What Is SOC 2?
The compliance framework that SaaS companies and service providers can't avoid — explained without the jargon. What it covers, how it works, and what an audit actually involves.
What Is SOC 2?
SOC 2 is a framework for proving that your organisation handles customer data securely. It was developed by the American Institute of Certified Public Accountants (AICPA) and is the de facto standard for SaaS companies and service providers.
SOC stands for System and Organization Controls. A SOC 2 report is the result of an independent audit by a licensed CPA firm, examining whether your controls meet the Trust Services Criteria — a set of principles covering security, availability, processing integrity, confidentiality, and privacy.
Unlike ISO 27001, which prescribes a management system, SOC 2 is flexible about how you implement controls. Two companies with very different setups can both achieve a clean SOC 2 report, as long as their controls address the relevant criteria.
The Five Trust Services Criteria
SOC 2 is built around five categories. Security is mandatory — the other four are optional and depend on what's relevant to your service.
Security (Required)
Protection against unauthorised access — both physical and logical. Covers firewalls, access controls, intrusion detection, and more. This is the baseline for every SOC 2 report.
Availability (Optional)
The system is available for operation and use as committed. Covers uptime, disaster recovery, incident handling, and performance monitoring.
Processing Integrity (Optional)
System processing is complete, valid, accurate, timely, and authorised. Important if you process transactions or calculations on behalf of customers.
Confidentiality (Optional)
Information designated as confidential is protected as committed. Covers encryption, access restrictions, and data classification.
Privacy (Optional)
Personal information is collected, used, retained, disclosed, and disposed of in line with your privacy commitments and relevant regulations.
Type 1 vs Type 2
SOC 2 reports come in two types. The difference is straightforward:
Type 1: Point-in-Time
Are your controls suitably designed as of a specific date?
- Snapshot of control design
- Faster to achieve (1–3 months)
- Good starting point
- Less weight with buyers
Type 2: Over a Period
Are your controls operating effectively over a period of time?
- Typically 3–12 month observation window
- Proves controls work in practice
- What most buyers want to see
- Renewed annually
Who Needs SOC 2?
SOC 2 originated in North America but is now expected globally — especially if you sell to US-based companies. It's most relevant for:
SaaS & Cloud Service Providers
- You store, process, or transmit customer data
- Prospects ask for your SOC 2 report during procurement
- Enterprise deals stall without it
Managed Service Providers & IT Companies
- You have privileged access to client environments
- Clients need assurance that their data is protected
- Differentiates you from competitors
Any Business Selling to Enterprises
- Security questionnaires are eating your sales team's time
- A SOC 2 report answers most vendor assessment questions upfront
- Reduces friction in the sales cycle
The Audit Process
A SOC 2 audit is performed by an independent CPA firm. You can't self-assess or use a non-CPA auditor. Here's how it works:
Readiness & Scoping
- Define which Trust Services Criteria to include
- Identify the systems and services in scope
- Perform a gap assessment against the criteria
- Implement or remediate controls to close gaps
Observation Period (Type 2 only)
- Controls must be operating for a minimum of 3 months
- 6–12 months is more common and carries more weight
- Collect evidence that controls are working consistently
- Maintain logs, records, and documentation throughout
The Audit
- The CPA firm examines your controls and evidence
- Interviews key personnel
- Tests a sample of control activities
- Issues a report with their opinion
Annual Renewal
- SOC 2 reports cover a specific period — they expire
- Most organisations renew annually
- Subsequent audits are typically smoother and less costly
Benefits of SOC 2
- Close deals faster. A SOC 2 report replaces weeks of security questionnaires and vendor assessments.
- Unlock enterprise markets. Many large organisations won't consider vendors without a current SOC 2 report.
- Strengthen your security posture. The process forces you to formalise controls you may already have informally.
- Build customer trust. An independent auditor's opinion carries more weight than self-reported security claims.
- Competitive advantage. In crowded markets, SOC 2 differentiates you from competitors who can't demonstrate compliance.
- Reduce risk. Formalised controls and regular audits catch gaps before they become incidents.
FAQ
How long does SOC 2 take?
A Type 1 audit typically takes 1–3 months from readiness to report. A Type 2 audit requires a minimum 3-month observation window (6–12 months is more common), plus the audit itself. Plan for 6–12 months end-to-end for your first Type 2.
How much does SOC 2 cost?
For a small company, expect £20,000–£60,000 for the first year including readiness work, tooling, and the audit. Subsequent years are typically less as the foundation is already in place. Costs vary significantly based on scope, complexity, and choice of auditor.
Is SOC 2 a certification?
No. SOC 2 produces an auditor's report with an opinion, not a certificate. You receive a report stating whether your controls are suitably designed (Type 1) or operating effectively (Type 2). There is no pass/fail — but a qualified or adverse opinion is essentially a fail.
How does SOC 2 differ from ISO 27001?
ISO 27001 is a certifiable international standard for an information security management system. SOC 2 is an attestation report based on an independent CPA audit. ISO 27001 is more common in Europe, SOC 2 in North America. Many organisations pursuing both find significant overlap — about 80% of the controls are similar.
Can I share my SOC 2 report publicly?
SOC 2 reports are restricted-use documents — they're intended for the organisation, its auditor, and prospective customers under NDA. You can say you have a SOC 2 report publicly, but the report itself shouldn't be posted online. Some companies share it via a secure portal or on request.
Do I still need SOC 2 if I already have ISO 27001?
It depends on your market. If your customers are primarily US-based or enterprise SaaS buyers, they'll likely want a SOC 2 report regardless of your ISO 27001 certification. The good news is that the work overlaps significantly, so achieving both is more efficient than doing either alone.
Thinking About SOC 2?
We help UK businesses prepare for SOC 2 audits — from scoping and gap analysis to control implementation and auditor coordination. Let's talk about where you are and what you need.