ARCS / SOC 2 Trust Services Criteria Crosswalk
Overview
This crosswalk maps ARCS control families to the AICPA Trust Services Criteria used in SOC 2 examinations. It does not establish normative equivalence and does not convert ARCS conformance into SOC 2 compliance.
ARCS addresses the lifecycle, custody, classification, preservation, verification, and governed non-creation of automated interaction records. This crosswalk shows where those domains align with SOC 2 criteria.
Interpretive status
This crosswalk is for control interpretation, program design, and assurance alignment. It is not a substitute for the Trust Services Criteria, not a SOC 2 readiness checklist, not an attestation opinion, and not part of the normative ARCS control text.
Framework scope
The Trust Services Criteria are organized across five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is always present through the Common Criteria (CC1 through CC9).
Additional scoped criteria may include A1 for Availability, PI1 for Processing Integrity, C1 for Confidentiality, and P1 through P8 for Privacy.
ARCS relevance
SOC 2 evaluates whether relevant controls are suitably designed and operating effectively. ARCS supplies lifecycle and custody structure for automated records that modern systems generate, retain, route, export, and preserve. SOC 2 provides assurance over controls; ARCS provides the record-governance architecture those controls operate upon.
Selected mappings
Table A maps each ARCS control family to the most relevant SOC 2 Common Criteria and, where appropriate, the additional category criteria. The mapping is directional and explanatory. It is intended to aid interpretation and control design, not to claim one-to-one criterion equivalence.
| ARCS Family | SOC 2 Criteria | Crosswalk note |
|---|---|---|
| ARCS-LIF | CC3, CC5, CC7, C1, P4 | ARCS-LIF governs retention, deletion, expiry, and lifecycle transitions for interaction records. SOC 2 addresses risk assessment, control activities, operations, and disposal of confidential or personal information, but does not independently define a lifecycle model for automated interaction records as a governed class. |
| ARCS-CUS | CC2, CC3, CC9 | ARCS-CUS maps where records exist across operator, vendor, subprocessor, and integrated environments. SOC 2 addresses communication, information flows, risk identification, and third-party risk, but does not require a record-specific custody surface inventory. |
| ARCS-TAX | CC2, CC5, PI1, C1, P3, P7 | ARCS-TAX classifies record types, origins, sensitivity, and governance posture. SOC 2 requires relevant information, control activities, and, where scoped, confidentiality, processing integrity, and privacy quality practices. ARCS adds a formal taxonomy for interaction records and related artifacts. |
| ARCS-OPB | CC1, CC2, CC3, CC9 | ARCS-OPB defines the operator's governance boundary across systems, vendors, and flows. SOC 2 addresses the governance environment, communication, risk assessment, and external-party risk, but does not define the operator boundary in record-behavior terms. |
| ARCS-PUB | CC2, CC5, PI1, C1, P4 | ARCS-PUB governs export, disclosure, downstream transfer, and other publish-boundary events. SOC 2 addresses controlled information handling and scoped outputs, but ARCS adds governance for post-export lifecycle consequences and derivative retention exposure. |
| ARCS-NCR | CC3, CC5, CC7, P2, P4 | ARCS-NCR governs auditable non-creation and non-retention postures. SOC 2 can evaluate collection, use, retention, and disposal controls, especially in privacy scope, but does not define a distinct control domain for proving that certain record classes are never created. |
| ARCS-PV | CC5, CC7, CC9, P4 | ARCS-PV governs hold, suspension of deletion, and coordinated preservation across systems when legal, regulatory, or investigative duties arise. SOC 2 addresses operational and control processes around information handling, but does not define preservation override as a distinct custody-governance discipline. |
| ARCS-VER | CC4, CC5, CC7 | ARCS-VER governs testing, attestation, and evidentiary verification that lifecycle and custody controls operate as documented. SOC 2 evaluates design and operating effectiveness; ARCS specifies what must be verified about record custody and lifecycle posture. |
| ARCS-AGT | CC6, CC7, CC8, PI1 | ARCS-AGT governs agent-specific artifact classes, memory boundaries, tool traces, and execution-linked outputs that may become governed records. SOC 2 addresses access, operations, change, and processing integrity, but ARCS adds agent-specific record-governance semantics. |
| ARCS-DEL | CC6, CC7, CC8, CC9, PI1, P2, P4 | ARCS-DEL governs delegated actions, governed persistence, cross-session memory, and autonomy-linked record consequences. SOC 2 covers related areas of access, operations, change, third-party risk, and scoped privacy practices, but does not independently govern delegation chains or persistent agent memory as custody variables. |
The criteria references above reflect the published Trust Services Criteria structure and are used here as interpretive anchors rather than as claims of exact criterion satisfaction.
Outside scope
The additional scoped criteria sharpen parts of the ARCS relationship but do not eliminate the governance gap ARCS addresses. A1 is relevant where retained records affect resilience or recovery planning. PI1 is relevant where records influence completeness, validity, accuracy, timeliness, or authorization of processing. C1 is relevant where interaction records themselves are confidential information. P1 through P8 are relevant where records contain personal information and create obligations around notice, choice, collection, use, retention, disclosure, access, quality, monitoring, and enforcement.
None of those criteria independently define a general lifecycle-and-custody model for automated interaction records across systems.