What is SOC 2?
SOC 2 (System and Organisation Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how organisations manage customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. It has become the de facto standard for demonstrating security and compliance to enterprise customers, particularly in the cloud and SaaS industry.
Unlike ISO 27001, which specifies what controls to implement, SOC 2 is an audit — a qualified third-party auditor examines your controls and issues a report attesting to their design and effectiveness. This report is then shared with customers and prospects as evidence of your security posture.
Why Was SOC 2 Created?
SOC 2 evolved from the older SAS 70 standard, which was originally designed for financial audits of service organisations. As cloud computing grew in the 2000s, enterprises increasingly needed assurance that their cloud vendors were handling data securely — but SAS 70 was too financially focused and not fit for purpose. The AICPA introduced the SOC reporting framework in 2011, replacing SAS 70 with three report types: SOC 1, SOC 2 and SOC 3.
SOC 2 was specifically designed to address the security, availability and confidentiality concerns of cloud and technology service providers. Today it is requested by enterprise procurement and security teams as a standard part of vendor due diligence — a SOC 2 report is effectively a prerequisite for selling to enterprise customers in the US and increasingly globally.
| | |
|---|---|
| Standard Body | AICPA — American Institute of Certified Public Accountants |
| Current Version | 2017 Trust Services Criteria (updated 2022) |
| Mandatory or Voluntary | Voluntary — but effectively mandatory for enterprise sales |
| Geography | USA — widely accepted globally |
| Audit period | Type I — point in time · Type II — typically 6–12 months |
| Official Resource | aicpa.org |
SOC 2 Type I vs Type II
There are two types of SOC 2 reports — Type I and Type II. Understanding the difference is critical because they provide very different levels of assurance.
| Report type | What it covers | Assurance level | Typical use |
|---|---|---|---|
| Type I | Controls are suitably designed at a specific point in time | Lower — design only, no operating effectiveness testing | First-time audit, quick credibility signal, stepping stone to Type II |
| Type II | Controls are suitably designed AND operating effectively over a period (typically 6–12 months) | Higher — proves controls actually worked over time | Enterprise procurement, customer due diligence, ongoing compliance |
The Five Trust Services Criteria
SOC 2 audits are structured around five Trust Services Criteria (TSC). Security is the only mandatory criterion — organisations choose which additional criteria to include based on their business model and customer requirements.
| Criterion | Required? | Focus | Typical for |
|---|---|---|---|
| Security (CC) | Yes | System protected against unauthorised access, use or modification — the Common Criteria (CC) covers logical and physical access, change management, risk mitigation and monitoring | All organisations |
| Availability (A) | Optional | System available for operation and use as committed — covers uptime, performance monitoring, incident handling and disaster recovery | SaaS, infrastructure providers |
| Processing Integrity (PI) | Optional | System processing complete, valid, accurate, timely and authorised — covers quality assurance, processing monitoring and error handling | Fintech, payment processors |
| Confidentiality (C) | Optional | Information designated as confidential protected as committed — covers encryption, access controls and disposal of confidential information | B2B SaaS handling sensitive business data |
| Privacy (P) | Optional | Personal information collected, used, retained, disclosed and disposed of in conformity with commitments — covers notice, consent, access and data quality | Consumer apps, healthcare, HR tech |
SOC 2 Common Criteria — Key Control Categories
The Security criterion (Common Criteria) is the most comprehensive and forms the backbone of every SOC 2 audit. It is organised into nine control categories.
| Category | Name | Key focus areas |
|---|---|---|
| CC1 | Control environment | COSO principles — integrity, ethical values, board oversight, organisational structure, accountability |
| CC2 | Communication and information | Internal and external communication of information relevant to security objectives |
| CC3 | Risk assessment | Risk identification, analysis and response — fraud risk, change risk, vendor risk |
| CC4 | Monitoring activities | Ongoing and separate evaluations — internal audit, deficiency identification and remediation |
| CC5 | Control activities | Policies and procedures to mitigate risks — technology controls, policy deployment |
| CC6 | Logical and physical access | Identity and access management, MFA, privileged access, physical security, encryption at rest and in transit |
| CC7 | System operations | Vulnerability management, monitoring for anomalies, incident response, problem management |
| CC8 | Change management | Authorisation, design, testing and deployment of infrastructure and software changes |
| CC9 | Risk mitigation | Vendor and business partner risk management — due diligence, contracts, ongoing monitoring |
The SOC 2 Audit Process
| Stage | What happens | Typical duration |
|---|---|---|
| 1. Readiness assessment | Gap analysis against Trust Services Criteria — identifies missing controls before the formal audit | 4–8 weeks |
| 2. Remediation | Implement missing controls, document policies and procedures, configure monitoring and logging | 2–6 months |
| 3. Audit window (Type II) | Controls operate and evidence is collected over the observation period — auditor reviews logs, configurations, access reviews, vendor assessments | 6–12 months |
| 4. Fieldwork | Auditor conducts walkthroughs, reviews evidence, interviews personnel and tests controls | 4–8 weeks |
| 5. Report issuance | Auditor issues SOC 2 report including opinion, description of system, control testing results and any exceptions noted | 2–4 weeks |
Securitora Assessment
SOC 2 Type II is the most important compliance certification for any cloud or SaaS company selling to enterprise customers. It is not a checkbox exercise — a well-executed SOC 2 programme genuinely improves security posture and gives prospects and customers meaningful assurance. The biggest mistake organisations make is treating SOC 2 as a one-time project rather than an ongoing programme — controls must operate continuously and evidence must be collected throughout the year, not just before the audit.
| | |
|---|---|
| Recommended for | SaaS companies, cloud providers, managed service providers — any organisation storing customer data |
| Difficulty to implement | Medium — well-defined criteria but requires continuous evidence collection and programme management |
| Best used with | ISO 27001 · NIST CSF 2.0 · CSA CCM (for cloud-specific controls) |
| Official resource | aicpa.org |