What Does SOC2 Actually Mean?
SOC2 stands for Service Organization Control 2. It is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) under the Trust Services Criteria framework. A SOC2 report is an independent auditor's assessment of whether a company's information security controls are properly designed (Type 1) and effectively operating (Type 2).
Unlike ISO 27001, which is a certification you earn, SOC2 produces a report — a formal attestation by a licensed CPA firm. That report is typically shared under NDA with customers, prospects, and investors who need to verify your security posture before trusting you with their data.
The key phrase: “only licensed CPA firms can issue SOC2 attestation reports.” Security consultants, vCISOs, and pen test firms can help you prepare, but only a CPA firm can sign the final report.
Who Needs SOC2?
SOC2 is commercially required — not legally mandated — but that distinction has blurred significantly. If you answer yes to any of these questions, you likely need SOC2:
- Do enterprise customers ask for your SOC2 report during procurement?
- Does your SaaS store, process, or transmit customer data?
- Are you trying to close deals with Fortune 1000 companies, healthcare organizations, financial institutions, or government agencies?
- Are you raising Series A or later funding and investors are asking about your security posture?
- Do you provide managed services, cloud hosting, or data processing to other businesses?
The short answer: any B2B company selling to mid-market or enterprise buyers will encounter SOC2 requirements. Enterprise procurement teams routinely block vendor approvals without a current SOC2 Type 2 report.
The 5 Trust Services Criteria
SOC2 is built on five Trust Services Criteria (TSC). Only the Security criterion is mandatory — the others are added based on what your customers care about.
Security
The system is protected against unauthorized access (both physical and logical). This covers access controls, encryption, firewalls, incident response, and vendor management. Always required.
Availability
The system is available for operation and use as committed or agreed. Covers uptime commitments, disaster recovery, and business continuity. Add if your SLA promises specific uptime guarantees.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized. Relevant for payment processors, data transformation platforms, and any system where data accuracy is contractually critical.
Confidentiality
Information designated as confidential is protected. Covers data classification, NDA enforcement, encryption of confidential datasets, and destruction policies. Common addition for legal tech, HR software, and financial platforms.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of according to commitments. Covers notice, consent, data subject rights, and CCPA/GDPR alignment. Add if you handle significant volumes of consumer PII.
Most startups begin with Security only. Adding Availability is common for SaaS with SLA commitments. Adding all 5 TSC increases audit cost and scope significantly — only add what your customers contractually require.
SOC2 Type 1 vs Type 2
| Feature | Type 1 | Type 2 |
|---|---|---|
| What it tests | Controls are suitably designed at a point in time | Controls operated effectively over 6-12 months |
| Timeline | 4-12 weeks total | 9-18 months total (includes observation period) |
| Cost | $8,000–$40,000 | $15,000–$150,000+ |
| Buyer acceptance | Accepted by some buyers as interim step | Required by most enterprise buyers |
| Best for | Quick compliance need, budget constraint, stepping stone to Type 2 | Enterprise sales, regulated industries, ongoing compliance |
How Long Does SOC2 Take?
Timeline depends on your current readiness, the audit type, and which firm you choose. Here are realistic benchmarks:
- Type 1: 4-12 weeks from readiness assessment to final report
- Type 2: 9-18 months total, broken down as 2-4 months of readiness and remediation, a 6-12 month observation period, then 4-8 weeks for the auditor to prepare the final report
- Boutique specialist firms often complete Type 1 in 6-8 weeks and Type 2 in 9-12 months
How to Find a SOC2 Auditor
Since only CPA firms can issue SOC2 reports, your auditor must hold an active CPA license. Beyond that, look for:
- AICPA membership — confirms they operate under peer review
- Industry experience — an auditor who has worked with companies like yours will scope more accurately
- GRC platform familiarity — if you use Vanta or Drata, find an auditor who integrates with it
- Transparent pricing — get written estimates before committing, not vague ranges
- Partner involvement — confirm senior staff will work your engagement, not just junior associates
Frequently Asked Questions
What does SOC2 stand for?
SOC2 stands for Service Organization Control 2. It is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how service organizations manage customer data based on the five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Who is required to get SOC2 certification?
SOC2 is not legally mandated, but it is commercially required for many B2B technology companies. Enterprise buyers, Fortune 500 procurement teams, healthcare organizations, financial institutions, and government agencies routinely require SOC2 Type 2 reports before signing vendor contracts. Series A funding rounds increasingly require or expect it. If you sell software or services that store or process customer data, you likely need SOC2.
What is the difference between SOC2 Type 1 and Type 2?
SOC2 Type 1 assesses whether your security controls are suitably designed at a single point in time. It is faster (4-12 weeks) and cheaper. SOC2 Type 2 evaluates whether those controls operated effectively over an observation period, typically 6-12 months. Most enterprise buyers and regulated industries require Type 2. Many companies get Type 1 first as a stepping stone to Type 2.
How long does SOC2 take to complete?
SOC2 Type 1 typically takes 4-12 weeks from readiness assessment to final report. SOC2 Type 2 takes 9-18 months total: 2-4 months for readiness and remediation, then a 6-12 month observation period, then 4-8 weeks for the auditor to prepare the final report. Boutique specialist firms often complete Type 1 in 6-8 weeks and Type 2 in 9-12 months.
How much does a SOC2 audit cost?
SOC2 audit costs vary widely. For a seed-stage startup (under 50 employees, AWS infrastructure, security TSC only): Type 1 costs $8,000-$20,000 and Type 2 costs $15,000-$40,000. For a mid-size company (100-500 employees): Type 2 costs $40,000-$120,000. Large enterprises with Big 4 auditors can pay $150,000-$400,000. Using a GRC platform like Vanta or Drata can reduce costs by 20-30% by automating evidence collection.
Can only CPA firms perform SOC2 audits?
Yes. SOC2 reports are attestation engagements governed by AICPA standards (AT-C Section 205). Only licensed CPA firms are authorized to issue SOC2 reports. Cybersecurity consultants, vCISOs, and non-CPA security firms can perform readiness assessments, but they cannot issue the final SOC2 attestation report. Always verify your auditor holds an active CPA license.
What are the 5 Trust Services Criteria?
The five Trust Services Criteria are: (1) Security — protection against unauthorized access, the only mandatory TSC; (2) Availability — system availability for operation and use as agreed; (3) Processing Integrity — system processing is complete, valid, accurate, timely, and authorized; (4) Confidentiality — designated confidential information is protected; (5) Privacy — personal information is collected, used, retained, disclosed, and disposed of properly. Most companies include Security plus 1-2 additional TSC based on their customers' requirements.
Does SOC2 expire?
SOC2 Type 2 reports cover a specific observation period, typically 12 months. They do not technically 'expire,' but buyers treat reports older than 12-18 months as outdated. Most companies undergo annual SOC2 audits to maintain continuous coverage. SOC2 Type 1 reports are point-in-time and most buyers consider them stale after 6-12 months.