What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how well a service organization protects customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Unlike ISO 27001, which results in a certificate, SOC 2 produces an independent auditor's report (attestation) issued by a licensed CPA firm. This report provides detailed information about your controls and whether they meet the criteria.

SOC 2 in a Nutshell

What: Auditing framework for service organizations
Who: Any company that stores, processes, or transmits customer data
Output: CPA auditor's report (not a certificate)
Standard: AICPA Trust Services Criteria
Recognition: Primarily North America, increasingly global

History and Background

SOC 2 emerged from the evolution of SAS 70 (Statement on Auditing Standards No. 70), which was replaced by the SOC framework in 2011. The AICPA created three SOC report types:

  • SOC 1: Internal controls over financial reporting (for service providers affecting client financial statements)
  • SOC 2: Controls relevant to security, availability, processing integrity, confidentiality, and privacy
  • SOC 3: Same criteria as SOC 2, but a simplified public report

SOC 2 has become the de facto standard for technology and SaaS companies demonstrating security to US enterprise customers.

The Five Trust Services Criteria

SOC 2 is built around five Trust Services Criteria (TSC). Security is always required; the other four are optional based on your services and customer needs.

1. Security (Required)

Also known as: Common Criteria
Focus: Protection against unauthorized access, use, or modification

Security is the foundation of every SOC 2 report. It covers:

  • Access controls (logical and physical)
  • System operations monitoring
  • Change management
  • Risk mitigation
  • Incident response

2. Availability (Optional)

Focus: System availability for operation and use as committed

Include this if you make uptime commitments (SLAs). It covers:

  • Performance monitoring
  • Disaster recovery
  • Business continuity
  • Incident handling for availability
  • Capacity management

3. Processing Integrity (Optional)

Focus: System processing is complete, valid, accurate, timely, and authorized

Include this if you process transactions or data that must be accurate. It covers:

  • Input validation
  • Processing accuracy
  • Output verification
  • Error handling

4. Confidentiality (Optional)

Focus: Information designated as confidential is protected as committed

Include this if you handle confidential business information (not personal data—that's Privacy). It covers:

  • Confidential data identification
  • Protection measures
  • Disposal procedures
  • Disclosure controls

5. Privacy (Optional)

Focus: Personal information is collected, used, retained, disclosed, and disposed of properly

Include this if you collect and process personal data. It covers:

  • Privacy notice
  • Consent mechanisms
  • Data subject rights
  • Third-party disclosures
  • Data retention and disposal

Which Criteria to Include?

Most organizations start with Security + Availability. Add Confidentiality if handling business secrets, Processing Integrity if doing financial calculations, and Privacy if you're the data controller (not just processor) for personal data.

Who Needs SOC 2?

SOC 2 is particularly important for service organizations—companies that provide services involving customer data. Common examples:

Industries Commonly Requiring SOC 2

  • SaaS Companies: Any cloud software provider
  • Cloud Service Providers: IaaS, PaaS providers
  • Data Centers: Colocation and managed hosting
  • Managed Service Providers: IT outsourcing, managed security
  • Payment Processors: Financial transaction handling
  • Healthcare Technology: EHR systems, health tech
  • HR/Payroll Providers: Employee data processors
  • Financial Services: Fintech, wealth management platforms

Signs You Need SOC 2

  • Enterprise customers ask for it in security questionnaires
  • You've lost deals because you don't have it
  • Your sales cycle is extended by security reviews
  • Competitors have SOC 2 and you don't
  • You're expanding into the US enterprise market

Benefits of SOC 2

1. Win Enterprise Deals

SOC 2 is table stakes for selling to US enterprises. Without it, you may not make it past procurement's security review. With it, you can satisfy security requirements with a single document rather than lengthy questionnaires.

2. Shorten Sales Cycles

Instead of weeks of back-and-forth on security questionnaires, you provide your SOC 2 report. Enterprise buyers know how to read them and trust the independent audit.

3. Competitive Differentiation

In crowded markets, SOC 2 sets you apart from competitors who can only say "we take security seriously" without third-party validation.

4. Improved Security Posture

The process of achieving SOC 2 forces you to formalize controls, document procedures, and address gaps. Most organizations emerge with genuinely better security.

5. Reduce Vendor Security Questionnaires

While you won't eliminate questionnaires entirely, a SOC 2 report answers 60-80% of typical questions, significantly reducing the burden.

6. Customer Trust

SOC 2 demonstrates commitment to security through independent verification, not just marketing claims.

Type I vs Type II Reports

SOC 2 comes in two flavors:

Aspect                SOC 2 Type I                              SOC 2 Type II
What it assesses      Design of controls at a point in time     Design AND operating effectiveness over a period
Time period           Single date                               3-12 month period (typically 6-12)
Testing               Inquiry, observation, inspection          Inquiry, observation, inspection, re-performance, sample testing
Assurance level       Lower (design only)                       Higher (design + operation)
Customer acceptance   Some accept as interim step               Strongly preferred/required
Timeline              2-4 months                                6-15 months total
Cost                  $15,000-40,000                            $30,000-100,000+

Most enterprise customers want Type II. Type I is acceptable as a stepping stone while you build the track record for Type II, but don't expect it to satisfy sophisticated buyers long-term.

What's in a SOC 2 Report?

A SOC 2 report typically contains:

Section 1: Auditor's Report

The CPA firm's opinion on whether your controls are suitably designed (Type I) and/or operating effectively (Type II). This is what customers look at first.

Section 2: Management's Assertion

Your company's statement that the system description is accurate and controls meet the criteria.

Section 3: System Description

Detailed description of your services, infrastructure, software, people, procedures, and data. This helps users understand what's being assessed.

Section 4: Trust Services Criteria and Controls

Mapping of the criteria to your specific controls and how they address each requirement.

Section 5: Tests of Controls (Type II only)

Description of testing procedures performed and results for each control. This is where exceptions are documented.

Section 6: Other Information (Optional)

Additional information provided by management, not covered by the auditor's opinion.

Getting Started with SOC 2

Step 1: Determine Scope

  • Which services/systems will be covered?
  • Which Trust Services Criteria apply?
  • What's your target timeline?

Step 2: Conduct Readiness Assessment

  • Map current controls to SOC 2 criteria
  • Identify gaps
  • Prioritize remediation

Step 3: Implement and Document Controls

  • Close identified gaps
  • Document policies and procedures
  • Implement monitoring and evidence collection

Step 4: Operate Controls (Type II)

  • Run controls for the observation period
  • Collect evidence continuously
  • Address any control failures promptly

Step 5: Undergo Audit

  • Select a CPA firm
  • Provide evidence and access
  • Address any findings
  • Receive your SOC 2 report