Status: Active | International Standard | Last Updated: AICPA Framework

SOC 2 Type II

Service Organization Control - Trust Services Criteria

Publishing Organization: American Institute of Certified Public Accountants (AICPA)

Standard Introduction

SOC 2 (Service Organization Control 2) Type II is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that store, process, or transmit customer data. It evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy against the Trust Services Criteria (TSC). Unlike Type I reports, which assess controls at a single point in time, Type II reports examine the operating effectiveness of those controls over a period of time, typically 6-12 months.

SOC 2 Type II compliance has become essential for SaaS companies, cloud service providers, data centers, and other technology service organizations seeking to demonstrate their commitment to data security and privacy. The framework covers five Trust Services Criteria: Security (foundational and required for all reports), Availability, Processing Integrity, Confidentiality, and Privacy. Organizations choose which criteria apply based on the services they provide. Independent CPAs conduct rigorous audits to verify that controls are properly designed and operating effectively, providing assurance to customers, partners, and stakeholders that sensitive data is protected according to industry best practices.


Scope

Applicable to organizations of all sizes and industries, covering the protection of confidentiality, integrity, and availability.


Structure

Follows the High Level Structure (HLS), ensuring seamless integration with other ISO management standards like ISO 9001.


Certification

Organizations can achieve accredited certification after successfully completing an external audit of their ISMS.

Core Requirements (Clauses 4-10)

  • Context of the organization
  • Leadership & Commitment
  • Planning & Risk Assessment
  • Support & Awareness
  • Operation
  • Performance evaluation
  • Continual Improvement
