
System and Organization Controls 2

Demonstrating security practices to customers through independent attestation

Established: 2010
Last Updated: 2017 Trust Services Criteria (current version; points of focus revised 2022)
Scope: Global
Trust Services Categories: 5

// What is SOC 2?

SOC 2 is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) that lets service organizations demonstrate their security controls to customers and other stakeholders through an examination performed by an independent CPA firm. Unlike prescriptive standards such as PCI DSS, SOC 2 defines criteria rather than specific controls, so organizations choose how they implement and evidence the controls that satisfy each criterion.

The framework evaluates controls against the Trust Services Criteria (TSC), organized into five categories: Security, which is required in every report, and four optional categories: Availability, Processing Integrity, Confidentiality, and Privacy. Organizations choose which optional categories to include based on the commitments they make to customers in their service agreements.

SOC 2 reports come in two types. A Type I report assesses whether controls are suitably designed as of a point in time. A Type II report assesses both design and operating effectiveness over a review period (typically 6 to 12 months) and includes the auditor's tests of each control and their results. Enterprise customers increasingly require Type II reports as part of vendor qualification.

// Inside the Regulation

SOC 2 evaluates controls against the Trust Services Criteria (TSC), which define the characteristics of a reliable system. Security is always included; organizations select additional categories based on the commitments they make in their service agreements.

1. Security (Common Criteria), CC series

The foundation of every SOC 2 examination, covering how the organization protects information and systems against unauthorized access.

CC1: Control Environment

Management's commitment to integrity and security, organizational structure, and accountability mechanisms.

CC2: Communication and Information

How security information is communicated internally and externally, including policies and incident communication.

CC3: Risk Assessment

Processes for identifying, analyzing, and managing risks to achieving security objectives.

CC4: Monitoring Activities

Ongoing evaluation of controls and communication of deficiencies to appropriate parties.

CC5: Control Activities

Policies and procedures ensuring management directives are carried out, including technology controls.

CC6: Logical and Physical Access

Controls restricting logical and physical access to systems and facilities based on authorization.

CC7: System Operations

Detection of anomalies and security events, incident management, and recovery procedures.

CC8: Change Management

Controls ensuring changes to infrastructure and applications are authorized, tested, and documented.

CC9: Risk Mitigation

Controls addressing risks from vendors, business disruptions, and other external factors.

2. Availability, A series

Optional criteria evaluating whether systems are available for operation as committed.

A1: Availability Commitments

Controls supporting system availability, including capacity planning, environmental protections, backup and recovery infrastructure, and periodic testing of recovery plans.

3. Processing Integrity, PI series

Optional criteria assessing whether system processing is complete, valid, accurate, timely, and authorized.

PI1: Processing Integrity Commitments

Controls ensuring that inputs are complete and accurate, that processing achieves its intended results, and that outputs and stored data are not altered without authorization.

4. Confidentiality, C series

Optional criteria for protecting information designated as confidential.

C1: Confidentiality Commitments

Controls protecting confidential information throughout its lifecycle including collection, use, and disposal.

5. Privacy, P series

Optional criteria addressing personal information collection, use, retention, and disclosure.

P1-P8: Privacy Criteria

Eight criteria covering notice and communication of objectives (P1), choice and consent (P2), collection (P3), use, retention, and disposal (P4), access (P5), disclosure and notification (P6), quality (P7), and monitoring and enforcement (P8) of personal information.

Note: Type I reports assess whether controls are suitably designed at a specific point in time. Type II reports evaluate both design and operating effectiveness over a period (typically 6-12 months). Enterprise customers generally require Type II reports, as they demonstrate controls actually work over time, not just on paper.

// Who Must Comply

  • SaaS and cloud service providers serving enterprise customers
  • Data centers and hosting providers
  • Managed service providers (MSPs) and managed security service providers (MSSPs)
  • Payment processors and fintech companies
  • HR and payroll service providers
  • Any service organization whose customers require independent security assurance

// Key Requirements

Security Controls

Implement controls protecting against unauthorized access, including access management, encryption, and monitoring

Policies & Procedures

Document security policies and operational procedures governing all in-scope systems

Continuous Monitoring

Monitor systems for security events, anomalies, and control failures with defined response procedures

Vendor Management

Assess and monitor third-party vendors with access to systems or data in scope

Change Management

Control changes to infrastructure, applications, and configurations through formal processes

Incident Response

Maintain and test incident response procedures for security events and breaches

// Enforcement & Penalties

SOC 2 is a voluntary framework; there are no direct regulatory penalties, and SOC 2 is an attestation report rather than a certification. However, the business consequences of failing to obtain or maintain a current SOC 2 report can be significant, as enterprise customers increasingly require one for vendor qualification.

Maximum Penalty: No regulatory fines (voluntary framework)

Examples:

  • Loss of enterprise sales opportunities requiring SOC 2 reports
  • Removal from vendor qualification for existing customers
  • Increased scrutiny and custom security assessments from prospects
  • Higher cyber insurance premiums without attestation

// Cyber Insurance Impact

SOC 2 Type II reports demonstrate security program maturity to cyber insurers, often resulting in more favorable terms. Insurers view current SOC 2 attestation as evidence of baseline security practices. Organizations without SOC 2 may face additional underwriting scrutiny or higher premiums, particularly in the technology and services sectors.

// How Breach Craft Helps

We help organizations achieve SOC 2 compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of SOC 2.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873