SOC 2 (Trust Services Criteria)

An attestation framework developed by the AICPA covering security, availability, processing integrity, confidentiality, and privacy of service organisations.

At a glance

  • Authority: AICPA (American Institute of CPAs)
  • Type: Type I (point-in-time) or Type II (period of operation)
  • Vendor monitoring: Required (CC9.2 Vendor and Business Partner Management)

SOC 2 (Service Organisation Control 2) is an attestation framework, not a regulation. A SOC 2 report is the work product of a CPA firm attesting to a service organisation's controls against the AICPA Trust Services Criteria. It is the dominant framework for B2B SaaS vendors demonstrating security posture in the US market.

Type I vs Type II

  • SOC 2 Type I evaluates the design of controls at a point in time.
  • SOC 2 Type II evaluates both the design and the operating effectiveness of controls over an observation period (typically 6 to 12 months).

Type II is the more meaningful attestation; Type I is often a starting point for a vendor pursuing Type II.

The Trust Services Criteria

There are five Trust Services Categories. Security (the Common Criteria, "CC") is mandatory in any SOC 2 engagement. The other four are optional but commonly added by mature vendors:

  • Security — Common Criteria. Protects against unauthorised access.
  • Availability — System availability for operation.
  • Processing Integrity — System processing is complete, valid, accurate, timely, and authorised.
  • Confidentiality — Information designated as confidential is protected.
  • Privacy — Personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's privacy notice.

The Common Criteria CC9.2 — Vendor and Business Partner Management is the criterion most directly relevant to vendor monitoring. It requires the entity to:

  • Establish requirements for vendors and business partners.
  • Assess them on a defined basis.
  • Address risk through appropriate controls.

What auditors actually look for

A SOC 2 audit doesn't require a specific tool, but it does require evidence:

  • A vendor inventory with criticality classifications.
  • Onboarding diligence (questionnaires, attestation review, contract review).
  • Ongoing monitoring on a defined cadence.
  • Evidence of action taken in response to material vendor changes.
  • Termination procedures.

The failure modes are well known: the vendor inventory goes stale, monitoring evidence stops appearing a couple of months after the prior audit, and vendors that should be in scope are missing from the inventory altogether.

How vendors use their SOC 2

For a customer evaluating a vendor:

  • Get a copy of the report, not just the certificate. The certificate confirms a report exists; the report shows what was actually examined and any exceptions found.
  • Check the period. A Type II report covers a defined observation period. If it ended six months ago, ask for the bridge letter — a brief statement from the vendor confirming no material changes have occurred since.
  • Read the exceptions and management response. Exceptions are normal; the vendor's response shows whether they take them seriously.
  • Check the scope. SOC 2 reports describe which systems and which trust services categories were covered. A vendor's "core platform" being in scope doesn't automatically include their newer mobile product.

Companion frameworks

  • SOC 1 — focused on financial reporting controls.
  • SOC 3 — public-facing version of SOC 2 (less detail).
  • ISO 27001 — a parallel framework with international standing; many vendors hold both.
  • HITRUST — healthcare-focused certification building on multiple frameworks.

For vendor monitoring, SOC 2 Type II is the most common single artefact, but the more sophisticated vendors carry several.