SOC 2 (Service Organization Control 2)
Last reviewed · By Chad Griffith
SOC 2 (Service Organization Control 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for evaluating a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports come in two types: Type I (point-in-time evaluation of control design) and Type II (evaluation of operating effectiveness over a period, typically 6-12 months). SOC 2 is widely required by enterprise customers as a vendor security baseline. Reports are confidential and shared under NDA, distinguishing SOC 2 from public certifications like ISO 27001.
Frequently Asked Questions
What are the five Trust Services Criteria in SOC 2?
(1) Security (mandatory) — protection against unauthorized access; (2) Availability — system uptime and performance commitments; (3) Processing Integrity — system processing is complete, accurate, and timely; (4) Confidentiality — protection of confidential information; (5) Privacy — collection, use, retention, disclosure, and disposal of personal information per the AICPA Privacy Management Framework. Most organizations include Security plus 1-2 additional categories based on customer demands.
What is the difference between SOC 2 Type I and Type II?
Type I evaluates whether controls are suitably designed at a single point in time. Type II evaluates whether controls are operating effectively over a defined period (typically 6 months for the first audit, then 12 months annually). Type II is more credible for enterprise customers but requires evidence of operating controls over time. A first-time SOC 2 typically follows the path: Type I, then Type II 6 months later, then annual Type II thereafter.
What evidence is required for SOC 2 Type II?
Evidence categories vary by control but commonly include: access reviews (quarterly or semi-annual), change management records, incident response logs, security awareness training records, vendor risk assessments, BAAs/DPAs, encryption attestations, vulnerability scan reports, penetration test reports, backup and disaster recovery test records, and continuous monitoring evidence. Auditors test samples across the audit period.
How does SOC 2 differ from ISO 27001?
SOC 2 is an AICPA-developed US-centric attestation report tested against the Trust Services Criteria; the report is confidential and shared with customers under NDA. ISO 27001 is an international standard (ISO/IEC) for information security management systems (ISMS); certification is publicly listed. SOC 2 reports tend to be more detailed about specific controls; ISO 27001 emphasizes the management system around controls. Many organizations pursue both for global enterprise customer requirements.