What Is SOC 2?
SOC stands for System and Organization Controls. There is no pass/fail score and no certificate — readers rely on the CPA firm’s written opinion, and on the detailed test results behind it.
Plain-English explainer · AICPA Trust Services Criteria · Last reviewed July 2026
SOC 2 is an attestation framework from the AICPA (American Institute of Certified Public Accountants) under which an independent licensed CPA firm examines a service organization’s controls over customer data — against the Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy — and issues a detailed report containing its opinion. It is a report, not a certificate. The framework exists to solve a trust problem at scale: modern companies hand critical data and operations to vendors, and every one of those customers needs assurance that the vendor protects what it holds. Instead of each customer auditing each vendor, the vendor undergoes one examination by a licensed CPA firm and shares the resulting report — usually under NDA — with any customer who asks. This page is the plain-English reference: what SOC 2 stands for, what the criteria cover, the difference between Type 1 and Type 2, who actually needs a report, and what “SOC 2 compliant” really means.
The Basics
What SOC 2 Stands For
SOC stands for System and Organization Controls — the AICPA’s name for its family of examinations of service organizations. (The acronym originally meant “Service Organization Control”; the AICPA renamed it, and the letters survived.) The “2” distinguishes this framework from its siblings: SOC 1 deals with controls relevant to financial reporting, SOC 3 is a public summary, and SOC 2 — the one this page covers — deals with controls over the security and handling of customer data.
Under the hood, a SOC 2 is an attestation engagement performed under the AICPA’s attestation standards (the SSAEs — specifically AT-C sections 105 and 205). Three sets of rules shape the result: the attestation standards govern how the auditor examines and reports; the description criteria (DC section 200) define what the company’s system description must contain; and the Trust Services Criteria (the 2017 criteria, with points of focus revised in 2022) are the yardstick the controls are measured against. You don’t need to memorise the citations — but they explain why every genuine SOC 2 report looks structurally similar no matter who wrote it.
“Attestation” is worth a plain-English beat, because it is the word that makes SOC 2 different from a certification. In an attestation engagement, management makes a written claim — our description of the system is accurate, and our controls meet the criteria — and the CPA firm independently examines that claim and reports on whether it holds up. The CPA profession is the vehicle deliberately: licensed firms are bound by independence rules, professional standards, and external oversight, which is what gives a customer in another country a reason to rely on a document they didn’t commission.
One consequence of being an attestation engagement matters more than the rest: only an independent, licensed CPA firm can perform a SOC 2 examination and sign the opinion. Consultants and compliance platforms can prepare you — often very well — but they cannot issue the report. Our guide on who can perform a SOC 2 audit covers exactly where that line sits.
Trust Services Criteria
The Five Trust Services Categories
A SOC 2 is not one fixed audit — you choose which categories the examination covers, based on what you promise customers. Security is always in scope; the other four are add-ons.
- Security (mandatory, in every SOC 2): The Common Criteria (CC1–CC9): governance and risk assessment, logical and physical access, system operations, change management, and risk mitigation — aligned with the 17 principles of the COSO internal-control framework. Every SOC 2 examination includes Security.
- Availability (optional): Whether the system is available for operation and use as committed — capacity planning, monitoring, backups, and disaster recovery. Commonly added by anyone selling against an uptime SLA.
- Processing Integrity (optional): Whether system processing is complete, valid, accurate, timely, and authorised. Most relevant to organizations that process transactions — payments, payroll, billing, claims.
- Confidentiality (optional): Whether information designated as confidential is protected through its lifecycle — encryption, access restriction, retention, and secure disposal. A frequent add-on when customer contracts include confidentiality commitments.
- Privacy (optional): Whether personal information is collected, used, retained, disclosed, and disposed of in line with the organization’s privacy notice and the criteria. The least commonly selected category — and not a substitute for legal privacy compliance.
