SOC 2 Compliance for Azure: A Practical Guide

What SOC 2 means for your Azure environment, which controls apply, and how to automate evidence collection for your next audit.

SOC 2 and Azure: What You Need to Know

SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA. It evaluates an organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy — the five Trust Services Criteria (TSC).

If your organization provides cloud-based services and your customers ask for a SOC 2 report, you need to demonstrate that your Azure infrastructure meets these criteria.

The Five Trust Services Criteria

Security (Common Criteria)

The most fundamental TSC — and the one that applies to every SOC 2 engagement. Security controls protect against unauthorized access, both physical and logical.

Azure-relevant controls include:

  • Identity and access management (MFA, RBAC, PIM)
  • Network security (NSGs, firewalls, private endpoints)
  • Encryption (at rest with AES-256, in transit with TLS 1.2+)
  • Logging and monitoring (Activity logs, diagnostic settings)
  • Vulnerability management (Defender for Cloud, security assessments)

Availability

Controls ensuring systems are available for operation as committed. In Azure terms:

  • SLA tracking and uptime monitoring
  • Disaster recovery configuration
  • Backup policies and testing
  • Capacity planning and auto-scaling
  • Incident response procedures

Processing Integrity

Controls ensuring system processing is complete, valid, accurate, and timely:

  • Data validation rules
  • Error handling and retry logic
  • Transaction logging
  • Quality assurance processes

Confidentiality

Controls protecting information designated as confidential:

  • Data classification policies
  • Encryption for sensitive data
  • Access controls based on data sensitivity
  • Secure data disposal procedures

Privacy

Controls related to personal information collection, use, retention, and disposal:

  • Privacy policy implementation
  • Consent management
  • Data retention and deletion
  • Subject access request handling

Automating SOC 2 Evidence

The biggest pain point in SOC 2 audits isn't fixing issues — it's producing evidence. Auditors need screenshots, configuration exports, and documentation for every control.

Automated compliance monitoring addresses this by:

  1. Continuous assessment — Controls are evaluated on every scan, not just during audit season
  2. Control mapping — Each security check is mapped to specific SOC 2 criteria
  3. Evidence generation — Pass/fail status with supporting data for each control
  4. PDF export — Audit-ready reports with control status and evidence

Instead of spending weeks preparing for an audit, you export a report that shows current compliance status across all applicable criteria.
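The control-mapping and evidence-generation steps above, as an added example that is not Unsave's code: each check is tied to a Trust Services criterion, run over resource snapshots, and turned into a pass/fail record that carries the configuration it was judged on. The resource snapshots are constructed samples shaped like Azure Resource Manager JSON, and the check-to-criterion mapping is an illustrative assumption, not an authoritative one.

```python
# Added example, not Unsave's code. Resources below are constructed samples
# shaped like Azure Resource Manager JSON; the criterion mapping is illustrative.
from datetime import datetime, timezone

SAMPLE_RESOURCES = [
    {"type": "Microsoft.Storage/storageAccounts", "name": "stprodlogs",
     "properties": {"minimumTlsVersion": "TLS1_0",
                    "supportsHttpsTrafficOnly": True}},
    {"type": "Microsoft.Network/networkSecurityGroups", "name": "nsg-web",
     "properties": {"securityRules": [
         {"name": "allow-ssh-any", "access": "Allow", "direction": "Inbound",
          "sourceAddressPrefix": "*", "destinationPortRange": "22"}]}},
]

def check_min_tls(res):
    """Encryption in transit: the account must refuse anything below TLS 1.2."""
    return res["properties"].get("minimumTlsVersion") == "TLS1_2"

def check_https_only(res):
    """Encryption in transit: plain-HTTP access to the account is disabled."""
    return res["properties"].get("supportsHttpsTrafficOnly") is True

def check_no_open_mgmt_ports(res):
    """Network security: no inbound Allow from any source to SSH or RDP."""
    for rule in res["properties"].get("securityRules", []):
        if (rule["access"] == "Allow" and rule["direction"] == "Inbound"
                and rule["sourceAddressPrefix"] in ("*", "Internet", "0.0.0.0/0")
                and rule["destinationPortRange"] in ("22", "3389", "*")):
            return False
    return True

# (resource type, check function, SOC 2 criterion the check supports)
CHECKS = [
    ("Microsoft.Storage/storageAccounts", check_min_tls, "CC6.7"),
    ("Microsoft.Storage/storageAccounts", check_https_only, "CC6.7"),
    ("Microsoft.Network/networkSecurityGroups", check_no_open_mgmt_ports, "CC6.6"),
]

def assess(resources, checks=CHECKS):
    """Run every applicable check; one evidence record per (check, resource)."""
    stamp = datetime.now(timezone.utc).isoformat()
    return [{"criterion": crit, "check": fn.__name__, "resource": res["name"],
             "status": "PASS" if fn(res) else "FAIL",
             "evidence": res["properties"], "assessed_at": stamp}
            for res in resources for rtype, fn, crit in checks if res["type"] == rtype]

def score_by_criterion(records):
    """Share of passing checks per criterion, e.g. {'CC6.6': 0.0, 'CC6.7': 0.5}."""
    crits = {r["criterion"] for r in records}
    return {c: sum(r["status"] == "PASS" for r in records if r["criterion"] == c)
               / sum(r["criterion"] == c for r in records) for c in crits}
```

Because every record keeps the properties it was evaluated against, the same list can be rendered into the audit report directly instead of being re-collected as screenshots.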

What Unsave Covers

Unsave maps its 103 security checks to SOC 2 Trust Services Criteria, focusing on the Security (Common Criteria) domain — the controls most directly affected by Azure configuration:

  • CC6.1-6.8: Logical and physical access controls → RBAC, MFA, Conditional Access checks
  • CC7.1-7.5: System operations → Monitoring, alerting, change management checks
  • CC8.1: Change management → Activity log ingestion, change tracking

Your SOC 2 compliance score updates with every assessment, giving you continuous visibility instead of point-in-time snapshots.


Automate SOC 2 evidence collection for Azure. Try Unsave free at unsave.io.