SOC 2 is an attestation report, defined by the AICPA, on the controls a service organisation has in place relevant to the Trust Services Criteria (TSC). It is the standard proof of security for SaaS and cloud vendors, especially those selling into the US. A licensed CPA firm performs the examination and issues an opinion; this guide explains the framework and process and does not reproduce AICPA licensed material.
## The five Trust Services Criteria (TSC)
| Criterion | Mandatory? | What it covers |
|---|---|---|
| Security (Common Criteria) | Yes — always in scope | Protection of systems and data against unauthorised access |
| Availability | Optional | System uptime, performance and resilience commitments |
| Processing Integrity | Optional | Processing is complete, valid, accurate, timely and authorised |
| Confidentiality | Optional | Information designated as confidential is protected |
| Privacy | Optional | Personal information is collected, used, retained and disposed of per commitments |
Security is always included; you add the other criteria based on the commitments you make to customers. Do not over-scope — align the report to what buyers actually ask about.
## The Common Criteria (CC1–CC9)
The Security criterion is expressed through nine Common Criteria, which map closely to the COSO internal-control framework:
| Series | Focus |
|---|---|
| CC1 | Control environment (governance, integrity, org structure, accountability) |
| CC2 | Communication and information |
| CC3 | Risk assessment |
| CC4 | Monitoring activities |
| CC5 | Control activities |
| CC6 | Logical and physical access controls |
| CC7 | System operations (detection, monitoring, incident response) |
| CC8 | Change management |
| CC9 | Risk mitigation (including vendor/third-party risk) |
## Type I vs Type II
| | Type I | Type II |
|---|---|---|
| What it attests | Controls are suitably designed at a point in time | Controls operated effectively over a period |
| Observation period | A single date | Typically 3–12 months |
| Effort | Faster to obtain | Requires an evidence window |
| Buyer preference | Acceptable as a first step | Increasingly the expectation for enterprise deals |
## Readiness-to-report process
- Scope: select the Trust Services Criteria and the systems/services in scope.
- Readiness assessment: map current controls to the criteria and identify gaps.
- Remediate: implement missing controls (policies, access, monitoring, change, vendor management).
- Define the observation period (for Type II) and begin collecting evidence continuously.
- Engage a licensed CPA firm to perform the examination.
- Auditor tests controls, gathers evidence and issues the report with an opinion.
- Share the report under NDA with customers; repeat annually.
## Control examples by area
- Access: SSO, MFA, least-privilege, periodic access reviews, timely deprovisioning.
- Change management: peer review, testing, approvals, separation of duties.
- Operations: logging, monitoring/alerting, vulnerability management, incident response with defined SLAs.
- Risk & governance: risk assessments, security policies, security-awareness training, board/leadership oversight.
- Vendor risk: due diligence, contracts, periodic reassessment of critical subservice organisations.
- Availability (if in scope): backups, DR, capacity monitoring, SLAs.
## Evidence auditors collect
- Security policies and the risk assessment.
- Access-provisioning tickets, access reviews and terminations.
- Change tickets with approvals and testing evidence.
- Monitoring/alerting configurations and incident records.
- Vulnerability scans, penetration-test reports and remediation.
- Vendor/subservice-organisation assessments and SOC reports.
- Security-awareness training completion.
- Backup and (if in scope) DR test evidence.
- HR onboarding/offboarding and background-check records.
## Report structure
- Section 1: Independent service auditor’s report (the opinion).
- Section 2: Management’s assertion.
- Section 3: System description (services, infrastructure, people, data, processes).
- Section 4: Trust Services Criteria, the controls, tests performed and results (Type II).
- Section 5 (optional): other information provided by management.
## Common gaps
- Starting the evidence clock too late for a Type II observation period.
- Access reviews and offboarding performed inconsistently.
- Change management without evidence of review/approval.
- No formal vendor/subservice-organisation risk management.
- Incident response undocumented or untested.
- Over-scoping criteria that customers never asked for.
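The access controls listed under "Control examples by area" (periodic access reviews, timely deprovisioning, MFA) and the "access reviews and offboarding performed inconsistently" gap above are usually tested by an auditor sampling a quarterly review and checking that leavers actually lost access. The script below is an added example, not code from the page or from any product it mentions: it reconciles a hypothetical identity-provider user export against HR termination dates and produces the review artefact an auditor would sample. All names, dates, roles and the two policy thresholds are constructed sample data.

```python
"""Quarterly access-review reconciliation (added example, not from the page).

Cross-checks an identity-provider user export against the HR termination
list to surface the CC6 gaps named above: accounts left active after an
employee left, users without MFA, and dormant accounts. All names, dates
and thresholds are constructed sample data, not real records.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    """One row of a hypothetical identity-provider user export."""
    user: str
    active: bool
    mfa_enrolled: bool
    last_login: date
    roles: tuple


# Constructed sample inputs: an IdP export and HR's termination dates.
IDP_EXPORT = [
    Account("alice", True, True, date(2024, 4, 14), ("engineer",)),
    Account("bob", True, True, date(2024, 2, 28), ("engineer", "prod-admin")),
    Account("carol", True, False, date(2024, 4, 10), ("support",)),
    Account("dave", True, True, date(2023, 12, 1), ("engineer",)),
]
HR_TERMINATED = {"bob": date(2024, 3, 1)}   # user -> last working day
AS_OF = date(2024, 4, 15)                   # date the review is performed

DEPROVISION_SLA_DAYS = 1   # assumed policy: disable access within one day of exit
DORMANT_DAYS = 90          # assumed policy: unused for 90 days triggers review


def review_access(accounts, terminated, as_of,
                  deprovision_sla_days=DEPROVISION_SLA_DAYS,
                  dormant_days=DORMANT_DAYS):
    """Return one finding dict per control exception found in the export."""
    findings = []
    for acct in accounts:
        if not acct.active:
            continue  # already disabled: nothing to deprovision
        if acct.user in terminated:
            # Offboarding gap: the leaver still has an enabled account.
            days_since_exit = (as_of - terminated[acct.user]).days
            findings.append({
                "user": acct.user,
                "issue": "terminated_still_active",
                "days_overdue": max(0, days_since_exit - deprovision_sla_days),
                "roles": list(acct.roles),
            })
        if not acct.mfa_enrolled:
            findings.append({
                "user": acct.user,
                "issue": "mfa_not_enrolled",
                "roles": list(acct.roles),
            })
        days_idle = (as_of - acct.last_login).days
        if days_idle > dormant_days:
            # Dormant accounts are candidates for removal under least privilege.
            findings.append({
                "user": acct.user,
                "issue": "dormant_account",
                "days_idle": days_idle,
            })
    return findings


def evidence_record(findings, as_of, reviewer):
    """Build the artefact an auditor samples: who reviewed, when, what was found."""
    summary = {}
    for finding in findings:
        summary[finding["issue"]] = summary.get(finding["issue"], 0) + 1
    return {
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "summary": summary,
        "exceptions_open": len(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    import json
    record = evidence_record(review_access(IDP_EXPORT, HR_TERMINATED, AS_OF),
                             AS_OF, "hypothetical-reviewer")
    print(json.dumps(record, indent=2))
```

Running the review on a schedule and retaining each `evidence_record` (with the ticket that closed every exception) gives the auditor a continuous trail for the observation period rather than a one-off spreadsheet assembled the week before fieldwork. The thresholds are parameters so the script can be pointed at whatever the organisation's own access policy states.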
## SOC 2 vs ISO 27001 vs SOC 1
| | What it is | Best for |
|---|---|---|
| SOC 2 | AICPA attestation on TSC controls | Proving security to (mainly US) customers |
| ISO 27001 | Certifiable information-security management system | Globally recognised certification |
| SOC 1 | Attestation on controls relevant to financial reporting (ICFR) | Service orgs affecting clients’ financial statements |