SOC 2 Explained: Trust Services Criteria & Reports (2026)

Written by: Henry Dalziel

Last updated on June 24, 2026

SOC 2 (System and Organization Controls 2) is an attestation report that demonstrates how well a service organization protects customer data. Defined by the American Institute of Certified Public Accountants (AICPA), it is produced by an independent CPA firm that examines an organization’s controls against a set of trust services criteria.

SOC 2 has become the de facto trust credential for technology and service providers, especially in North America, where customers routinely request it during due diligence.

This page is part of our GRC frameworks hub. For the broader discipline, see our complete guide to governance, risk, and compliance.

The five trust services criteria

SOC 2 is built on five criteria. Security (the common criteria) is mandatory and underpins every report; the other four are included based on relevance to the services offered:

  • Security — protection against unauthorized access (always included).
  • Availability — the system is available for operation and use as committed.
  • Processing integrity — processing is complete, valid, accurate, and timely.
  • Confidentiality — information designated as confidential is protected.
  • Privacy — personal information is collected, used, retained, and disclosed appropriately.

Type I vs Type II

A Type I report assesses whether controls are suitably designed at a single point in time. A Type II report goes further, testing whether those controls operated effectively over a period — typically three to twelve months.

Type II carries far more weight with customers because it demonstrates sustained operation, not just a snapshot, and is the report most enterprises expect from their vendors.

The audit process

Unlike ISO 27001, SOC 2 produces a report, not a certificate. An organization scopes the relevant criteria, implements and documents controls, then engages a CPA firm to perform the examination.

For a Type II, the auditor tests evidence across the observation window. The result is a detailed report shared under NDA with customers and prospects, rather than a public mark.

How SOC 2 fits a GRC program

SOC 2 exercises every GRC discipline: defining controls (compliance management), collecting evidence continuously, and demonstrating they operate over time (audit). Because its controls overlap heavily with ISO 27001 and the NIST CSF, organizations cross-map them to avoid duplicate work. The automation-first platforms in our compliance management software directory are widely used to reach and maintain SOC 2 with minimal manual effort.

Frequently asked questions

What is SOC 2?

SOC 2 is an attestation report, defined by the AICPA, in which an independent CPA firm examines a service organization’s controls against the trust services criteria — security, availability, processing integrity, confidentiality, and privacy — to demonstrate how it protects customer data.

What is the difference between SOC 2 Type I and Type II?

Type I assesses whether controls are suitably designed at a point in time; Type II tests whether they operated effectively over a period (typically 3–12 months). Type II is more rigorous and is what most enterprise customers expect.

Is SOC 2 a certification?

No. SOC 2 results in an auditor’s report shared with customers, not a certificate. People often say “SOC 2 certified” informally, but the correct term is a SOC 2 report or attestation.

How long does SOC 2 take?

A Type I can often be achieved in a few months. A Type II additionally requires an observation period of three to twelve months during which controls must operate, so the full timeline is longer.