SOC 2 Type II
Service Organization Control - Trust Services Criteria
Standard Introduction
SOC 2 (Service Organization Control 2) Type II is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that store, process, or transmit customer data. It evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy based on the Trust Services Criteria (TSC). Unlike Type I reports which assess controls at a point in time, Type II reports examine the operational effectiveness of these controls over a period of time, typically 6-12 months.
SOC 2 Type II compliance has become essential for SaaS companies, cloud service providers, data centers, and other technology service organizations demonstrating their commitment to data security and privacy. The framework covers five Trust Services Criteria: Security (foundational, required for all), Availability, Processing Integrity, Confidentiality, and Privacy. Organizations choose which criteria apply based on their services. Independent CPAs conduct rigorous audits to verify controls are properly designed and operating effectively, providing assurance to customers, partners, and stakeholders that sensitive data is protected according to industry best practices.
Trust Services Criteria
Evaluates controls across five categories: security (always required), availability, processing integrity, confidentiality, and privacy.
Type II Over Time
Unlike point-in-time assessments, Type II examines the operating effectiveness of controls over a minimum 6-month period.
CPA-Issued Report
Only licensed CPA firms can issue SOC 2 reports under AICPA attestation standards, giving them legal weight and market credibility.
list_alt Trust Services Criteria
- Security (Common Criteria) — always required
- Availability — uptime and disaster recovery
- Processing Integrity — accurate, complete processing
- Confidentiality — protection of sensitive data
- Privacy — personal information handling
- Logical and physical access controls
- Change management and risk assessment
- Monitoring and incident response
Who Needs to Comply?
SaaS companies, cloud providers, data centers, and any technology service organization that stores or processes customer data. Increasingly expected by enterprise buyers during vendor due diligence.
Key Requirements
Control Environment
Demonstrate a commitment to integrity, ethical values, and competence. Define organizational structure, authority, and responsibility for internal controls.
Logical Access Controls
Implement role-based access, multi-factor authentication, and least-privilege principles. Regularly review and revoke access for terminated employees.
Change Management
Establish formal procedures for authorizing, testing, approving, and implementing changes to infrastructure, software, and configurations.
Incident Response
Define and test incident response procedures. Document incidents, root cause analysis, remediation actions, and communication to affected parties.
Vendor Management
Assess and monitor third-party service providers. Ensure sub-service organizations maintain controls consistent with your SOC 2 commitments.
Implementation Roadmap
Define scope and select Trust Services Criteria
Determine the systems, services, and locations in scope, then select which of the five TSC apply. Security (the Common Criteria, CC) is always required; add Availability, Processing Integrity, Confidentiality, or Privacy based on customer commitments and the nature of your service. Decide between a Type I (design at a point in time) and a Type II (operating effectiveness over a period) report, ideally guided by what your buyers expect.
Readiness assessment and gap analysis
Map your current controls to the selected TSC and identify gaps. A readiness assessment, often run with the CPA firm or a consultant, surfaces missing policies, weak access controls, and monitoring blind spots before the formal audit. Produce a prioritized remediation plan with owners and target dates.
Remediate gaps and implement controls and policies
Close identified gaps by implementing or formalizing controls: information security policies, MFA and least-privilege access, change management, logging and monitoring, vendor risk management, and an incident response plan. Ensure each control produces repeatable evidence, because auditors test what you can demonstrate, not what you intend.
Observation period and evidence collection (Type II)
For a Type II report, controls must operate over an observation period (typically 3-12 months, most commonly 6-12). Continuously collect evidence such as access reviews, change tickets, monitoring alerts, and training records. A Type I report skips this period and evaluates control design at a single point in time.
Audit fieldwork, report issuance, and annual renewal
A licensed CPA firm performs fieldwork, tests controls against the evidence, and issues the report containing the auditor's opinion, management assertion, system description, and tests of controls with results. Address any exceptions, then plan for annual renewal; bridge letters can cover gaps between report periods for customers.
Compliance Checklist
checklist Security / Common Criteria controls
checklist Access and Change Management
checklist Monitoring, Incident and Vendor Management
SOC 2 Type I vs Type II
Both report types cover the same Trust Services Criteria, but they differ in what they prove and how much assurance they give buyers. Use this comparison to decide which report fits your stage and customer expectations.
| Aspect | Type I | Type II |
|---|---|---|
| What it evaluates | Whether controls are suitably designed | Whether controls are designed and operating effectively |
| Time dimension | A single point in time | A period of time |
| Observation period | None; snapshot on a specific date | Typically 3-12 months, commonly 6-12 |
| Evidence rigor | Design evidence and walkthroughs | Sampled evidence tested across the whole period |
| Cost and effort | Lower; shorter engagement | Higher; ongoing evidence collection and longer fieldwork |
| Buyer confidence and market value | Moderate; a useful starting point | High; the standard most enterprise buyers expect |
| When to choose | Early stage or to show progress quickly | When buyers require proof of sustained control operation |
Common Misconceptions
SOC 2 is a certification you pass or fail.
SOC 2 is an attestation, not a pass/fail certification. A CPA firm issues a report with an opinion and detailed test results; buyers read the opinion and exceptions to judge the vendor rather than seeing a simple certified badge.
