listing every app to revoke manually, with a 24-hour SLA and a checkbox per app.
- On Day +1, an exception report runs: any account belonging to a terminated employee that is still active. The report should be empty. If it isn't, that's a CC6.5 exception waiting to happen.
The single most common SOC 2 finding in the HR domain is 'access not removed within the documented SLA after termination.' Pick an SLA you can actually meet — 24 hours for non-critical systems, immediate for production/admin/finance — write it into the policy, and engineer the JML pipeline to enforce it. Don't write an SLA your process can't keep.
Background checks done audit-proof
Background checks (BGC) are deceptively simple to get wrong. The control is not 'we run background checks.' The control is 'we run a documented, role-appropriate, jurisdiction-compliant background check before access to systems is granted, and we retain evidence of the result for the audit window.' Each clause hides a failure mode.
| Role tier | Minimum BGC scope | Re-check cadence |
|---|---|---|
| Standard employee, no production data access | Identity verification + right-to-work + employment history (last 5 years) | On hire only |
| Engineer / Ops with production access | Above + criminal record (jurisdiction-appropriate) + education verification | On hire + every 3 years for highly privileged |
| Finance, payroll, treasury | Above + credit check (where lawful) + sanctions/PEP screening | On hire + annual sanctions re-screen |
| Executives, board | Full enhanced + media check + directorship search | On hire + biennial |
- Use an integrated BGC vendor (Checkr, HireRight, Sterling, Veremark, Zinc) that posts results back to the HRIS — no PDFs in someone's inbox.
- Get candidate consent in writing before initiating. In the US, FCRA requires a stand-alone disclosure plus written authorisation; in the UK/EU, you need a lawful basis under GDPR Art. 6 and explicit safeguards for criminal data under Art. 10.
- Treat the start date as conditional on a clean check. If a check returns adverse information, run the FCRA 'pre-adverse / adverse action' two-letter sequence (US) or equivalent in your jurisdiction. Document the decision.
- Never grant production system access before the check clears. The auditor will sample provisioning timestamps against BGC clearance timestamps.
- Apply the same standard to contractors who will touch production data. SOC 2 does not distinguish between W-2 and 1099 — the control follows the access, not the tax form.
- Retain results for the legal retention period (varies — typically minimum 1 year post-employment under FCRA; longer under most EU regimes; check with employment counsel).
Security awareness training that survives sampling
Auditors will sample training completion. They'll pick 25 employees, ask for their training completion records covering the audit window, and expect to see (a) onboarding security training completed within X days of start, (b) annual refresher completed within the calendar year, (c) records of any phishing simulation or role-specific add-on. The killer is the long tail — five out of 25 will be missing if you didn't enforce.
- 1Pick the contentKnowBe4, Hoxhunt, Living Security, Vanta Training, or a custom course built in your LMS. Content quality matters less than completion rates and reporting cleanliness.
- 2Assign on Day 1 via HRIS eventTriggered automatically — no human assigns courses. Deadline: 14 days from start date.
- 3Annual refresher on a single datePick one date each year (e.g. 'Security Month — every October'). Universal deadline simplifies sampling. Don't assign by anniversary — auditors hate cross-referencing.
- 4Enforce, don't remindAfter deadline + 7 days of grace, IdP suspends the account. Two emails from compliance@ before that, then the user is locked out until the course is done. Productivity recovers within hours; the control holds for a year.
- 5Export evidence quarterlyPull a CSV of completion status per active employee at the end of each quarter. File it. That CSV is what the auditor will sample against.
Quarterly access reviews without the spreadsheet pain
Quarterly user access reviews (UAR) are the most operationally painful SOC 2 control to run by hand and the easiest to automate badly. The intent: every quarter, every manager confirms that every direct report's access to every in-scope system is still appropriate. Done in spreadsheets, this is a soul-destroying exercise that produces low-quality sign-offs. Done in a UAR tool (Vanta, Drata, Sprinto, Secureframe, Conductor One, Lumos, or a workflow built on your IdP's certification feature) it takes each manager 10-20 minutes a quarter.
- Define the in-scope systems list. Start with anything that holds customer data, production infrastructure, or financial data. Typically 8-15 systems for a Series A-C SaaS company.
- Tag each entitlement with risk: read-only / standard / admin. Admin entitlements get extra scrutiny and named approval.
- On the first day of each quarter, the tool snapshots access per user per system and routes a review task to each user's manager.
