eastbaycyber

What Is SOC 2?

Glossary 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Definition

SOC 2 is a reporting framework based on the Trust Services Criteria and assessed by an independent CPA firm. In practical terms, it results in an attestation report about whether a company’s controls are appropriately designed and, in a Type II report, whether they operated effectively over a defined period.

SOC 2 is an attestation framework for service organizations that evaluates whether they have controls in place for security and, if in scope, availability, processing integrity, confidentiality, and privacy. In practice, SOC 2 is commonly used by SaaS providers, cloud vendors, and other service companies to show customers they manage risk in a structured way and can support vendor due diligence with independent audit evidence.

How SOC 2 works

SOC 2 is often misunderstood as a simple badge. It is better understood as an independent attestation of controls.

A company first defines the scope of the environment and which criteria apply. From there, it documents policies, procedures, technical safeguards, and operational evidence. An audit firm then reviews that control set and issues a report.

The Trust Services Criteria

SOC 2 engagements are built around the following criteria:

  • Security — the required baseline category in every SOC 2 engagement
  • Availability — whether systems are available as committed or agreed
  • Processing Integrity — whether processing is complete, valid, accurate, timely, and authorized
  • Confidentiality — whether confidential information is protected
  • Privacy — whether personal information is collected, used, retained, disclosed, and disposed of appropriately

Not every organization includes all five. Many start with Security only, then add other categories based on customer expectations or service model.

Type I vs. Type II

This is the distinction most buyers care about.

SOC 2 Type I

A Type I report assesses whether controls are suitably designed at a point in time. It answers the question: does the organization appear to have the right control framework in place on the audit date?

SOC 2 Type II

A Type II report goes further. It assesses whether controls were operating effectively over a review period, often several months. It answers the more useful question: are these controls not only designed, but actually being followed consistently?

For vendor due diligence, Type II is usually considered stronger evidence.

What gets reviewed

A SOC 2 review typically examines controls such as:

  • User access provisioning and deprovisioning
  • MFA and privileged access management
  • Change management and code deployment controls
  • Logging and monitoring
  • Incident response procedures
  • Vendor management
  • Risk assessments
  • Backup and recovery practices
  • Security awareness training
  • Policy governance and periodic review

The exact control set depends on the organization’s services and scope. A SaaS company, for example, may emphasize cloud infrastructure, identity, software development, and customer data handling.

The output

The result is a formal report prepared by the auditing firm. It usually includes:

  • The scope of the engagement
  • Management’s description of the system
  • The criteria in scope
  • The auditor’s opinion
  • Control descriptions
  • Tests performed
  • Results and any exceptions noted

This report is often shared under NDA during sales, procurement, or partner due diligence.

Why SOC 2 matters

SOC 2 matters because it gives customers, partners, and internal stakeholders a structured way to assess whether a service organization has meaningful control design and evidence behind its claims.

For many buyers, a SOC 2 report helps answer questions like:

  • Does this vendor have formal security controls?
  • Are those controls documented and repeatable?
  • Has an independent auditor tested them?
  • Are exceptions being identified and addressed?

For the organization being audited, the process often forces improvements in:

  • Access control discipline
  • Evidence collection
  • Control ownership
  • Change management
  • Risk tracking
  • Incident response readiness

That is why SOC 2 is often valuable even before the report is shared externally.

When you’ll encounter SOC 2

SOC 2 comes up most often in business-to-business environments, especially where one company is trusting another with systems or data.

During vendor security reviews

If you buy SaaS, managed services, or cloud-based business tools, you will likely ask vendors for a SOC 2 report. Security teams use it as one input into third-party risk evaluation.

For a broader view of vendor assessment, see what is third party risk management.

In SaaS sales cycles

If you sell software to mid-market or enterprise customers, expect security questionnaires that ask whether you have a SOC 2 Type II report. For many buyers, it is part of the minimum due diligence package.

When building a security program

Organizations often pursue SOC 2 as an early maturity milestone. The process forces teams to formalize access control, change management, evidence collection, incident response, and governance.

If you are comparing compliance and assurance frameworks, you may also want what is iso 27001.

In board, customer, and insurer conversations

Leaders may reference SOC 2 as a shorthand indicator that security controls have been externally reviewed. It is not a guarantee of safety, but it is a recognizable signal of operational discipline.

What SOC 2 does and does not mean

SOC 2 is useful, but it should be interpreted correctly.

What it does mean

A SOC 2 report indicates that an independent auditor reviewed the organization’s control environment within a defined scope. It shows that the company has documented controls and, for Type II, evidence that those controls operated over time.

What it does not mean

It does not mean the organization is breach-proof, secure in every area, or universally approved for all use cases. A narrow scope can leave important systems out. A clean report also does not replace your own risk review, architecture review, or contract requirements.

In short, SOC 2 is evidence, not immunity.

Common SOC 2 control areas

Although every environment differs, SOC 2 programs often center on several recurring themes:

Access control

Organizations are expected to define who can access systems and data, how access is approved, and how it is removed when no longer needed. This often includes MFA, periodic reviews, and tighter controls over privileged accounts.

For teams improving account hygiene, a password manager like 1Password can naturally support stronger credential handling and reduce unsafe password sharing during day-to-day operations.

Change management

SOC 2 reviews usually examine whether system and application changes are approved, tested, and tracked before reaching production. This is especially important for SaaS providers whose software changes frequently.

Monitoring and incident response

Logging, alert review, incident handling, and evidence preservation are common focus areas because they show whether the organization can detect and respond to operational or security issues in a controlled way.

Endpoint and system protection

Auditors may also review how the organization protects company-managed devices and systems used to support the service. On smaller teams, endpoint tools such as Malwarebytes may be part of that broader control environment, though a product alone is never enough to satisfy SOC 2 expectations.

Bottom line

SOC 2 is an attestation framework used to show that a service organization has established controls around security and related trust criteria. You will most often encounter it in SaaS procurement, enterprise sales, and third-party risk reviews. For practitioners, the real value is not the badge effect. It is the operational discipline required to make the report defensible.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.