In depth
Two report types exist. SOC 2 Type 1 is a point-in-time assessment: the auditor evaluates whether the controls described in management's assertion are suitably designed as of a specific date. SOC 2 Type 2 is the meaningful one: the auditor evaluates whether the controls operated effectively over a period (typically six to twelve months) by sampling evidence across that window. A Type 1 is acceptable for a first audit cycle; sophisticated procurement teams will not accept anything less than a 12-month Type 2 in steady state.
The Security TSC (Common Criteria, CC1 through CC9) covers the COSO-aligned control environment, communication, risk assessment, monitoring, control activities, logical access, system operations, and change management. CC7 (System Operations) and CC8 (Change Management) are where penetration-testing and vulnerability-management evidence land. CC6 covers logical and physical access. Each control needs a control description, a control owner, evidence of operation, and audit-ready documentation of any exceptions.
Timeline to first SOC 2 Type 2: typically six to nine months of readiness work (gap assessment, policy authorship, tool deployment, control implementation), a Type 1 to lock in the design opinion, six to twelve months of operating period, then the Type 2 fieldwork (four to eight weeks) and the final report. Total elapsed time is rarely under twelve months. See SOC 2 Type 2 timeline and cost and SOC 2 Type 2 vs. Type 1.