SOC 2 (System and Organization Controls 2) is an attestation report issued by an independent, licensed CPA (the "service auditor") that examines whether a service organization's controls meet the AICPA's Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy. It is widely used by SaaS providers, data centers, and other technology vendors to give customers assurance over how they protect data and operate systems.
It is important to be precise: SOC 2 is not a certification and not a law. It is a professional attestation engagement governed by AICPA standards (the SSAE 18 attestation standards, AT-C sections 105 and 205) in the United States. There is no government regulator behind it and no pass/fail certificate — the deliverable is a report containing the CPA's opinion, management's description of its system, and management's written assertion.
What is a SOC 2 report, exactly?
A SOC 2 report is the output of an examination engagement in which a CPA evaluates a service organization's system and the controls relevant to one or more Trust Services categories. The report typically contains:
- The independent service auditor's opinion on whether controls were suitably designed (and, for Type 2, operating effectively).
- Management's written assertion about its system and controls.
- Management's description of the system being examined.
- For Type 2, the auditor's description of tests of controls and results.
Because it conveys a practitioner's opinion rather than a guarantee, SOC 2 is an attestation, not a certification. Only a licensed CPA firm can perform the examination and issue the report.
What are the five Trust Services Criteria?
SOC 2 is built on the AICPA's 2017 Trust Services Criteria (with revised points of focus, 2022), organized into five categories:
- Security — protection of information and systems against unauthorized access, use, or damage. Expressed through the common criteria (CC) and the only category that must be included in every SOC 2 examination.
- Availability — the system is available for operation and use as committed or agreed.
- Processing Integrity — system processing is complete, valid, accurate, timely, and authorized.
- Confidentiality — information designated as confidential is protected.
- Privacy — personal information is collected, used, retained, disclosed, and disposed of in line with the organization's commitments.
Beyond security, the other four categories are included only if relevant to the services and commitments being reported on.
What is the difference between Type 1 and Type 2?
SOC 2 reports come in two types that differ in what — and over what period — the auditor evaluates:
- Type 1 — reports on whether controls are suitably designed at a specific point in time (as of a single date). It does not test whether controls actually operated.
- Type 2 — reports on whether controls are suitably designed and operating effectively throughout a defined review period, commonly 3 to 12 months. The auditor tests controls across that period.
A Type 2 report provides a higher level of assurance because it demonstrates controls worked over time, not just that they existed on a single date. Customers frequently request Type 2 for ongoing vendor due diligence.
Who is SOC 2 for?
SOC 2 is designed for service organizations — entities that operate systems or handle data on behalf of their customers ("user entities"). Typical examples include SaaS platforms, cloud and managed-service providers, data centers, and other technology and outsourcing vendors.
Reports are commonly requested by a service organization's customers, prospects, and their auditors as part of vendor risk management and procurement. A SOC 2 is a restricted-use report: it is intended for the service organization, its existing or prospective customers, and parties with sufficient understanding of the system — not for unrestricted public distribution.
How does the SOC 2 audit process work?
At a high level, a SOC 2 examination follows these stages:
- Scoping — management defines the system, the services in scope, and which Trust Services categories apply (Security is always included).
- System description and assertion — management documents its system and provides a written assertion about its controls.
- Auditor examination — the CPA evaluates control design and, for Type 2, tests operating effectiveness over the review period by inspecting evidence and sampling populations.
- Reporting — the auditor issues an opinion (unqualified, qualified, adverse, or a disclaimer) within the SOC 2 report.
Reports are point-in-time or period-specific; organizations typically renew them annually so customers always have a current report.
How does SOC 2 relate to SOC 1, SOC 3, and ISO 27001?
SOC 2 sits within the AICPA's broader SOC suite and is sometimes confused with related frameworks:
- SOC 1 — examines controls relevant to a user entity's internal control over financial reporting (ICFR). Different objective from SOC 2.
- SOC 3 — covers the same Trust Services Criteria as SOC 2 but in a short, general-use report that can be distributed freely (e.g., posted publicly). It omits the detailed control descriptions and test results found in a SOC 2.
- ISO/IEC 27001 — an international standard resulting in a formal certification of an information security management system (ISMS), covering the whole organization. SOC 2, by contrast, is a US/AICPA attestation scoped to specific systems and the selected Trust Services categories. Many organizations pursue both.
Frequently asked questions
Is SOC 2 a certification?
No. SOC 2 is an attestation report containing a licensed CPA's opinion. There is no "SOC 2 certificate." Frameworks like ISO 27001 issue certifications; SOC 2 does not.
Is SOC 2 a law or government regulation?
No. SOC 2 is a professional attestation framework developed by the AICPA (a US accounting body) and governed by its standards (SSAE 18 / AT-C sections 105 and 205). It is not legislation and is not enforced by a government regulator.
Who can perform a SOC 2 audit?
Only an independent, licensed CPA firm (the "service auditor") can perform the examination and issue a SOC 2 report under AICPA attestation standards.
Do all five Trust Services Criteria have to be included?
No. Security (the common criteria) is mandatory in every SOC 2 examination. Availability, Processing Integrity, Confidentiality, and Privacy are included only if relevant to the services and commitments being reported on.
What is the difference between SOC 2 Type 1 and Type 2?
Type 1 assesses whether controls are suitably designed at a single point in time. Type 2 assesses whether they are suitably designed and operating effectively over a period (commonly 3–12 months), providing higher assurance.
What is the difference between SOC 2 and SOC 3?
Both use the same Trust Services Criteria. SOC 2 is a detailed, restricted-use report; SOC 3 is a short, general-use summary that can be distributed publicly without the detailed control descriptions and test results.