Compliance & audit

SOC 2

AICPA attestation framework based on five Trust Services Criteria — the de facto B2B SaaS sales gate for North American buyers.

SOC 2 is an attestation framework published by the American Institute of Certified Public Accountants (AICPA) under its Trust Services Criteria (TSC). It is not a law, not a certification, and not government-issued — it is an opinion delivered by an independent CPA firm that a service organization’s controls meet the criteria the AICPA defines. North American B2B buyers treat a SOC 2 Type II report as the entry ticket for any SaaS vendor that touches customer data.

The framework rests on five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Most reports cover Security alone or Security + one or two add-ons. A SOC 2 audit comes in two flavors: Type I tests control design at a point in time; Type II tests operating effectiveness across a 3-to-12-month observation window, which is what buyers actually ask for.

Defining properties for security buyers:

  • Common criteria CC1.4 and CC2.2 explicitly require evidence that personnel are made aware of their security responsibilities — historically satisfied with annual training completion logs.
  • The bar is rising. Modern auditors increasingly accept — and sometimes request — behavioral evidence rather than completion-only certificates: did people do the right thing, not just click through a slide deck.
  • No federal seal. Unlike ISO 27001 there is no certifying body — the auditor’s letter is the artifact.
  • Cross-mapping. SOC 2 criteria map cleanly onto ISO 27001 Annex A controls, which is why many SaaS vendors pursue both in parallel.

Where SOC 2 meets human-risk work: the awareness criterion has historically been the weakest control in any SOC 2 package — easy to evidence with an LMS export, easy for an attacker to ignore. Replacing the LMS export with a behavioral-evidence trail does not change the audit outcome but materially improves the underlying control.