In practice, most first-time reports cover Security alone, or Security plus Availability and Confidentiality — the combination that maps to what a typical SaaS company promises in its contracts. Processing Integrity and Privacy are added when the business genuinely makes those commitments. For the criterion-by-criterion detail, see our guide to the Trust Services Criteria.
Report Types
Type 1 vs Type 2
Type 1 — a point in time
The auditor opines on whether your controls were suitably designed and implemented as of a single date — say, “as of 30 September.” It is a snapshot: the controls exist and, on paper and in walkthroughs, they should work. Nothing is tested over time.
Type 2 — a period of time
The auditor opines on design and operating effectiveness across a review period — typically 3 to 12 months. Controls are tested against samples drawn from the whole period, and the report discloses the test results, including any exceptions.
Enterprise buyers overwhelmingly ask for Type 2 — a snapshot says little about whether access reviews actually happened every quarter. A Type 1 still has a role as a first milestone: it proves the control set is in place while the Type 2 review period runs. The full trade-offs, including when a Type 1 is worth doing at all, are in SOC 2 Type 1 vs Type 2.
The SOC Family
SOC 1 vs SOC 2 vs SOC 3
SOC 1 — financial reporting controls
A SOC 1 examines controls relevant to customers’ financial reporting (ICFR). If your service can affect the numbers in a customer’s financial statements — payroll processing, fund administration, claims processing — their finance team and their financial-statement auditors will ask for a SOC 1, not a SOC 2.
SOC 2 — security and data-handling controls
A SOC 2 examines controls over security, availability, processing integrity, confidentiality, and privacy. Its readers are security teams, procurement, and vendor-risk functions deciding whether to trust you with their data. It is a restricted-use report, shared with customers and prospects — typically under NDA.
SOC 3 — the public summary
A SOC 3 is a general-use summary of a SOC 2 examination — same criteria, same auditor, but without the detailed system description and test results. Because it omits the sensitive detail, it can be posted publicly, which is why you see SOC 3 reports on vendors’ trust pages.
Who Needs It
Who Needs SOC 2 — and Is It Mandatory?
No law or regulator mandates SOC 2. It is demand-driven: buyers write it into procurement requirements, security questionnaires, and contracts, which makes it “commercially mandatory” for the vendors who want those deals. The honest test is not your industry — it is whether the organizations you sell to ask for it. In practice, the ones asked most often are:
- SaaS companies and cloud-hosted platforms holding customer data.
- Managed service providers (MSPs) and managed security providers with standing access to client environments.
- Data processors — analytics, BPO, support platforms — handling other companies’ customer records.
- Fintech infrastructure and payments-adjacent services, where both data sensitivity and buyer scrutiny run high.
- Any service organization whose enterprise prospects send security questionnaires that end with “please attach your SOC 2 report.”
The trigger moment is usually commercial, not regulatory: a first serious enterprise deal stalls in security review, or a renewal suddenly arrives with a vendor-risk questionnaire attached. Companies that wait for that moment end up running readiness under deal pressure; companies that see enterprise buyers on their roadmap tend to start earlier, so a report — or at least a Type 2 review period already underway — exists before procurement asks for it.
One note for Indian companies: Indian SaaS and IT-services firms selling into US and global enterprise face SOC 2 requests constantly — it has become table stakes in enterprise procurement. The framework itself does not change with geography: wherever the company operates, the examination still comes from a US-licensed CPA firm applying the same AICPA standards.
Compliance, Decoded
What “SOC 2 Compliant” Actually Means
Strictly speaking, there is no such official status. SOC 2 has no pass/fail certificate, no score, and no registry of compliant companies. What actually happens is that you undergo an examination and receive a report containing the CPA firm’s opinion — and the opinion is where the substance lives. An unmodified (“clean”) opinion says the description is fair and the controls were suitably designed — and, for Type 2, operated effectively. Opinions can also be qualified, adverse, or disclaimed, and individual test exceptions can appear even under a clean opinion.
