What is SOC 2? Definition, Meaning and How It Works
If you sell software, host data, or provide services to other businesses, your prospects are almost certainly asking one question before they sign: “Do you have a SOC 2?”
What is SOC 2? It is a security attestation framework developed by the American Institute of Certified Public Accountants (AICPA) that gives enterprise buyers independent, third-party assurance that your systems and controls meet rigorous security standards. Unlike a self-reported questionnaire, a SOC 2 report is issued by a licensed CPA firm following a structured examination — making it the most credible security credential in the B2B technology market.
This guide from CertPro CPA LLC explains exactly what SOC 2 means, how it works, who needs it, and what the attestation process involves from start to finish.
TL;DR:
Concern: With the SOC 2 attestation landscape becoming a baseline requirement in enterprise sales, service organizations find it hard to understand what SOC 2 actually means, who issues it, and why it differs from a certification.
Overview: SOC 2 is a security attestation framework developed by the AICPA that evaluates whether a service organization’s controls meet the Trust Services Criteria; a licensed CPA firm issues the report following an independent examination.
Solution: Service organizations should understand the five Trust Services Criteria, the difference between Type 1 and Type 2, and engage a licensed CPA firm like CertPro CPA LLC to scope and conduct the examination correctly from the start.
What is SOC 2?
SOC 2 is a security attestation framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates whether a service organization’s controls over security, availability, confidentiality, processing integrity, and privacy meet the AICPA’s Trust Services Criteria. A SOC 2 report is issued by a licensed CPA firm following an independent examination of those controls. It is not a certification; it is a formal attestation.
What Does SOC 2 Stand For?
SOC 2 stands for System and Organization Controls 2. It is one of three reporting frameworks within the AICPA’s SOC Suite of Services — the others being SOC 1 (focused on internal controls over financial reporting) and SOC 3 (a public-facing summary report). SOC 2 is specifically designed for technology and cloud service organizations that store, process, or transmit customer data on behalf of other businesses.
The “2” in SOC 2 does not refer to a version number or a level of rigor. It distinguishes this report type from SOC 1, which addresses a different subject matter entirely. A SOC 2 report addresses the security and operational controls of a service organization’s systems — not their impact on a customer’s financial statements. For a full comparison of all three report types, see SOC 1 vs SOC 2 vs SOC 3.
What is the Purpose of SOC 2?
The purpose of SOC 2 is to give buyers, enterprise clients, and regulators independent, third-party assurance that a service organization’s systems are designed and operating with appropriate controls to protect customer data.
Before SOC 2 became the industry standard, enterprise buyers had no consistent way to evaluate the security posture of their vendors. Every procurement team ran its own security questionnaire. Every vendor filled out a different form. The process was inefficient, inconsistent, and produced no verifiable evidence.
SOC 2 replaced that fragmented approach with a single, standardized attestation — one that is issued by a licensed CPA firm, grounded in the AICPA’s Trust Services Criteria, and structured to be both rigorous and repeatable. When a service organization holds a current SOC 2 report, enterprise buyers can rely on it in place of a vendor security questionnaire — because the report was produced by an independent, licensed professional, not self-reported by the vendor. For a deeper look at what this means commercially, see Why is SOC 2 Important?
Who Created SOC 2?
SOC 2 was created by the AICPA — the American Institute of Certified Public Accountants — the same body that establishes auditing and attestation standards for the accounting profession in the United States. The framework is governed by AICPA AT-C Section 205, which establishes the standards for examination engagements, and the Trust Services Criteria (TSC), which define the specific control requirements that a SOC 2 engagement evaluates.
Only licensed CPA firms are authorized to issue SOC 2 reports under AICPA standards. CertPro CPA LLC is a licensed CPA firm — not a consulting company, not a software platform — and issues SOC 2 attestation reports directly under these standards.
What Does SOC 2 Cover?
SOC 2 evaluates a service organization’s controls across up to five Trust Services Criteria (TSC):
Security — the foundational criterion, required in every SOC 2 engagement. It evaluates whether the system is protected against unauthorized access, both logical and physical, and whether controls are in place to detect and respond to security incidents. The Security TSC is built on the Common Criteria — a set of control categories that form the baseline of every SOC 2 examination.
Availability — evaluates whether the system is available for operation and use as committed or agreed. Relevant for organizations whose customers depend on uptime guarantees, SLAs, or continuous service delivery.
Confidentiality — evaluates whether information designated as confidential is protected in accordance with the organization’s policies and commitments. Relevant for organizations handling proprietary business data, trade secrets, or sensitive client information.
Processing Integrity — evaluates whether system processing is complete, valid, accurate, timely, and authorized. Relevant for organizations processing financial transactions, healthcare data, or other scenarios where data accuracy and completeness are critical.
Privacy — evaluates whether personal information is collected, used, retained, disclosed, and disposed of in accordance with the organization’s privacy notice and applicable regulations.
Security is the only mandatory criterion. The remaining four are selected based on the nature of the services provided and the commitments made to customers. The selection of applicable TSC is one of the first decisions made when defining your SOC 2 audit scope with CertPro CPA LLC.
SOC 2 Type 1 vs SOC 2 Type 2
SOC 2 comes in two forms, and understanding the difference is essential before beginning an engagement.
SOC 2 Type 1 evaluates whether a service organization’s controls are suitably designed to meet the applicable Trust Services Criteria at a single point in time. It answers the question: are the right controls in place as of this date?
