
SOC 2

Pronunciation: sock TOO

An auditing standard that evaluates whether a company's systems meet the trust service criteria, such as security, availability, and confidentiality.

SOC 2 is an audit framework created by the American Institute of CPAs. It evaluates how a company protects customer data across five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

For SaaS companies selling to enterprises, SOC 2 is table stakes. Enterprise buyers will not sign a contract without it. The audit examines your internal controls: how you manage access, encrypt data, handle incidents, and monitor systems. An independent auditor reviews your policies and tests whether you actually follow them.

There are two types. Type I is a point-in-time snapshot: it attests that your controls are suitably designed as of a specific date. Type II covers a period, usually 6-12 months, and attests that you consistently operated those controls throughout it. Type II is what enterprise buyers want. Companies selling internationally often pursue ISO 27001 certification alongside SOC 2. Healthcare companies handling patient data also need HIPAA compliance.

Examples

A startup begins selling to enterprise customers.

The first enterprise prospect asks for a SOC 2 report. The startup does not have one yet. They engage an auditor and spend four months preparing for a Type I audit.

A SaaS company completes its annual audit.

The auditor issues a SOC 2 Type II report covering the past 12 months. The sales team adds the SOC 2 badge to the security page and shares the report under NDA with prospects.

An engineering team implements access controls.

To pass the SOC 2 audit, the team implements role-based access control, enables MFA for all employees, and sets up automated logging of access to production systems.
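The three controls in that example tend to be implemented together, because an auditor wants evidence that every production access decision was role-checked, MFA-gated, and recorded. The following Python sketch is an added illustration, not code from this page or from any SOC 2 guidance; the role names, permission strings, and the in-memory audit log standing in for a real log sink are all assumptions made for the example.

```python
import json
from datetime import datetime, timezone

# Hypothetical role-to-permission map (constructed for this example).
ROLE_PERMISSIONS = {
    "developer": {"staging:read", "staging:deploy", "prod:read"},
    "sre": {"staging:read", "staging:deploy", "prod:read", "prod:deploy", "prod:db:read"},
    "support": {"staging:read"},
}

# Any permission touching production requires an MFA-verified session.
MFA_REQUIRED_PREFIX = "prod:"

# Append-only in-memory list standing in for a shipped, tamper-evident log (assumption).
AUDIT_LOG = []


def authorize(user, permission, now=None):
    """Decide whether `user` may exercise `permission`, and always record the decision.

    Recording denials as well as allows is deliberate: an auditor sampling the
    period needs to see that the control fired, not only that access happened.
    """
    now = now or datetime.now(timezone.utc)

    granted = set()
    for role in user.get("roles", []):
        granted |= ROLE_PERMISSIONS.get(role, set())
    has_role = permission in granted

    needs_mfa = permission.startswith(MFA_REQUIRED_PREFIX)
    mfa_ok = (not needs_mfa) or bool(user.get("mfa_verified", False))

    if not has_role:
        reason = "no_role_grants_permission"
    elif not mfa_ok:
        reason = "mfa_required"
    else:
        reason = "ok"
    decision = has_role and mfa_ok

    AUDIT_LOG.append({
        "ts": now.isoformat(),
        "user": user["id"],
        "roles": sorted(user.get("roles", [])),
        "permission": permission,
        "decision": "allow" if decision else "deny",
        "reason": reason,
    })
    return decision


def denied_production_events(log=None):
    """Pull every denied production action: the kind of evidence an auditor asks for."""
    log = AUDIT_LOG if log is None else log
    return [e for e in log
            if e["decision"] == "deny" and e["permission"].startswith(MFA_REQUIRED_PREFIX)]


if __name__ == "__main__":
    # Constructed sample users; no real accounts.
    alice = {"id": "alice", "roles": ["sre"], "mfa_verified": True}
    bob = {"id": "bob", "roles": ["developer"], "mfa_verified": False}
    authorize(alice, "prod:deploy")    # allowed: role grants it and MFA is present
    authorize(bob, "prod:read")        # denied: role grants it but no MFA
    authorize(bob, "prod:deploy")      # denied: no role grants it
    for entry in AUDIT_LOG:
        print(json.dumps(entry))
```

The shape worth keeping from this sketch is that the authorization function is the only path that writes the log entry, so the access log cannot be bypassed by a caller that "forgets" to log, and every entry carries the reason for a denial so the MFA gate and the role check are each visible as separate controls in the evidence.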

Frequently asked questions

What is the difference between SOC 2 Type I and Type II?

Type I evaluates your controls at a single point in time. Type II evaluates them over a period of 6-12 months. Type II is more rigorous and is what enterprise buyers typically require.

How long does it take to get SOC 2 certified?

A Type I audit takes 2-4 months of preparation plus the audit itself. A Type II audit requires another 6-12 months of operating under those controls before the auditor can issue the report.
