Does SOC 2 Require Phishing Simulations? Your Complete Guide

Phishing simulations are a people-based control that help to demonstrate compliance with the trust service criteria for security.

Image depicting a phishing email with a person at their computer
Author profile photo
Sebastian Salla July 17, 2023 (Updated August 23, 2023)

Are you thinking about undergoing a SOC 2 assessment and trying to understand what you'll need to do to obtain a positive attestation from an AICPA-certified auditor? Well, you're in luck! In this article, we'll detail exactly what's needed, why, and how you can use phishing simulations to put your auditor at ease and provide assurances that you take security seriously.

Let's get straight to it and answer the question; Does SOC 2 require phishing simulations? The short answer is Yes. But like many things in life, SOC 2 audits aren't that black and white, and this does come with caveats.

Jump To The SOC 2 Phishing Simulation Requirement

What You'll Learn In This Article.

  • What SOC 2 is, why it's important, and who the intended audience of reports are.
  • How phishing simulations can help to demonstrate compliance with the trust service criteria for security.
  • Where phishing simulations fit into the defence-in-depth strategy for protecting employees.
  • How CanIPhish can help you run your first simulated phishing campaign.

The Purpose Of SOC 2

To truly understand the phishing simulation requirement, we need to remember that the purpose of a SOC 2 audit is to demonstrate to third-party customers, partners, or investors that the audited organization takes security seriously. To showcase this, SOC 2 contains five distinct trust service criteria that an auditor will use to assess an organization. Each criterion covers a fundamental security principle:

  1. Security: Ensures the audited organization protects their systems from both internal and external attackers.
  2. Availability: Ensures the audited organization is able to keep their system and data available in-line with customer expectations.
  3. Confidentiality: Ensures the audited organization is able to protect customer data from unauthorized access.
  4. Processing Integrity: Ensures the audited organization is able to ensure their system can provide complete and accurate outcomes.
  5. Privacy: Ensures the audited organization clearly communicates how customer data will be handled, retained, or disclosed.

Now third-party organizations won't just take your word for this. They rely on you engaging an AICPA-certified audit firm to conduct the SOC 2 assessment. Upon completion of the assessment, the engaged auditor will produce a SOC 2 attestation report which includes a section on whether the auditor found any adverse findings during their assessment.

Image depdicting an auditor presenting a SOC 2 findings report

It's crucial to know that SOC 2 assessments aren't pass or fail; your auditor will produce an attestation report regardless of whether you have absolutely no security controls or whether your controls are so strong that you could guard the secrets of Area 51!

It all comes down to adverse audit findings, which the auditor will call out at the beginning of the report. Each weakness or control gap within your organization can result in an unmitigated audit finding which will be one of the first things a prospective customer, partner, or investor will see. Naturally, once an audit finding is observed, the next question asked is why?

To understand the impact of audit findings, we need to go back to the purpose of undertaking a SOC 2 assessment in the first place. It's a way to build trust and credibility.

Image saying SOC 2 provides trust and credibility

For example, let's say you provide a software-as-a-service platform, and you're looking to streamline sales by providing customers with assurances that you take security seriously. You'll want your SOC 2 report to have no adverse audit findings. Each finding is a slight against your product and a potential reason for a customer not to proceed with a purchase. This example can be extended across a myriad of different use cases.

Are Phishing Simulations Required For SOC 2?

As we've discussed, SOC 2 comprises five trust service criteria, each covering a different security principle. To ensure that the intent of the principle is being met, auditors will test the design, implementation, and operating effectiveness of supporting controls.

Fortunately, for organizations looking to undergo a SOC 2 assessment, you can choose which criteria you want to be in scope of the assessment. Typically the scope includes the security, availability, and confidentiality trust service criteria at a minimum.

Image depicting all controls being met

Phishing simulations are a control needed to demonstrate compliance with the SOC 2 trust service criteria for security.

Phishing Simulations Are A People-Based SOC 2 Control

If we break a control down into its fundamental components, it's made up of various people, processes, and technologies. This is particularly important when it comes to security controls because a lapse in any of these could result in a deficiency that cyber criminals won't hesitate to exploit.

