What Is SOC 2?
SOC 2 (System and Organization Controls 2) is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how well a service organization protects customer data based on five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.
For most B2B SaaS companies selling to mid-market and enterprise customers, SOC 2 is the first compliance framework they pursue. It has become the baseline expectation for vendors handling customer data.
Why SOC 2 Exists
SOC 2 was created to give businesses a standardized way to evaluate the security practices of their service providers. Before SOC 2, every customer had their own security questionnaire with different questions and formats. SOC 2 provides a common language and a trusted third-party assessment.
Who Needs SOC 2
Any company that stores, processes, or transmits customer data may be asked for a SOC 2 report. This includes SaaS companies, cloud service providers, managed service providers, data analytics firms, and any organization that handles data on behalf of other businesses. If your sales team is fielding security questionnaires, SOC 2 likely simplifies the process.
SOC 2 vs ISO 27001
SOC 2 is a US-centric framework producing an audit report. ISO 27001 is an international standard resulting in a certificate. SOC 2 is criteria-based: you address specific trust service criteria. ISO 27001 is risk-based: you select controls based on identified risks. Many companies pursue both, starting with whichever their customers request first.
The SOC 2 Report
A SOC 2 report is issued by a licensed CPA firm after auditing your controls. It describes your system, the controls in place, and the auditor's opinion on whether those controls are designed effectively (Type 1) or operating effectively over time (Type 2). The report is shared with customers under NDA.
In the next lesson, we will dive into the Trust Service Criteria.