SOC 2 Type II is the AICPA's Service Organization Control framework; for PKI it requires demonstrable key lifecycle management, certificate rotation policies, HSM usage, and comprehensive audit logging over an extended period.
SOC 2 Type II, developed by the AICPA, evaluates a service organization's controls over an extended period (typically 6-12 months) against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
For PKI, the Security and Confidentiality criteria are most relevant, requiring organizations to demonstrate robust cryptographic key management, certificate rotation policies, access controls, and comprehensive audit trails. Unlike Type I (which evaluates design at a point in time), Type II requires evidence that controls operated effectively throughout the audit period.
SOC 2 reports are increasingly required by enterprise customers evaluating SaaS and cloud providers. Organizations that can demonstrate mature certificate lifecycle management and key governance gain a significant competitive advantage in procurement processes.
Organizations must implement logical and physical access controls, including certificate-based authentication, to restrict access to sensitive systems and data.
Data transmitted over networks must be encrypted using TLS with properly managed certificates, requiring evidence of certificate rotation and configuration management.
Sensitive data at rest must be protected with strong encryption, requiring proper key management practices including secure key storage and rotation procedures.
Organizations must monitor systems for anomalies and security events, including certificate expiration alerts, unauthorized certificate changes, and key usage anomalies.
All changes to infrastructure, including certificate deployments, rotations, and revocations, must follow documented change management procedures with audit trails.
Systems must maintain availability through redundancy and recovery procedures, including backup certificate authorities and automated failover for PKI services.
The AICPA introduces the SOC 2 reporting framework, establishing Trust Services Criteria for evaluating service organization controls.
Major revision of the Trust Services Criteria, aligning with COSO 2013 and introducing more granular requirements for cryptographic controls.
Accelerated cloud migration drives widespread SOC 2 adoption, with enterprise customers increasingly requiring reports from all service providers.
Updated guidance emphasizes cryptographic key management, certificate rotation evidence, and HSM usage documentation within audit scope.
Auditors increasingly evaluate certificate lifecycle automation and key management maturity as part of SOC 2 Type II assessments.
SOC 2 Type II auditors evaluate PKI controls not just by design, but by their consistent operation over the audit period. Here are the critical areas:
Key lifecycle management must be demonstrated over the full audit period, with evidence of proper generation, distribution, storage, rotation, and destruction of cryptographic keys.
Auditors require evidence that certificate rotation policies are not only documented but consistently executed, with timestamps and audit logs for every rotation event.
For the Confidentiality criterion, auditors evaluate HSM usage and key protection mechanisms, requiring documentation of hardware security module configurations and access controls.
Every certificate operation — issuance, renewal, revocation, and key usage — must be logged with immutable audit trails that auditors can review for the entire assessment period.
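The rotation-evidence and immutable-audit-trail requirements above, as an added illustration that is not Horizon's code: a hash-chained log of certificate operations whose integrity can be verified, plus a check that every certificate was rotated within the policy interval throughout the audit period (covering a rotation that was due before the period started and a revoked certificate that stops being tracked). The log entries, host names and the 90-day policy are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, ts, cert, op, actor):
    """Append a certificate operation; each record commits to the previous record's hash."""
    body = {"ts": ts, "cert": cert, "op": op, "actor": actor,
            "prev": log[-1]["hash"] if log else "0" * 64}
    log.append({**body, "hash": _digest(body)})

def verify_chain(log):
    """True only if each record's hash matches its content and links to its predecessor."""
    prev = "0" * 64
    for e in log:
        body = {k: e[k] for k in ("ts", "cert", "op", "actor", "prev")}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False  # edited, reordered or deleted past record
        prev = e["hash"]
    return True

def rotation_findings(log, period_start, period_end, max_age_days):
    """Intervals in the audit period where a cert went over max_age_days without issue/renew."""
    max_age, events, findings = timedelta(days=max_age_days), {}, []
    for e in log:
        if e["op"] in ("issue", "renew", "revoke"):
            events.setdefault(e["cert"], []).append((datetime.fromisoformat(e["ts"]), e["op"]))
    for cert, evs in events.items():
        evs.sort()
        if evs[-1][1] != "revoke":          # live certs are judged up to the period end
            evs.append((period_end, "period_end"))
        for (start, op), (end, _) in zip(evs, evs[1:]):
            if op != "revoke" and end - start > max_age and end > period_start:
                findings.append((cert, start.date().isoformat(), (end - start).days))
    return findings

# Constructed sample: 90-day rotation policy, audit period 2024-01-01 to 2024-06-30.
AUDIT_LOG = []
for ts, cert, op in [
    ("2023-12-20T09:00:00", "api.example.test", "issue"),  # pre-period issue still counts
    ("2024-01-01T09:00:00", "web.example.test", "issue"),
    ("2024-03-15T09:00:00", "api.example.test", "renew"),  # 86 days: within policy
    ("2024-04-05T09:00:00", "web.example.test", "renew"),  # 95 days: overdue
    ("2024-05-20T09:00:00", "web.example.test", "revoke"),
    ("2024-06-10T09:00:00", "api.example.test", "renew"),  # 87 days: within policy
]:
    append_entry(AUDIT_LOG, ts, cert, op, "pki-automation")
PERIOD = (datetime(2024, 1, 1), datetime(2024, 6, 30))
```

Running `rotation_findings(AUDIT_LOG, *PERIOD, 90)` reports only the 95-day gap on web.example.test, and `verify_chain` fails as soon as any earlier record is altered or dropped.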
Continuous audit evidence — Horizon provides continuous, immutable audit trails for all certificate operations, giving auditors the evidence they need for the full assessment period.
Automated rotation with full audit trail — Automated certificate rotation satisfies CC6.6 and CC6.7 requirements with complete, timestamped evidence of every rotation event.
Policy enforcement over time — Demonstrate control effectiveness over the audit period with enforced certificate policies, automated compliance checks, and exception tracking.
Auditor-ready dashboards & reports — Purpose-built dashboards and exportable reports designed for SOC 2 auditor review, reducing preparation time and audit friction.