eastbaycyber

SOC 2: Definition, How It Works, and When You’ll Encounter It

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

SOC 2 is an independent auditor’s report on a service provider’s controls, aligned to AICPA Trust Services Criteria (TSC).

SOC 2 is one of the most common artifacts you’ll see in vendor risk management and security procurement: it’s an independent assurance report evaluating a service organization’s controls against the AICPA Trust Services Criteria (TSC). It’s not a certification and it’s not “pass/fail”—the value comes from understanding the scope, Type I vs Type II, exceptions, and the complementary user entity controls (CUECs) you must implement on your side.

SOC 2 definition (what it is—and what it isn’t)

SOC 2 (System and Organization Controls 2) is an independent auditor’s report evaluating whether a service organization has designed and operated controls aligned to the AICPA Trust Services Criteria: Security (required), and optionally Availability, Processing Integrity, Confidentiality, and Privacy.

Key nuance: SOC 2 is assurance, not certification. There’s no universal “SOC 2 compliant” stamp that guarantees security outcomes. The report is meant to help customers assess third‑party risk using structured evidence.

How SOC 2 works

SOC 2 is designed to let customers and prospects evaluate a vendor’s control environment in a consistent format—especially for SaaS platforms, cloud services, and managed providers.

1) Trust Services Criteria (TSC) define the control “themes”

SOC 2 reports are organized around the AICPA Trust Services Criteria:

  • Security (Common Criteria / CC) (required): access controls, change management, risk assessment, incident response, monitoring, and more.
  • Availability (optional): uptime commitments, DR/BCP, capacity planning, resilience monitoring.
  • Processing Integrity (optional): whether processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality (optional): protection of confidential info (classification, encryption, handling, retention).
  • Privacy (optional): personal data collection/use/retention/disposal and related notices/consent.

SOC 2 doesn’t force specific tools (e.g., “must use vendor X”). Instead, it evaluates whether controls exist, whether they’re designed appropriately, and (for Type II) whether they operated effectively over time.

2) SOC 2 Type I vs Type II (snapshot vs operating period)

You’ll typically see one of two SOC 2 report types:

  • SOC 2 Type I: evaluates whether controls are suitably designed as of a specific date (point-in-time).
  • SOC 2 Type II: evaluates design and operating effectiveness over a defined period (commonly 3–12 months).

Practical takeaway: For most procurement and security compliance decisions, SOC 2 Type II is the meaningful artifact because it includes evidence that controls operated consistently.

3) Scope is what makes (or breaks) the report’s usefulness

Scope is where SOC 2 is most often misunderstood. A SOC 2 report covers:

  • Specific systems and services
  • Defined locations and environments
  • A clear control boundary (what the vendor controls vs what’s outsourced)
  • Which TSC categories are included (Security only vs Security + others)
  • A defined Type II period (start/end dates)

A vendor can truthfully say “SOC 2 Type II” while the scope is narrow enough that it doesn’t cover the product or environment you plan to use. Always confirm that the in-scope system name matches what you’re buying.

4) What you’ll see inside a SOC 2 Type II report

A full SOC 2 Type II report typically includes:

  • Management’s assertion
  • Auditor’s opinion
  • System description (how the service is built and operated)
  • Controls mapped to criteria
  • Tests of controls and results (what was sampled/tested and outcomes)
  • Exceptions (control failures / deviations) and the context around them

Seeing exceptions is not automatically disqualifying. What matters: severity, frequency, root cause, affected criteria, remediation plan, and whether the exceptions touch high-impact areas like privileged access, logging, or incident response.

5) Subservice organizations: carve-out vs inclusive

Most vendors depend on subservice organizations (cloud hosting, ticketing, monitoring, payroll, etc.). SOC 2 reports describe how these dependencies are treated:

  • Carve-out method: subservice provider controls are excluded from the vendor auditor’s testing; you rely on the subservice provider’s own assurance and the vendor’s vendor-management controls.
  • Inclusive method: some subservice controls are included in testing (less common today).

Practical takeaway: Carve-outs are common. If a critical service is carved out, ensure the vendor can provide assurance for that dependency and explain how they monitor and manage it.

For related due diligence, you may also want a baseline understanding of what “MDR” is when evaluating security providers; see: what is mdr.

6) Complementary User Entity Controls (CUECs) matter more than most people think

SOC 2 reports commonly list CUECs—controls you (the customer) must implement for the vendor controls to remain effective. Examples include:

  • Enabling SSO/MFA
  • Restricting admin access and enforcing least privilege
  • Configuring logs and alerting integrations
  • Managing your own endpoint security posture
  • Handling user provisioning/deprovisioning correctly

If your organization doesn’t implement the CUECs, you may not actually be getting the security assurances you think you are from the vendor’s SOC 2.

