
SOC 2 Compliance Requirements [2025]

High-profile data breaches have grown in frequency and severity over the last few years, and in 2023 alone, there were more data breaches in the US than ever before. 

The consequences of these inevitable security incidents often stretch beyond consumers, impacting businesses themselves. A single data breach can cost millions—not to mention the incalculable cost of reputational damage and the loss of customer trust. As a result, data and identity security have become a top priority for most organizations today.

Several security standards and certifications have emerged as benchmarks for organizations to demonstrate their dedication to protecting data. Among these, a Service Organization Controls (SOC) report stands out as one of the most well-regarded, particularly SOC 2, which focuses on protecting customer data. 

This article explains what a SOC 2 report is, how it differs from SOC 1, its compliance requirements and criteria, and the SOC 2 audit process. With this information, your organization can thoroughly prepare itself for SOC 2 compliance and even achieve ongoing SOC 2 compliance.

What is a SOC 2 report? 

Developed in 2010 under the American Institute of Certified Public Accountants (AICPA) guidelines, a SOC 2 report evaluates an organization’s information security measures. This type of audit examines the controls an organization has in place to protect the systems and services its customers and partners use to make sure they can prevent unauthorized access and security breaches. 

With specific criteria for managing customer data, protecting privacy, and securing networks against vulnerabilities, SOC 2 is a powerful report for organizations to showcase their commitment to cybersecurity by proving their reliability and trustworthiness in handling sensitive information. 

Organizations typically pursue SOC 2 compliance to strengthen their security posture, gain a competitive edge, expedite deal closures, and attract new business.

SOC 1 vs SOC 2

Choosing between a SOC 1 report and a SOC 2 report depends largely on the nature of the service provided and the specific needs of the organization and its clients regarding assurance of operational and data security practices. 

SOC 1 Reports primarily focus on a service organization’s internal controls over financial reporting. This type of audit is important for entities that need to ensure the controls at a service organization do not adversely affect their financial statements. SOC 1 reports are particularly relevant for organizations that handle or impact the financial transactions of their clients. 

SOC 2 Reports are centered around data protection and operational controls relevant to security, availability, processing integrity, confidentiality, and privacy. This type of audit is important for users who require assurance about the security and operational effectiveness of the systems used by a service organization to process and safeguard data. SOC 2 reports can be further divided into Type I (controls at a specific point in time) and Type II (controls over a period of time).

SOC 2 Type I report vs SOC 2 Type II report

When opting for SOC 2 compliance, organizations can choose between two types of reports: SOC 2 Type I and SOC 2 Type II. Each serves a different purpose and offers varied levels of assurance to stakeholders.

SOC 2 Type I reports provide a snapshot of an organization’s systems and the suitability of its control design at a specific point in time. They provide an initial overview and are particularly useful for organizations that must quickly demonstrate their commitment to security standards. 

For example, a SOC 2 Type I Report may be useful for newer companies seeking to establish trust with potential clients or partners without extensive waiting periods. 

SOC 2 Type II reports provide a more dynamic analysis by examining these controls over a longer period, typically three to twelve months. They not only assess the controls’ design but also how well they function consistently over time. 

This report is more rigorous and offers a deeper level of assurance to customers by demonstrating the controls’ existence and effectiveness in action. 

Deciding between a SOC 2 Type I and Type II report often comes down to the organization’s specific goals, the level of assurance their clients need, and practical considerations like cost and timeline. 

While a Type I report can be obtained relatively quickly, a Type II report (although more time-consuming and costly) can be necessary for establishing long-term relationships with clients who want proof of effective security practices. 

Starting with a Type II report is a strategic choice for many organizations. It saves time and resources by bypassing the need for a Type I report and providing the extensive evidence of compliance that many clients demand as quickly as possible.

What are SOC 2 compliance requirements?

At its core, SOC 2 compliance is about following principles that ensure customer data security, availability, processing integrity, confidentiality, and privacy. 

What are Trust Services Criteria?

The Trust Services Criteria (TSC) form the foundation of the SOC 2 framework. Developed by the AICPA, they are the standards against which an organization’s security posture is assessed during a SOC 2 audit. 

The five TSCs include:

  1. Security: This requirement focuses on protecting information from unauthorized access and breaches. It forms the core of every SOC 2 report and is thus mandatory. Security measures under this requirement include physical and digital safeguards to prevent unauthorized entry/access and data theft.
  2. Availability: This requirement ensures that the systems are available for operation and use as stipulated. It involves maintaining performance, uptime, and continuity of services, which are critical for employees and clients who depend on these systems for their daily activities. 
  3. Processing Integrity: This requirement ensures that the systems perform their intended function in an accurate, timely, and authorized manner. Processing integrity is vital for maintaining the correctness and reliability of operational processes and system outputs.
  4. Confidentiality: This requirement protects confidential information from unauthorized access and disclosure. It involves controls for how sensitive data is accessed, transmitted, and stored. 
  5. Privacy: This requirement involves appropriately handling personal information to protect against unauthorized access or use. Privacy controls focus on how personal data is collected, used, retained, disclosed, and disposed of in accordance with the company’s privacy notice and principles. 