So when someone says a company “is SOC 2 compliant,” what they can defensibly mean is: it holds a recent SOC 2 report — typically Type 2 — with an unmodified opinion. That is also how you should read the claim from a vendor: ask for the report, check the period and the opinion, and scan the exceptions rather than stopping at the phrase. Mature vendor-risk teams do exactly this — they log each vendor’s report period end date and chase the next report annually, which is why a stale report quietly creates friction at renewal time. Our guide to SOC 2 opinions and exceptions explains the four opinion types and how much weight exceptions deserve.
Inside the Report
What a SOC 2 Report Contains
The deliverable is a substantial document, and every genuine one follows the same shape — five sections:
- Section 1 — the independent service auditor’s report: the CPA firm’s opinion, the scope, the criteria, and the period covered. The page most readers should open first.
- Section 2 — management’s assertion: the service organization’s own written claim that the description is accurate and the controls were suitably designed (and, for Type 2, operating effectively).
- Section 3 — the system description: the services, infrastructure, software, people, procedures, and data in scope, written by management against DC section 200.
- Section 4 — the description of tests and results: the controls matrix showing each control, how the auditor tested it, and what the tests found — including any exceptions. The heart of a Type 2.
- Section 5 — other information (optional): management’s responses to exceptions, future plans, or additional context. The auditor expresses no opinion on this section.
Two parts of the system description reward close reading: the treatment of subservice organizations (the vendors your vendor relies on, and whether their controls are carved out), and the complementary user entity controls — the things the report assumes you, the customer, are doing. For a section-by-section walkthrough of where to look first and what the red flags are, the deep dive is how to read a SOC 2 report.
The Journey
How Organizations Get a SOC 2
1. Scope the examination: Choose the Trust Services Categories you will be examined against, define the system boundary (which products, infrastructure, and teams are in scope), and identify subservice organizations such as your cloud provider — and whether they are carved out of or included in the report.
2. Run a readiness (gap) assessment: Compare your current controls against the criteria, remediate the gaps — policies, access reviews, logging, vendor management, whatever is missing — and draft the system description. This is where most of the real work happens.
3. Operate controls and collect evidence: For a Type 2, the controls must run throughout the chosen review period — typically 3 to 12 months. Evidence accumulates as you operate: tickets, review records, logs, approvals.
4. Undergo the CPA firm’s examination: The licensed CPA firm performs fieldwork: walkthroughs, inquiries, inspection of evidence, and sample-based testing of each control. Exceptions found in testing are documented and discussed.
5. Receive the report — and repeat annually: The firm issues the report with its opinion. Because buyers expect current coverage, most organizations re-examine every year, with consecutive review periods and bridge letters covering any short gaps between them.
How long does all this take? Honestly: it depends on where your controls stand today. A typical first-time arc is a few months of readiness work, then the review period you choose for the Type 2, then fieldwork and reporting. Anyone quoting a universal total is guessing — the variables that actually move it, and the budget ranges, are covered in the SOC 2 timeline guide and the SOC 2 cost guide.
If you want help with the journey, this is what Tranquility Cybersecurity does: TCSA prepares organizations for SOC 2 — scoping, readiness, remediation, evidence — and coordinates the examination through empanelled, independent licensed CPA firms, with 500+ audits delivered across 250+ clients. Details on our SOC 2 services page.
Misconceptions
Five Things SOC 2 Is Not
- “SOC 2 is a certification.” No — it is an attestation examination that produces a report containing a CPA firm’s opinion. There is no certificate, no badge-issuing body, and no official register of “SOC 2 certified” companies.
- “SOC 2 is a security checklist.” The Trust Services Criteria are outcome-based criteria, not a prescribed control list. You design controls that meet the criteria for your system — two companies can satisfy the same criterion in different ways.
- “A compliance tool makes you SOC 2 compliant.” Automation platforms help you organise controls and evidence, and they genuinely reduce effort — but no tool can grant SOC 2 status. Only an independent licensed CPA firm’s examination produces the report.