Let's use a few email-related examples to demonstrate the different types of controls we need in-place.

  • A people-related security deficiency is that employees are particularly susceptible to phishing because they've never been trained on how to spot a phish.
  • A process-related security deficiency is that employees never report phishing attempts. They instead just let the emails sit in their inbox.
  • A technology-related security deficiency is the lack of an email filtering solution to reduce the number of phishing emails that land in employee inboxes.

Image depicting an auditor showcasing people-based SOC 2 controls

When we look at this from another perspective, we can also see how each of these controls can be used in a continuous feedback loop, where phishing simulations are a people-based control. A lapse in one can put into question the effectiveness of other related controls.

Phishing Simulations Are A Practical Training Exercise

We can practice theory for as long as we want, but the true test is a practical exercise. This holds firm in cyber security. It's for this exact reason that organizations run periodic penetration tests, business continuity tabletop exercises, or disaster recovery exercises. When we practically test a control, we can understand its effectiveness and whether it needs improvement.

This is why phishing simulations hold such high importance when it comes to SOC 2 and other security-related compliance frameworks. Sure, we can conduct annual security awareness training, which theoretically teaches employees about what phishing is, why it's dangerous, and how it's performed. But when an employee receives an actual phishing email, any theoretical knowledge is typically back-of-mind.

"Everyone has a plan until they get punched in the mouth." - Mike Tyson

In this case, phishing is that punch, and we need employees to have muscle memory of what phishing looks like, so they can unconsciously spot and report suspected phishing attempts. Phishing simulations provide this muscle memory, and like a gym workout, the more frequently we train, the more effective the muscle becomes.

To this end, we typically see organizations run frequent phishing simulations, of varying difficulty, depending on the risk profile of an employee and the role they fulfill within the organization.

How Often Should Phishing Simulations Be Conducted?

The risk profile of each employee should dictate the frequency of phishing simulations. For example, if an employee has administrative access or is more prone to clicking on phishing emails than the average employee, they should participate in more frequent phishing simulations.

Employees who are well-trained in phishing should participate in phishing simulations of increasing difficulty to ensure they can spot the most advanced phishing threats using techniques such as domain spoofing, URL obfuscation, and much more.

As a point of reference, we typically see standard employees participate in quarterly to monthly phishing simulations, with employees who present a higher risk profile participating in monthly to weekly phishing simulations.

How To Get Started

When it comes to phishing simulations, you have a few options. You can use open-source tools such as GoPhish, commercial tools such as CanIPhish, or a security consultancy that provides a managed service. Depending on your approach, you can expect to pay a different type of cost, whether purely in terms of human capital, a mixture of human and financial, or entirely financial. The team at CanIPhish has performed a detailed market analysis of the costs associated with running these training programs.

Regardless of the cost, it's important never to run phishing simulations in isolation. Always couple phishing simulations with relevant, targeted, and ideally gamified training to help guide employees on their learning journey. By coupling phishing simulations with security awareness training, you'll demonstrate your ability to meet SOC 2 controls and provide employees with a practical training experience.


Phishing simulations are an essential control to demonstrate that the SOC 2 criteria for security is being met. Aside from SOC 2, it has the added benefit of protecting your organization against phishing.

Before we wrap up, I'd like to leave you with some final tips that any organization can follow:

  • Use relevant simulated phishing material that's personalized to the services your organization uses on a day-to-day basis.
  • Ensure phishing is localized to the language that your employees speak.
  • Weigh the human and financial costs of running phishing simulations and security awareness training before choosing your preferred provider.
  • Always couple phishing simulations with security awareness training. Ideally, this should be completely automated and integrated.
  • Target higher-risk employees for more frequent phishing simulations. They're the ones who pose the highest risk to your organization.

To run a phishing simulation, create a free account and access the CanIPhish Cloud Platform. We speak from experience. CanIPhish has used its own platform to obtain a SOC 2 attestation report and demonstrate that employees regularly receive phishing simulations and security awareness training.

If you have any questions, don't hesitate to contact the CanIPhish team.

Avatar profile photo
Written by

Sebastian Salla

A Security Professional who loves all things related to Cloud and Email Security.