SOC 2
What it is
An attestation report performed by a licensed CPA firm under AICPA standards. It evaluates a service organization's controls against the Trust Services Criteria (TSC). Output is an opinion (Type I = design; Type II = design + operating effectiveness over a period).
Who uses it
U.S.-centric SaaS and service providers selling to enterprise customers. Often the first compliance report a startup pursues.
Why it matters
SOC 2 is the most-requested security report in B2B SaaS. Most junior GRC analysts in SaaS spend a large share of their time on evidence collection for SOC 2 Type II.
Structure
Required for every SOC 2 — protects against unauthorized access, disclosure, and damage.
Systems are available for operation and use as agreed (think uptime SLAs, capacity, BCP/DR).
Information designated confidential is protected (NDAs, encryption, retention, secure disposal).
System processing is complete, valid, accurate, timely, and authorized (input/processing/output controls).
Personal information is collected, used, retained, disclosed, and disposed of per the privacy notice.
Terminology
Beginner explanation
SOC 2 is not certification — it is an opinion letter from an auditor. The audit is mostly about producing evidence that you actually do what your policies say.
Practical examples
- An auditor samples 25 of the 400 production changes in the year and asks for evidence each was approved before deployment.
- A startup picks just Security and Availability for its first SOC 2 to keep scope tight.
Advanced notes
SOC 2 reports are restricted-use; SOC 3 is the public, marketing-friendly version. SOC 1 is for financial-reporting controls (think SOX), not security.
Practice this in a lab
An engineer sent you 5 pieces of 'evidence' for the quarterly access review control. Some are good, some aren't.
Build the checklist your team will use 6 weeks before SOC 2 fieldwork.
Test 'Quarterly user access review' for the Q3 period.
A new analytics vendor sent its SOC 2 Type II report. Decide: approve, approve with conditions, or reject.