What is SOC 2 Compliance?
SOC 2 is the American Institute of CPAs' audit framework for service organisations that hold or process customer data on behalf of their clients. It's structured around five Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — and produced by a licensed CPA firm following AICPA attestation standards. There are two report types: Type I (controls at a point in time) and Type II (controls operating effectively over a period, usually 6-12 months). Enterprise buyers, particularly in the US, often expect to see a SOC 2 Type II before signing.
SOC 2 stands for Service Organization Control 2, an audit framework written by the American Institute of CPAs (AICPA) for any company that holds or processes customer data on behalf of someone else. The report is produced by an independent CPA firm and is built around five Trust Service Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 comes in two flavours: Type I reports on whether the controls were designed correctly at a single point in time, and Type II reports on whether they operated effectively over a period — usually 6 or 12 months. Type II is what most enterprise buyers ask for.
SOC 2 isn't a certification in the way ISO 27001 or PCI DSS are. There's no "SOC 2 certificate" hanging on a wall. What you get is an attestation report — a long document, often 50-150 pages, in which an independent CPA firm describes the service organisation's controls, tests them, and gives an opinion on whether they meet the AICPA's standards. That report is then shared (usually under NDA) with prospective customers who want to see how the service organisation manages their data.
Who Issues a SOC 2 Report
A SOC 2 report can only be issued by a licensed CPA firm — in the US, that's a firm registered with the AICPA; in other jurisdictions, the equivalent professional body. The big four (Deloitte, EY, KPMG, PwC) all do SOC 2 work, as do many mid-tier firms (BDO, Grant Thornton, RSM) and a growing number of specialists who do nothing but SOC 2 and ISO 27001.
Only the CPA firm can put its name to the audit opinion. Compliance-automation platforms (Vanta, Drata, Tugboat Logic, etc.) help the service organisation gather evidence and run the controls, but they can't issue the report itself — they hand the prepared evidence to the CPA firm, which reviews it and attests.
The Five Trust Service Criteria
SOC 2 is built around five Trust Service Criteria (TSCs), and the service organisation chooses which ones to include in scope. Security is mandatory — every SOC 2 has to cover it. The other four are optional, and each one adds audit work and cost.
- Security. The common criteria, always in scope. Covers access control, change management, vulnerability management, incident response, and the broad set of controls that protect the system against unauthorised access. About 60-70% of the total SOC 2 effort.
- Availability. Optional. Covers uptime, disaster recovery, capacity planning, and the controls that keep the service running. Usually in scope for SaaS providers selling to enterprise.
- Processing Integrity. Optional. Covers whether the system processes data accurately, completely, and on time. Most relevant to payment processors, financial-services platforms, and anyone where wrong data has direct financial consequences.
- Confidentiality. Optional. Covers data that's confidential to the customer but isn't personal data — trade secrets, intellectual property, contracts. Important for B2B platforms.
- Privacy. Optional, and the heaviest one. Covers the collection, use, retention, and disclosure of personal information against the AICPA's privacy framework. Often overlaps with GDPR or CCPA obligations.
Most SOC 2 reports cover Security plus Availability and Confidentiality. Privacy is rarer; Processing Integrity is concentrated in a few industries.
Type I vs Type II
The difference between Type I and Type II is the time dimension.
Type I looks at whether the controls were designed appropriately and were in place at a specific date — say, 31 December 2026. The auditor reviews the documentation, walks through the controls, and gives an opinion on design. They don't test that the controls operated effectively over time. A Type I can be completed in 6-10 weeks once the controls are ready.
Type II looks at whether the controls operated effectively over a period — usually 6 or 12 months. The auditor samples evidence from across the period (logs, tickets, access reviews, change tickets, incident records) and gives an opinion on both design and operation. Most enterprise buyers ask for Type II because it's the version that proves the controls actually work in practice, not just on paper. A Type II takes 6-12 months of operating-period testing plus the audit fieldwork.
The pattern most service organisations follow: Type I in year one (to get something they can share with prospects quickly), then Type II covering the rest of the year. From year two onwards, annual Type II reports covering rolling 12-month periods.
SOC 2 vs ISO 27001 vs PCI DSS
SOC 2 lives in the same conceptual space as ISO 27001 and PCI DSS, but the three frameworks have different purposes and different audiences.
- SOC 2 is an American framework primarily aimed at US enterprise buyers evaluating SaaS and outsourcing providers. Output is a long-form attestation report. Audience is the buyer's procurement and security team.
- ISO 27001 is an international certification covering the design and operation of an information security management system (ISMS). Output is a one-page certificate plus a Statement of Applicability. Audience is global, with strongest recognition in Europe and APAC.
- PCI DSS is a vertical standard for organisations that handle payment card data. Output is a Report on Compliance (Level 1) or a Self-Assessment Questionnaire (Levels 2-4). Audience is acquirers, card schemes, and merchants who need to know their payment partner is safe.
There's a lot of overlap. ISO 27001 Annex A controls cover most of the same ground as the SOC 2 Security TSC. PCI DSS's 12 requirements overlap heavily with both. A service organisation that holds one of them has done most of the work for the others, and most CPA firms will give credit for prior audit work when scoping the SOC 2.
