Home
>
Infosec Essentials
>
What Is SOC 2?

What Is SOC 2?

March 17, 2026
1 min
What Is SOC 2? Compliance and audit guide
In This Article
Example H2
Key takeaways:
  • SOC 2 is an auditing framework, not a government regulation. Compliance is voluntary, but increasingly expected by enterprise buyers.
  • SOC 2 audits are conducted by licensed CPA firms and assess controls across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy.
  • SOC 2 Type 1 evaluates whether controls are in place at a point in time. SOC 2 Type 2 evaluates whether those controls operated effectively over a period (typically 6–12 months).
  • For data security teams, SOC 2 is most relevant to the Security and Confidentiality criteria, both of which depend on knowing where sensitive data lives and how it moves across your environment.

What is SOC 2?

SOC 2 is a security and compliance framework that evaluates how a service organization protects the data it handles on behalf of its customers.

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 2 is not a product you buy or a checklist you fill out. It is an independent audit that results in a formal report, one that tells your customers, partners, and prospects whether your security controls are actually working.

Why SOC 2 Compliance Matters

For B2B SaaS companies and cloud service providers, SOC 2 has quietly become a table-stakes requirement. If you're selling to enterprises, particularly in industries like financial services, healthcare, or legal, a prospect's security team will almost certainly ask for your SOC 2 report during due diligence.

The stakes are real. A missing or outdated report can delay or kill a deal. But beyond sales, SOC 2 compliance drives something more valuable: A structured process for identifying and closing gaps in your security controls before they become incidents.

From a data security perspective specifically, achieving SOC 2 compliance pushes organizations to answer hard questions: Who has access to sensitive data? How is it encrypted? How would you know if it left your environment without authorization? These are questions that data loss prevention (DLP) and data security posture management (DSPM) programs are designed to answer, and SOC 2 creates the organizational pressure to ask them.

How SOC 2 Works

SOC 2 is built around five principles called the Trust Service Criteria (TSC). Organizations do not need to address all five; they select the criteria most relevant to their business. Security is the only mandatory category.

  • Security: The system is protected against unauthorized access, both logical and physical. This includes access controls, encryption, network monitoring, and incident response procedures.
  • Availability: The system is available for operation as committed. This covers uptime, disaster recovery, and business continuity planning.
  • Processing Integrity: System processing is complete, accurate, and authorized. Relevant primarily to organizations that process financial or transactional data.
  • Confidentiality: Information designated as confidential is protected throughout its lifecycle. This requires data classification, encryption, and controlled access, areas where DSPM plays a direct role.
  • Privacy: Personal information is collected, used, retained, and disclosed in conformity with the organization's privacy notice and applicable regulations like GDPR and CCPA.

An independent CPA firm evaluates your controls against whichever criteria you select. The result is a SOC 2 report, which you can share with customers and prospects under a non-disclosure agreement.

SOC 1 vs. SOC 2: What Is the Difference?

SOC 1 and SOC 2 serve different purposes, and the distinction matters.

SOC 1 addresses internal controls over financial reporting. It is relevant for service organizations whose operations directly affect their clients' financial statements, such as payroll processors or loan servicers. The primary audience is financial auditors.

SOC 2 addresses security, availability, processing integrity, confidentiality, and privacy. It is relevant for cloud providers, SaaS companies, managed service providers, and any organization that processes or stores data on behalf of customers. The primary audience is security and procurement teams. If your customers are asking about your data security practices, SOC 2 is almost certainly the report they want. SOC 1 answers a different question entirely.

There is also a SOC 3 report, which contains the same underlying assessment as SOC 2 but is designed for public distribution. It is a simplified summary without the detailed control descriptions that SOC 2 provides.

What SOC 2 Compliance Requires in Practice

SOC 2 compliance requirements are not prescriptive by design. The AICPA defines what outcomes you need to demonstrate, not the specific tools or processes you must use to achieve them. That gives organizations flexibility, but it also means the work of scoping and implementing controls falls on you.

