Leveraging the Google Cloud SOC 2: How to Build a SOC 2 Compliant SaaS

Leveraging your GCP SOC 2 Report

A few years ago, I was working with a scrappy, fast-growing SaaS startup getting ready for their first SOC 2 audit. They had great tech, strong leadership, and loyal customers—what they didn’t have was a dedicated security team.

The CTO greeted me with a tired laugh and a spreadsheet labeled “SOC 2 Checklist?”—the question mark said it all. But when I asked where they were hosted and they said “GCP”, my job—and theirs—got significantly easier.

How GCP Accelerates SOC 2 – A Head Start for Compliance

As an Auditor, I love it when our clients use GCP. 

Here’s the thing: when a startup runs on GCP and leverages its native services, I can often check off up to 30% of the control requirements before we’ve even kicked off fieldwork. Why? Because GCP itself is SOC 2 compliant, and its infrastructure and platform services are already audited. In auditor-speak, we call these inherited controls. In startup-speak? It’s work you don’t have to do from scratch.

If you can show me you’re using GCP’s Cloud IAM for access controls, Cloud Logging for audit trails, and encryption defaults for data protection, then we’re already standing on solid ground.

Don’t Reinvent SOC 2 Compliance: GCP’s Built-in Advantage

Most early-stage companies are running lean. Security is important, but when it comes down to shipping features or building a custom access review tool, it’s clear what’s going to win. That’s why leaning into GCP’s built-in controls is such a smart move. You get enterprise-grade security and compliance capabilities without having to build them from scratch.

For example:

Document how you’ve configured these services, and suddenly you’ve turned “we don’t have this yet” into “yep, here’s how we meet that requirement.”

My Favorite Startups Are the Ones Who Work Smarter, Not Harder

I’ve had founders sheepishly show me spreadsheets they thought were inadequate, only for me to say, “Honestly, this is great—you’re using GCP in a best-practice way.” One company mapped its entire control set to GCP-native tools, complete with links to Terraform modules and screenshots of policies. They didn’t have a CISO. They didn’t have a security team. But they had something better: a smart use of cloud-native services and the humility to let the platform do the heavy lifting. They passed with flying colors.
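The control-to-GCP mapping described above is easiest to defend when the evidence is generated from the live configuration rather than hand-typed. The script below is an added example, not code from the original article or any client: it reads a project IAM policy in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json` (here a constructed sample embedded inline) and produces pass/fail evidence for two Trust Services Criteria. The mapping of checks to CC6.1 (logical access) and CC7.2 (system monitoring) is this example's own illustrative assumption, and the audit-log check only inspects the `allServices` entry, not per-service overrides.

```python
"""Evidence checks mapping a GCP project IAM policy to SOC 2 criteria (added example)."""
import json

# Constructed sample; shape follows `gcloud projects get-iam-policy PROJECT --format=json`.
# Admin Activity logs are always on; auditConfigs govern the optional Data Access logs.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/owner",  "members": ["user:cto@example.com"]},
    {"role": "roles/editor", "members": ["group:engineering@example.com", "allUsers"]},
    {"role": "roles/viewer", "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
  ],
  "auditConfigs": [
    {"service": "allServices",
     "auditLogConfigs": [{"logType": "ADMIN_READ"}, {"logType": "DATA_WRITE"}]}
  ]
}
""")

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor"}
REQUIRED_LOG_TYPES = {"ADMIN_READ", "DATA_READ", "DATA_WRITE"}


def public_privileged_bindings(policy):
    """CC6.1 evidence (assumed mapping): (role, member) pairs granting owner/editor to a public principal."""
    hits = []
    for binding in policy.get("bindings", []):
        if binding["role"] in PRIVILEGED_ROLES:
            hits.extend((binding["role"], m) for m in binding.get("members", [])
                        if m in PUBLIC_PRINCIPALS)
    return hits


def missing_audit_log_types(policy):
    """CC7.2 evidence (assumed mapping): Data Access log types not enabled under allServices."""
    enabled = set()
    for cfg in policy.get("auditConfigs", []):
        if cfg.get("service") == "allServices":
            enabled |= {c["logType"] for c in cfg.get("auditLogConfigs", [])}
    return sorted(REQUIRED_LOG_TYPES - enabled)


def control_evidence(policy):
    """Return {criterion: (passed, detail)} ready to paste into a control matrix."""
    pub, missing = public_privileged_bindings(policy), missing_audit_log_types(policy)
    return {
        "CC6.1": (not pub, f"public privileged grants: {pub}" if pub else "no public owner/editor grants"),
        "CC7.2": (not missing, f"missing log types: {missing}" if missing else "all Data Access log types on"),
    }


if __name__ == "__main__":
    for criterion, (ok, detail) in control_evidence(SAMPLE_POLICY).items():
        print(f"{criterion}: {'PASS' if ok else 'FAIL'} - {detail}")
```

Run it against each in-scope project's exported policy and attach the output, with the export date, as the evidence for those criteria.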


GCP's shared responsibility model

The Auditor’s Cheat Code: GCP’s Shared Responsibility Model

Here’s what I wish more startups knew: not all controls are yours to own.

In GCP, there’s a shared responsibility model. Google handles the security of the cloud (physical data centers, hardware, base OS, etc.), and you handle security in the cloud (your apps, configurations, user access, etc.).

When you’re preparing for SOC 2, this means your responsibility footprint is smaller than you think.

Focus your energy on:

  • How you configure and use GCP services
  • Your internal policies and procedures
  • How your team handles data and access

Let GCP carry the rest.

Using GCP wisely gives startups a strong foundation to build their control environment around.

From the auditor’s side of the table, here’s the inside scoop:

  • GCP-native services cover many SOC 2 control requirements out of the box
  • Leveraging these controls is expected and encouraged
  • Doing so can make a 2-person startup look like a 100-person company when it comes to security maturity

Understanding Service vs. Subservice Organizations

In the context of SOC 2 reports, there are service organizations and subservice organizations.

What is a Service Organization?

The AICPA published a white paper describing service organizations as follows: “Entities often use business relationships with other entities to further their objectives. Network-based information technology has enabled, and telecommunications systems have substantially increased, the economic benefits derived from these relationships. For example, some entities (user entities) can function more efficiently and effectively by outsourcing tasks or entire functions to another organization (service organization). A service organization is organized and operated to provide user entities with the benefits of the services of its personnel, expertise, equipment and technology…”

What is a Subservice Organization?

ISACA published a blog describing subservice organizations, “When an enterprise selects a subservice organization, it needs to understand how the subservice organization’s operations can or will affect the enterprise and how it processes, stores and maintains any shared sensitive information. A subservice organization is a vendor whose controls and operational health affect the client organization’s operations. All subservice organizations are vendors; however, all vendors are not subservice organizations. An understanding of this relationship is typically gained through an assessment—specifically, a third-party risk analysis.”

Example: Many SaaS applications are built on top of IaaS environments like GCP. Consider a company providing a healthcare software solution to its clients. If the company uses GCP to host the application, GCP will provide physical security, environmental controls, and systems monitoring services for the service organization. In this case, the healthcare software company is the service organization, and GCP is the subservice organization.


GCP SOC 2 Control Responsibility

Which SOC 2 Controls is Google Cloud Responsible for?

Google Cloud provides a highly available, secure, and compliant environment to its customers. GCP provides physical and environmental controls to any company leveraging its infrastructure. In addition to those controls, GCP also offers the following:

  • Data encryption at rest and in transit
  • Application layer transit security
  • Secure low-level infrastructure
  • Secure service deployment
  • Secure data storage

By leveraging GCP, many SOC 2 controls will be the responsibility of GCP. Our firm passes along savings to our clients when they use a subservice organization to address some of the SOC 2 criteria. The time saved by testing fewer controls is reflected in our fees.

When to Use GCP’s SOC 2 vs. Getting Your Own

Occasionally, we get asked by our clients, “GCP already has a SOC 2, and we leverage its infrastructure, can’t we just share GCP’s SOC 2 when we get asked for our SOC 2?”

When leveraging GCP as an IaaS, GCP is responsible for some of the controls to meet the SOC 2 criteria, but your SaaS company is likely responsible for other controls to meet the SOC 2 criteria. Your client’s auditors may ask for assurance that the controls that are your company’s responsibility are designed and operating effectively.

You can try sharing the GCP SOC 2 in lieu of your own, but be prepared for further questions from your clients and stakeholders. If sharing the Google Cloud SOC 2 report satisfies security-related questions from prospects and stakeholders, then great. If not, then your company may need its own SOC 2 report.

What Is a Carve-Out Report & How Does it Work?

If you leverage GCP’s infrastructure and receive your own SOC 2, the controls that are the responsibility of GCP will be “carved-out” of your report. That means that your report will reference the controls that are GCP’s responsibility, but they will not be tested within your report unless you receive an inclusive report. A company’s SOC 2 report includes only controls and testing of controls that are the company’s responsibility to meet the applicable SOC 2 Trust Services Criteria.

Using the carve-out method, a service organization will describe the services it provides as well as those provided by each subservice organization. Then, the SOC report for the service organization will include testing of only the controls that are the service organization’s responsibility. The report should also include any vendor risk management or monitoring controls in place to ensure the subservice organization is fulfilling its obligations.

Do We Save on SOC 2 Compliance by Utilizing GCP?

GCP is compliant with many security frameworks and standards. By using GCP or another IaaS provider, companies leverage a subservice organization’s (GCP’s) controls to build a SOC 2 compliant application. By leveraging GCP, the number of SOC 2 controls that are a service organization’s responsibility will be fewer than if the service organization were responsible for all the applicable SOC 2 controls itself.


Monitoring subservice organization risk

SOC 2 Risk Management & Subservice Organization Monitoring

What can go wrong with vendor risk management? A recent example is the Target data breach.

What Happened in the Target Breach?

In late 2013, attackers stole credit and debit card information for over 40 million customers, and personal data (names, phone numbers, emails) of 70 million more. The breach cost Target hundreds of millions of dollars in losses, lawsuits, and reputational damage. But here’s the kicker: The initial point of compromise was not Target itself—it was a third-party HVAC vendor.

How the HVAC Vendor Caused a Meltdown

The attackers gained access through credentials stolen from Fazio Mechanical Services, a small Pennsylvania-based refrigeration and HVAC contractor that had access to Target’s network for electronic billing and project management.

Once inside, the attackers moved laterally within Target’s internal network, eventually deploying malware to point-of-sale (POS) systems, enabling them to harvest payment card data during the holiday shopping season.

The Lesson: Weak Vendor Controls = Huge Risk

This breach perfectly illustrates the risks of inadequate vendor management and a weak third-party risk program.

Target failed to:

  • Segment internal networks properly to limit vendor access
  • Monitor access and detect unusual behavior from third-party accounts
  • Assess and enforce strong security requirements for vendors

It also highlights why frameworks like SOC 2 require careful consideration of subservice organizations—especially under the Complementary Subservice Organization Controls (CSOCs) section. Had Target performed better risk management procedures on Fazio Mechanical Services, it’s possible the breach could have been averted.

The AICPA’s SSAE 18 guidance includes monitoring of subservice organizations.

Service organizations must have monitoring controls in place for any third-party (subservice organization) being used. The monitoring controls should include reviewing compliance reports, such as SOC 1 and SOC 2 reports or cloud compliance audits, from subservice organizations and ensuring there are no significant control gaps that could affect the service organization’s service offering.

If a compliance report (e.g., SOC 1, SOC 2, ISO) is not available from a subservice organization, reviews may include Google searches, security questionnaires, and limited controls testing performed by the service organization or its auditor.

Your GCP SOC 2 Compliance Roadmap: Next Steps

If you’re a startup looking to become SOC 2 compliant and you’re on GCP, good news—you’re partway there. Just don’t forget to document, configure wisely, and resist the urge to rebuild what Google already nailed. And hey, if your SOC 2 prep spreadsheet still has a question mark in the title? Don’t worry. You’re probably doing better than you think. Need help mapping your GCP configurations to SOC 2 controls? I’ve seen what works—and what auditors are actually looking for. Reach out, and I’m happy to share some real-world examples.

Please contact us at Linford & Company if you would like to discuss your adoption of a subservice organization and the impact that might have on the scope and fees associated with your SOC 2 compliance audit.

This article was originally published on 6/9/2024 and was updated on 5/21/25.