SOC 2
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates how well a service organization's controls protect customer data across security, availability, processing integrity, confidentiality,…
Definition
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates how well a service organization's controls protect customer data across security, availability, processing integrity, confidentiality, and privacy.
Overview
Unlike a certification, a SOC 2 report is an independent auditor's attestation, issued after examining an organization's controls — including areas like Identity and Access Management (IAM) and Encryption at Rest — against the AICPA's Trust Services Criteria. Security is the only mandatory criterion — organizations choose which of the remaining four (availability, processing integrity, confidentiality, privacy) apply to their business. A Type I report assesses whether controls are suitably designed at a single point in time, while a Type II report — generally considered more rigorous and more commonly requested by enterprise buyers — evaluates whether those controls operated effectively over a review period, typically 6 to 12 months. SOC 2 has become a de facto requirement for SaaS and cloud service vendors selling into enterprise customers in North America, similar to how ISO 27001 functions internationally. Because the report is confidential and shared under NDA with prospective customers rather than published publicly, it's typically requested during vendor security reviews and procurement. Understanding what SOC 2 covers — and how it differs from other frameworks — is part of the compliance landscape taught in Governance, Compliance & Career Readiness.
Key Concepts
- Developed by the AICPA (American Institute of CPAs)
- Evaluates controls against five Trust Services Criteria, with security mandatory
- Type I assesses design at a point in time; Type II assesses effectiveness over a period
- Delivered as a confidential audit report, not a public certification
- De facto requirement for SaaS vendors selling to enterprise customers
- Commonly requested during vendor security and procurement reviews