Compliance guide · ~10 min read · Updated June 2026

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an AICPA attestation that evaluates how a service organisation protects customer data, measured against the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. A licensed CPA firm issues the report, and it is the default way SaaS and cloud providers prove their security to customers.

  • Issuer: AICPA
  • Output: Attestation report
  • Criteria: 5 (TSC)
  • Types: I and II

01 · Definition

What is SOC 2?

SOC 2 stands for System and Organization Controls 2. It is a framework from the American Institute of Certified Public Accountants (AICPA) for reporting on the controls a service organisation uses to protect customer data. A licensed CPA firm examines those controls against the Trust Services Criteria and issues a report with its opinion.

Unlike a certification, SOC 2 produces a detailed report rather than a certificate, and it is a restricted-use document shared with customers and prospects under NDA. For most SaaS and cloud businesses, a SOC 2 Type 2 has become the standard answer to the question every enterprise security team asks: "prove you protect our data."

"SOC 2 reports are designed to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization." (AICPA)

02 · The framework

The five Trust Services Criteria

SOC 2 is built on five Trust Services Criteria. Security is mandatory in every report; the other four are included only when they match the commitments you make to customers.

Security (Mandatory)

The only mandatory category, also called the Common Criteria. Protection of systems and data against unauthorised access, covering access controls, change management, and risk mitigation.

Availability

Whether the system is available for operation and use as committed. Relevant for organisations that make uptime or SLA commitments to customers.

Processing Integrity

Whether system processing is complete, valid, accurate, timely, and authorised. Relevant where the correctness of processing matters, such as transactions.

Confidentiality

Protection of information designated as confidential, from collection through disposal. Relevant when you handle sensitive business data beyond personal information.

Privacy

How personal information is collected, used, retained, disclosed, and disposed of, in line with your privacy notice and AICPA privacy criteria.

03 · Report types

SOC 2 Type 1 vs Type 2

SOC 2 comes in two report types. The difference is time: design at a moment, versus operation over a period.

Type 1

Assesses whether controls are suitably designed at a single point in time. Faster to obtain and useful to show intent, but it does not prove the controls actually operated.

Type 2

Assesses whether controls operated effectively over a period, typically 3 to 12 months. Carries far more weight with customers because it proves the controls worked over time.

Many organisations get a Type 1 first to demonstrate progress, then complete a Type 2 over the following observation window. Most enterprise buyers ultimately want to see a current Type 2.

04 · The SOC family

SOC 1 vs SOC 2 vs SOC 3

SOC 2 is one of three SOC reports. They answer different questions for different audiences.

SOC 1, SOC 2, and SOC 3 compared (report, focus, audience):

  • SOC 1. Focus: controls relevant to financial reporting (ICFR). Audience: customers' auditors and finance teams.
  • SOC 2. Focus: Security and the other Trust Services Criteria. Audience: customer security teams (under NDA).
  • SOC 3. Focus: general-use summary of a SOC 2. Audience: the public (marketing, websites).

05 · The deliverable

What is in a SOC 2 report

A SOC 2 report is a substantial document, not a one-page certificate. It typically contains the auditor's opinion, management's assertion, a description of the system, and, for a Type 2, the detailed tests the auditor performed and their results.

  • The independent auditor's opinion (unqualified, qualified, or adverse)
  • Management's assertion about its system and controls
  • A description of the system and its boundaries
  • The controls mapped to the relevant Trust Services Criteria
  • For Type 2, the tests of operating effectiveness and the results

06 · Comparison

SOC 2 vs ISO 27001

The two most common security assurances overlap heavily but differ in form. SOC 2 is an AICPA attestation report, strongest with North American and SaaS buyers. ISO 27001 is an internationally recognised, certifiable management-system standard.

SOC 2 gives customers a detailed report to review; ISO 27001 gives them a globally recognised certificate. Because their controls overlap, many organisations pursue both and reuse most of the same evidence. For the full breakdown, see ISO 27001 vs SOC 2 and our guide to what ISO 27001 is.

07 · Implementation

How to get SOC 2 compliant

Six steps from scoping to a renewed report. Remember the report itself comes from a CPA firm; everything before it is the work of standing up and evidencing the controls.

