What is SOC 2 Compliance?

SOC 2 (Service Organization Controls 2) is a security framework with a set of compliance requirements geared toward technology-based companies that use cloud-based storage of customer data.

SOC 2 compliance is both an audit procedure and criteria, as well as a voluntary compliance standard that specifies how an organization should manage internal controls and protect customer data.

SOC 2 Compliance Automation

SOC 2 Trust Service Principles

The AICPA (The American Institute of Certified Public Accountants) developed a set of criteria to be used when evaluating an organization’s design and operating effectiveness of controls relevant to the Trust Service Principles:





Processing Integrity​

Processing Integrity





Organizations can choose one or more of these TSPs to include in the scope of their SOC 2 report, depending on their particular business operations. It is important to note, however, that Security is mandatory. During a SOC 2 audit, the auditor will assess an organization's security posture related to the Trust Service Principles that are included in the scope of their audit. Each TSP has specific requirements that companies meet with their internal controls.

The SOC 2 Bible

Everything you need to know about compliance

Type I versus Type II

Type I’ and ‘Type II’ are popular topics in the world of SOC 2 compliance. But what exactly do they mean? How do they differ? Let’s break it down.

There are two types of SOC 2 audit reports that an organization can choose to undergo

SOC 2 Type I

A SOC 2 Type I reports on the suitability of the design of an organization’s relevant trust service criteria controls. Therefore, it reports at a point in time with a specified date (and a shorter time to be audit-ready).

SOC 2 Type II

A SOC 2 Type II reports on the suitability of the design and operating effectiveness of an organization’s relevant trust service criteria controls. Therefore, it reports over a period of time, usually a three-to twelve-month period is advised by the AICPA.
woman explaining soc 2 compliance

Who Needs a SOC 2 Report?

Do you really need a SOC 2 report? As mentioned, SOC 2 compliance is not mandatory, however it applies to technology-based service providers that store, process, or transmit customer data in the cloud. It is in the best interest of the organization, to ensure security protocols are in place and operating effectively to protect their customers’ data.

More and more companies are seeking SOC 2 reports with an ever-expanding digital world and the security risks that come with it. Importantly, more customers and prospects are asking for a SOC 2 report as a requirement in order to do business with technology-based organizations





Marketing and Sales

Human Resource



Payment service providers

Data center hosting providers

Business Intelligence

What are the Benefits
of SOC 2 Compliance?

There are many reasons why organizations need a SOC 2 report. Let’s take a look at the importance of SOC 2 compliance!!

Meet customer demands

Meet customer

Many potential customers, especially those in the US, demand an organization’s SOC 2 report before doing any business or even proceeding with sales discussions. Therefore, without SOC 2, companies are likely to lose deals and fail to reach full potential. Maintaining SOC 2 compliance also plays a major role in customer retention.
Boost customer trust and sales

Boost customer
trust and sales

Demonstrating SOC 2 allows you to stand out amongst other players in the market that are not SOC 2 compliant, giving customers the confidence that their sensitive data is safe and that they are partnering with a company that takes information security seriously. And so, a SOC 2 report boosts sales and enables a faster sales cycle.

Prevent security risks

security risks

SOC 2 ensures that there are no gaps in your organization’s security posture and improves risk management. Therefore, SOC 2 significantly reduces any chance of a data breach, human error or other security risks, as well as their consequences. A data breach can lead to financial and reputational damage.


SOC 2 Controls

SOC 2 controls are the processes, procedures, and systems that your organization has in place to protect customer data, according to the SOC 2 criteria. SOC 2 controls are based on the five Trust Service Principles that organizations include in their SOC 2 audit report and therefore, your organization’s list of controls will depend on your specific SOC 2 report scope.

For each TSP included in your SOC 2 audit, there is a list of criteria. Controls are what you implement to meet those criteria, and the auditor is attesting to the design and/or operating effectiveness of those controls.
While there are many controls associated with each of the five TSPs, controls associated with the common criteria, Security, include common IT general controls:

Control Environment

These SOC 2 controls relate to a commitment to integrity and ethical values.

