AlignTrust

SOC 2

A widely used US security audit framework for service organisations that demonstrates how data is protected across five Trust Services Criteria.

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how a service organisation — typically a SaaS company or cloud provider — manages customer data across five Trust Services Criteria (TSC):

  1. Security: Information and systems are protected against unauthorised access
  2. Availability: Systems are available for operation as committed
  3. Processing Integrity: System processing is complete, accurate, and timely
  4. Confidentiality: Information designated as confidential is protected appropriately
  5. Privacy: Personal information is collected, used, retained, and disclosed in line with commitments

Security is mandatory; the other four criteria are included based on relevance to your business.

SOC 2 Type I vs Type II

  • Type I: A point-in-time assessment. Confirms controls are designed appropriately as of a specific date.
  • Type II: An assessment over a period of time (typically 6–12 months). Confirms controls were operating effectively throughout the period.

Type II reports carry more weight — they demonstrate that controls weren't just documented, but actually worked consistently over time. Most enterprise customers require SOC 2 Type II.

Why SOC 2 Matters for SaaS Companies

Enterprise buyers increasingly require SOC 2 reports before signing vendor contracts. It answers the question "how do you handle our data?" with an independent, audited answer — not just a self-assessed security questionnaire.

SOC 2 is particularly valuable for:

  • SaaS companies selling to US enterprise or mid-market customers
  • Cloud service providers
  • Any organisation that processes or stores customer data

The Road to SOC 2

  1. Define scope — which systems and services are in scope?
  2. Conduct a readiness assessment — identify gaps against the TSC
  3. Implement required controls — technical and procedural
  4. Collect evidence — logs, policies, configurations, access reviews
  5. Engage a licensed CPA firm to conduct the audit
  6. Receive and share your SOC 2 report with customers

A first SOC 2 Type II typically takes 9–18 months to achieve.