Skip to main content
> SOC 2

System and Organization Controls 2

Demonstrating security practices to customers through independent attestation

Established: 2010 (Trust Services Criteria updated 2017) Last Updated: 2017 (current Trust Services Criteria) Scope: Global
5 Categories
Trust Criteria

What is SOC 2 and do you need it?

SOC 2 is an attestation report issued by a licensed CPA firm that examines your security controls against the [AICPA Trust Services Criteria](https://www.aicpa-cima.com/resources/download/2017-trust-services-criteria-with-revised-points-of-focus-2022). It is not a law or a certification; it is an auditor's opinion on whether your controls are suitably designed (Type I) or operating effectively over time (Type II). SOC 2 is voluntary, but for SaaS companies, MSPs, and data processors, enterprise customers routinely require a current Type II report before signing a vendor agreement. Security is the one required category. You choose whether to add Availability, Processing Integrity, Confidentiality, or Privacy based on what your customers need to see.

// What is SOC 2?

SOC 2 is an auditing framework developed by AICPA for service organizations demonstrating their security controls to customers and stakeholders. Unlike prescriptive standards like PCI-DSS, SOC 2 provides criteria-based requirements allowing organizations flexibility in how they implement controls.

The framework evaluates controls across five Trust Service Criteria: Security (required), plus optional categories for Availability, Processing Integrity, Confidentiality, and Privacy. Organizations choose which criteria to include based on their services and customer expectations.

SOC 2 reports come in two types: Type I assesses control design at a point in time, while Type II examines both design and operating effectiveness over a period (typically 6-12 months). Enterprise customers increasingly require Type II reports as vendor qualification criteria.

// Inside the Regulation

SOC 2 evaluates controls against the Trust Service Criteria (TSC), which define the characteristics of reliable systems. Security is always included; organizations select additional criteria based on their service commitments.

1

Security (Common Criteria)

CC Series

The foundation of every SOC 2 examination, covering how the organization protects information and systems against unauthorized access.

CC1: Control Environment

Management's commitment to integrity and security, organizational structure, and accountability mechanisms.

CC2: Communication and Information

How security information is communicated internally and externally, including policies and incident communication.

CC3: Risk Assessment

Processes for identifying, analyzing, and managing risks to achieving security objectives.

CC4: Monitoring Activities

Ongoing evaluation of controls and communication of deficiencies to appropriate parties.

CC5: Control Activities

Policies and procedures ensuring management directives are carried out, including technology controls.

CC6: Logical and Physical Access

Controls restricting logical and physical access to systems and facilities based on authorization.

CC7: System Operations

Detection of anomalies and security events, incident management, and recovery procedures.

CC8: Change Management

Controls ensuring changes to infrastructure and applications are authorized, tested, and documented.

CC9: Risk Mitigation

Controls addressing risks from vendors, business disruptions, and other external factors.

2

Availability

A Series

Optional criteria evaluating whether systems are available for operation as committed.

A1: Availability Commitments

Controls supporting system availability including capacity planning, backup, recovery, and incident response.

3

Processing Integrity

PI Series

Optional criteria assessing whether system processing is complete, accurate, timely, and authorized.

PI1: Processing Integrity Commitments

Controls ensuring data processing achieves intended results without unauthorized modification.

4

Confidentiality

C Series

Optional criteria for protecting information designated as confidential.

C1: Confidentiality Commitments

Controls protecting confidential information throughout its lifecycle including collection, use, and disposal.

5

Privacy

P Series

Optional criteria addressing personal information collection, use, retention, and disclosure.

P1-P8: Privacy Principles

Controls covering notice, choice, collection, use, access, disclosure, quality, and monitoring of personal information.

Note: Type I reports assess whether controls are suitably designed at a specific point in time. Type II reports evaluate both design and operating effectiveness over a period (typically 6-12 months). Enterprise customers generally require Type II reports, as they demonstrate controls actually work over time, not just on paper.