- “SOC 2 covers GDPR and privacy law.” Different instruments. The Privacy category examines controls over personal information against the AICPA’s criteria; it is not a legal-compliance opinion on GDPR, India’s DPDP Act, or any other statute.
- “One report lasts forever.” Reports describe a specific period. In practice buyers treat a report as stale once it is roughly 12 months past the period end — which is why organizations run annual re-examinations.
SOC 2 & ISO 27001
The Closest Sibling: ISO 27001
The framework SOC 2 is most often weighed against is ISO 27001 — and the core difference is the instrument, not the substance. ISO 27001 is a certifiable standard for an information security management system: an accredited certification body audits you and issues a certificate, valid over a three-year cycle with surveillance audits in between. SOC 2 is an attestation: a CPA firm examines you and issues a detailed report tied to a specific period. The underlying controls overlap heavily, which is why many organizations run both on a single control set — commonly with SOC 2 answering US enterprise buyers and ISO 27001 answering buyers elsewhere. The full comparison, including when to do which first, is in SOC 2 vs ISO 27001.
What Is SOC 2 — Common Questions
The questions people actually ask about SOC 2, answered plainly.
What is SOC 2 in simple terms?
SOC 2 is an independent audit report on how a company protects customer data. A licensed CPA firm examines the company’s controls — security practices, access management, monitoring, and so on — against the AICPA’s Trust Services Criteria, then issues a detailed report with its opinion. Customers read that report instead of each having to audit the vendor themselves.
What does SOC 2 stand for?
SOC stands for System and Organization Controls, the AICPA’s name for its family of service-organization examinations (it originally meant “Service Organization Control”). The “2” distinguishes it from SOC 1, which covers controls relevant to financial reporting, and SOC 3, which is a public summary of a SOC 2.
What is SOC 2 compliance?
There is no official “SOC 2 compliant” status — no certificate, no pass/fail score. An organization undergoes an examination and receives a report containing a CPA firm’s opinion. In practice, “SOC 2 compliant” is shorthand for holding a recent SOC 2 report, typically Type 2, with an unmodified (“clean”) opinion.
What is the difference between SOC 2 Type 1 and Type 2?
A Type 1 report covers the suitability of control design at a single point in time — a snapshot. A Type 2 report covers both design and operating effectiveness over a review period, typically 3 to 12 months, with sample-based testing and disclosed results. Enterprise buyers overwhelmingly ask for Type 2, because it shows the controls actually operated, not just that they existed.
Is SOC 2 mandatory?
No law mandates SOC 2. It is contract- and procurement-driven: enterprise buyers require it in security reviews and vendor contracts, which makes it commercially mandatory for vendors who want those deals. If your buyers ask for it, you effectively need it; if they never do, you don’t.
Who needs SOC 2?
Any service organization that holds or processes customer data and whose buyers ask for independent assurance — most commonly SaaS companies, cloud-hosted platforms, MSPs, data processors, and fintech infrastructure providers. It is especially common for companies selling into US and global enterprise, including Indian SaaS and IT-services firms, where a SOC 2 request is now standard in procurement.
Is SOC 2 a certification?
No. SOC 2 is an attestation: a licensed CPA firm examines your controls and expresses an opinion in a report. No body “certifies” you, there is no certificate to frame, and “SOC 2 certified” is technically inaccurate shorthand. This differs from ISO 27001, which is a certifiable standard with an actual certificate issued by an accredited certification body.
How long is a SOC 2 report valid?
A SOC 2 report never formally expires — it describes a specific period. In practice, buyers treat a report as stale once it is roughly 12 months past the end of its period, which is why most organizations undergo a re-examination every year, with consecutive review periods. Short gaps between a report’s period end and a customer’s reporting date are typically covered by a bridge letter from management.
Related reading: the Learn hub, how to read a SOC 2 report, opinions & exceptions, bridge letters, Type 1 vs Type 2, and the Trust Services Criteria. More terms in the compliance glossary.