What SOC 2 attestation actually entails
SOC 2 is an attestation report, not a certification, that shows you manage customer data against five Trust Services Criteria. Here is what Type I and Type II involve.
15 June 2026 · 3 min read
SOC 2 is an attestation report, not a certification, that shows a service provider manages customer data according to a set of trust principles. It is most common in North America and increasingly expected of any company that handles customer data in the cloud. If you sell software or services to businesses, a customer has probably already asked you for it, or will.
What SOC 2 actually is
SOC 2 is defined by the American Institute of Certified Public Accountants (AICPA), and the audit is performed, and the report issued, by a licensed CPA firm. That is the first thing to understand: it produces an independent auditor’s report, not a badge. The report describes your controls and gives the auditor’s opinion on them, and you share it with customers, usually under a non-disclosure agreement, as evidence that you handle their data responsibly.
The report is structured around five Trust Services Criteria:
- Security (the common criteria, always required)
- Availability
- Processing integrity
- Confidentiality
- Privacy
You include the criteria that matter for the service you provide. Many companies start with security alone and add others as customer demand grows.
Type I vs Type II
This is the distinction that trips people up:
- Type I assesses whether your controls are suitably designed and in place as of a specified date. It is a snapshot: the controls exist and look right on that day.
- Type II assesses whether those controls actually operated effectively over a review period, usually three to twelve months. It is the harder, more credible report, because it gives evidence that the controls did their job over time, not just on audit day.
Most customers asking for SOC 2 mean Type II. Type I is often a sensible first step on the way there, especially if you are early in your program.
SOC 2 vs ISO 27001
| | SOC 2 | ISO 27001 |
|---|---|---|
| Type | Attestation report | Certification |
| Issued by | Licensed CPA firm | Accredited certification body |
| Output | A report shared under NDA | A public certificate |
| Common with | North American customers | International customers |
| Basis | Trust Services Criteria | A managed ISMS plus Annex A controls |
The good news is they overlap heavily on the underlying controls. If your customers want both, you do not run two separate programs; you build a strong control set once and map it across, which is far less work than it sounds when planned from the start.
What the process looks like
A typical SOC 2 journey runs in a few stages: scope the service and choose your criteria, run a readiness assessment to find the gaps, implement and document the controls, then operate them through an observation period (for Type II) before the CPA firm performs the audit and issues the report.
The part teams underestimate is the observation period. For Type II, your controls have to be genuinely running, with evidence, for months. You cannot retrofit that the week before the audit, which is exactly why building real controls early pays off.
How to approach it
As with any framework, the cleanest path is to build security that genuinely works and let the report describe it, rather than assembling paperwork to pass. That is how we approach compliance and certification: readiness, control implementation, and audit support, with the same team that can run the penetration testing your customers and the report will expect. And if you are weighing SOC 2 against the international route, it is worth reading what ISO 27001 adds, since many companies end up wanting both.
Common questions
Is SOC 2 a certification?
No. SOC 2 is an attestation report issued by a licensed CPA firm, not a certificate from an accredited body the way ISO 27001 is. There is no SOC 2 badge; there is a report you share, usually under NDA, that describes your controls and the auditor’s opinion on them.
What is the difference between SOC 2 Type I and Type II?
Type I assesses whether your controls are suitably designed at a single point in time. Type II goes further and tests whether they actually operated effectively over a period, typically three to twelve months. Most customers want to see Type II.
What are the SOC 2 Trust Services Criteria?
There are five: security (always required), availability, processing integrity, confidentiality and privacy. You include the ones relevant to the service you provide; many companies start with security alone and add others as needed.
SOC 2 or ISO 27001, which do we need?
It often comes down to your customers. SOC 2 is common with North American buyers; ISO 27001 is the international standard. They overlap heavily on controls, so if you need both you can build once and map across rather than running two separate programs.
Start with an honest read on where you stand.
A thirty-minute conversation: no deck, no hard sell.