During a SOC 2 audit, an independent auditor evaluates how well an organization meets these requirements by implementing various internal controls. While the security requirement is always evaluated (often referred to as the “common criteria” because its principles overlap with the other criteria), the other four requirements are optional and chosen based on the organization’s specific business practices and their clients’ needs.

What are AICPA SOC 2 requirements? 

The AICPA is the governing body that sets the auditing standards used during SOC 2 examinations. 

The TSC are supplemented by the AICPA’s “points of focus,” which are not mandatory but serve as supportive guidelines to help organizations implement controls. These points focus on key areas like access controls, configuration management, and vendor management, giving organizations detailed guidance on improving their security measures. 

Upon successfully completing a SOC 2 attestation, an organization can use and display the AICPA’s SOC 2 logo to signify compliance and enhance the organization’s credibility and trustworthiness in handling sensitive data securely.

Who needs SOC 2 compliance?

If your organization handles any customer data—whether storing, processing, or transmitting it—achieving SOC 2 compliance is likely essential. SOC 2 sets rigorous security standards that help secure your operations as your business grows. Most companies seek a SOC 2 report to assure clients that their sensitive data is protected. 

Regarded as the gold standard for security assurance, a SOC 2 report not only demonstrates your commitment to maintaining strong security measures but also improves your competitive edge, potentially boosting sales and improving your market position.

SOC 2 compliance requirements

While the security requirement is always assessed during a SOC 2 audit, the other four TSCs are optional. Each requirement has its own criteria for assessing whether controls are implemented and working as intended.

SOC 2 security requirements

Also called the “common criteria,” the security requirement of SOC 2 compliance assesses how well organizations protect customer information, from creation to storage. To meet these standards, organizations must implement identity security measures like access controls that protect data against risks like unauthorized access or removal, unapproved changes, destruction or improper use, and disclosure without permission.

  • CC1 – Control Environment: Evaluates whether the organization prioritizes integrity and security within its operational practices.
  • CC2 – Communication and Information: Assesses the presence and communication of policies and procedures that ensure security, both internally and with external partners.
  • CC3 – Risk Assessment: Reviews how the organization identifies, analyzes, and manages risks, and how it monitors changes that might impact those risks.
  • CC4 – Monitoring Controls: Examines how the organization monitors, evaluates, and communicates the effectiveness of its security controls.
  • CC5 – Control Activities: Checks whether appropriate controls, processes, and technologies are implemented to minimize security risks.
  • CC6 – Logical and Physical Access Controls: Looks at whether the organization uses encryption and other measures to control who can access data and restrict physical access to critical infrastructure.
  • CC7 – Systems Operations: Analyzes the monitoring of systems to ensure proper functionality, and evaluates incident response and disaster recovery plans.
  • CC8 – Change Management: Ensures that any significant changes to systems are tested and approved before implementation to avoid security lapses.
  • CC9 – Risk Mitigation: Investigates how the organization mitigates risks through effective business processes and vendor management.

SOC 2 privacy requirements

Designed to protect Personally Identifiable Information (PII) against unauthorized access and breaches, the privacy requirement emphasizes the need for security measures like access governance, two-factor authentication, and encryption to protect personal data. 

Privacy, as defined in this context, focuses exclusively on personal information, distinguishing it from the confidentiality requirement, which covers a broader range of sensitive data. 

  • P1 – Management: Overarching governance of data protection policies and practices within the organization.
  • P2 – Notice: Informing individuals about privacy practices and the types of personal information collected, used, and disclosed.
  • P3 – Choice and Consent: Obtaining explicit consent from individuals before collecting, using, or disclosing their information.
  • P4 – Collection: Ensuring that personal information is collected legally and from reliable sources.
  • P5 – Use, Retention, and Disposal: Detailing how personal information is used, how long it is retained, and the procedures for its safe disposal.
  • P6 – Access: Allowing individuals to access their personal information held by the organization and make corrections if necessary.
  • P7 – Disclosures to Third Parties: Managing how and to whom personal information is disclosed, ensuring it aligns with privacy policies.
  • P8 – Security: Implementing physical and electronic measures to protect personal information from unauthorized access and breaches.
  • P9 – Quality: Maintaining accurate, complete, and relevant personal information as required for the purposes for which it is used.
  • P10 – Monitoring and Enforcement: Regularly reviewing compliance with privacy policies and practices and addressing any issues identified.