For the Security criterion alone, a SOC 2 audit will typically examine:

  • Logical access controls, including how access is provisioned, reviewed, and revoked
  • Encryption of data in transit and at rest
  • Network security architecture and monitoring
  • Vulnerability management and patch cadence
  • Incident detection and response procedures
  • Change management processes for production systems
  • Security awareness training for employees

The Confidentiality criterion adds requirements around data classification, sensitive data handling, and the controls in place to ensure that confidential information is only accessible to authorized parties. This is where organizations without strong data visibility programs often struggle: you cannot protect what you cannot see. A DSPM solution gives security teams the continuous inventory of where sensitive data lives, across cloud storage, SaaS applications, and data pipelines, that the Confidentiality criterion demands.

Who Performs a SOC 2 Audit?

SOC 2 audits must be performed by a licensed CPA or CPA firm. The auditor must be independent of the organization being examined; you cannot audit yourself.

Beyond the licensing requirement, selecting the right auditor matters. Look for firms with specific experience in technology and cloud environments. A generalist accounting firm with no SaaS or infrastructure background will struggle to evaluate the technical controls that modern service organizations rely on.

The audit process typically includes a readiness assessment (sometimes called a gap analysis), a formal audit period, and the issuance of the final SOC 2 report. For Type 2, expect the full process to take six to twelve months from kickoff to completed report.

SOC 2 in Practice: Two Scenarios

Scenario 1: A SaaS company preparing for enterprise sales

A mid-market HR software company has been selling to SMBs without a SOC 2 report. When they pursue their first Fortune 500 deal, the prospect's security team puts the SOC 2 report on the mandatory requirements list. The company engages an auditor, goes through a readiness assessment, and discovers that their access review process is informal and undocumented. They formalize the process, implement quarterly reviews, and eighteen months later, close the enterprise deal with a clean Type 2 report in hand.

Scenario 2: A data breach traced back to a gap SOC 2 would have caught

A B2B cloud storage provider suffers a breach after an attacker exploits a misconfigured storage bucket. Post-incident analysis reveals that no process existed to regularly audit data access permissions. Had the organization been pursuing SOC 2 compliance, particularly the Confidentiality and Security criteria, the access controls assessment would have flagged this gap. DSPM tooling, which continuously maps data exposure across cloud environments, would have surfaced the misconfiguration in real time.

SOC 2 and AI Security: What Organizations Need to Know

AI tools have introduced a compliance challenge that SOC 2 was not originally designed to address, but one it is increasingly being used to evaluate. As organizations adopt large language models, AI assistants, and automated data pipelines, the question of where sensitive data goes and who can access it has become significantly harder to answer.

SOC 2 does not have an AI-specific criterion. What it does have are the Confidentiality, Privacy, and Security criteria, and all three are directly relevant to how organizations govern AI usage. The core problem is data exposure. When an employee pastes customer records into an AI tool, uploads a contract to an LLM-powered assistant, or connects a business application to an AI agent, sensitive data leaves the controlled environment that SOC 2 auditors assess. If your SOC 2 scope assumes data stays within defined systems and boundaries, AI adoption can quietly invalidate that assumption.

For SOC 2 compliance specifically, organizations using AI tools need to address a few areas that auditors are beginning to scrutinize:

  • Access controls for AI systems. Who can connect AI tools to internal data sources? SOC 2's Security criterion requires that access is provisioned based on least privilege, and AI integrations are no exception.
  • Data classification and input governance. The Confidentiality criterion requires that sensitive data is identified and protected. That protection needs to extend to what employees are permitted to input into AI tools, and whether controls exist to enforce those boundaries.
  • Logging and auditability. SOC 2 auditors expect evidence that access to sensitive data is logged and reviewable. Many AI tools offer limited audit trail capabilities, which creates a gap organizations need to close before an audit.
  • Third-party risk. AI vendors are third parties, and SOC 2 requires organizations to assess the controls of vendors who handle their data. If an AI tool processes customer data, your SOC 2 program needs to account for how that vendor protects it.

SOC 2 and Data Security: The Connection

SOC 2 is fundamentally a data protection framework. It asks: do you have the controls in place to keep customer data secure, confidential, and available? For organizations that have invested in DLP and DSPM, many of the controls that SOC 2 auditors look for are already in place or partially addressed.

