SOC 2
What is SOC 2?
An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against the Trust Services Criteria.
SOC 2 (System and Organization Controls 2) is an attestation engagement defined by the American Institute of Certified Public Accountants (AICPA) under SSAE 18. It evaluates a service organization's controls relevant to the Trust Services Criteria: Security (always required), Availability, Processing Integrity, Confidentiality, and Privacy. Reports are issued as Type 1 (design of controls at a point in time) or Type 2 (operating effectiveness over a period, typically 3 to 12 months). SOC 2 is widely used by SaaS, cloud, and managed-service providers to demonstrate control maturity to customers under NDA. It is not a certification; the result is an auditor's opinion contained in the SOC 2 report.
● Examples
1. A SaaS startup completing a SOC 2 Type 1 report focused on Security and Confidentiality during its first audit year.
2. An enterprise vendor providing an annual SOC 2 Type 2 report covering Security and Availability to its enterprise customers.
● Frequently asked questions
What is SOC 2?
An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria. It belongs to the Compliance & Frameworks category of cybersecurity.
What does SOC 2 mean?
An AICPA attestation standard in which an independent auditor evaluates a service organization's controls against Trust Services Criteria.
How do you prepare for a SOC 2 audit?
Preparing for SOC 2 typically combines technical controls and operational practices mapped to the Trust Services Criteria, as detailed in the full definition above.
What are other names for SOC 2?
Common alternative names include: Service Organization Controls 2.