SOC 2 Type 2 evaluates whether those controls are operating effectively over a defined observation period — typically six to twelve months. It answers the question: have these controls actually been functioning as intended, consistently, throughout this period? For a full breakdown of how Type 2 works and why it is the enterprise standard, see SOC 2 Type 2.
Most enterprise clients will accept a Type 1 report as an interim measure but will require a Type 2 report before entering into long-term contracts or processing sensitive data. CertPro CPA LLC conducts both Type 1 and Type 2 examinations under AICPA standards.
What is a SOC 2 Report?
A SOC 2 report is the formal document issued by a licensed CPA firm at the conclusion of a SOC 2 examination. It is not a certificate or a badge — it is an attestation report with a specific, standardized structure defined by the AICPA.
A complete SOC 2 report contains:
- The CPA firm’s opinion — the auditor’s formal conclusion on whether the service organization’s controls meet the applicable Trust Services Criteria
- Management’s assertion — a statement from the service organization’s management confirming the accuracy of their system description and their representation of their controls
- The system description — a detailed description of the service organization’s system, including the services it provides, the infrastructure it uses, the software it runs, the people involved, and the procedures it follows
- A description of tests and results — for Type 2 reports, a detailed account of every control tested, the testing procedure applied, and the results observed
- Any exceptions — documented instances where a control was found not to be operating effectively during the observation period
SOC 2 reports are confidential documents shared under NDA. For details on how long a report remains current, see SOC 2 Report Validity.
Who Needs a SOC 2 Report?
Any service organization — a company that provides services to other businesses that affect those businesses’ internal controls or data environments — is a candidate for SOC 2. In practice, the following categories of organizations are most frequently required to hold a current SOC 2 report:
- SaaS companies selling to enterprise buyers, healthcare organizations, financial institutions, or government entities
- Cloud infrastructure and hosting providers, including managed service providers and data center operators
- Fintech and payments companies where security, processing integrity, and availability are directly tied to customer trust
- Healthcare technology vendors handling electronic health records, patient data, or insurance claims
- Business process outsourcing (BPO) providers including payroll processors and HR platforms
- Data analytics and AI companies where customer data is ingested, processed, and returned in transformed form
- Any vendor whose enterprise procurement team requires it as a standard qualification condition
How Does the SOC 2 Attestation Process Work?
A SOC 2 engagement with CertPro CPA LLC follows a structured sequence:
- Scoping — defining the system boundaries, the applicable Trust Services Criteria, the observation period (for Type 2), and the services and infrastructure within scope. Read more: SOC 2 Audit Scope.
- Readiness Assessment — a gap analysis that identifies control deficiencies before the formal examination begins. Read more: SOC 2 Readiness Assessment.
- Policies and Procedures — the service organization implements documented controls, policies, and evidence collection processes. Read more: SOC 2 Policies and Procedures.
- Observation Period — for Type 2 engagements, controls must operate consistently throughout the defined observation period.
- Fieldwork — CertPro CPA LLC’s licensed CPAs conduct the SOC 2 audit, testing controls against the applicable Trust Services Criteria through inspection, inquiry, observation, and re-performance.
- Report Issuance — CertPro CPA LLC issues the formal SOC 2 report, including the auditor’s opinion and, for Type 2, the detailed test results.
The full timeline from scoping to report issuance typically ranges from three to six months for a first-time Type 2 engagement. For guidance on how frequently audits recur, see SOC 2 Audit Frequency.
What is the Difference Between SOC 2 and ISO 27001?
SOC 2 and ISO 27001 both address information security and are commonly requested by enterprise buyers. They are not the same and are not interchangeable.
SOC 2 is a US-origin attestation framework governed by the AICPA. It results in a report — not a certificate — issued by a licensed CPA firm. It is most commonly required by US-based enterprise buyers and in regulated sectors like healthcare and finance.
ISO 27001 is an international standard published by the International Organization for Standardization, resulting in a publicly displayable certificate. It is most commonly required in international markets, particularly Europe, the Middle East, and Asia-Pacific.
Many organizations pursue both. CertPro CPA LLC issues SOC 2 attestation reports and supports ISO 27001 certification engagements. See our full SOC 2 compliance service page for details.
Start Your SOC 2 Attestation with CertPro CPA LLC
CertPro CPA LLC is a licensed CPA firm that issues SOC 2 attestation reports under AICPA AT-C Section 205. We conduct Type 1 and Type 2 examinations across all five Trust Services Criteria for SaaS companies, cloud providers, fintech platforms, healthcare technology vendors, and B2B service organizations of all sizes.
Explore the full SOC 2 hub for detailed guidance on every aspect of the SOC 2 process.
Ready to begin? Contact CertPro CPA LLC to scope your SOC 2 engagement.
FAQ
Is SOC 2 a certification?
No. SOC 2 is an attestation — a formal opinion issued by a licensed CPA firm under AICPA standards. There is no SOC 2 “certificate.” The correct term is “SOC 2 attested” or “holds a SOC 2 report.”
How long does a SOC 2 report last?
SOC 2 Type 2 reports cover a defined observation period and are generally treated as current for 12 months after the period end date. See SOC 2 Report Validity for full details.
Who can issue a SOC 2 report?
Only licensed CPA firms operating under AICPA standards. CertPro CPA LLC is a licensed CPA firm and issues SOC 2 attestation reports directly.
What is the difference between SOC 2 Type 1 and Type 2?
Type 1 evaluates control design at a point in time. Type 2 evaluates control effectiveness over an observation period. See SOC 2 Type 2 for the full breakdown.