DLP controls govern how sensitive data moves, enforcing policies that prevent unauthorized sharing, exfiltration, or exposure. DSPM provides continuous visibility into where sensitive data lives, who has access, and whether that posture aligns with policy. Together, these capabilities directly support the Security, Confidentiality, and Privacy criteria that are central to most SOC 2 audits.

Put simply: organizations that have invested in data-centric security controls tend to have a smoother SOC 2 audit experience because the evidence the auditor needs already exists.

Frequently Asked Questions

What is SOC 2 certification?

Technically, SOC 2 issues a report rather than a certificate. When people refer to "SOC 2 certification," they typically mean the process of completing a SOC 2 audit and receiving a clean audit opinion. Some auditors do issue a letter of certification alongside the report, but the SOC 2 report itself is the authoritative document.

How do you get SOC 2 certification?

The process involves four broad stages: scoping (deciding which Trust Service Criteria to include and what systems are in scope), readiness assessment (identifying gaps between your current controls and SOC 2 requirements), remediation (closing those gaps), and the formal audit. The audit is conducted by an independent CPA firm, which then issues the SOC 2 report.

What is the difference between SOC 2 Type 1 and Type 2?

Type 1 evaluates whether your controls are properly designed at a point in time. Type 2 evaluates whether those controls operated effectively over a defined observation period, usually six to twelve months. Enterprise buyers typically require Type 2.

How long does it take to get SOC 2 compliant?

For a Type 1 report, organizations that are reasonably mature can often complete the process in three to six months. A Type 2 report requires a minimum observation period, so the total timeline is typically twelve to eighteen months from the start of the readiness process to the issuance of the final report.

Is SOC 2 required by law?

No. SOC 2 is a voluntary framework. However, enterprise customers in regulated industries frequently require their vendors and service providers to maintain a current SOC 2 report as a condition of doing business.

What is SOC 2.0?

"SOC 2.0" is not an official designation. The term occasionally appears informally to reference the current, updated version of the SOC 2 framework or to describe the maturation of a SOC 2 program over time. If a vendor uses this term, it is worth asking what they mean specifically.

Does passing a SOC 2 audit mean a company cannot be breached?

No. SOC 2 assesses whether appropriate controls are in place and operating effectively. It does not guarantee that those controls will prevent every incident. A clean SOC 2 report is evidence of a mature security program, not an insurance policy against compromise.

How does SOC 2 relate to other compliance frameworks like ISO 27001 or HIPAA?

There is meaningful overlap. SOC 2 and ISO 27001 both address information security controls, though ISO 27001 is an international standard and results in a certification rather than a report. HIPAA is a U.S. regulation specific to healthcare data, and achieving SOC 2 compliance can satisfy many of the technical safeguard requirements HIPAA demands, but they are not interchangeable. Organizations subject to HIPAA need to address both.

On-Demand Demo

See how Cyberhaven delivers smarter, real-time security that safeguards sensitive information and simplifies compliance. Experience the future of data protection.

Watch now

Insider Risk Management: The O'Reilly® Guide to Proactive Data Security

Discover why legacy DLP fails against the AI-Accelerated Insider and how to build a program that moves from paranoia to preparedness.

Download now

Traditional DLP failed. Modern DLP doesn’t have to.

Data Loss Prevention For Dummies® - A practical guide to modern DLP that understands how data moves, how it's used, and how to protect it.

Download now
Portraits of three professionals with company logos AWS, Upwind, and WIZ below each respectively, against a blue background.

Watch the 2025 Data Defense Forum

AI-era DLP strategies from
Joe Sullivan & Fortune 500 security leaders
Watch now
Text reading 'The DLP Disconnect' with 'The DLP' in bold blue and 'Disconnect' in italic blue on a white background.

Why Decades of DLP Investment still Aren't Paying Off

77% of security leaders say data sprawl makes breaches inevitable
Get report
Blue wireframe illustration of a downward arrow integrated with a cube shape on a white background.

Why Legacy DLP fails

The fundamental flaws in traditional DLP approaches
Learn more

See

Watch on-demand demos

Learn

Explore resources

Meet

Talk to an expert

Connect with Cyberhaven