FortaRisks

SOC 2

SOC 2 is a North American audit framework that attests to how well a service provider controls its customers' data. It rests on five trust criteria (security, availability, processing integrity, confidentiality, privacy) and produces an independent Type I or Type II audit report.

Updated on July 2, 2026

What is SOC 2?

SOC 2 (System and Organization Controls 2) is a framework defined by the AICPA, the body of American certified public accountants. It assesses, against the Trust Services Criteria, how a service organization protects the data its customers entrust to it.

It has become the de facto standard for North American technology companies and SaaS providers: a SOC 2 report is often the first document a customer asks for before signing.

Why it matters for your organization

SOC 2 is above all a commercial accelerator. Without a report, a vendor gets stuck in the procurement processes of large accounts, which require one before approving a new provider. A clean report shortens sales cycles and reduces the number of security questionnaires to complete.

It is also an internal governance tool: preparing for a SOC 2 audit forces the organization to formalize its policies, access controls and incident management.

The five trust criteria

  • Security: the common, mandatory criterion, covering protection against unauthorized access.
  • Availability: systems are accessible as committed.
  • Processing integrity: processing is complete, accurate and authorized.
  • Confidentiality: information designated as confidential is protected.
  • Privacy: personal information is collected and processed in line with commitments.

Only security is mandatory; the other criteria are included depending on the nature of the service.

Where organizations most often fall short

The classic mistake is treating SOC 2 as a one-off project rather than an ongoing state. A Type II report covers a period: if controls slip after the audit, the next report will raise exceptions. Organizations also underestimate continuous evidence collection, which quickly becomes unmanageable without tooling.

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?

Type I attests that controls are suitably designed at a point in time. Type II goes further: it verifies that those controls operate effectively over a period, usually three to twelve months. Customers most often require a Type II report, which is more rigorous and more credible.

Is SOC 2 a certification?

Not strictly. SOC 2 is not a certification but an attestation produced by an independent audit firm. There is no official logo: what matters is the report itself, which describes the controls tested and any exceptions the auditor noted.