// Who Must Comply

  • 1 SaaS and cloud service providers serving enterprise customers
  • 2 Data centers and hosting providers
  • 3 Managed service providers (MSPs) and managed security service providers (MSSPs)
  • 4 Payment processors and fintech companies
  • 5 HR and payroll service providers
  • 6 Any service organization where customers require security assurance

// Key Requirements

Security Controls

Implement controls protecting against unauthorized access, including access management, encryption, and monitoring

Policies & Procedures

Document security policies and operational procedures governing all in-scope systems

Continuous Monitoring

Monitor systems for security events, anomalies, and control failures with defined response procedures

Vendor Management

Assess and monitor third-party vendors with access to systems or data in scope

Change Management

Control changes to infrastructure, applications, and configurations through formal processes

Incident Response

Maintain and test incident response procedures for security events and breaches

// Enforcement & Penalties

SOC 2 is a voluntary framework. There are no direct regulatory penalties. However, the business consequences of failing to achieve or maintain SOC 2 certification can be significant, as enterprise customers increasingly require it for vendor qualification.

Maximum Penalty

No regulatory fines (voluntary framework)

Examples:

  • Loss of enterprise sales opportunities requiring SOC 2 reports
  • Removal from vendor qualification for existing customers
  • Increased scrutiny and custom security assessments from prospects
  • Higher cyber insurance premiums without attestation

// Cyber Insurance Impact

SOC 2 Type II reports demonstrate security program maturity to cyber insurers, often resulting in more favorable terms. Insurers view current SOC 2 attestation as evidence of baseline security practices. Organizations without SOC 2 may face additional underwriting scrutiny or higher premiums, particularly in the technology and services sectors.

// Common Questions

What is the difference between SOC 2 Type I and Type II?

A Type I report evaluates whether your controls are suitably designed at a single point in time. A Type II report goes further, covering both design and operating effectiveness over a defined audit period, typically three to twelve months. Enterprise customers generally require Type II because it demonstrates that your controls actually worked over time, not just that they existed on the day an auditor visited. Most organizations pursue Type I first to confirm readiness, then move to Type II in the following audit cycle.

Is SOC 2 legally required?

No. SOC 2 is a voluntary framework created by the AICPA and carries no direct regulatory mandate. The pressure to obtain it is commercial rather than legal. Enterprise buyers, insurance carriers, and procurement teams increasingly require a current SOC 2 Type II report to qualify vendors. For SaaS companies and managed service providers, the absence of a SOC 2 report is often a deal-blocker in larger sales cycles.

What are the five Trust Service Criteria categories?

The 2017 Trust Services Criteria (updated with revised points of focus in 2022) define five categories. Security (the Common Criteria) is required in every SOC 2 examination. The four optional categories are Availability, Processing Integrity, Confidentiality, and Privacy. You add optional categories based on the commitments you make to customers in your service agreements. A cloud storage provider would typically include Availability and Confidentiality; a payment processor might add Processing Integrity.

How long does it take to get a SOC 2 report?

A Type I report can take three to six months from a standing start: time to implement controls, document policies, and work through a readiness assessment, followed by the audit itself. A Type II report adds the observation period on top of that, commonly another three to twelve months. Total time from zero to a first Type II report is often nine to eighteen months. Organizations that begin with a gap assessment can shorten the readiness phase by focusing effort where controls are actually missing.

How do I get ready for a SOC 2 audit?

Begin with a SOC 2 gap assessment, which measures your current controls against the Trust Services Criteria in scope and surfaces what is missing or undocumented before the auditor's fieldwork. It is a readiness step, separate from the SOC 2 examination itself, which must be performed by a licensed CPA firm.

// Related Frameworks

// Industries That Need SOC 2

These industries commonly require SOC 2 compliance as part of their regulatory obligations.

Guide last reviewed: June 16, 2026

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873