SOC 2 availability requirements

The availability requirement in SOC 2 focuses on ensuring that an organization’s systems and the services provided to its customers are accessible as needed. This is important for maintaining operational continuity and meeting performance expectations, and it involves controls covering business continuity planning, disaster recovery, data backups, and system capacity monitoring. 

  • A1 – Capacity Monitoring and Management: Maintains and evaluates current processing capacity to manage demand and support implementation of additional capacity as needed.
  • A2 – Infrastructure and Environmental Controls: Manages and monitors environmental protections, data backups, recovery infrastructure, and software to ensure operational objectives are met.
  • A3 – Disaster Recovery Testing: Regularly tests recovery plan procedures to ensure systems can recover from disruptions in alignment with organizational objectives.

SOC 2 processing integrity requirements

This requirement aims to ensure that data processing activities in the cloud are conducted accurately, in a timely manner, validly, and with proper authorization. The processing integrity requirement is critical for organizations to maintain the reliability and trustworthiness of their systems and services. 

To achieve this, organizations can employ quality assurance measures and use specific SOC tools designed to monitor and verify the integrity of data processing. 

  • PI1 – Information Relevance and Quality: Ensures relevant, quality information is obtained, used, and communicated to support the objectives related to processing.
  • PI2 – Control Over Inputs: Implements controls over system inputs to ensure completeness and accuracy, resulting in products, services, and reports that meet the entity’s objectives.
  • PI3 – Processing Policies and Procedures: Establishes policies and procedures over system processing to ensure the outcomes meet the entity’s objectives.
  • PI4 – Output Management: Policies and procedures are in place to ensure outputs are delivered completely, accurately, and on time, according to specifications.
  • PI5 – Storage of Data Elements: Implements policies and procedures to store inputs, processing items, and outputs accurately and on time, aligning with system specifications.

SOC 2 confidentiality requirements

The confidentiality requirement is essential for protecting sensitive information from unauthorized access and disclosure. It ensures that confidential data—like intellectual property, financial details, and other business-sensitive information—is securely managed throughout its lifecycle. 

To meet this requirement, organizations must implement rigorous access controls and privilege management to restrict data access to authorized personnel only.

  • C1 – Identification and Maintenance of Confidential Information: Ensures that confidential information is accurately identified and maintained to safeguard its confidentiality throughout its lifecycle.
  • C2 – Disposal of Confidential Information: Establishes procedures for the secure disposal of confidential information to prevent unauthorized access or disclosure after it is no longer needed.

Learn about SOC 2 audits

SOC 2 controls and attestations vary for each organization, and every company designs its own controls based on the TSC it chooses to meet. During a SOC 2 audit, an independent auditor checks if these controls meet SOC 2 standards. 

After the audit, the auditor prepares a report detailing how the company’s systems and processes align with SOC 2 requirements. Every organization that undergoes a SOC 2 audit receives a report, regardless of the audit outcome.

Here are the specific terms auditors use to report on audit results:

  • Unqualified: The company met all audit requirements.
  • Qualified: The company met audit requirements with some exceptions that need addressing.
  • Adverse: The company did not meet the audit requirements.
  • Disclaimer of Opinion: The auditor could not obtain sufficient information to determine if the requirements were met. 

Now let’s take a closer look at some of the frequently asked questions about the SOC 2 audit process.

How long does a SOC 2 audit take?

The duration of a SOC 2 audit can vary significantly based on several factors, including the type of report being prepared and the specific timeframe chosen for the audit window.

For a SOC 2 Type II report, the audit window could be three, six, or nine months. This is the period during which the organization collects evidence and documents the performance of its controls. The length of this phase is predetermined and is an important component of the audit because it reflects the operational effectiveness of controls over a specific period. 

The actual audit process typically lasts between five weeks and three months. This phase’s duration depends on the audit’s scope, the number of controls being tested, and other logistical factors. 

During this period, the auditor engages in several key activities:

  • Setting Deliverables: The auditor outlines the necessary deliverables and control tests based on the selected TSC.
  • Evidence Collection: The auditor gathers and reviews documentation, conducts interviews with relevant team members, and collects necessary evidence. 
  • Report Writing: After collecting and evaluating all the information, the auditor compiles the findings into a formal SOC 2 report. This report concludes with the auditor’s opinion on whether the organization passed the audit.

Who performs a SOC 2 audit?

SOC 2 audits are specialized examinations that require a specific skill set and authoritative status. They can only be conducted by a licensed Certified Public Accountant (CPA) firm or an agency that has been accredited by the AICPA. 

