SOC 2
An attestation framework under which an independent auditor reports on a service provider's controls for security, availability, processing integrity, confidentiality and privacy.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an attestation framework developed by the AICPA (American Institute of Certified Public Accountants) under which an independent auditor examines the controls a service organisation operates to protect the systems and data it handles for its customers. SOC 2 is particularly popular among technology companies and SaaS providers, where the report serves as evidence to customers that the organisation has implemented and operates appropriate controls over customer data.
SOC 2 is based on five Trust Services Criteria; the organisation chooses which of them its report covers:
Security: the system is protected against unauthorised access, disclosure and damage. This is the only mandatory criterion; every SOC 2 report includes it.
Availability: the system is available for operation and use as committed, for example in accordance with an SLA.
Processing Integrity: processing is complete, valid, accurate, timely and authorised.
Confidentiality: information designated as confidential is protected as committed or agreed.
Privacy: personal information is collected, used, retained, disclosed and disposed of in accordance with the organisation's privacy notice and the privacy criteria.
A SOC 2 Type I report evaluates whether controls are suitably designed at a point in time. A SOC 2 Type II report evaluates both the design and the operating effectiveness of those controls over a review period (typically 6 to 12 months) and is considerably more valuable, because it shows the controls actually ran as described rather than merely existed on paper. The examination is performed by an independent CPA firm. Note that SOC 2 is not a certification and has no pass/fail result: the deliverable is a report containing the auditor's opinion, the organisation's description of its system, the criteria and controls in scope, and any exceptions the auditor found. When reviewing a vendor's report, check the review period, which Trust Services Criteria and which systems are in scope, and the exceptions listed, since a report that covers only the Security criterion for a narrowly defined system says little about the rest of the vendor's environment.
Why does it matter?
SOC 2 has become the de facto standard in B2B relationships with technology vendors: enterprise customers increasingly require a current SOC 2 Type II report as a condition of doing business, and procurement and vendor-risk teams use it in place of, or alongside, their own questionnaires. For SaaS companies serving clients in the US and Western Europe, having SOC 2 can be a market entry requirement.