Communication and Information

This includes SOC 2 controls related to the internal and external use of quality information to support the functioning of internal control.

Risk Assessment

This requests the identification and assessment of risk relating to objectives.

Monitoring Activities

Controls related to the performance of ongoing and separate evaluations to determine deficiencies of controls and communicate those to the correct parties.

Control Activities

These relate to the control activities contributing to risk mitigation and policy and procedure establishment.

Logical and Physical Access Controls

Related to the implementation of logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet its objectives.

System Operations

SOC 2 controls related to the use of detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities and (2) susceptibilities to newly-discovered vulnerabilities.

Change Management

Controls related to the authorization, design, development, testing, approval, and implementation of changes to infrastructure, data, software, and procedures to meet its objectives.
SOC 2 Report

Risk Mitigation

Identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions.

Who Can Perform a
SOC 2 Audit?

A SOC 2 audit can only be performed by an independent auditor at a licensed CPA firm, specifically one that specializes in information security. It is also important to keep in mind that you should choose an auditor that has experience in your particular industry. SOC 2 audits are regulated by the AICPA.

Is SOC 2 a

SOC 2 is, in fact, not a certification. SOC 2 is an attestation. SOC 2 auditors do not certify that your organization has met SOC 2 requirements. Your SOC 2 auditor will provide his expert opinion on whether or not he agrees with management’s assertion relating to the design (Type I) and operating effectiveness (Type II) of your controls.

The SOC 2 Compliance Process

Choosing a SOC 2 partner

Choosing a SOC 2 partner for audit-preparation

For startups, first-timers and companies that do not have an in-house security and compliance specialist, expert and hands-on guidance during the audit-preparation process is much needed. Companies need to understand the specific SOC 2 requirements, any compliance gaps, and much more, in order to achieve SOC 2 compliance efficiently.

Identifying the scope

Identifying the scope

Organizations need to identify which of the five Trust Service Principles to include in your audit. The controls that will be monitored will depend on these TSPs. A fixed list of controls is not best practice, as every organization is different. Therefore, a customized list of controls should cover specific risks that are relevant to your business operations. Organizations also need to decide on the reporting period in the case of a SOC 2 Type II report.

Selecting an auditor

Selecting an auditor

Only a licensed and independent CPA firm that specializes in IT audits can conduct a SOC 2 audit. The firm must comply with all the guidelines and updates provided by the AICPA. It is important to select an auditor that understands the specific industry of your organization and has extensive experience with SOC 2 audits, as well as experience with companies similar in size. Audit costs and timeframes will be dependent on the chosen audit firm.

Readiness assessment​

Readiness assessment

The readiness assessment determines whether or not your organization is ready for the official audit. A gap analysis will identify if your security posture meets the standards of the SOC 2 criteria and any remediation necessary will take place.

The SOC 2 audit​

The audit

After a company undergoes its observation period, in the case of a SOC 2 Type II report, the official audit will take place. The auditor will assess the controls in place, specifically whether they are operating in the manner that has been stated by management and if they comply with the criteria of SOC 2. The service auditor will issue the organization’s SOC 2 Type I or SOC 2 Type II report with details of the testing results.

Soc 2 Report results​

Report results

A SOC 2 report is an examination. The attestation report provides the auditor’s opinion, attesting whether the internal controls of a service organization are in place and meet the criteria of the Trust Service Principles. This is the reason why there is no pass or fail of SOC 2, but rather a professional opinion in the eyes of the auditor.



Organizations need to renew their SOC 2 report annually in order for the report to remain valid. The golden rule is that a SOC 2 audit should be scheduled every 12 months. Companies should be continuously monitoring their relevant controls throughout the year and keeping policies and procedures updated. Pro-Tip: Have a SOC 2 compliance checklist in place!​

soc 2 crash course