This ensures that the audits are performed to a high standard and that the auditors have a deep understanding of the TSC and related auditing procedures. 

One of the fundamental requirements of an auditor conducting a SOC 2 audit is complete independence. The auditor or auditing firm must not have any existing relationship with the service organization being audited to ensure that the results are unbiased and objectively assessed.

How to prepare for a SOC 2 audit

Preparing for a SOC 2 audit is a structured process that requires careful planning and execution. The preparation phase can vary greatly in duration, from as little as two weeks to as much as nine months, depending on the complexity of the organization’s systems and the readiness of its controls.

Here are the key steps involved in preparing for a SOC 2 audit:

  1. Choose Report Type: Begin by deciding whether you need a Type I or Type II SOC 2 report.
  2. Select TSC: Choose which of the five TSC you will include in your audit.
  3. Determine Scope and Timeline: Define the scope of the audit by identifying the systems that will be evaluated and determining the timeframe over which the controls will be assessed. 
  4. Conduct a Gap Analysis: Perform a comprehensive analysis to compare the current state of your systems and controls against the SOC 2 requirements to identify areas of non-compliance. 
  5. Remediate Identified Gaps: Address the identified gaps by implementing changes or improvements to your controls. 
  6. Compile Documentation: Gather and organize all relevant evidence that proves compliance with the selected TSC.
  7. Complete a Readiness Assessment: Before the formal audit begins, you may opt to conduct a readiness assessment to review your systems and controls and confirm if they are likely to meet SOC 2 compliance criteria.

After these preparatory steps, your organization should be well-positioned to start the SOC 2 audit process.

How much does a SOC 2 audit cost?

The cost of a SOC 2 audit can vary significantly based on several factors, including the type of report required, the size and complexity of the organization, and the state of the organization’s current information security practices. 

  • SOC 2 Type I: For small to midsize companies, costs typically range from $7,500 to $15,000. For larger businesses, the cost can range from $20,000 to $60,000.
  • SOC 2 Type II: For small to midsize companies, costs typically range from $12,000 to $20,000. For larger businesses, costs can range from $30,000 to $100,000.

These figures represent the audit costs alone and do not include the potentially significant expenses associated with preparing for the audit. Organizations should also consider the ongoing costs associated with maintaining SOC 2 compliance, which may include regular updates to security measures and periodic re-auditing to renew the SOC 2 certification.

More about SOC 2 Requirements

Understanding SOC 2 requirements is essential for organizations to establish and demonstrate compliant information security practices. 

Are SOC 2 Type 1 and Type 2 requirements the same?

No, SOC 2 Type 1 and Type 2 requirements are not the same. While both types evaluate the design of controls related to security, availability, processing integrity, confidentiality, and privacy, the scope and duration of their assessment differ:

  • Type 1 focuses on the suitability of the design of controls at a specific point in time.
  • Type 2 assesses the operational effectiveness of these controls over a designated review period, typically ranging from three to twelve months.

What is a SOC 2 compliance report?

A SOC 2 compliance report is a detailed document produced by an independent auditor after assessing an organization’s adherence to the relevant TSC. The compliance report outlines whether the organization has effectively implemented and maintained the controls necessary for the protection of data managed on behalf of clients. 

It serves as proof of compliance and is used to demonstrate the organization’s commitment to data security and privacy to stakeholders.

What are the SOC 2 common criteria?

The SOC 2 common criteria refer to the security requirement of the TSC, which is a mandatory component of any SOC 2 audit. This category, also known as the common criteria, encompasses controls related to:

  • Network and information security
  • System operations
  • Access management 
  • Change management
  • Risk mitigation
  • Privacy 
  • Processing integrity 
  • Operational availability
  • Other aspects critical to maintaining the security and integrity of the systems handling customer data

These criteria are essential for ensuring that an organization’s information security practices meet the high standards expected in industries dealing with sensitive data.

Achieve Ongoing SOC 2 Compliance

Achieving SOC 2 compliance is no easy feat—especially if your organization relies on manual processes to gather evidence, conduct user access reviews, and communicate with application owners. 

With Veza your organization can conduct user access reviews and audits quickly, more accurately, and with less human intervention. Veza’s Access Platform provides pre-configured assessment templates that address entitlements, privileged access, misconfigurations, and other areas that might impact data security. 

As a robust platform for demonstrating compliance, Veza provides easy access to evidence of attestations and clear insights into user access rights and roles. With Veza, you can enforce least privilege and compliance with access reviews based on the effective permissions of identities. 

Learn more about how Veza can help your organization demonstrate compliance with SOC 2 and other frameworks.
