GambleHub

SOC 2: Security Control Criteria

1) SOC 2 in a nutshell

SOC 2 is an independent attestation, issued by a CPA firm, of how an organization designs (Design) and operates (Operating) its controls against the AICPA Trust Services Criteria (TSC).
In iGaming it raises the confidence of regulators, banks, PSPs (payment service providers) and partners, and simplifies the TPRM (third-party risk management) reviews that counterparties run on you.

Report types:
  • Type I - a point in time (as of a specific date): are the controls suitably designed and implemented?
  • Type II - a period (usually 6-12 months): did the controls operate effectively throughout it? The auditor tests samples of evidence from across the period.

2) Trust Services Criteria (TSC) and how to read them

Security (the Common Criteria, CC) is mandatory in every SOC 2 report; the other four categories are added to scope only where the service makes commitments in that area:

Criterion | Purpose | Examples of what the auditor asks about
Security (CC) | Protection against unauthorized access and misuse | MFA, RBAC/ABAC, SoD, logging, vulnerability management
Availability | The system is available as committed (SLA/SLO) | DR/BCP, RTO/RPO, SLO monitoring, incident management
Confidentiality | Sensitive data is protected as committed | Classification, encryption, masking, export controls
Processing Integrity | Processing is complete, accurate, timely and authorized | Data quality controls, reconciliations, end-to-end tests
Privacy | PII lifecycle: collection, use, retention, disclosure, disposal | Legal basis, RoPA, DSAR, retention, CMP

3) Control model and mandatory elements (Security - CC)

Governance & Risk: information security policy, risk register, security objectives, roles/RACI, training.
Access Control: RBAC/ABAC, SoD, JIT/PAM, password policy and MFA, SCIM/IGA provisioning, offboarding ≤ 15 min.
Change & SDLC: DevSecOps, SAST/DAST/dependency scanning (DS), IaC scanning, CAB, deployment logs, rollbacks.
Logging & Monitoring: centralized logs (WORM storage + signatures/hash chain), SIEM/SOAR, KRI alerts.
Vuln & Patch: identification/classification process, SLAs for High/Critical, verification that fixes are deployed.
Incident Response: playbook, RACI, war room, post-mortems and CAPAs.
Vendor/TPRM: due diligence, DPA/SLA, right to audit, ongoing vendor monitoring.


4) Extended criteria (A, C, PI, P)

Availability (A)

SLO/SLA and dashboards; DR/BCP with RTO/RPO targets and annual tests; capacity planning and cross-region deployment; availability incident process.

Confidentiality (C)

Data classification; encryption at rest/in transit (KMS/HSM), PII tokenization; export control (signed and logged exports); retention.

Processing Integrity (PI)

Data quality control: schema validation, deduplication, reconciliation; job-run monitoring (every scheduled job started and finished); change management for pipelines.

Privacy (P)

Privacy policy; RoPA/legal basis; CIW/consent; DPIA/DSAR; masking/retention; audit of trackers/SDKs.


5) SOC 2 mapping ↔ your policies/controls

ISO 27001/ISMS → covers the core of CC (risk management, policies, logging, vulnerability management).
ISO 27701/PIMS → closes many of the Privacy criteria.
Internal policies (RBAC/Least Privilege, Password Policy and MFA, Logging Policy, Incidents, TPRM, DR/BCP) map directly to TSC items.

💡 Build a correspondence matrix: TSC item → policy/procedure → control → evidence → metric.

6) Catalog of controls and examples of evidence

For each control record: ID, purpose, owner, frequency, method (automated/manual), sources of evidence.

Examples (fragment):
  • SEC-ACCESS-01 - MFA for admin access → IdP report, screenshots of settings, log samples.
  • SEC-IGA-02 - Offboarding ≤ 15 min → SCIM logs, termination tickets, account-blocking log.
  • SEC-LOG-05 - Immutable logs (WORM) → configs, hash chains, export samples.
  • AVAIL-DR-01 - Annual DR test → test protocol, measured RTO/RPO.
  • CONF-ENC-03 - KMS/HSM key management → rotation policy, KMS audit log.
  • PI-DATA-02 - Reconciliation of payments → reconciliation reports, incidents, CAPAs.
  • PRIV-DSAR-01 - DSAR SLA → request register, timestamps, response templates.
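An added example, not GambleHub's code, of the hash-chain-plus-signature pattern behind SEC-LOG-05 and the "WORM + signature" requirement in section 3: every exported event carries the hash of its predecessor, and the chain head is sealed with an HMAC, so an edit, deletion or reordering breaks a link, and truncating the tail (which leaves a valid shorter chain) breaks the seal. The events, field names and seal key are constructed for the example; in production the seal key lives in KMS/HSM and object-lock (WORM) storage keeps the export file itself from being overwritten.

```python
import copy
import hashlib
import hmac
import json

# Constructed sample events of the kind an IdP / SIEM export would contain.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "actor": "alice", "action": "admin.login", "mfa": True},
    {"ts": "2024-03-01T10:05:12Z", "actor": "alice", "action": "role.grant",
     "target": "bob", "role": "payments-approver"},
    {"ts": "2024-03-01T10:07:40Z", "actor": "scim", "action": "user.deprovision", "target": "carol"},
]

# Hypothetical seal key for the demo only; a real exporter asks KMS/HSM to sign instead of holding key bytes.
SEAL_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64


def canonical(event: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def link_hash(prev_hash: str, event: dict) -> str:
    return hashlib.sha256(bytes.fromhex(prev_hash) + canonical(event)).hexdigest()


def build_export(events, key=SEAL_KEY) -> dict:
    """Chain the events and seal the head with an HMAC over the final hash."""
    prev, records = GENESIS, []
    for ev in events:
        h = link_hash(prev, ev)
        records.append({"event": ev, "prev_hash": prev, "hash": h})
        prev = h
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"records": records, "head": prev, "seal": seal}


def verify_export(export: dict, key=SEAL_KEY) -> str:
    """Recompute every link and the seal; return 'ok' or the first failure found."""
    prev = GENESIS
    for i, rec in enumerate(export["records"]):
        if rec["prev_hash"] != prev:
            return f"record {i}: prev_hash mismatch"
        if rec["hash"] != link_hash(prev, rec["event"]):
            return f"record {i}: hash mismatch"
        prev = rec["hash"]
    if prev != export["head"]:
        return "head mismatch"
    expected_seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, export["seal"]):
        return "seal mismatch"
    return "ok"


def tamper_checks(events=SAMPLE_EVENTS) -> dict:
    """Apply what someone with write access to the export would try, and report the verifier's verdict."""
    export = build_export(events)

    edited = copy.deepcopy(export)                    # quietly downgrade a granted role
    edited["records"][1]["event"]["role"] = "viewer"

    deleted = copy.deepcopy(export)                   # remove a record from the middle
    del deleted["records"][1]

    truncated = copy.deepcopy(export)                 # drop the last record and re-point the head
    truncated["records"].pop()
    truncated["head"] = truncated["records"][-1]["hash"]

    return {
        "intact": verify_export(export),
        "edited": verify_export(edited),
        "deleted": verify_export(deleted),
        "truncated": verify_export(truncated),
        "wrong_key": verify_export(export, key=b"other-key"),
    }


if __name__ == "__main__":
    for name, verdict in tamper_checks().items():
        print(f"{name:10s} -> {verdict}")
```

The chain alone only proves internal consistency; the seal is what ties the head to a key the log writer does not hold, which is why the truncation case is caught only at the seal step. For the evidence sample, keep the export, the head hash and the seal together, and let the auditor re-run the verifier.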

7) Procedures (SOPs) to maintain SOC 2

SOP-1 Incidents: detection → triage → containment → RCA → CAPA → report.
SOP-2 Change Management: PR → CI/CD → scans → CAB → deploy → monitoring → rollback/fixes.
SOP-3 Vulnerabilities: intake → classification → SLA → verification of the fix → release.
SOP-4 Access: JML/IGA, quarterly re-certification, SoD blocks, JIT/PAM.
SOP-5 DR/BCP: annual tests, partial exercises, publication of measured RTO/RPO.
SOP-6 Exports/privacy: allow-listing of destinations, signed and logged exports, retention/deletion.


8) Preparation for audit: Type I → Type II

1. TSC gap analysis: coverage matrix, list of missing controls.
2. Policies and procedures: update them, appoint owners.
3. Unified evidence storage: logs, IdP/SIEM reports, tickets, exported samples (signed).
4. Internal readiness audit: walk through the auditor's questionnaire, pull sample evidence.
5. Type I (as of date X): demonstrate the design of the controls and that they are in operation.
6. Observation period (6-12 months): continuous collection of artifacts, closure of findings.
7. Type II: provide samples for the whole period; the report covers operating effectiveness.


9) Metrics (KPI/KRI) for SOC 2

KPI:
  • MFA adoption = 100%
  • Offboarding TTR ≤ 15 min
  • Patch SLA: High/Critical closed on time ≥ 95%
  • DR tests: schedule adherence = 100%, measured RTO/RPO within target
  • Logging coverage (WORM) ≥ 95% of critical systems
KRI:
  • PII access without a recorded purpose = 0
  • SoD violations = 0
  • Incidents reported later than the regulatory deadline = 0
  • Recurring High/Critical vulnerabilities > 5% → escalation
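An added example, not GambleHub's tooling, of computing several of these KPIs/KRIs from the evidence the controls already produce instead of by hand: admin MFA adoption from an IdP user export, offboarding TTR by joining HR termination timestamps to SCIM deprovision events (a missing deprovision event is reported as None, an open finding, rather than silently skipped), patch-SLA timeliness by severity (open findings past their deadline count as late, open findings still inside SLA are not yet due), and the SoD KRI from role assignments checked against a conflict list. All records, the SLA day counts and the role names are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed exports of the kind the IdP, HR system, SCIM connector and vulnerability scanner produce.
IDP_USERS = [
    {"user": "alice", "admin": True, "mfa": True},
    {"user": "dave", "admin": True, "mfa": False},
    {"user": "erin", "admin": True, "mfa": True},
    {"user": "bob", "admin": False, "mfa": True},
]
HR_TERMINATIONS = {"carol": "2024-03-01T10:00:00Z", "frank": "2024-03-02T09:00:00Z", "grace": "2024-03-03T17:30:00Z"}
SCIM_DEPROVISIONED = {"carol": "2024-03-01T10:07:40Z", "frank": "2024-03-02T09:40:00Z"}  # grace: no event at all
VULNS = [
    {"id": "V-1", "severity": "critical", "opened": "2024-03-01", "closed": "2024-03-05"},
    {"id": "V-2", "severity": "high", "opened": "2024-03-01", "closed": "2024-03-20"},
    {"id": "V-3", "severity": "critical", "opened": "2024-03-10", "closed": "2024-03-25"},
    {"id": "V-4", "severity": "high", "opened": "2024-03-05", "closed": None},
    {"id": "V-5", "severity": "medium", "opened": "2024-02-01", "closed": None},
    {"id": "V-6", "severity": "critical", "opened": "2024-03-01", "closed": None},
]
ROLE_ASSIGNMENTS = {
    "bob": {"payments-initiator", "payments-approver"},
    "alice": {"payments-approver", "viewer"},
    "erin": {"deploy-prod", "viewer"},
}
SOD_CONFLICTS = [{"payments-initiator", "payments-approver"}, {"deploy-prod", "approve-change"}]
PATCH_SLA_DAYS = {"critical": 7, "high": 30}  # assumed SLAs; the page sets no specific numbers


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


def admin_mfa_adoption(users) -> float:
    """Share of admin accounts with MFA enforced (KPI target: 100%)."""
    admins = [u for u in users if u["admin"]]
    return round(sum(1 for u in admins if u["mfa"]) / len(admins), 4)


def offboarding_ttr_minutes(terminations, deprovisioned) -> dict:
    """Minutes from HR termination to IdP deprovisioning, joined on user.
    None means no deprovision event exists: an open finding, not a fast offboarding."""
    ttr = {}
    for user, hr_ts in terminations.items():
        dep = deprovisioned.get(user)
        ttr[user] = None if dep is None else round((_ts(dep) - _ts(hr_ts)).total_seconds() / 60, 2)
    return ttr


def patch_sla_on_time(vulns, as_of: str, sla=PATCH_SLA_DAYS) -> float:
    """Share of High/Critical findings closed within SLA, as of a reporting date."""
    cutoff, due, on_time = _day(as_of), 0, 0
    for v in vulns:
        if v["severity"] not in sla:
            continue
        deadline = _day(v["opened"]) + timedelta(days=sla[v["severity"]])
        if v["closed"] is None:
            if deadline >= cutoff:
                continue          # still open but inside SLA: not yet due
            due += 1              # open and past deadline: late
        else:
            due += 1
            on_time += 1 if _day(v["closed"]) <= deadline else 0
    return round(on_time / due, 4) if due else 1.0


def sod_violations(assignments, conflicts) -> list:
    """Users holding every role of a conflicting set at once (KRI target: 0)."""
    return sorted((user, tuple(sorted(pair)))
                  for user, roles in assignments.items()
                  for pair in conflicts if pair <= roles)


def kpi_report(as_of: str = "2024-03-31") -> dict:
    ttr = offboarding_ttr_minutes(HR_TERMINATIONS, SCIM_DEPROVISIONED)
    within = sum(1 for m in ttr.values() if m is not None and m <= 15)
    return {
        "admin_mfa_adoption": admin_mfa_adoption(IDP_USERS),
        "offboarding_ttr_min": ttr,
        "offboarding_within_15min": round(within / len(ttr), 4),
        "patch_sla_on_time": patch_sla_on_time(VULNS, as_of),
        "sod_violations": sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS),
    }


if __name__ == "__main__":
    for k, v in kpi_report().items():
        print(f"{k}: {v}")
```

On the constructed data the report shows the kind of month the KPIs are meant to surface: one admin without MFA, one offboarding at 40 minutes and one with no deprovision event at all, half of the due High/Critical findings closed late, and one SoD violation (bob holds both payments-initiator and payments-approver). Moving the reporting date forward turns V-4 from "not yet due" into "late", which is why the SLA figure must always be quoted together with its as-of date.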

10) RACI (high level)

Activity | Board/CEO | CISO/ISMS | Security | Privacy/DPO | SRE/IT | Data/BI | Product/Eng | Legal/Compliance | Internal Audit
SOC 2 scope | A/R | R | C | C | C | C | C | C | I
Catalogue of controls | I | A/R | R | C | R | R | R | C | I
Evidence storage | I | A/R | R | R | R | R | R | C | I
Readiness (internal audit) | I | R | R | R | R | R | R | C | A/R
External audit | I | R | R | R | R | R | R | C | I
CAPA/remediation | I | A/R | R | R | R | R | R | C | C

11) Checklists

11.1 Readiness (before Type I)

  • Scope (TSC categories and systems) locked
  • Policies/procedures current and approved
  • Control owners and metrics assigned
  • Pilot evidence storage ready (logs, IdP/SIEM reports, tickets)
  • Incident tabletop and DR mini-test performed
  • Risk register and SoD matrix confirmed

11.2 Observation period (between Type I and Type II)

  • Weekly evidence sampling/log export
  • Monthly KPI/KRI report
  • Vulnerability closure within SLA
  • Quarterly access re-certification
  • DR/BCP tests as scheduled

11.3 Before Type II

  • Complete set of evidence for the period (per control)
  • Incident/vulnerability register and CAPAs
  • Management review report (period totals)
  • Updated mapping matrix TSC ↔ controls
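An added example, not GambleHub's code, of the per-control evidence check behind "complete set of evidence for the period" above and the catalog fields in section 6: a control's frequency defines the sampling windows over the observation period, and every window without at least one artifact is a gap the auditor's sample will land on. The catalog fragment, the period and the evidence register are constructed; the check also flags artifacts filed under an ID the catalog does not know, and ignores evidence dated outside the period, which does not count.

```python
from datetime import date, timedelta

# Control catalog fragment with the fields from section 6 (constructed; owners and frequencies are assumptions).
CONTROLS = {
    "SEC-ACCESS-01": {"frequency": "monthly", "owner": "Security"},    # MFA report from the IdP
    "SEC-IGA-02": {"frequency": "quarterly", "owner": "Security"},     # access re-certification
    "SEC-LOG-05": {"frequency": "weekly", "owner": "SRE/IT"},          # signed log-export sample
    "AVAIL-DR-01": {"frequency": "annual", "owner": "SRE/IT"},         # DR test protocol
}

PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 6, 30)

# Constructed evidence register: (control_id, date collected, artifact reference).
EVIDENCE = [
    ("SEC-ACCESS-01", date(2024, m, d), f"idp-mfa-report-2024-{m:02d}")
    for m, d in [(1, 15), (2, 14), (3, 15), (5, 15), (6, 14)]          # April report never collected
] + [
    ("SEC-IGA-02", date(2024, 3, 28), "recert-q1"),
    ("SEC-IGA-02", date(2024, 6, 20), "recert-q2"),
    ("AVAIL-DR-01", date(2023, 11, 20), "dr-test-2023"),               # outside the period: does not count
    ("CONF-ENC-99", date(2024, 2, 2), "kms-rotation"),                 # ID not in the catalog
] + [
    ("SEC-LOG-05", PERIOD_START + timedelta(days=7 * i + 2), f"log-export-w{i}")
    for i in range(26) if i != 9                                       # one weekly export missing
]


def _add_months(d: date, n: int) -> date:
    m = d.month - 1 + n
    return date(d.year + m // 12, m % 12 + 1, 1)


def windows(frequency: str, start: date, end: date):
    """Yield the (win_start, win_end) sampling windows a control must produce evidence in, clipped to the period."""
    if frequency == "annual":
        yield start, end
        return
    if frequency == "weekly":
        cur = start
        while cur <= end:
            yield cur, min(cur + timedelta(days=6), end)
            cur += timedelta(days=7)
        return
    step = {"monthly": 1, "quarterly": 3}[frequency]
    first_month = 1 + ((start.month - 1) // step) * step     # align to calendar month / quarter
    cur = date(start.year, first_month, 1)
    while cur <= end:
        nxt = _add_months(cur, step)
        yield max(cur, start), min(nxt - timedelta(days=1), end)
        cur = nxt


def coverage(controls, evidence, start, end) -> dict:
    """Per control: expected windows, windows holding at least one artifact, and the missing ones (ISO ranges)."""
    report = {}
    for cid, meta in controls.items():
        dates = [d for c, d, _ in evidence if c == cid and start <= d <= end]
        wins = list(windows(meta["frequency"], start, end))
        missing = [f"{ws.isoformat()}..{we.isoformat()}" for ws, we in wins
                   if not any(ws <= d <= we for d in dates)]
        report[cid] = {"owner": meta["owner"], "expected": len(wins),
                       "covered": len(wins) - len(missing), "missing": missing}
    return report


def orphan_evidence(controls, evidence) -> list:
    """Artifacts filed under an ID that is not in the catalog: they count as evidence for nothing."""
    return sorted({c for c, _, _ in evidence if c not in controls})


def controls_with_gaps(report) -> list:
    return [cid for cid, r in report.items() if r["missing"]]


if __name__ == "__main__":
    rep = coverage(CONTROLS, EVIDENCE, PERIOD_START, PERIOD_END)
    for cid, r in rep.items():
        print(f"{cid}: {r['covered']}/{r['expected']} owner={r['owner']} missing={r['missing']}")
    print("orphan evidence:", orphan_evidence(CONTROLS, EVIDENCE))
```

Run it weekly during the observation period, not only before Type II: a window that has already closed without an artifact cannot be filled in afterwards, and the control owner listed in the report is the person to chase while the window is still open.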

12) Frequent mistakes and how to avoid them

"Policies without practice": show logs, tickets, DR/incident protocols, not just documents.
Weak logging: without WORM storage, signatures and clear event semantics, evidence is hard to produce and harder to trust.
No access re-certification: orphaned ("hanging") access is a critical finding.
Incomplete vendor scope: SOC 2 looks at the whole chain, including subservice organizations; add TPRM, DPA/SLA, audit rights.
One-off push without a routine: implement JML, dashboards and monthly reporting.


13) Roadmap (12-16 weeks → Type I, another 6-12 months → Type II)

Weeks 1-2: TSC gap analysis, scope, owners, work plan.
Weeks 3-4: update policies/procedures, build the control catalog and mapping matrix.
Weeks 5-6: set up logging (WORM/signatures), SIEM/SOAR, vulnerability/patch SLAs, IdP/MFA, IGA/JML.
Weeks 7-8: minimum DR/BCP tests, TPRM updates (DPA/SLA), incident rehearsal.
Weeks 9-10: evidence storage, KPI/KRI reporting, internal readiness audit.
Weeks 11-12: final fixes, engage the auditor, Type I.
Then: weekly collection of artifacts, quarterly reviews, Type II at the end of the observation period.


TL;DR

SOC 2 = a clear TSC scope → a catalog of controls with owners and metrics → evidence of Design & Operating → continuous logging / SIEM / IGA / DR / TPRM → readiness audit → Type I → observation period → Type II. Make "provability by default" the routine, and the audit will hold no surprises.
