SOC 2
Overview
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for reporting on how a service organization manages the systems that process customer data. It evaluates controls against five categories, security, availability, processing integrity, confidentiality, and privacy, collectively known as the Trust Services Criteria (TSC).
SOC 2 is the dominant compliance framework for cloud service providers, SaaS companies, and data processors, particularly in the North American market. Unlike ISO 27001 (a management system standard against which an organization is certified), SOC 2 produces an attestation report: an independent auditor examines the organization's controls and issues an opinion on them, and that report is what customers review.
Trust Services Criteria (TSC)
| Criterion | Description |
|---|---|
| Security (Common Criteria) | Protection of information and systems against unauthorized access, unauthorized disclosure, and damage; the only category required in every SOC 2 report |
| Availability | Systems and processing are available for operation |
| Processing Integrity | Processing is complete, accurate, timely, and authorized |
| Confidentiality | Information designated as confidential is protected |
| Privacy | Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments |
SOC 2 Report Types
| Type | Description | Scope |
|---|---|---|
| Type I | Controls are suitably designed and implemented as of a specified date | Design and implementation at a point in time |
| Type II | Controls are suitably designed and operated effectively throughout a review period (commonly 3 to 12 months; 12 months once a program is established) | Design + operating effectiveness, with the tests performed and any exceptions listed |
Type II is the industry standard: most enterprise customers expect a Type II report, and many accept a Type I only as a bridge until the first Type II is issued.
SOC 2 Process
- Scope definition — determine which TSC apply, what systems are in scope
- Gap assessment — compare current controls against TSC requirements
- Remediation — implement missing controls and documentation
- Audit — a licensed CPA firm conducts the examination; for a Type II the controls must first operate through the review period so the auditor can sample evidence from it
- Report — the auditor issues the SOC 2 report, containing the auditor's opinion, management's assertion, the system description, and the tests performed with any exceptions noted
Key Requirements
- Controls must be mapped to every criterion in each applicable TSC category (SOC 2 has no separately defined control objectives; those belong to SOC 1)
- System description — management's description of the in-scope system, its boundaries, and its controls, which is what the auditor tests against
- Evidence collection — policies, configurations, logs, tickets, screenshots, and interviews showing that each control operated throughout the review period
- Management assertion — management's written statement that the system description is fairly presented and the controls are suitably designed (and, for a Type II, operating effectively); the auditor's opinion on that assertion is a separate section of the report, not a management letter
- Complementary user entity controls (CUECs) — controls the customer must also implement
Relationship to Other Frameworks
- ISO 27001 — Many organizations pursue both; ISO provides the management system, SOC 2 provides the attestation
- NIST CSF — NIST CSF helps build the controls that SOC 2 audits
- GDPR — the SOC 2 privacy criteria overlap with some GDPR obligations (notice, consent, retention and disposal, security of processing under Art. 32), so a SOC 2 report can support a GDPR accountability case, but it is not evidence of GDPR compliance on its own
- technologies/security-frameworks/iso-27001.md | ISO 27001 — management system standard
- technologies/security-frameworks/nist-csf.md | NIST Cybersecurity Framework — risk management framework