SOC 2® refers to a report issued by an independent auditor that states that an organization's data management practices meet a set of criteria issued by the AICPA. A SOC 2 is one of the most common 'certifications' (technically, it is an examination) that service organizations can obtain, and it is becoming a requirement for security-conscious enterprises that rely on cloud service providers, such as software as a service (SaaS) vendors. A SOC 1® covers outsourced financial controls, and a SOC 3® is a public-facing version of a SOC 2 report.
SOC stands for System and Organization Controls, and a SOC 2 is based on five main Trust Services Criteria, or TSCs (described below). Unlike more prescriptive frameworks such as PCI DSS and ISO 27001, the SOC 2 allows organizations to identify the relevant controls that show how they meet each criterion. Organizations can receive a SOC 2 Type 1 or a SOC 2 Type 2 attestation report.
● A Type 1 is an audit as of a point in time: the auditor assesses the design of the controls and whether they adequately cover the criteria.
● A Type 2 extends this with an assessment of whether the controls have been operating effectively over a period of time.