SOC 2 CC1.4 + CC2.2 awareness training and Type II evidence.
Vigil covers the human-layer Common Criteria your SOC 2 auditor tests: phishing simulation, role-based awareness, BEC and deepfake training, and the continuous-evidence trail that Type II requires.
Where Vigil fits in the SOC 2 Trust Services Criteria
| TSC reference | What auditors test | Vigil coverage |
|---|---|---|
| CC1.4 | Competent personnel, including training programmes. | Training catalogue + per-employee completion records. |
| CC2.2 | Internal communication of security responsibilities. | Policy-attestation module + role-based training tracks. |
| CC2.3 | External communication (customers, vendors). | External-stakeholder training + reporting evidence. |
| CC6.6 | External threats, including social engineering. | AI phishing, vishing and deepfake simulation. |
| CC7.2 | Monitoring of system components. | Continuous human-risk score + trended dashboard. |
| CC7.4 | Incident response. | Reporting training + incident-timeline evidence log. |
Built for the Type II observation period
Type II auditors want evidence the controls were operating effectively across the full observation window, not just on the day of fieldwork. Vigil's continuous-control timeline shows quarter-by-quarter training delivery, simulation results and remediation rates, so any sample the auditor pulls lands on real, time-stamped activity.
Works alongside your GRC platform
Vigil exports SOC 2 evidence as CSV, PDF and structured JSON, ready to drop directly into Vanta, Drata, Secureframe, Sprinto, OneTrust or Tugboat Logic. Enterprise plans support webhook ingest so evidence flows in continuously.
SOC 2 + Vigil: common questions
Which SOC 2 Trust Services Criteria cover security awareness training?
The relevant Common Criteria are CC1.4 (the entity demonstrates a commitment to attract, develop, and retain competent individuals, including ongoing training), CC2.2 (internal communication of information security responsibilities), and CC2.3 (external communication). Most SOC 2 auditors test these through training records, attestations and phishing-simulation evidence.
SOC 2 Type I or Type II: does the training evidence differ?
Type I tests control design as of a point in time; Type II tests operating effectiveness over a period (typically 3 to 12 months). For Type II, auditors want a continuous record across the observation window: quarterly phishing campaigns, monthly completion summaries and time-stamped policy attestations. Vigil's evidence pack supports both, with the Type II view turned on by default.
What does a SOC 2 auditor specifically ask for during fieldwork?
Training programme documentation, per-employee completion records covering the observation period, phishing simulation campaign results, evidence of training updates as threats change, and evidence of remediation when staff fail simulations. Vigil produces every artefact as a download or via the auditor portal.
Can Vigil pre-populate the SOC 2 control matrix in our GRC tool?
Yes. Vigil exports CSV and structured JSON evidence that maps to controls in Vanta, Drata, Secureframe, Sprinto, OneTrust and Tugboat Logic. Enterprise plans include direct webhook integration so evidence ingests automatically.
How does Vigil handle the BEC and social-engineering scope SOC 2 auditors increasingly probe?
Vigil ships AI-personalised BEC simulations, voice-cloned vishing and deepfake video-call simulations as standard. Auditors who probe beyond basic phishing typically accept these as evidence of mature awareness, particularly for service organisations handling financial data.
Does this work for SOC 2 + ISO 27001 dual-track compliance?
Yes. Vigil's evidence pack maps the same training and simulation events to both SOC 2 CC1.4/CC2.2 and ISO 27001 A.6.3 simultaneously. One programme, two compliance outputs.
Walk into your SOC 2 audit with CC1.4 evidence already done.
30-day free trial. No credit card. Type II-ready evidence on day 1.