100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cybersecurity

SOC 2

IntermediateConcept4.1K learners

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates how well a service organization's controls protect customer data across security, availability, processing integrity, confidentiality,…

Definition

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates how well a service organization's controls protect customer data across security, availability, processing integrity, confidentiality, and privacy.

Overview

Unlike a certification, a SOC 2 report is an independent auditor's attestation, issued after examining an organization's controls — including areas like Identity and Access Management (IAM) and Encryption at Rest — against the AICPA's Trust Services Criteria. Security is the only mandatory criterion — organizations choose which of the remaining four (availability, processing integrity, confidentiality, privacy) apply to their business. A Type I report assesses whether controls are suitably designed at a single point in time, while a Type II report — generally considered more rigorous and more commonly requested by enterprise buyers — evaluates whether those controls operated effectively over a review period, typically 6 to 12 months. SOC 2 has become a de facto requirement for SaaS and cloud service vendors selling into enterprise customers in North America, similar to how ISO 27001 functions internationally. Because the report is confidential and shared under NDA with prospective customers rather than published publicly, it's typically requested during vendor security reviews and procurement. Understanding what SOC 2 covers — and how it differs from other frameworks — is part of the compliance landscape taught in Governance, Compliance & Career Readiness.

Key Concepts

  • Developed by the AICPA (American Institute of CPAs)
  • Evaluates controls against five Trust Services Criteria, with security mandatory
  • Type I assesses design at a point in time; Type II assesses effectiveness over a period
  • Delivered as a confidential audit report, not a public certification
  • De facto requirement for SaaS vendors selling to enterprise customers
  • Commonly requested during vendor security and procurement reviews

Use Cases

SaaS companies proving data security practices to enterprise prospects
Vendor risk assessments during enterprise procurement
Demonstrating operational maturity of access control and monitoring practices
Supporting sales cycles that require security documentation before contract signing
Benchmarking internal controls against an independent, recognized standard

Frequently Asked Questions