- Manager confirms 'keep' or 'revoke' per entitlement. Revokes generate a ticket to the IdP/system owner with a 5 business-day SLA.
- On Day 14 of the quarter, any incomplete reviews escalate to the manager's manager. On Day 21, to the CISO and the Head of People.
- On Day 30, the review is closed. The tool produces a tamper-evident report with sign-offs, revocations, and exceptions. That report is your audit evidence.
Contractors, interns, and the scope trap
'They're not full-time, so SOC 2 doesn't apply' is one of the most reliable ways to fail an audit. SOC 2 scope follows access, not employment classification. If a contractor, intern, agency worker, or vendor employee can log into a system in scope, every HR-owned control applies to them: BGC before access, signed confidentiality and acceptable use, security training within the same window, provisioning under approval, quarterly access review, termination de-provisioning under SLA. The HRIS often doesn't manage contractors, which is the root cause of most contractor-related findings — the JML pipeline depends on the HRIS as the source of truth, so contractors fall through the gap.
Either (a) put contractors in the HRIS with a contractor employment type, (b) use a contractor management system (Deel, Remote, Worksuite) that integrates to the IdP via SCIM, or (c) write a documented manual JML runbook for contractors with mandatory ticket evidence per joiner and per leaver. Option (a) is best. Option (c) is the bare minimum to pass.
The eight findings that kill audits
- Termination access removal >24 hours after last day — CC6.5 exception. Fix: HRIS → IdP webhook, no human in the loop.
- Background check missing for a sampled employee — CC1.4 exception. Fix: pre-start BGC as a hard gate; integrate the BGC vendor to HRIS.
- Training completion below 95% in the sample — CC2.2 exception. Fix: enforce via IdP suspension at deadline + 7 days.
- Quarterly access review with no evidence of remediation — CC6.3 exception. Fix: the review must produce a ticket per revocation with an owner and a close date.
- Provisioning before manager approval (access granted, ticket back-filled) — CC6.2 exception. Fix: IdP cannot grant without an approved ticket. Make the workflow refuse.
- Contractor on production access with no BGC and no signed AUP — CC1.4 / CC6.2 exception. Fix: contractor pipeline above.
- Code of conduct acknowledgement missing for sampled hires — CC1.1 exception. Fix: HRIS task on Day 1 with hard deadline; status visible to the manager.
- Privileged access list contains a name that left the company — CC6.6 / CC7.2 exception. Fix: quarterly privileged review separate from the standard UAR; exception report runs daily.
A 90-day readiness plan
- 1Days 1-14 — Scope and gapPick auditor and Trust Services Criteria (Security alone is the right starting choice). Pull the control matrix. Map every HR-owned control to its current evidence source. Mark each green/amber/red. Identify the top three reds.
- 2Days 15-30 — Policy stackRefresh or write: Code of Conduct, Acceptable Use, Information Security Policy (HR sections), Background Check Policy, Security Awareness Training Policy, Access Provisioning Policy, Termination Policy. Each is dated, versioned, and approved by a named owner.
- 3Days 31-45 — Tooling wiringIntegrate ATS → HRIS → IdP → SaaS apps via SCIM. Integrate BGC vendor → HRIS. Stand up the LMS with the mandatory bundle. Pick a UAR tool and configure the first quarterly review.
- 4Days 46-60 — Re-baselineRun a clean joiner cycle for every new hire. Sweep historical gaps: re-run BGCs missing for current staff (where lawful and contractually permitted), close the training tail, push everyone through a fresh acknowledgement of the refreshed Code of Conduct.
- 5Days 61-75 — Dry-run samplingPick 10 random employees yourself. Pretend to be the auditor. For each HR control, find the evidence. Time how long it takes. Anything over five minutes is a problem — fix the evidence trail, not your own search skills.
- 6Days 76-90 — Readiness reviewWalk the auditor's pre-audit consultant (most firms offer this) through your control matrix and evidence sources. Close their findings. Schedule the audit window. Start the Type II clock.