The practical question for most buyers is: which framework do you actually need from this vendor? A pure-SaaS vendor in the US is typically asked for SOC 2. A European or global vendor is typically asked for ISO 27001. A payment processor or anyone in the card-data path is asked for PCI DSS, and often for SOC 2 or ISO 27001 on top.
What's in a SOC 2 Report
A SOC 2 Type II report has a fairly standard structure:
- Section 1: Auditor's opinion. One or two pages. Says whether the auditor believes the controls were suitably designed (Type I) or were suitably designed and operating effectively (Type II) over the period.
- Section 2: Management's assertion. A statement from the service organisation's leadership that the description is accurate and the controls were in place.
- Section 3: System description. 20-40 pages describing the service — what it does, who uses it, the infrastructure, the data flows, the people, the controls. This is the section most buyers read first.
- Section 4: Trust Service Criteria and controls. The main body of the report. For each TSC, a table of the controls, the tests the auditor performed, and the results. Type II reports include sample sizes and any exceptions found.
- Section 5: Other information. Sometimes includes the service organisation's responses to identified exceptions, or context about future changes.
What It Costs
SOC 2 costs vary widely. A small SaaS company with a clean control environment, using a compliance-automation platform and working with a specialist CPA firm, can complete a Type I for around £15,000-£30,000 and a follow-on Type II for another £30,000-£60,000. Larger or more complex organisations, especially those with multiple products, regulated industries, or large engineering teams, can spend £100,000+ on the audit alone, plus internal staff time, which typically runs 0.5-1 FTE-year of compliance work for the first cycle.
The compliance-automation platforms (Vanta, Drata, Secureframe, etc.) have brought the bottom of that range down substantially since 2020. For a 20-person SaaS company, the path from no compliance to Type II is genuinely 6-9 months and well under £50,000 all-in. That's been one of the major shifts in enterprise procurement — SOC 2 has gone from a luxury only the big platforms had to a baseline most B2B SaaS startups complete by Series B.
The Limits of SOC 2
SOC 2 has its critics, and the criticism has a kernel of truth. The framework is descriptive, not prescriptive — the service organisation decides what its controls are, and the auditor tests whether those controls are designed and operating as described. There's no list of mandatory controls the way PCI DSS has 12 numbered requirements. That gives flexibility, but it also means two SOC 2 reports for similar companies can look very different.
A clean SOC 2 Type II report tells you the service organisation has a documented set of controls and that those controls were observed to operate as described over the period. It doesn't tell you the controls are the right controls, or that they're sufficient for your specific use case. Buyers need to read the report (not just see the cover page) to understand what was actually tested.
We get asked about SOC 2 fairly often — most commonly by US-headquartered enterprise prospects whose procurement teams ask for it as a standard checkbox. Here's the honest answer: Paytia doesn't currently hold a SOC 2 report. What we hold instead is PCI DSS Level 1 certification, the highest tier of the payment-card industry's own audit framework.
For a business that handles payment-card data, PCI DSS Level 1 covers most of the same security ground as the SOC 2 Security and Availability Trust Service Criteria — access control, change management, vulnerability management, incident response, encryption, monitoring. The difference is that PCI DSS is more prescriptive (12 numbered requirements, not a description of management's own controls) and is independently tested every year by a Qualified Security Assessor. We're happy to walk procurement teams through the mapping between PCI DSS Level 1 and the SOC 2 criteria — the overlap is substantial.
If your procurement process is hard-coded to a SOC 2 report and PCI DSS Level 1 won't satisfy it, please tell us early in the conversation. We're tracking buyer demand for SOC 2 alongside our existing certifications, and that demand is one of the inputs that shapes our compliance roadmap.
Frequently Asked Questions
Is SOC 2 a certification?
Not really. SOC 2 is an attestation — a CPA firm reviews the service organisation's controls and gives an opinion on whether they're designed and operating as described. The output is a long-form report, not a certificate. People often say "SOC 2 certified" colloquially, but the technically correct phrase is "SOC 2 attested" or "received a SOC 2 report."
What's the difference between SOC 2 Type I and Type II?
Type I covers whether the controls were designed correctly at a single point in time. Type II covers whether the controls operated effectively over a period, usually 6 or 12 months. Most enterprise buyers want Type II because it proves the controls actually work, not just that they exist on paper.
Does SOC 2 replace PCI DSS?
No. They serve different purposes. PCI DSS is required by the card schemes for any organisation handling payment card data, and is enforced by the acquiring bank. SOC 2 is a procurement-driven framework used mostly by US enterprise buyers to evaluate SaaS vendors. A payment processor typically needs both — PCI DSS for the card-scheme relationship, SOC 2 (or ISO 27001) for the buyer relationship.
Does Paytia have a SOC 2 report?
Not currently. Paytia holds PCI DSS Level 1 certification, which is the highest tier of the payment-card industry's own audit framework and covers most of the same security ground as the SOC 2 Security and Availability criteria. If your procurement process requires SOC 2 specifically, please raise it early so we can walk through the mapping and see whether PCI DSS Level 1 satisfies the underlying requirement.
How long does it take to get a SOC 2 report?
A Type I report typically takes 3-4 months from a standing start — 1-2 months to implement and document the controls, then 6-10 weeks of audit fieldwork. A Type II requires an operating period (usually 6 months minimum, often 12), so the first Type II is typically 9-15 months from project start. Subsequent annual Type II reports run on a rolling 12-month cycle.