SOC 2 incident response tabletop
SOC 2 incident response tabletop — evidence your Type II auditor accepts.
SOC 2 Trust Services Criteria CC7.4 and CC7.5 ask about your incident response capability — how it's designed, how it's tested, and whether it actually operates. Annual Tabletop produces the tested-evidence artifact your Type II auditor asks for.
What this page covers
A practitioner-level guide, not a keyword page.
- What CC7.4 and CC7.5 actually ask you to demonstrate.
- A SOC 2-anchored scenario library.
- An AAR structured around CC7 evidence.
- How this stacks with HIPAA if you're dual-scope.
SOC 2 Type II is not the regulation most SMB security leads wake up thinking about, but it's the one that determines whether their bigger customers will renew. The CC7 series — specifically CC7.4 and CC7.5 — asks whether the org has a working incident response process and whether it's tested.
Annual Tabletop's SOC 2 scenario set exercises the portions of IR that auditors focus on: detection hand-off, escalation authority, containment decision-making, and customer notification. Atlas runs constrained-decision injects that force the team to exercise actual decision-making, not paper-drill roleplay.
The AAR is structured to be read by a SOC 2 auditor. Participants, scope, timestamped decisions, gaps identified, remediation actions. The CC7 crosswalk is on the cover so your auditor can check the box without reading the whole document.
Recommended scenarios
Start with these.
- Business Email Compromise (Intro)
Wire Fraud via BEC — The Auditor's Favorite SMB Scenario
A finance lead authorizes a $187K wire to a 'new vendor' after a CEO email thread that turns out to be a BEC. Run the response your SOC 2 / cyber-insurance underwriter wants documented.
- SOC 2 CC7.4/CC7.5
- HIPAA §164.308
- FFIEC
- PCI 12.10
FAQ
Questions practitioners ask
Does SOC 2 require a tabletop specifically?
SOC 2 is principle-based. CC7.4 and CC7.5 ask for a tested, operating IR capability. A tabletop is one of the most common ways to demonstrate the test; interviews with your auditor will reveal which forms of evidence they accept.
How often?
Annually at minimum. Many auditors now expect at least one full tabletop during the observation period, plus lighter-touch drills. The product is designed around that cadence.
Does this work for the new 2022 SOC 2 criteria?
Yes. The crosswalk tracks the current TSC version.
What if I'm also under HIPAA?
One exercise covers both. The AAR carries both crosswalks so you don't run duplicate tabletops.