SOC 2 Phishing Simulation Requirements: 2026 Guide
SOC 2 doesn't have a paragraph that says "you must run phishing simulations." That's the source of most confusion in the market. The Trust Services Criteria are written at a higher level of abstraction than HIPAA or PCI; they describe principles and let the auditor judge whether the controls in place satisfy them. In 2026, the controls auditors expect to see - for any organization handling customer data on a SaaS platform - include a documented phishing simulation program with auto-assigned remediation. The ambiguity isn't whether you need phishing simulation; it's where the evidence belongs in your audit deliverable.
Where phishing simulation maps in SOC 2
The relevant Common Criteria, in the AICPA's 2017 framework as updated:
- CC1.4 - Commitment to Competence. Management establishes processes to attract, develop and retain competent individuals. Auditors interpret this to require demonstrable workforce security competence - and that competence must be measured, not assumed. Phishing simulation results are the most common measurement.
- CC2.2 - Internal Communication. The entity internally communicates information necessary to support the functioning of internal control. Security awareness policy and training delivery sit here.
- CC2.3 - External Communication. Awareness expectations that are communicated to vendors and other external parties who also touch the system.
- CC5.1-CC5.3 - Control Activities. The deployment, automation and selection of policies and procedures, including those that depend on human behavior.
- CC6.1 - Logical and Physical Access. Where applicable, training that supports password and authentication hygiene.
If your SOC 2 scope extends to the Confidentiality, Availability, Processing Integrity or Privacy categories, you'll see additional criteria that touch awareness training depending on which categories are in scope.
What auditors will actually ask for
The standard SOC 2 Type II evidence request package covering phishing simulation and security awareness training includes:
- The written security awareness policy. Approved by management, with a version date, an owner and a review cadence. If your policy hasn't been reviewed in three years, that's a finding.
- A list of phishing simulation campaigns conducted during the audit period. Date, target population (department/headcount), template category, difficulty level.
- Click-through and reporting rate per campaign. Trend chart over the audit period preferred.
- Evidence of remediation training assignment for users who clicked. Screenshots, exports or a written description of the auto-assignment workflow.
- Training completion rates. By cohort if you segment, with a written explanation of any non-completion follow-up.
- Population completeness. The total list of in-scope users compared against the list of users included in the program. Discrepancies must be explained.
- New-hire training records. Evidence that new employees receive awareness training within a defined window of starting (typically 30 or 60 days, depending on policy).
- A sample of training content. Auditors verify that the content matches the policy.
- Reporting to leadership. Cadence, format and a sample report. CC2.2 expects this; the absence of executive reporting is a recurring finding.
Common SOC 2 findings around phishing training
Patterns that show up in qualified opinions and management letters:
- Population gaps. Contractors with employee-equivalent access not included in the program.
- Executive carve-outs. Leadership team excluded from simulations. Now treated as a finding by most auditors.
- Stale policy. A policy from 2019 in an environment that has changed substantially.
- Annual-only frequency. "Once a year" doesn't demonstrate effective operation over a 6- or 12-month audit period.
- Manual remediation. Users who click are "talked to" but no documented training is delivered. Difficult to evidence as effective.
- Disconnected systems. The phishing platform, the LMS and the HRIS don't share user lists, so the same person appears in three systems with three statuses.
What a SOC-2-passing program looks like
The minimum-credible-program checklist:
- Written, dated, version-controlled policy approved by management, reviewed annually.
- Phishing simulations at least quarterly, monthly preferred, across email, with SMS and voice as the modern expansion. Multi-channel campaigns are increasingly asked about even where SOC 2 doesn't mandate them.
- Auto-assigned remediation training for users who fail. Behavior-triggered training is the part that elevates a program above attendance theatre.
- Population completeness - all in-scope employees and contractors included, with documented rationale for any exclusions.
- New-hire onboarding training within a defined window.
- Quarterly reporting to executive leadership or risk committee.
- One-click report mechanism for real phishing, like the Bait & Phish Outlook add-in, with a documented workflow for triage.
- Single-source-of-truth reporting export covering the audit period, ready to hand to your auditor.
Documentation hygiene that makes audits painless
Three operational habits separate organizations that breeze through SOC 2 awareness-control testing from organizations that scramble:
- Run a single platform with one canonical export. If your auditor has to triangulate across three systems to assemble evidence for one criterion, you've created your own problem. Bait & Phish exports a single PDF covering campaigns, click rates, training completion and population - in the format auditors actually consume.
- Pin the policy and the metrics where the auditor can find them. A shared drive folder with a clear name beats a Slack thread every time.
- Keep a quarterly leadership-report archive. Auditors love seeing a cadence; a folder with four quarters of dated reports is the easiest possible evidence for CC2.2.
The Type I vs Type II distinction
SOC 2 reports come in two flavors and the awareness-training evidence differs between them:
- Type I evaluates the design of controls at a point in time. For awareness training this means: do you have a documented program, a defined frequency, an assigned owner and a content library? You do not need to demonstrate the program has run for any length of time.
- Type II evaluates the operating effectiveness of controls over a period (typically 6-12 months). This is where the evidence burden shifts substantially: you need contemporaneous campaign logs, completion records, remediation evidence and reporting cadence demonstrated across the entire period. A program that only ran once in twelve months will not pass Type II awareness testing.
Most organizations move from Type I to Type II within their first year of SOC 2. Building the awareness program for Type II from the start is much cheaper than rebuilding it on the second pass.
What auditors look at when sampling
SOC 2 testing is sample-based, not exhaustive. For awareness training, auditors typically:
- Sample a few new hires and verify they completed onboarding training within the documented window.
- Sample one or two phishing simulation campaigns and inspect the dates, target list, click rates and remediation assignments.
- Sample one or two users who clicked and verify they completed the assigned training.
- Inspect the policy and verify it has been reviewed in the audit period.
- Inspect a leadership-reporting artifact and verify the cadence claimed in the policy was actually followed.
If any single sample fails - a new hire who never completed onboarding, a clicker who never received remediation, a quarter without a campaign - that's typically a finding. The fix isn't to argue with the auditor; the fix is to operate the program consistently so no sample exposes a gap.
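The population-completeness check from the evidence list and the four sample tests above can be run against your own exports before the auditor does. The following is an added example, not Bait & Phish code or any auditor's tooling; the HRIS roster, campaign log, LMS completions and the 30-day new-hire window are constructed sample data and policy assumptions.

```python
from datetime import date

# Constructed sample exports (not real data): HRIS roster (user, start date),
# phishing-platform campaign log and LMS completions for a 2025 audit period.
HRIS = [("ana", date(2025, 1, 10)), ("ben", date(2025, 4, 2)),
        ("cai", date(2025, 5, 20)), ("dee", date(2025, 2, 1))]
CAMPAIGNS = [  # (id, send_date, targeted users, users who clicked)
    ("q1", date(2025, 2, 15), {"ana", "dee"}, {"dee"}),
    ("q2", date(2025, 5, 10), {"ana", "ben", "dee"}, {"ben"}),
    ("q3", date(2025, 8, 12), {"ana", "ben", "dee"}, set()),
]
TRAINING = [  # (user, module, completion_date)
    ("ana", "onboarding", date(2025, 1, 25)),
    ("ben", "onboarding", date(2025, 6, 30)),
    ("dee", "onboarding", date(2025, 2, 20)),
    ("dee", "remediation", date(2025, 2, 18)),
]
PERIOD = (date(2025, 1, 1), date(2025, 12, 31))  # assumed Type II audit period

def population_gaps(hris=HRIS, campaigns=CAMPAIGNS):
    """In-scope users (per HRIS) never targeted by any campaign: a population gap."""
    targeted = set().union(*(c[2] for c in campaigns))
    return sorted(u for u, _ in hris if u not in targeted)

def new_hire_misses(hris=HRIS, training=TRAINING, window_days=30):
    """New hires with no onboarding completion inside the policy window (assumed 30 days)."""
    done = {u: d for u, m, d in training if m == "onboarding"}
    return sorted(u for u, start in hris
                  if u not in done or (done[u] - start).days > window_days)

def unremediated_clickers(campaigns=CAMPAIGNS, training=TRAINING):
    """Users who clicked a simulation but have no remediation completion on or after that send."""
    fixed = [(u, d) for u, m, d in training if m == "remediation"]
    return sorted({u for _, sent, _, clicked in campaigns for u in clicked
                   if not any(fu == u and fd >= sent for fu, fd in fixed)})

def quarters_without_campaign(campaigns=CAMPAIGNS, period=PERIOD):
    """Calendar quarters inside the audit period in which no campaign was sent."""
    q = lambda d: (d.year, (d.month - 1) // 3 + 1)
    covered = {q(sent) for _, sent, _, _ in campaigns}
    start, end = q(period[0]), q(period[1])
    wanted = [(y, n) for y in range(start[0], end[0] + 1) for n in range(1, 5)
              if start <= (y, n) <= end]
    return [f"{y}Q{n}" for y, n in wanted if (y, n) not in covered]

if __name__ == "__main__":  # prints the four finding lists for the sample data
    print(population_gaps(), new_hire_misses(), unremediated_clickers(), quarters_without_campaign())
```

On the sample data every check surfaces exactly the findings the post describes: a contractor outside the program, a late onboarding, a clicker with no remediation, and a quarter with no campaign.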
SOC 2 and cyber insurance - same evidence, different audience
The phishing-program evidence you collect for SOC 2 is close to the evidence cyber insurers ask about at renewal - see what cyber insurers ask about phishing training. Build the package once and use it twice. The Bait & Phish reporting suite is designed around this alignment, so the same export package satisfies both audiences without rework.
Where Bait & Phish fits
Bait & Phish supports SOC 2-aligned awareness programs out of the box: continuous monthly phishing simulations across email, SMS and voice; auto-assigned remediation training the moment a user clicks; new-hire onboarding training delivered automatically; multi-language content for global organizations; and an auditor-ready PDF export covering the full Type II audit period in a single click. We've been operating since around 2010, and our customers include organizations across SaaS, healthcare, financial services and government - every one of them facing the same evidence requests every audit cycle.
If you have a SOC 2 audit coming up and your current program isn't producing the evidence you need, start a free trial with up to 25 users - no credit card - and run your first SOC-2-grade campaign this week. For full deployment to a larger user population, see pricing or contact us to scope.
Trust Services Categories beyond Security
Most SOC 2 reports include the Security category at minimum, often with one or more of the four optional categories: Availability, Processing Integrity, Confidentiality and Privacy. Awareness-training evidence remaps slightly when those optional categories are in scope.
- Confidentiality: awareness training should include data-handling content specifically about confidential information classes. Auditors will look for content references in the curriculum.
- Privacy: training must include privacy-specific content covering personal information handling, consent and breach notification expectations. The Privacy category criteria reference workforce training directly (P5.1, P5.2 in the AICPA framework).
- Processing Integrity: awareness content should reference accuracy, completeness and timeliness expectations relevant to in-scope processing.
If your scope includes Privacy, plan for an extra evidence layer: localized privacy-specific training content, often broken out by jurisdiction depending on where in-scope individuals reside.
See also: Phishing training compliance comparison across SOC 2, HIPAA, PCI DSS, NIST CSF, ISO 27001, GDPR and NIS2 - side-by-side table of clauses, expected cadence and audit posture.
This post is informational and does not constitute audit, legal or compliance advice. Your specific audit scope, criteria and evidence requirements will depend on your auditor and report type - consult them for binding guidance.
Related compliance guides
- Federal / FedRAMP requirements
- NIST CSF 2.0 mapping
- HHS 405(d) HICP (healthcare voluntary)
- NYDFS Part 500 (NY finserv)
- FFIEC banking compliance
- NIS2 directive requirements
- ISO 27001 phishing training
- HITRUST CSF for healthcare
- PCI DSS 4.0 phishing training
- CMMC for DoD suppliers
- HIPAA security awareness training
- GDPR Article 32 compliance