How to read a SOC 2 report (fast checklist)

Use this quick SOC 2 checklist to triage a report efficiently:

  • Report type & period: is it Type II and what are the exact dates?
  • Scope: does the system/product/environment match what you’re buying?
  • TSC categories included: Security only or also Availability/Confidentiality/Privacy/etc.?
  • Subservice orgs: which providers are carved out? any critical dependencies?
  • Exceptions: count, severity, affected controls, remediation timeline
  • CUECs: what must your team configure or operate?

If you’re only offered a “SOC 2 certificate,” a web badge, or a one-page attestation, request the full report under NDA.

When you’ll encounter SOC 2

SOC 2 most often appears when someone needs credible, standardized evidence of a vendor’s controls.

1) Vendor security reviews and procurement

Typical triggers:

  • Onboarding a SaaS platform that stores company data
  • Outsourcing IT operations (managed service provider, SOC, MDR)
  • A business unit wants to adopt a tool quickly and security needs a gating artifact

What to do next (buyer/customer): - Ask for the latest SOC 2 Type II report and a bridge letter if the period end date is old - Confirm the scope includes your intended service/environment (production vs sandbox; region; hosting model) - Review exceptions against your risk tolerance (e.g., privileged access, logging, incident response, change control)

2) Sales cycles for SaaS and service providers

SOC 2 becomes table stakes as soon as you sell to mid-market and enterprise buyers. Security questionnaires often ask:

  • “Do you have SOC 2 Type II?”
  • “Which Trust Services Criteria are included?”
  • “Can you share the full report under NDA?”

What to do next (vendor/service provider): - Choose Security-only vs Security + other TSC categories based on customer requirements and data types - Build evidence collection into normal operations (tickets, change approvals, access reviews) - Track third-party dependencies and maintain their assurance artifacts

3) Compliance mapping and due diligence

SOC 2 is frequently used as supporting evidence for:

  • Customer security requirements
  • Internal audits
  • M&A and investment diligence
  • Cyber insurance underwriting (as one input among many)

Important nuance: SOC 2 does not automatically satisfy any specific regulation. It may support a security compliance story, but it’s not a direct substitute for regulatory requirements.

4) Incident response and trust conversations

After a security incident, customers may ask for:

  • The latest SOC 2 report
  • Evidence of incident response controls
  • Confirmation of remediation and whether it impacts audited controls

SOC 2 can structure those conversations, but it won’t prove “no breach occurred” or guarantee future security.

Practical vendor questions (copy/paste)

Use these in intake forms or email during vendor risk management:

1) Please provide your latest SOC 2 Type II report (full report) under NDA.
2) What is the report period end date? Do you have a bridge letter for the gap to present?
3) What systems/products and hosting environments are in scope for the report?
4) Which Trust Services Criteria are included (Security only, or also Availability/Confidentiality/Privacy/etc.)?
5) List subservice organizations and whether the carve-out method is used.
6) Please summarize any exceptions and remediation status (including dates).
7) Provide the list of Complementary User Entity Controls (CUECs) we must implement.

Practical next steps: make the SOC 2 “real” in your environment

A SOC 2 report is strongest when you operationalize what it assumes—especially the CUECs. Two common areas to tighten quickly:

  • Endpoint controls: If your CUECs assume secure endpoints, align your endpoint stack and policies accordingly. If you’re comparing tools, see best antivirus for windows business endpoints 2026.
  • Identity + password hygiene: If your CUECs assume strong authentication and access control, enforce MFA and reduce shared passwords. For teams evaluating tools, consider a business-grade password manager like 1Password via Try 1Password →.
  • SOC 1: Controls relevant to financial reporting (ICFR). Common for payroll and billing providers.
  • SOC 3: Public, high-level report with much less detail than SOC 2—often insufficient for real risk assessment.
  • AICPA: Defines SOC reporting standards and Trust Services Criteria.
  • Trust Services Criteria (TSC): Security/Availability/Processing Integrity/Confidentiality/Privacy.
  • Type I / Type II: Type I is point-in-time design; Type II includes operating effectiveness over time.
  • Bridge letter: Management letter addressing the gap since the report end date (not equivalent to audit testing).
  • CUECs: Customer responsibilities required for the vendor’s controls to be effective.
  • Subservice organization: A vendor used to deliver the service; often carved out of scope.

This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.