How SOC2 evidence works

The mental model behind controls, criteria, and evidence collection.

SOC2 isn't a list of things to install. It's a set of Trust Services Criteria your auditor evaluates against — and they evaluate by reading the evidence you produce.

Criteria → controls → evidence

Each Trust Services Criterion (e.g. CC6.6 Encryption) is satisfied by one or more controls (e.g. Storage account encryption at rest). Each control is verified by collecting evidence from your environment.
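The criterion → control → evidence chain above can be expressed as a small data model with an automated collector. The example below is added here and is not code from the original page or its product; the control and criterion identifiers reuse the page's own labels (CC6.6 Encryption, storage account encryption at rest), the helper names (`collect_evidence`, `criterion_status`, `failing_resources`, `build_cc66`) are hypothetical, and the storage-account records are constructed sample data, not output from any real cloud API.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable

# Constructed sample of storage-account configuration, shaped like what an
# evidence collector might receive from a cloud API (not real tenant data).
SAMPLE_STORAGE_ACCOUNTS = [
    {"name": "stprodlogs", "encryption_at_rest": True, "key_type": "customer-managed"},
    {"name": "stdevscratch", "encryption_at_rest": False, "key_type": None},
]


@dataclass
class Evidence:
    """One observation: which control, which resource, pass/fail, what was seen, when."""
    control_id: str
    resource: str
    passed: bool
    observed: dict
    collected_at: str


@dataclass
class Control:
    """A control is a concrete check; its evidence list fills as the check runs."""
    control_id: str
    description: str
    check: Callable[[dict], bool]
    evidence: list = field(default_factory=list)


@dataclass
class Criterion:
    """A Trust Services Criterion is satisfied through one or more controls."""
    criterion_id: str
    title: str
    controls: list


def collect_evidence(control: Control, resources: list) -> list:
    """Run the control's check over every resource and keep a timestamped
    evidence record for each one, whether it passed or failed. Failures are
    kept too: an auditor wants to see the exception, not a filtered view."""
    now = datetime.now(timezone.utc).isoformat()
    control.evidence = [
        Evidence(control.control_id, r["name"], control.check(r), dict(r), now)
        for r in resources
    ]
    return control.evidence


def criterion_status(criterion: Criterion) -> str:
    """A criterion is only 'satisfied' when every control under it has
    evidence and every evidence record passed. A control with no evidence
    is reported as such rather than silently counted as passing."""
    for control in criterion.controls:
        if not control.evidence:
            return "no evidence"
        if not all(e.passed for e in control.evidence):
            return "exception"
    return "satisfied"


def failing_resources(criterion: Criterion) -> list:
    """Resources that caused an exception anywhere under the criterion."""
    return sorted(
        e.resource
        for control in criterion.controls
        for e in control.evidence
        if not e.passed
    )


def build_cc66() -> Criterion:
    """Hypothetical mapping: the page's CC6.6 Encryption criterion backed by
    a single 'storage account encryption at rest' control."""
    encryption = Control(
        control_id="storage-encryption-at-rest",
        description="Storage account encryption at rest",
        check=lambda r: r.get("encryption_at_rest") is True,
    )
    return Criterion("CC6.6", "Encryption", [encryption])


if __name__ == "__main__":
    criterion = build_cc66()
    for control in criterion.controls:
        collect_evidence(control, SAMPLE_STORAGE_ACCOUNTS)
    print(criterion.criterion_id, criterion_status(criterion), failing_resources(criterion))
```

Run against the constructed sample, the criterion reports an exception because one account is unencrypted; remove that account (or fix it) and the same criterion reads as satisfied. The point of keeping failing records in the evidence list is that the evidence, not the control's intent, is what the auditor reads.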