AICPA TSC, DC200, COSO, CIS Controls, CSA CCM, COBIT, ISAE 3402, ISAE 3000 — 924 obligations across the complete SOC 2 ecosystem. AuditDSS maps them all and tells you exactly where you stand.
924 SOC 2 obligations
8 Frameworks
320+ Regulatory frameworks
146,445+ Scored obligations
Every compliance team knows they need SOC 2. But most treat it as a single certification with a single set of controls. In reality, SOC 2 is built on an ecosystem of 8 interconnected frameworks. The Trust Services Criteria (TSC) define WHAT must be controlled — but they're built on COSO's 17 principles. DC200 defines WHAT must be described in your system description. CIS Controls and CSA CCM tell you HOW to implement security controls. COBIT provides the IT governance structure. And ISAE 3402/3000 define what your auditor actually examines.
Most companies discover these connections when their auditor asks a question they can't answer. AuditDSS maps every connection before that happens.
That's what AuditDSS does.
924 obligations across 8 frameworks, scored and ready. AuditDSS is the only platform that decomposes ALL of them and shows how they connect.
Updated March 2026 — new frameworks added regularly
AICPA TSC: 58 criteria across Security, Availability, Processing Integrity, Confidentiality, and Privacy. The core of every SOC 2 examination.
DC200: 27 description criteria. Defines what must be included in your system description — the foundation of every SOC 2 report.
COSO: 95 obligations across 5 components and 17 principles. TSC Common Criteria (CC1-CC9) map directly to COSO. This is the foundation.
CIS Controls: 153 prescriptive safeguards across 18 control families. The most actionable security control framework — tells you exactly what to implement.
CSA CCM: 197 cloud-specific control objectives. Essential for SaaS companies — maps directly to TSC criteria.
COBIT: 263 IT governance objectives across 5 domains. Provides the management framework that makes controls sustainable.
ISAE 3402: 56 obligations. Defines Type 1 and Type 2 assurance reports. This is what your auditor follows when examining your controls.
ISAE 3000: 75 obligations. The broader assurance standard that ISAE 3402 sits within. Covers evidence, materiality, and reporting.
Score your organisation against all 58 TSC criteria. Gap analysis tells you exactly what's missing — not just 'you need better access controls', but which specific CC criteria you fail and why.
Generate your system description using all 27 DC200 criteria. AuditDSS ensures your description covers infrastructure, software, people, procedures, data, subservice organisations, and complementary user entity controls.
The embedding layer surfaces relevant CIS Controls (153 safeguards) and CSA CCM controls (197 objectives) for every TSC gap. Not generic recommendations — prescriptive controls mapped to your specific criteria failures.
Map your existing evidence to the 56 ISAE 3402 obligations your auditor will examine. See exactly which controls have evidence and which gaps remain before your Type 2 examination window opens.
Firewall configs, SIEM logs, vulnerability scan results, access control records, and encryption settings. AuditDSS maps your security evidence to specific TSC criteria (CC6, CC7, CC8), CIS Controls safeguards, and CSA CCM control objectives simultaneously.
Information security policies, acceptable use policies, incident response plans, business continuity plans, and change management procedures. Direct evidence for COSO principles, COBIT governance objectives, and TSC Common Criteria CC1-CC5.
Background check records, training completion, org charts, board minutes, risk committee documentation, and code of conduct acknowledgments. Maps to COSO control environment (CC1), TSC criteria, and COBIT governance domain (EDM).
Vendor risk assessments, SOC 2 reports from subservice organisations, cloud configuration reviews, and SLA documentation. Evidence for DC200 criteria DC6 (complementary user entity controls), DC7 (subservice organisations), and CSA CCM supply chain controls.
You don't need to build a separate evidence library for each framework. You need one platform that maps your existing evidence to obligations across TSC, COSO, CIS, CSA CCM, COBIT, and ISAE simultaneously. That's what AuditDSS does — and it's why auditors love working with our clients.
Most compliance platforms tell you what you must do to avoid penalties. AuditDSS also tells you what you gain by complying.
Pre-mapped evidence across all 924 obligations. Know your gaps before the auditor arrives.
Reduce SOC 2 preparation from 6-12 months to weeks by knowing exactly what's needed from day one.
One control can satisfy TSC, CIS, CSA CCM, and COBIT simultaneously. AuditDSS shows every overlap.
SOC 2 is table stakes for enterprise deals. Certified companies close deals 40% faster.
Demonstrate comprehensive compliance that goes beyond checkbox SOC 2 — show the full ecosystem.
Stop paying consultants to map frameworks manually. AuditDSS has already decomposed all 924 obligations.
The most common SOC 2 candidates. Map your cloud infrastructure against TSC criteria and CSA CCM controls. Generate your DC200 system description. Know your audit readiness score before engaging an auditor.
Manage the full SOC 2 program from one workspace. See how a single control satisfies multiple criteria across TSC, CIS, and CSA CCM. Track evidence collection against ISAE 3402 requirements.
Use Advisor Mode to assess clients across the complete SOC 2 ecosystem. The obligation-level decomposition means no criterion gets missed. Generate audit-ready workpapers with evidence mapping.
Don't know where to start? AuditDSS shows you the 58 TSC criteria, prioritised by risk, with specific CIS Controls telling you exactly what to implement. From zero to audit-ready, structured.
Answer a few questions, discover every regulation that applies to your business
Not just 'you need SOC 2' but 924 specific obligations across 8 frameworks, scored by risk
See exactly where you're compliant and where you're exposed
Deterministic document generation for system descriptions, security policies, and procedures. Every clause traced to TSC criteria and COSO principles.
Company Mode for your own compliance. Advisor Mode for consultants managing multiple clients.
Discover which frameworks apply to your business in minutes — or book a walkthrough to see AuditDSS in action.
Building GRC, security, or audit technology? AuditDSS provides the compliance intelligence layer for SIEM, vulnerability management, policy management, and audit workflow platforms. Contact us about integration partnerships.