Daniel J Glover

SOC 2 secure controls in 2025


For organisations handling sensitive customer data, SOC 2 compliance remains the gold standard for demonstrating security controls. But the landscape is shifting rapidly. New threats, evolving regulations, and emerging technologies like AI are driving significant updates to how SOC 2 is audited and to the supporting control frameworks that map to it. The Trust Services Criteria themselves were last reissued in 2017 (with revised points of focus in 2022); what is changing is how auditors apply them and what evidence they expect to see.

Understanding the SOC 2 Framework

The SOC 2 framework was developed by the American Institute of Certified Public Accountants (AICPA) to provide independent assurance about the controls a service organisation operates over the customer data it holds and processes. According to Sprinto, it's a voluntary compliance standard designed to protect sensitive customer data collected and processed by service organisations.

The framework is built on five Trust Services Criteria (TSC):

  1. Security (required) - Protection against unauthorized access
  2. Availability - Systems are operational and usable as committed
  3. Confidentiality - Information designated as confidential is protected
  4. Processing Integrity - System processing is complete, accurate, and authorized
  5. Privacy - Personal information is collected, used, and retained appropriately

While only Security is mandatory, most organisations pursuing SOC 2 include multiple criteria based on their business model and customer expectations.

Key SOC 2 Updates for 2024-2025

Increased Auditor Scrutiny

Forvis Mazars reports that auditors are expected to intensify their scrutiny of inherent risk areas, leading to more meticulous examination of potential vulnerabilities. This means:

  • More detailed evidence requirements for control effectiveness
  • Greater focus on actual implementation versus documented policies
  • Deeper testing of technical controls, not just process controls

Zero Trust Integration

OCD Tech highlights that changes in SOC 2 compliance for 2025 include updates related to Zero Trust architecture. Organisations can no longer rely on perimeter-based security models. Auditors are increasingly expecting to see:

  • Identity verification at every access point
  • Microsegmentation of networks
  • Continuous authentication and authorisation
  • Least-privilege access models

AI and Automation Considerations

As AI becomes embedded in business processes, SOC 2 audits are evolving to address:

  • AI governance frameworks and model risk management
  • Automated control monitoring and its reliability
  • Data handling in AI training pipelines
  • Bias and fairness considerations for AI-driven decisions

The Secure Controls Framework (SCF): 2024-2025 Updates

The Secure Controls Framework is an open-source meta-framework that maps controls across multiple compliance standards, including SOC 2/TSC. It's become an essential tool for organisations managing multiple compliance requirements.

Version 2024.1: STRM Integration

This release introduced Set Theory Relationship Mapping (STRM) per NIST IR 8477, providing:

  • More precise mapping between control frameworks
  • Better identification of control gaps
  • Improved efficiency in multi-framework compliance
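To make the STRM idea concrete, the following is an added illustration (not SCF's own mapping tooling or data) of what a set-theoretic relationship between two controls means in practice. Each control is modelled as a set of atomic requirement statements, the five NIST IR 8477 relationship types fall straight out of set comparison, and a gap report shows why "subset of" and "intersects with" mappings do not, on their own, satisfy the target criterion. The control IDs and requirement labels are constructed for the example, not quotations of SOC 2 or SCF text.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Relationship(str, Enum):
    """The five relationship types NIST IR 8477 uses to map one control to another."""
    EQUAL = "equal"
    SUBSET = "subset of"
    SUPERSET = "superset of"
    INTERSECTS = "intersects with"
    NO_RELATIONSHIP = "no relationship"


@dataclass(frozen=True)
class Control:
    framework: str
    control_id: str
    # Atomic requirements the control imposes. Real mappings are written by an
    # analyst reading the control text; these labels are constructed for the demo.
    requirements: frozenset


def strm_relationship(focal: Control, reference: Control) -> Relationship:
    """Classify the focal control against the reference control, STRM style."""
    f, r = focal.requirements, reference.requirements
    if f == r:
        return Relationship.EQUAL
    if f < r:                      # proper subset: focal covers part of reference
        return Relationship.SUBSET
    if f > r:                      # proper superset: focal covers reference and more
        return Relationship.SUPERSET
    if f & r:                      # overlap without containment
        return Relationship.INTERSECTS
    return Relationship.NO_RELATIONSHIP


def gap_report(target: Control, implemented: Iterable[Control]) -> dict:
    """Credit every implemented control that touches the target, then list what
    the target still requires. Only the overlapping requirements count as covered."""
    mapped = []
    covered = set()
    for ctrl in implemented:
        rel = strm_relationship(ctrl, target)
        if rel is Relationship.NO_RELATIONSHIP:
            continue
        mapped.append((ctrl.control_id, rel.value))
        covered |= ctrl.requirements & target.requirements
    return {
        "target": target.control_id,
        "mapped": mapped,
        "missing": sorted(target.requirements - covered),
        "satisfied": covered == target.requirements,
    }


# Constructed controls (hypothetical IDs, not real SOC 2 or SCF identifiers).
SOC2_ACCESS = Control("SOC 2", "TSC-ACCESS-X", frozenset({
    "unique-ids", "mfa-for-privileged", "quarterly-access-review", "timely-deprovision",
}))
SCF_IDENTITY = Control("SCF", "SCF-IAC-A", frozenset({"unique-ids", "mfa-for-privileged"}))
SCF_REVIEW = Control("SCF", "SCF-IAC-B", frozenset({"quarterly-access-review", "review-evidence-retained"}))
SCF_BACKUP = Control("SCF", "SCF-BCD-A", frozenset({"daily-backups", "restore-test"}))


def demo() -> dict:
    """Map three SCF-style controls onto one SOC 2-style criterion."""
    return gap_report(SOC2_ACCESS, [SCF_IDENTITY, SCF_REVIEW, SCF_BACKUP])


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run as a script, the report shows SCF-IAC-A as a subset of the target and SCF-IAC-B as intersecting it, with "timely-deprovision" still missing: a point-to-point "mapped" tick would have hidden that gap, which is exactly what the STRM relationship types are meant to expose.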

Version 2024.2: Major Enhancements

This release brought several significant changes:

PPTDF Applicability Tagging

Controls are now tagged based on People, Processes, Technology, Data & Facilities applicability. This helps organisations:

  • Assign controls to the right teams
  • Identify which controls require technical implementation versus policy changes
  • Plan remediation efforts more effectively

MSP/MSSP Secure Practices Baseline (SCF-M)

Perhaps the most significant addition is the SCF-M sub-control set, designed to help organisations perform Cybersecurity Supply Chain Risk Management (C-SCRM) assessments of their Managed Service Providers (MSP) and Managed Security Service Providers (MSSP).

This reflects the growing recognition that supply chain security is critical. Your security posture is only as strong as your weakest vendor.

Version 2025.1.1: Global Privacy Expansion

The latest release added support for the India Digital Personal Data Protection Act (DPDPA), continuing the SCF's expansion to cover global privacy regulations.

Practical Implications for Security Teams

1. Continuous Compliance Is Now Expected

The traditional "point-in-time" approach to SOC 2 is giving way to continuous monitoring. Bright Defense notes that organisations need systems that can demonstrate ongoing compliance, not just compliance at audit time.

Recommendations:

  • Implement automated control monitoring
  • Maintain continuous evidence collection
  • Conduct regular internal assessments between audits
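What "automated control monitoring" with "continuous evidence collection" looks like at the smallest useful scale, as an added example (my own illustration, not a tool the post or any vendor ships): two identity controls evaluated against an inventory snapshot, with the result written as a self-describing evidence record that carries the evaluation time and a SHA-256 of the exact input it judged, so an auditor can tie the verdict to the data. The inventory format is hypothetical and constructed inline; in a real pipeline it would be the export of your identity provider or cloud IAM API, and the record would be stored with each scheduled run.

```python
import hashlib
import json
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed identity inventory in a hypothetical normalised format (not any
# provider's real API output).
INVENTORY_SNAPSHOT = json.dumps({
    "users": [
        {"name": "alice", "console": True, "mfa": True,
         "access_keys": [{"id": "KEY-1", "created": "2025-05-01T00:00:00Z"}]},
        {"name": "bob", "console": True, "mfa": False, "access_keys": []},
        {"name": "ci-deploy", "console": False, "mfa": False,
         "access_keys": [{"id": "KEY-2", "created": "2024-11-01T00:00:00Z"}]},
    ]
}, sort_keys=True)


def _parse_utc(ts: str) -> datetime:
    # Accept a trailing 'Z' on older Pythons, and normalise to UTC.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_console_mfa(users: list) -> list:
    """Control: every identity with interactive console access has MFA enabled."""
    return [{"control": "IAM-MFA", "subject": u["name"],
             "detail": "console access without MFA"}
            for u in users if u["console"] and not u["mfa"]]


def check_key_age(users: list, now: datetime) -> list:
    """Control: no long-lived access key is older than MAX_KEY_AGE_DAYS."""
    findings = []
    for u in users:
        for key in u["access_keys"]:
            age = (now - _parse_utc(key["created"])).days
            if age > MAX_KEY_AGE_DAYS:
                findings.append({
                    "control": "IAM-KEY-ROTATION",
                    "subject": f'{u["name"]}/{key["id"]}',
                    "detail": f"key is {age} days old (limit {MAX_KEY_AGE_DAYS})",
                })
    return findings


def evaluate(snapshot_json: str, now_iso: str) -> dict:
    """Run every check and return one evidence record for this evaluation.

    The input hash lets a reviewer confirm later which snapshot produced the
    verdict; the timestamp is the evaluation time, not the export time.
    """
    now = _parse_utc(now_iso)
    users = json.loads(snapshot_json)["users"]
    findings = check_console_mfa(users) + check_key_age(users, now)
    return {
        "evaluated_at": now.isoformat(),
        "checks": ["IAM-MFA", "IAM-KEY-ROTATION"],
        "input_sha256": hashlib.sha256(snapshot_json.encode("utf-8")).hexdigest(),
        "status": "FAIL" if findings else "PASS",
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(evaluate(INVENTORY_SNAPSHOT, "2025-06-15T00:00:00Z"), indent=2))
```

Scheduled daily, each record becomes a data point in a continuous evidence trail rather than a screenshot taken the week before the audit; a failing record that is followed by a passing one also documents the remediation time, which is what an auditor testing control effectiveness over the period actually wants to see.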

2. Supply Chain Risk Management Is Non-Negotiable

With the SCF-M baseline now available, there's no excuse for not assessing your service providers. Key questions to ask:

  • Do your MSPs/MSSPs have their own SOC 2 reports?
  • How do you monitor vendor security posture continuously?
  • What's your process for vendor security incidents?

3. AI Governance Needs Attention Now

If you're using AI in your operations - and most organisations are, whether they realise it or not - you need governance frameworks in place. This includes:

  • Documenting AI use cases and risk assessments
  • Establishing model validation and monitoring procedures
  • Defining acceptable use policies
  • Creating incident response procedures for AI failures

4. Zero Trust Isn't Optional

Sprinto's SOC 2 updates guide emphasizes that Zero Trust principles are becoming baseline expectations. Start with:

  • Identity and access management modernisation
  • Network segmentation projects
  • Continuous verification mechanisms

Looking Ahead

The trajectory is clear: SOC 2 compliance is becoming more rigorous, more continuous, and more comprehensive. Organisations that treat compliance as a checkbox exercise will struggle. Those that build security into their DNA - using frameworks like SCF to create coherent, mappable control environments - will thrive.

The good news? Better tools and frameworks are available to help. The challenge is commitment: investing in the people, processes, and technology to make compliance a continuous practice rather than an annual scramble.


Ready to Strengthen Your Compliance Posture?

Navigating SOC 2, ISO 27001, or GDPR requirements can be complex. My IT Compliance services help organisations build sustainable compliance programmes - from gap analysis through audit preparation.

Get in touch to discuss your compliance challenges and how we can work together.


Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