  1. Define scope and criteria

     Decide which Trust Services Criteria apply. Security is mandatory; add Availability, Processing Integrity, Confidentiality, or Privacy based on the commitments you make to customers.

  2. Run a readiness assessment

     Assess your current controls against the criteria, identify gaps, and decide whether to start with a Type 1 (point-in-time) or go straight for a Type 2 (over a period).

  3. Remediate the gaps

     Implement the missing controls: access management, change management, monitoring, vendor management, and the policies that back them. Assign owners and close gaps to a plan.

  4. Operate and collect evidence

     For a Type 2, run the controls over the observation period (commonly 3 to 12 months) and collect the evidence that shows they operated consistently.

  5. Engage a CPA firm for the audit

     A licensed CPA firm performs the examination and issues the report. Only an AICPA-accredited auditor can produce a SOC 2 report; software prepares you for it, it does not issue it.

  6. Maintain and renew

     SOC 2 is not one-and-done. Most customers expect a current Type 2 each year, so keep controls operating and evidence flowing between audit periods.

Get audit-ready faster
Run SOC 2 readiness as a scored assessment.

RiskWatch maps the Trust Services Criteria to a shared control library, runs the readiness assessment, tracks remediation to closure, and keeps the evidence your CPA firm will ask for, with SOC 2 cross-mapped to ISO 27001 and your other frameworks.

08 · Frequently asked

SOC 2, answered

The questions teams ask most on the road to their first report.

What is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing and reporting framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how a service organisation manages customer data against a set of Trust Services Criteria, and a licensed CPA firm issues a report on the design (and, for Type 2, the operating effectiveness) of those controls. It is the default proof point that SaaS and service providers use to demonstrate security to their customers.

What are the five Trust Services Criteria?

Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (the Common Criteria) is mandatory in every SOC 2 examination; the other four are included only if they are relevant to the commitments the organisation makes to its customers. Most first SOC 2 reports cover Security alone or Security plus Availability and Confidentiality.

What is the difference between SOC 2 Type 1 and Type 2?

A Type 1 report assesses whether controls are suitably designed at a single point in time. A Type 2 report assesses whether those controls operated effectively over a period, typically 3 to 12 months. Type 1 is faster to obtain and shows intent; Type 2 carries far more weight with customers because it proves the controls actually worked over time. Many organisations start with a Type 1 and follow with a Type 2.

Is SOC 2 a certification?

No. SOC 2 is an attestation report issued by a CPA firm, not a certification like ISO 27001. There is no certificate and no certifying body; instead you receive an auditor's report describing your controls and the auditor's opinion. SOC 2 reports are also restricted-use documents, intended to be shared with customers and prospects under NDA rather than published openly.

What is the difference between SOC 1, SOC 2, and SOC 3?

SOC 1 reports on controls relevant to a customer's financial reporting (internal control over financial reporting). SOC 2 reports on controls relevant to security and the other Trust Services Criteria. SOC 3 is a short, general-use summary of a SOC 2 that can be shared publicly without an NDA. Most technology and SaaS companies need a SOC 2.

How long does it take to get SOC 2?

A Type 1 can often be achieved in a few months once gaps are closed. A Type 2 adds the observation period itself, commonly 3 to 12 months, during which the controls must operate. So a realistic timeline from a standing start to a first Type 2 report is often 6 to 12 months, depending on how mature your controls are when you begin.

What is the difference between SOC 2 and ISO 27001?

SOC 2 is an AICPA attestation report focused on the Trust Services Criteria, popular in North America and with SaaS buyers. ISO 27001 is an international, certifiable management-system standard for information security. SOC 2 produces a detailed report you share with customers; ISO 27001 produces a certificate recognised globally. They overlap heavily on controls, and many organisations pursue both. See our SOC 2 vs ISO 27001 comparison for the full breakdown.

Who needs a SOC 2 report?

Service organisations that store, process, or transmit customer data, especially SaaS and cloud providers, are the most common candidates. The trigger is usually commercial: enterprise customers and their security teams increasingly require a SOC 2 Type 2 before they will buy, so SOC 2 becomes a sales prerequisite as a company moves upmarket.

From readiness to a clean report

Get SOC 2-ready with one scored assessment.

Trust Services Criteria mapped to a shared control library, a readiness assessment, remediation tracking, and the evidence your auditor expects. 30-day free trial, no credit card.
