Glossary · Frameworks & standards

What is SOC 2?

Also known as: SOC 2 report, Service Organization Control 2, SOC2

SOC 2 is an attestation report, defined by the AICPA, that evaluates how a service organization protects customer data against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. An independent CPA firm issues the report, making it the standard proof of security posture for SaaS and cloud vendors in North America.

Key takeaways

  • SOC 2 is an attestation, not a certification, issued by a licensed CPA firm.
  • Built on the AICPA Trust Services Criteria; security (the common criteria) is mandatory, the other four are optional.
  • Comes in two flavors: Type I (design at a point in time) and Type II (operating effectiveness over a period).
  • Most commonly requested by enterprise buyers of SaaS and cloud services in the US.
  • Continuous evidence collection and control monitoring make audits faster and cheaper.

What does a SOC 2 report cover?

SOC 2 is structured around the AICPA Trust Services Criteria (TSC). Every SOC 2 report covers the Security category, often called the common criteria, which addresses access controls, change management, risk mitigation, and incident response. Organizations then choose to add any of four optional categories based on the commitments they make to customers.

  • Security - protection of systems and data against unauthorized access (mandatory).
  • Availability - systems are available for operation and use as committed.
  • Processing integrity - processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality - information designated confidential is protected.
  • Privacy - personal information is collected, used, retained, and disposed of in line with commitments.

The criteria map closely to the Trust Services Criteria framework and overlap heavily with the controls in ISO 27001.

How does the SOC 2 process work?

A SOC 2 engagement is performed by an independent licensed CPA firm. The organization first defines its system boundary and the criteria in scope, implements controls, and collects evidence that those controls operate. The auditor then tests the controls and issues an opinion - unqualified (clean), qualified, adverse, or a disclaimer.

Most teams begin with a readiness assessment or gap analysis, remediate findings, and then enter the formal audit. The heavy lifting is evidence: access reviews, change tickets, vulnerability scans, security training records, and vendor reviews must be gathered consistently.

Platforms that perform continuous control monitoring and automated evidence collection reduce this burden dramatically. CATAAM additionally pairs each control with live security signal from internal attack surface management and breach and attack simulation, so evidence reflects how systems actually behave.

SOC 2 vs ISO 27001

SOC 2 and ISO 27001 both demonstrate strong information security, but they differ in form. SOC 2 is a US-centric attestation report describing controls and an auditor opinion; ISO 27001 is an internationally recognized certification of a management system (an ISMS) granted by an accredited registrar.

SOC 2 is prescriptive about outcomes against the Trust Services Criteria but flexible about implementation, while ISO 27001 requires a documented risk-treatment process and a Statement of Applicability. Many organizations pursue both because their control sets overlap substantially, letting evidence be reused across audits.

Who needs SOC 2 and common pitfalls

SOC 2 is most relevant to SaaS, cloud, data-hosting, and managed-service providers whose customers depend on them to safeguard data. It is frequently a gating requirement in enterprise procurement and security questionnaires.

Common pitfalls include scoping too broadly, treating SOC 2 as a one-time project rather than an ongoing program, collecting evidence only at audit time, and ignoring vendor risk. A Type II report in particular requires controls to operate consistently across the entire observation window, so a single lapse can become an exception.

Frequently asked questions

Is SOC 2 a certification?
No. SOC 2 is an attestation report issued by a licensed CPA firm, not a certification. You receive an auditor's opinion and report rather than a certificate from a standards body.
How long does it take to get a SOC 2 report?
A Type I can often be completed in a few months after controls are in place. A Type II adds an observation period - commonly three to twelve months - during which controls must operate before the audit.
What is the difference between SOC 1, SOC 2, and SOC 3?
SOC 1 addresses controls relevant to financial reporting, SOC 2 addresses security and the other Trust Services Criteria for a restricted audience, and SOC 3 is a public-facing, summarized version of a SOC 2.
How long is a SOC 2 report valid?
A SOC 2 report covers a stated period and is generally treated as current for about twelve months. Customers usually expect a new report each year, so most organizations run continuous annual audits.

Authoritative sources

← Back to the glossary