Framework mapping

Stay ready for SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report reviews

Map SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report to the controls and evidence your team already maintains, keep the record current between cycles, and answer auditors, customers, and security reviewers with traceable proof without rebuilding the record each time.

Request a 15-minute walkthrough Browse the library

Requirements

Mapped controls

162

Evidence specs

205

Test assertions

Sources

Domains

Automated

Published by AICPA & CIMALatest: 2017 Trust Services Criteria (With Revised Points of Focus – 2022) + 2018 SOC 2 Description Criteria (With Revised Implementation Guidance – 2022) + Illustrative SOC 3 Report public metadata (current as of 2026-03-25)Mapping updated Mar 25, 2026View official source

Evidence automation

How SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report Evidence Gets Collected

Aurora maps framework requirements to evidence specifications with defined collection methods, cadence, and integration sources.

Collection methods

162evidence specs defined

13automated8%151manual

Collection cadence

164 scheduled

5P3Y14P1Y1P3M2P6M10Daily1Weekly2Monthly24Quarterly23Semi-annual82Annual

Connected sources

AwsAzureGcpGithubGoogle WorkspaceIntuneJamf ProJumpcloudKnowbe4Microsoft Entra M365OktaQualysRipplingSplunk Hec ReceiverTenable IoTrinetWizWorkday

Control depth

Control Domains Mapped for SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

Each mapped control carries evidence specifications, test assertions, and implementation guidance. Overlapping controls are reused across frameworks.

62of 88

Aurora controls mapped

Coverage

70%

Control domains

20 domains

Governance

Access Control

Vendor Management

Business Continuity

Data Protection

Privacy

Physical Security

Secure SDLC

Risk Management

Monitoring

Configuration Management

Vulnerability Management

Incident Response

Application Controls

Quality Management

Training

Training & Awareness

Network Security

Change Management

Secure Software Development

At a glance

What Teams Need to Know About SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

Best for

Teams aligning to a published standard without rebuilding controls and evidence for each review cycle.

Reviewers expect

Mapped requirements, linked evidence, approval history, and structured exports for SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report reviews.

Where teams stall

Rebuilding control mappings and chasing evidence for each SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report review cycle instead of reusing a current record.

Governed exports

Control matrix
Evidence package
Reviewer portal access
Audit-period exports

Lifecycle signals

How Aurora Keeps SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report Current

Automated signals track evidence freshness, detect coverage gaps, and surface upcoming deadlines so teams stay ahead of review windows.

Evidence freshness tracking

Alerts when evidence artifacts approach expiration

Automation gap detection

Identifies controls without automated evidence collection

Training assignments

Links training requirements to framework controls

Assessment readiness

Tracks question coverage and approved answers

Calendar deadlines

Review window and renewal date tracking

Regulatory frameworks

Incident response timelines

Regulatory notification and response window tracking

Regulatory frameworks

Remediation tracking

Gap-to-fix workflows with owner assignment

Policy governance

Approval workflows, version tracking, and clause mapping

From request to handoff

How Teams Stay Review-Ready Between Cycles

Aurora turns one named framework request into a repeatable operating motion your team can maintain between audits, buyer reviews, and renewals.

Scope the exact version

Start with the SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report version your reviewer or buyer already asked for so the record matches the request in front of you.

Reuse the controls you already trust

Map overlapping requirements to the same governed control library instead of rebuilding the program around one framework.

Keep proof current between cycles

Attach evidence with owners, freshness expectations, and reminders so the package stays current while the business keeps moving.

Capture approvals and decisions

Keep policy approvals, exceptions, and review history linked to the same record so reviewers see the operating context, not just files.

Hand off a clean reviewer package

Share structured access or export a scoped package with mappings, evidence context, and timestamps already intact.

See It with Your Framework Compare Plans

Supported versions

Mapped Versions of SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

Latest

2017 Trust Services Criteria (With Revised Points of Focus – 2022) and 2018 SOC 2 Description Criteria (With Revised Implementation Guidance – 2022) and Illustrative SOC 3 Report public metadata (current as of 2026-03-25)

Source

Requirements

Controls

162

Evidence

205

Tests

Sources

Domains

Coverage request

Need a Framework We Do Not List Yet?

If one customer, auditor, or regulator requirement is the only thing holding up the deal, bring it. Aurora can scope the overlap, confirm the rollout path, and talk through prioritizing that onboarding inside the same control, evidence, and governed-sharing system your team already runs.

Exact framework and versionExpected review windowCurrent controls and evidence

What we work through

Version-specific feasibility

We look at the exact SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report version or adjacent requirement set in scope so there is no ambiguity about what has to be supported.

Control and evidence overlap

We identify how much of the work can ride on the controls, approvals, and evidence your team already maintains in Aurora.

Onboarding priority and rollout path

If it is launch-critical, we will discuss what prioritization would look like with sales instead of leaving your team guessing.

Discuss Framework Coverage Browse All Frameworks

Common questions

SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report Questions, Answered Plainly

How does this fit alongside the frameworks we already run?

Aurora maps each framework into the same governed control and evidence system, so teams expand coverage without rebuilding the entire record.

How quickly can we support the next review cycle?

Tell us about the framework version and review window you need to support. Aurora helps your team move from mapped controls to traceable proof without rebuilding the package from scratch.

What does the reviewer actually receive?

Reviewers get structured access to the mapped record, linked evidence, approvals, and point-in-time exports instead of a loose collection of attachments.

Does Aurora replace the auditor or assessor?

No. Aurora keeps the work current, traceable, and ready to share. Auditors, assessors, and regulators remain independent.

Aurora does not guarantee certification, audit outcomes, or reviewer decisions. It organizes, tracks, and shares the evidence and mappings your team maintains.

Live walkthrough

Preparing for SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report review?

Share the version your reviewer asked for. We will show how Aurora maps SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report into your existing control library, keeps evidence current, and gives reviewers a clean handoff.

Request a 15-minute walkthrough

Browse integrations

15-minute walkthrough. No obligation. See Aurora applied to your workflow with the exact outputs reviewers receive. (No compliance guarantees.)