A compliance automation tool alone gives you a SOC 2.
Automation platforms streamline evidence collection, but only a licensed CPA firm can perform the engagement and issue a SOC 2 report. The tool supports the process; it does not replace the independent auditor's opinion.
SOC 2 requires all five Trust Services Criteria.
Only Security, the Common Criteria, is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are added selectively based on your service and customer commitments, so many valid reports cover only Security.
Once you have a SOC 2, you are done.
SOC 2 is ongoing. Type II reports cover a defined period and are renewed, usually annually, with continuous evidence collection in between. Bridge letters cover the gap between periods so customers see uninterrupted assurance.
Penalties & Enforcement
No legal penalties — SOC 2 is a market-driven attestation. However, failing to obtain or maintain a SOC 2 report can result in lost deals, especially with enterprise and financial sector customers who require it contractually.
Frequently Asked Questions
What are the five Trust Services Criteria and which are required?
expand_more
The five TSC are Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security, known as the Common Criteria (CC), is always required and forms the foundation of every SOC 2. The other four are optional and are included based on the commitments you make to customers and the nature of your service.
What is the difference between a SOC 2 Type I and a Type II report?
expand_more
A Type I report evaluates whether controls are suitably designed at a single point in time. A Type II report goes further and tests whether those controls operated effectively over a period, typically 3-12 months. Type II carries more weight with buyers because it demonstrates sustained operation rather than a snapshot.
How long does it take to get a SOC 2 report?
expand_more
A Type I can often be completed in a few months once controls are in place. A Type II adds the observation period (commonly 6-12 months) plus audit fieldwork, so a first Type II frequently takes six months to a year end to end. Readiness work and remediation before the audit drive most of the variability.
What is the observation period?
expand_more
The observation period is the window during which a Type II auditor evaluates whether controls operated effectively. It is typically 3-12 months, most commonly 6-12. Throughout this period you must continuously generate and retain evidence, because the auditor samples activity across the whole window rather than testing a single date.
Who can issue a SOC 2 report, and why does it have to be a CPA?
expand_more
Only a licensed CPA firm can issue a SOC 2 report. SOC 2 is an AICPA attestation performed under the SSAE 18 standard (specifically AT-C 205), and that framework reserves the attest engagement for CPAs. A report from a consultant or automation vendor alone is not a valid SOC 2; the CPA firm signs the opinion.
What is in a SOC 2 report and how should buyers read it?
expand_more
A SOC 2 report contains the auditor's opinion, management's assertion, a description of the system, and the tests of controls with their results. Start with the opinion: an unqualified (clean) opinion is best, while a qualified opinion flags one or more control problems. Then read the tests-of-controls section for exceptions and how management responded.
What is the difference between SOC 2, SOC 1, and SOC 3?
expand_more
SOC 1 addresses controls relevant to a customer's financial reporting. SOC 2 addresses controls over Security and the other Trust Services Criteria and is the standard for SaaS and technology vendors. SOC 3 is a short, public-facing summary of a SOC 2 that omits the detailed tests, making it suitable for websites and marketing.
How does SOC 2 compare to ISO 27001?
expand_more
Both address information security, but SOC 2 is an AICPA attestation resulting in a report with an auditor opinion, while ISO 27001 is an international standard resulting in a certification of your information security management system. SOC 2 is common in North America; ISO 27001 is favored globally. Many organizations pursue both and reuse overlapping controls.
What common control gaps cause exceptions?
expand_more
Frequent causes of exceptions include incomplete or missing access reviews, terminated users not deprovisioned promptly, changes deployed without documented approval, gaps in logging or alerting, missing evidence for a control that exists in practice, and unassessed critical vendors. Most exceptions stem from evidence discipline rather than a genuine absence of controls.
How much does a SOC 2 cost?
expand_more
Costs vary with scope, chosen TSC, and company size. Beyond the CPA firm's audit fee, budget for readiness assessments, remediation, compliance tooling, and internal staff time. A Type II typically costs more than a Type I because of the longer engagement, and the observation period adds ongoing evidence-collection effort throughout the year.
How often must a SOC 2 be renewed, and what is a bridge letter?
expand_more
SOC 2 Type II reports cover a defined period and are typically renewed annually so coverage stays continuous. Because a new report is not issued the day the prior period ends, a bridge letter (or gap letter) from management covers the interval between the last report's end date and the current date, reassuring customers that controls remain in place.
As an enterprise buyer, what should I look for in a vendor's SOC 2 report?
expand_more
Confirm it is a Type II covering a recent, continuous period and issued by a reputable CPA firm. Check that the scope and TSC match the services you use, look for an unqualified opinion, and read the exceptions and management responses. Also verify the system description reflects the product you buy, and request a bridge letter if the report period has lapsed.
Official Documentation
SOC 2 Trust Services Criteria
PDF • 4.5 MB • English • 2017 TSC + Updates
AICPA Official Resources
External Link • aicpa.org • SOC 2 Framework
SOC 2 Readiness Toolkit
ZIP • 22 MB • Gap Assessment & Control Templates