What is SOC 2 Compliance?
SOC 2 is an attestation framework maintained by the AICPA under which an independent auditor examines the controls a service organization uses to protect customer data and issues a report on them.
The Two Types of SOC 2 Reports
SOC 2 reports come in two types, which are frequently confused.
SOC 2 Type I assesses whether an organization's security controls are suitably designed to meet the applicable Trust Service Criteria at a specific point in time. It answers the question: 'Does this organization have controls in place that, if operated effectively, would protect customer data?' It does not assess whether those controls are actually operating effectively. A Type I report is like assessing whether a fire suppression system is correctly installed — not whether it actually works.
SOC 2 Type II assesses both the design and the operating effectiveness of controls over a defined observation period, typically 6-12 months. The auditor tests controls throughout the observation period to verify they are operating as designed. A Type II report answers: 'Have this organization's security controls actually operated effectively over the observation period?' This is the meaningful report for vendor security evaluation. When organizations request SOC 2 compliance evidence from vendors, they should specify Type II, because a Type I report confirms design, not performance.
The Five Trust Service Criteria
SOC 2 is organized around five Trust Service Criteria. Security — also called the Common Criteria — is required for all SOC 2 examinations. Availability, Processing Integrity, Confidentiality, and Privacy are optional criteria that organizations include based on the nature of the services they provide and customer requirements.
The Security criteria cover the controls protecting against unauthorized access — logical and physical access controls, change management, risk management, and incident response. Every SOC 2 report addresses Security. Organizations that provide services where system availability is critical — cloud infrastructure, SaaS applications — typically include Availability. Organizations handling regulated personal data typically include Privacy. Organizations handling confidential business information typically include Confidentiality.
SOC 2 in Vendor Risk Assessment
SOC 2 reports are the primary mechanism through which organizations evaluate the security of their service providers — particularly SaaS vendors, cloud service providers, and managed service providers. A SOC 2 Type II report demonstrates that a service organization's security controls have been independently audited over a sustained period and provides direct evidence of control effectiveness rather than control documentation.
For organizations conducting vendor risk assessments, including pre-acquisition diligence of acquired companies' vendor relationships, SOC 2 reports are often the most efficient way to establish a baseline level of confidence in a vendor's security posture. Engaging a service organization that itself has a current SOC 2 Type II report shows that its security controls have been independently examined over a sustained period, a meaningful positive indicator of security program maturity. Note that SOC 2 is an attestation, not a certification: the report is an auditor's opinion on a defined scope of systems and controls over a defined period, so the scope, the period, and any exceptions should be read rather than treating the report's existence as the evidence.
Related: SOC 2 in a Broader Compliance Program
SOC 2 is one trust framework among several. Organizations subject to multiple compliance regimes typically benefit from a compliance risk assessment that identifies overlapping control requirements across SOC 2, ISO 27001, HIPAA, PCI DSS, and other applicable frameworks — reducing duplicate effort and exposing controls that satisfy multiple obligations simultaneously. For organizations that lack internal compliance program management capacity, Compliance as a Service (CaaS) delivers ongoing compliance operations through a managed service model rather than internal hires.
Real-World Example: The Limits of SOC 2 as Security Evidence
In a 2023 Cloudskope due diligence engagement, a target organization presented a current SOC 2 Type II report as evidence of security posture. A review of the report revealed four exceptions, that is, individual control failures noted by the auditor during the observation period. One exception noted that privileged access reviews had not been conducted for 8 months of the 12-month observation period. Another noted that employee access was not revoked within policy-required timeframes for three terminated employees. The report was real, current, and carried an unqualified (clean) overall opinion, which is possible because test exceptions do not automatically change the auditor's opinion, but the exceptions told a more nuanced story about access governance maturity. The SOC 2 report provided the starting point for a more detailed investigation, not a clean bill of health.
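The two exceptions above are the output of the kind of control test a Type II auditor runs: sample terminated employees against identity-provider disable events, and check that privileged-access reviews recur on schedule. The script below is an added example, not part of the original page or of Cloudskope's tooling, showing those two tests in code. It assumes a 24-hour revocation SLA, a 90-day review cadence and a 2023 calendar-year observation period (none of which the page states), and every HR record, audit event and review date in it is constructed.

```python
"""Control-effectiveness checks of the kind behind a SOC 2 Type II exception.

Added example, not part of the original page or of Cloudskope's tooling.
Assumptions (not stated on the page): a 24-hour access revocation SLA,
a quarterly (90-day) privileged-access review cadence, and a 2023
calendar-year observation period. All records below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime  # time HR recorded the termination


@dataclass(frozen=True)
class AccountEvent:
    user: str
    action: str  # e.g. "disabled", "password_reset"
    at: datetime


# Assumed policy parameters (not from the page).
REVOCATION_SLA = timedelta(hours=24)
REVIEW_CADENCE = timedelta(days=90)
PERIOD_START = datetime(2023, 1, 1)
PERIOD_END = datetime(2023, 12, 31)

# Constructed HR terminations for the observation period.
TERMINATIONS = [
    Termination("alice", datetime(2023, 3, 1, 17, 0)),
    Termination("bob", datetime(2023, 5, 12, 9, 0)),
    Termination("carol", datetime(2023, 8, 20, 12, 0)),
    Termination("dave", datetime(2023, 11, 3, 16, 0)),
]

# Constructed identity-provider audit events.
EVENTS = [
    AccountEvent("alice", "disabled", datetime(2023, 3, 1, 18, 30)),
    AccountEvent("bob", "password_reset", datetime(2023, 5, 12, 10, 0)),
    AccountEvent("bob", "disabled", datetime(2023, 5, 15, 9, 0)),
    AccountEvent("carol", "disabled", datetime(2023, 8, 22, 8, 0)),
    AccountEvent("erin", "disabled", datetime(2023, 6, 1, 9, 0)),  # never terminated; ignored
]

# Constructed dates on which a privileged-access review was completed (unsorted on purpose).
REVIEWS = [datetime(2023, 4, 5), datetime(2023, 1, 10)]


def revocation_exceptions(terminations, events, sla):
    """Return (user, lag) for each termination whose account was not disabled
    within `sla`. `lag` is None when no disable event exists after termination."""
    findings = []
    for t in terminations:
        disables = [e.at for e in events
                    if e.user == t.user and e.action == "disabled" and e.at >= t.terminated_at]
        if not disables:
            findings.append((t.user, None))
            continue
        lag = min(disables) - t.terminated_at  # first disable after the termination
        if lag > sla:
            findings.append((t.user, lag))
    return findings


def access_review_gaps(review_dates, period_start, period_end, cadence):
    """Return (overdue_from, next_review_or_period_end) spans in which no review
    occurred within `cadence` of the previous one (or of the period start)."""
    gaps = []
    anchor = period_start
    for review in sorted(review_dates):
        if review - anchor > cadence:
            gaps.append((anchor + cadence, review))
        anchor = review
    if period_end - anchor > cadence:
        gaps.append((anchor + cadence, period_end))
    return gaps


def control_report():
    """Both checks together, as a dict a vendor-risk reviewer could file."""
    return {
        "revocation_exceptions": revocation_exceptions(TERMINATIONS, EVENTS, REVOCATION_SLA),
        "review_gaps": access_review_gaps(REVIEWS, PERIOD_START, PERIOD_END, REVIEW_CADENCE),
    }


if __name__ == "__main__":
    report = control_report()
    for user, lag in report["revocation_exceptions"]:
        detail = "never disabled" if lag is None else f"{lag.total_seconds() / 3600:.1f}h after termination"
        print(f"revocation exception: {user}: {detail}")
    for start, end in report["review_gaps"]:
        print(f"review overdue from {start:%Y-%m-%d} until {end:%Y-%m-%d} ({(end - start).days} days)")
```

Run stand-alone, the constructed data yields three revocation exceptions (bob at 72h, carol at 44h, dave never disabled) and one review gap of 180 days, roughly the shape of the findings described above. The point for a report reader is that each exception maps to a concrete, reproducible test against the vendor's own records, which is what to ask for when an exception needs follow-up.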
Of enterprise organizations now require SOC 2 Type II compliance from SaaS vendors handling sensitive data — making it the de facto standard for B2B security assurance and a prerequisite for selling into enterprise markets.