SOC 2

Service Organisation Controls 2 (AICPA Trust Services Criteria)

CertificationUS

SOC 2 is an attestation framework (not a certification) based on the AICPA Trust Services Criteria. It evaluates a service organisation’s controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are restricted-use documents produced by independent CPA firms. Security is always required; the other four criteria are optional.

Trust Service Categories

Common Criteria (CC)

Type I & II

Report Types

Voluntary

No Direct Fines

Who Needs to Comply

Service Organisations

Cloud service providers (SaaS, PaaS, IaaS)
Data centres and infrastructure providers
Managed IT service providers
Payment processors and financial service providers
Any organisation storing, processing, or transmitting customer data

Key Distinctions

SOC 2 is an attestation report — not a certification
Type I: point-in-time assessment of control design
Type II: period assessment (3-12 months) of design and effectiveness
Reports are restricted-use (not publicly shared, unlike SOC 3)
No regulatory fines — compliance is market-driven and contractual

Key Compliance Areas

CC1-CC9

Security (Common Criteria)

Always required. Nine Common Criteria covering control environment, communication, risk assessment, monitoring, control activities, logical/physical access, system operations, change management, and risk mitigation.

Availability

Optional. Systems are available for operation and use. Covers uptime, capacity planning, disaster recovery, and operational continuity.

PI1

Processing Integrity

Optional. System processing is complete, valid, accurate, timely, and authorised. Covers data accuracy and completeness.

Confidentiality

Optional. Protecting confidential information by limiting access, storage, and use to authorised individuals.

Privacy

Optional. Protecting personally identifiable information (PII) and compliance with AICPA Generally Accepted Privacy Principles.

How Orizon Helps

Readiness Assessment

Evaluate your current security controls against SOC 2 Trust Services Criteria. Identify gaps in all nine Common Criteria and any additional categories you plan to include.

Criteria Selection

Determine which Trust Service Categories to include beyond Security (mandatory). Base selection on contractual obligations, customer expectations, and industry requirements.

Control Implementation

Design and implement controls addressing each applicable criterion. Document policies, procedures, and evidence of control operation.

Type I Examination

Engage a CPA firm for a Type I examination to validate control design at a point in time. Address any findings before proceeding to Type II.

Type II Examination

Conduct a Type II examination over 3-12 months to demonstrate sustained control effectiveness. This is what most enterprise customers require.

Continuous Monitoring

Maintain controls and evidence collection for annual SOC 2 renewals. Implement monitoring to detect control gaps between examination periods.

Official Sources

Assess Your Compliance

Expert guidance for your SOC 2 compliance journey.

Get Started