What is SOC 2? A practical guide to Trust Services Criteria and audit reports

by SecureSlate Team in SOC 2

SOC 2 is a widely used assurance framework for service organizations that handle customer data—especially SaaS, cloud, and outsourced IT providers. It is issued under AICPA attestation standards and evaluates controls against Trust Services Criteria (TSC).

Key takeaways

  • SOC 2 produces an independent auditor’s report, not a government “certification.”
  • Security is required; availability, confidentiality, processing integrity, and privacy are optional categories.
  • Type 1 tests control design; Type 2 tests operating effectiveness over time.
  • Buyers often request SOC 2 during enterprise security reviews.

What is SOC 2?

SOC 2 (Service Organization Control 2) assesses whether your organization’s controls meet selected TSC categories for systems that process customer data. The output is a SOC 2 report prepared by a licensed CPA firm.


Trust Services Criteria

Category             | Typical focus
Security             | Access, change management, risk, monitoring
Availability         | Uptime, recovery, capacity
Confidentiality      | Protection of confidential information
Processing integrity | Complete, valid, timely processing
Privacy              | Personal information handling

See Understanding SOC 2 Trust Services Criteria.


Type 1 vs Type 2

  • Type 1: Are controls suitably designed at a point in time?
  • Type 2: Did controls operate effectively over a review period (often 6–12 months)?

Most enterprise buyers prefer Type 2 for ongoing assurance.


Get audit-ready with SecureSlate

SecureSlate automates evidence collection, control mapping, and audit workflows for SOC 2 and related frameworks.


Disclaimer (legal note)

General information only—not legal or audit advice. SOC 2 scope and criteria depend on your systems and contracts.
