Infilux AppSec

What is SOC 2?

SOC 2 (System and Organisation Controls 2) is an AICPA-defined audit report on a service organisation's controls, measured against the five Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy. A licensed CPA firm performs the audit and issues the report. SOC 2 is the de facto requirement for B2B SaaS vendors selling into US enterprise; it provides reasonable assurance to your buyers that you actually operate the controls you claim to.

SOC 2 comes in two flavours. Type 1 attests that controls are designed effectively as of a specific date — useful as a starting point but a weak signal. Type 2 attests that controls operated effectively over a period (typically 6–12 months) — the version enterprise buyers actually want. Most security teams skip Type 1 and target Type 2 directly with an initial observation period of 3–6 months.

Security is the only mandatory Trust Services Criterion ('Common Criteria' — CC1 through CC9). The other four — Availability, Processing Integrity, Confidentiality, Privacy — are optional and chosen based on what your service actually does. A B2B data-platform vendor typically includes Security + Availability + Confidentiality; a payments processor adds Processing Integrity; a healthcare-adjacent service adds Privacy.

The audit examines both the design and the operation of controls. The CPA firm samples evidence — access reviews, change management tickets, vendor risk assessments, incident response records, vulnerability-scan outputs, employee security training completion. The output is a public-facing report you can share with prospects (under NDA in most cases) that typically runs 50–80 pages.

Key points

  • Five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy.
  • Type 1 = design only; Type 2 = design + operating effectiveness over 3–12 months.
  • Audited by a licensed CPA firm (not by AICPA itself).
  • De facto requirement for US SaaS enterprise sales.
  • Report is reusable with multiple prospects (under NDA) — replaces dozens of security questionnaires.

Frequently asked

SOC 2 Type 1 vs Type 2 — which should we get first?
Type 2. Type 1 is a snapshot of design only — auditors note 'controls are designed properly as of <date>' but don't test that they actually operated. Most enterprise buyers won't accept Type 1 alone. Time-pressured teams sometimes get Type 1 as a marketing artefact while running the 3-month observation window for Type 2.
How much does a SOC 2 Type 2 audit cost?
Audit fee alone: USD $15K–$50K depending on firm and scope. Tooling (GRC platform, evidence-collection automation): USD $5K–$30K / year. Internal effort to prepare: 200–600 hours for a first-time audit. Total first-year cost typically USD $40K–$150K; subsequent years drop ~40% as evidence collection becomes routine.
How is SOC 2 different from SOC 1?
SOC 1 is about internal controls over financial reporting — auditors of your customers' financial statements rely on it. SOC 2 is about security and operational controls — your customers' security teams rely on it. Same auditor framework, different control set, different audience.