Tooling: what to buy, what to build
| Layer | What it does | Representative vendors | HR-built alternative? |
|---|---|---|---|
| HRIS | Source of truth for employment status, role, manager | Rippling, Deel, BambooHR, HiBob, Workday, Personio | No. Don't build this. |
| IdP / SSO | Centralises authentication; pushes accounts via SCIM | Okta, JumpCloud, Entra ID, Google Workspace | No. |
| BGC | Runs and stores background checks with audit trail | Checkr, HireRight, Sterling, Veremark, Zinc | No — regulatory exposure. |
| LMS / training | Assigns, tracks, enforces security training | KnowBe4, Hoxhunt, Vanta Training, Workramp | Possible for very small teams using Google Forms + a tracker, but doesn't survive Type II sampling. |
| Compliance automation | Continuously monitors controls, collects evidence, runs UARs | Vanta, Drata, Sprinto, Secureframe, Thoropass | Possible with engineering effort; rarely worth it under Series C. |
| Ticketing | Provisioning and de-provisioning workflow with approvals | Jira Service Management, Linear, ServiceNow, Halp | Yes — most companies already have this. |
How SOC 2 overlaps with ISO 27001 and GDPR
If you're going to be audited against more than one framework, the HR controls overlap heavily. ISO 27001:2022 Annex A includes the 'People controls' (A.6) — screening (A.6.1), terms and conditions of employment (A.6.2), disciplinary process (A.6.4), responsibilities after termination (A.6.5), confidentiality agreements (A.6.6), and information security awareness, education, and training (A.6.3). Build the SOC 2 evidence pipeline correctly and you have ~80% of ISO 27001's people controls covered.
GDPR overlap is more nuanced. GDPR (and DPDP, CCPA, UK GDPR, LGPD) governs lawful basis, transparency, data subject rights, cross-border transfer, and processor relationships — none of which is SOC 2's concern unless you scope in the Privacy TSC. But the BGC, training, and HRIS data flows you build for SOC 2 are also processing activities under GDPR, which means each needs a lawful basis (Art. 6), a retention period, a record in your Article 30 register, and (for BGC criminal data in the EU) Article 10 safeguards. Build the data map once; serve both frameworks.
FAQ
Frequently asked questions
Do we need SOC 2 if we're pre-seed or seed?
Almost never. SOC 2 readiness is a 3-6 month investment and 25-60k USD in audit fees alone. If no enterprise buyer is blocking on it, defer. Use the Vanta/Drata 'pre-SOC 2 hygiene' phase to build the JML and training discipline so the audit is short when you do run it.
Type I or Type II first?
Type I if a single deal is blocked on 'do you have SOC 2.' Type II in every other case — buyers will discount a Type I within months. The cost difference is small (audit fees are similar); the time difference is the observation window itself.
Can we self-attest?
No. SOC 2 is an attestation by a licensed CPA firm. Self-attestation against the TSC is sometimes called a 'SOC 2 gap assessment' and is useful internally, but it is not a SOC 2 report.
Who in HR should own this day-to-day?
Below 250 employees: typically the Head of People, supported by an external consultant or compliance automation vendor. 250-1,000: a People Operations lead, with the CISO as the cross-functional partner. 1,000+: a dedicated People Compliance role, often jointly reporting to People and Security.
What happens if we fail a control?
An exception is noted in the final report. One or two exceptions in a Type II are not deal-breakers if you can show a remediation plan with dates. Five or more — or any exception in CC6 (access controls) — will cost you deals. Prioritise CC6 ruthlessly.
How long does an audit take?
Type I: 4-8 weeks from kickoff. Type II: the observation window (6-12 months) plus a 6-10 week reporting period. Plan the calendar accordingly — most companies run Type II October-to-September and receive the report by November.
References & further reading
- AICPA — Trust Services Criteria (2017, with 2022 points of focus update) — AICPA
- AICPA — SOC 2 Reporting on Controls at a Service Organization — AICPA
- COSO — Internal Control — Integrated Framework (2013) — Committee of Sponsoring Organizations
- ISO/IEC 27001:2022 — Annex A People Controls (A.6) — ISO
- US FCRA — Background screening employer obligations — US Federal Trade Commission
- ICO — Employment Practices and Data Protection (UK GDPR) — UK Information Commissioner's Office
- European Data Protection Board — Guidelines on processing in the employment context — EDPB
- NIST SP 800-53 Rev. 5 — Personnel Security (PS) control family — NIST
Read next
All playbooksForget the 99 articles. There are 12 GDPR obligations that show up in normal HR work — DSARs, lawful basis, retention, transfers, breach reporting — and most…
A workable AI policy isn't a ban and isn't a free-for-all. Here's the four-tier model — green, yellow, red, prohibited — with the language, examples, and…
The documentation discipline that protects employees, managers, and the company in equal measure. What to write, when, in what system — and what never to put…