SOC 2 TSC 2022 Framework, Assessment & Task Pack
We are pleased to announce that the fully structured SOC 2 TSC 2022 Framework, along with its aligned Assessment and Task Pack, is now available.
This release represents a structural upgrade and a content refresh.
It was built to support defensible, repeatable SOC 2 delivery whether you are:
- An MSP or MSSP managing multiple client environments
- A vCISO standardizing delivery models
- A direct organization preparing for or maintaining its own SOC 2 report
Why This Update Was Necessary
SOC 2 remains one of the most requested assurance reports across SaaS and technology organizations.
But in practice, we consistently see structural issues that create audit friction:
- Criteria paraphrased instead of preserved
- Points of focus collapsed into generic checklist items
- Multiple enforceable obligations combined into single controls
- Assessment questions that do not trace cleanly to requirements
- Remediation tasks that are not aligned to specific obligations
- Rework during audit cycles due to structural ambiguity
These issues create interpretation drift — and interpretation drift creates audit risk, remediation cycles, and margin erosion for service providers.
SOC 2 is not difficult because it is conceptually complex. It becomes difficult when its structure is compromised.
How We Structured the SOC 2 TSC 2022 Framework
This release was built directly from the authoritative AICPA Trust Services Criteria (2022), preserving structure and enforceable language.
1️⃣ Authoritative Language Preserved
Criteria and applicable points of focus are retained in their original language.
We did not paraphrase or compress enforceable obligations. This ensures:
- Auditor-aligned terminology
- Reduced interpretation disputes
- Defensible documentation
- Alignment with official TSC language
2️⃣ Parent / Child Structural Integrity
Introductory COSO principles and criteria remain parent controls.
Discrete enforceable elements and applicable points of focus are structured as child controls.
Each subsection (a), (b), (c), etc. that represents an enforceable obligation is preserved as its own discrete child obligation.
This eliminates:
- Collapsed checklist implementations
- Hidden requirements within single controls
- Ambiguity in evidence attachment
- Audit scope confusion
It enables:
- Obligation-level traceability
- Clean mapping between criteria and evidence
- Repeatable delivery across environments
3️⃣ One Requirement → One Assessment Question
Each child control maps to a single assessment question.
We did not artificially expand or condense requirements.
When multiple enforceable elements exist within a requirement, they are structured clearly within a single question using subcomponents — preserving the integrity of the obligation while enabling operational assessment.
This supports:
- Accurate gap identification
- Cleaner remediation planning
- Audit-ready defensibility
- Reduced ambiguity during walkthroughs
4️⃣ Integrated Assessment & Task Pack
This release includes:
- The structured SOC 2 framework
- A mapped assessment aligned to each child obligation
- A task pack aligned to remediation and evidence workflows
This creates a clear lifecycle:
Criterion → Child Obligation → Assessment → Remediation Task → Evidence → Audit Traceability
For MSPs and MSSPs, this supports standardized multi-tenant delivery.
For direct organizations, this supports internal governance maturity and predictable audit outcomes.
What This Eliminates
By preserving authoritative structure and aligning it directly to assessment and remediation workflows, this release eliminates:
- Internal reinterpretation of SOC 2 criteria
- Checklist-style control collapse
- Structural ambiguity between requirements and controls
- Misalignment between assessments and remediation tasks
- Rework during audit cycles
- Inconsistent implementation across client environments
For MSPs and MSSPs, this means higher margin, lower rework, and scalable delivery.
For direct organizations, this means clearer auditor conversations and stronger documentation defensibility.
Who Should Leverage This Update
This update is especially relevant for organizations that:
- Deliver SOC 2 as a managed service
- Operate across multiple environments or business units
- Are preparing for their first Type I or Type II report
- Have experienced remediation cycles due to control ambiguity
- Want tighter alignment between governance and audit
Operationally, SOC 2 becomes complex when scale and interpretation intersect. This structure is designed to address both.
Why This Is a Structural Upgrade
SOC 2 audits depend on:
- Language precision
- Traceability
- Consistency
- Evidence clarity
When the framework, assessment, and remediation structure align directly to authoritative obligations, audit defensibility improves.
This release ensures:
- Clear lineage from criterion to evidence
- Reduced interpretation risk
- Scalable governance implementation
- Cleaner audit execution
The SOC 2 TSC 2022 Framework, Assessment, and Task Pack is now available in the platform to support consistent, defensible SOC 2 program delivery.
Important Clarification
This release supports SOC 2 compliance readiness and operational alignment.
SOC 2 reports (Type I or Type II) can only be issued by a licensed CPA firm in accordance with AICPA attestation standards. The framework, assessment, and task pack released on March 26 are designed to support readiness, governance alignment, remediation tracking, and audit preparation — but they do not constitute certification or replace an independent audit.
Additional improvements are planned to allow further separation of controls to a more granular level, as well as an easier way to remove controls that are not identified as relevant by the final auditing AICPA firm. These updates will come in a future content structure update of the product later in 2026.