Is SOC 2 a certification or attestation? Why the distinction matters for buyers

by SecureSlate Team in SOC 2

Teams often ask whether they are “SOC 2 certified.” The precise answer: SOC 2 is an attestation—an independent CPA firm’s opinion on your controls—not a certifying-body certificate.



Key takeaways

  • You receive a SOC 2 report (Type 1 or Type 2), not a universal “SOC 2 certificate.”
  • Only licensed CPA firms issue SOC reports under AICPA standards.
  • Saying “SOC 2 certified” is common in sales—but “SOC 2 attested” or “we have a SOC 2 Type 2 report” is more accurate.
  • ISO 27001 is a certifiable management system standard; SOC 2 is a point-in-time or period attestation.

SOC 2 is attestation, not certification

An attestation engagement produces a report describing:

  • Scope (systems and TSC categories)
  • Auditor procedures and opinion
  • Control descriptions and test results (report type dependent)

There is no single global SOC 2 “seal” analogous to ISO’s certificate.


SOC 2 vs ISO 27001

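|             | SOC 2                               | ISO 27001                     |
|-------------|-------------------------------------|-------------------------------|
| Output      | Attestation report                  | Certificate (via CB)          |
| Issuer      | CPA firm                            | Accredited certification body |
| Framework   | AICPA TSC                           | ISMS + Annex A                |
| Maintenance | New report periods / bridge letters | Surveillance audits           |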

How to describe SOC 2 to customers

Preferred phrasing:

  • “We have completed a SOC 2 Type 2 examination covering Security (and other TSC categories in scope).”
  • “Our latest SOC 2 report is available under NDA.”

Avoid overstated claims such as “certified by SOC 2” or “fully certified” that do not specify the report type and period.


Disclaimer (legal note)

Not legal or audit advice. Report structure and NDA terms vary by auditor and contract.
