What is SOC 2?
SOC 2 (System and Organization Controls 2) is an attestation framework defined by the AICPA, the American Institute of Certified Public Accountants. An independent CPA firm examines how a service organization protects the data its customers entrust to it, and reports on the organization's controls against the Trust Services Criteria.
It has become the de facto standard for North American technology companies and SaaS providers: a SOC 2 report is often the first document a customer asks for before signing.
Why it matters for your organization
SOC 2 is above all a commercial accelerator. Without a report, a vendor gets stuck in the procurement processes of large accounts, which typically require one before approving a new provider. A clean report shortens sales cycles and reduces the number of security questionnaires to complete.
It is also an internal governance tool: preparing for a SOC 2 audit forces the organization to formalize its policies, access controls and incident management.
The five trust criteria
- Security: the mandatory criterion (the "common criteria"), covering protection of systems and data against unauthorized access, disclosure and damage.
- Availability: systems are accessible as committed.
- Processing integrity: processing is complete, accurate and authorized.
- Confidentiality: information designated as confidential is protected.
- Privacy: personal information is collected and processed in line with commitments.
Only security is mandatory; the other criteria are added to the scope depending on the nature of the service and on what customers expect the report to cover.
Where organizations most often fall short
The classic mistake is treating SOC 2 as a one-off project rather than an ongoing state. A Type I report assesses the design of controls at a point in time, whereas a Type II report covers operating effectiveness over a review period (typically six to twelve months): if controls slip after the audit, the next report will record exceptions. Organizations also underestimate continuous evidence collection (access reviews, change approvals, vulnerability remediation records, and the like), which quickly becomes unmanageable without tooling.