Knowledge Center / SOC 2
AICPA · Global

SOC 2 (AICPA)

An attestation report on controls relevant to security, availability and privacy.

SOC 2 is an attestation report, defined by the AICPA, on the controls a service organisation has in place relevant to the Trust Services Criteria (TSC). It is the standard proof of security for SaaS and cloud vendors — especially selling into the US. A licensed CPA firm performs the examination and issues an opinion; this guide explains the framework and process and does not reproduce AICPA licensed material.

The five Trust Services Criteria (TSC)

CriterionMandatory?What it covers
Security (Common Criteria)Yes — always in scopeProtection of systems and data against unauthorised access
AvailabilityOptionalSystem uptime, performance and resilience commitments
Processing IntegrityOptionalProcessing is complete, valid, accurate, timely and authorised
ConfidentialityOptionalInformation designated as confidential is protected
PrivacyOptionalPersonal information is collected, used, retained and disposed of per commitments

Security is always included; you add the other criteria based on the commitments you make to customers. Do not over-scope — align the report to what buyers actually ask about.

The Common Criteria (CC1–CC9)

The Security criterion is expressed through nine Common Criteria, which map closely to the COSO internal-control framework:

SeriesFocus
CC1Control environment (governance, integrity, org structure, accountability)
CC2Communication and information
CC3Risk assessment
CC4Monitoring activities
CC5Control activities
CC6Logical and physical access controls
CC7System operations (detection, monitoring, incident response)
CC8Change management
CC9Risk mitigation (including vendor/third-party risk)

Type I vs Type II

Type IType II
What it attestsControls are suitably designed at a point in timeControls operated effectively over a period
Observation periodA single dateTypically 3–12 months
EffortFaster to obtainRequires an evidence window
Buyer preferenceAcceptable as a first stepIncreasingly the expectation for enterprise deals

Readiness-to-report process

  1. Scope: select the Trust Services Criteria and the systems/services in scope.
  2. Readiness assessment: map current controls to the criteria and identify gaps.
  3. Remediate: implement missing controls (policies, access, monitoring, change, vendor management).
  4. Define the observation period (for Type II) and begin collecting evidence continuously.
  5. Engage a licensed CPA firm to perform the examination.
  6. Auditor tests controls, gathers evidence and issues the report with an opinion.
  7. Share the report under NDA with customers; repeat annually.

Control examples by area

  • Access: SSO, MFA, least-privilege, periodic access reviews, timely deprovisioning.
  • Change management: peer review, testing, approvals, separation of duties.
  • Operations: logging, monitoring/alerting, vulnerability management, incident response with defined SLAs.
  • Risk & governance: risk assessments, security policies, security-awareness training, board/leadership oversight.
  • Vendor risk: due diligence, contracts, periodic reassessment of critical subservice organisations.
  • Availability (if in scope): backups, DR, capacity monitoring, SLAs.

Evidence auditors collect

  • Security policies and the risk assessment.
  • Access-provisioning tickets, access reviews and terminations.
  • Change tickets with approvals and testing evidence.
  • Monitoring/alerting configurations and incident records.
  • Vulnerability scans, penetration-test reports and remediation.
  • Vendor/subservice-organisation assessments and SOC reports.
  • Security-awareness training completion.
  • Backup and (if in scope) DR test evidence.
  • HR onboarding/offboarding and background-check records.

Report structure

  • Section 1: Independent service auditor’s report (the opinion).
  • Section 2: Management’s assertion.
  • Section 3: System description (services, infrastructure, people, data, processes).
  • Section 4: Trust Services Criteria, the controls, tests performed and results (Type II).
  • Section 5 (optional): other information provided by management.

Common gaps

  • Starting the evidence clock too late for a Type II observation period.
  • Access reviews and offboarding performed inconsistently.
  • Change management without evidence of review/approval.
  • No formal vendor/subservice-organisation risk management.
  • Incident response undocumented or untested.
  • Over-scoping criteria that customers never asked for.

SOC 2 vs ISO 27001 vs SOC 1

What it isBest for
SOC 2AICPA attestation on TSC controlsProving security to (mainly US) customers
ISO 27001Certifiable information-security management systemGlobally recognised certification
SOC 1Attestation on controls relevant to financial reporting (ICFR)Service orgs affecting clients’ financial statements
How CyberSigma helps
We run your SOC 2 readiness — scoping the right criteria, closing control gaps, and building the evidence framework — then coordinate with the CPA firm through the Type I or Type II examination so the report lands without surprises.

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?
Type I attests that controls are suitably designed at a point in time; Type II attests they operated effectively over a period. Enterprise buyers increasingly prefer Type II.
Is SOC 2 a certification?
Not exactly — it is an attestation report with an auditor’s opinion, not a certificate. You share the report itself as proof.
SOC 2 vs ISO 27001 — which do I need?
SOC 2 is favoured by US buyers; ISO 27001 is a globally recognised certification. Many companies pursue both; the underlying controls overlap heavily.

Need help with SOC 2?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.