SOC 2 Type II requires documented training evidence for AICPA Trust Services Criteria CC1.4 and CC2.2. Generic e-learning doesn't satisfy it. Our live sessions do — with individual attendance records for your auditor's file.
CC1.4 — Commitment to Competence. Management must ensure personnel are trained to perform their responsibilities securely. Auditors look for documented training completion rates across all employees — not just IT.
CC2.2 — Internal Communication. Security policies and awareness must be communicated throughout the organisation. Training logs, phishing simulation results, and policy acknowledgment records are direct evidence auditors test under CC2.2.
What SOC 2 Actually Requires. Security (Common Criteria CC1–CC9) is mandatory for every SOC 2 report. Training evidence is not optional — it's a control that must demonstrate operating effectiveness over the audit period. A Type II auditor will test whether your training programme actually ran, who completed it, and whether completion was documented at the individual level.
Type I vs Type II — Why the Distinction Matters for Training. Type I reports assess control design at a point in time. Type II reports assess whether controls operated effectively over 6–12 months. Enterprise buyers increasingly demand Type II specifically because Type I tells them controls existed on paper, not that they worked in practice. Training completion logs with timestamps, phishing simulation results, and policy acknowledgment records are the primary evidence for the human-element controls auditors test under CC2.2. A one-time training event before a Type I audit does not satisfy Type II — you need documented, recurring training evidence across the full observation period.
A convincing fake login page for your SaaS product captures executive credentials. Attackers use them to access customer data stored in your system. SOC 2 CC6.8 (logical access) doesn't protect against credentials stolen via social engineering. Your incident response window starts from the moment staff recognise something is wrong.
The Complete BEC Guide →
Attackers research your org structure, impersonate a vendor or executive, and send urgent wire-transfer requests to your finance team. The payment goes out before the fraud is detected. For SOC 2 orgs handling enterprise client data, BEC against finance is the fastest path to a reportable incident under CC7.4.
AI Voice Phishing & Deepfake CFO Scams 2026 →
A departing employee's SaaS credentials are not revoked during offboarding. 30 days later, those credentials are used to access the system. CC6.3 and CC6.4 require access revocation procedures — but the human element (HR, managers not notifying IT) is where this control fails. This is a top finding in SOC 2 Type II audits.
Cyber Insurance Renewal 2026: What Underwriters Require →
A practical IR playbook covering the first 72 hours of a security incident: containment, evidence preservation, notification thresholds, and stakeholder communication. Used by SOC 2 audit-ready teams.
Download the IR Playbook →

Yes. AICPA Trust Services Criteria CC2.2 requires internal communication of security policies and awareness — this is satisfied by live, instructor-led sessions where attendance is documented at the individual level. Our sessions provide a session summary, individual attendance records, and completion timestamps that map directly to the CC2.2 control description. Passively watched e-learning videos without individual tracking do not satisfy this standard.
Every session includes: (1) a session summary document with date, duration, topic, and instructor name; (2) individual attendance records with employee name, timestamp, and session ID; (3) optional signed policy acknowledgment forms. These three artefacts together constitute the training evidence auditors test under CC1.4 and CC2.2.
Annual training is the baseline — most auditors expect to see training completed within the audit observation period. For Type II, you need documented evidence of training across the full period (typically 6–12 months), which means booking training early in your audit cycle rather than just before the examination. New hire onboarding training is also required under CC1.4, so ongoing hiring means ongoing training obligations.
Phishing simulations satisfy the technical testing component of CC2.2 but not the training requirement. Auditors want to see two things: (1) that personnel received training on how to recognise phishing and social engineering, and (2) that the organisation tested whether training translated into changed behaviour (simulation results). A complete SOC 2 training programme combines live instruction with documented phishing simulations and policy acknowledgments.
Yes. Type I requires evidence that controls are designed appropriately and were in place at the point of assessment. Training completion logs and policy acknowledgments are evidence of controls designed to address CC1.4 and CC2.2. Many companies use a Type I assessment as a gap analysis while building toward Type II — training evidence from this period becomes the baseline for your Type II observation window.
One Business tier session satisfies your SOC 2 training obligation under CC1.4 and CC2.2 — with individual attendance records for your audit file. $900 flat, unlimited participants.