SOC 2 Compliance: 2024 Complete Guide

What is SOC 2?

SOC 2 stands for “Systems and Organizations Controls 2” and is sometimes referred to as SOC II. It is a framework designed to help software vendors and other companies demonstrate the security controls they use to protect customer data in the cloud. These controls are called the Trust Services Principles and include security, availability, processing integrity, confidentiality, and privacy.

For organizations evaluating SaaS or cloud services providers, compliance with SOC 2 is a minimum requirement. This is because it confirms to the customer that you have a certain level of maturity around security best practices.

What SOC 2 is not

It’s important to note that SOC 2 compliance is neither a legal requirement nor a proxy for actual security best practices. While the assessment covers the core departments and processes that interact with sensitive data, it’s not driven by HIPAA compliance or other regulations and standards.

Certification is performed by external auditors, not by the government, and the resulting report merely confirms that the processes you self-declare are actually being followed in practice.

Nevertheless, the significance of the role of SOC 2 in data security cannot be overstated. Understanding its origins helps to explain why.

History of SOC 2

SOC 2 evolved from the Statement on Auditing Standards (SAS) 70, an old audit that Certified Public Accountants (CPAs) used to assess the effectiveness of an organization’s internal controls.

While security was included under the umbrella of internal controls, it came to the attention of the American Institute of Certified Public Accountants (AICPA) that some organizations were offering SAS 70 reports as proof they were safe to work with. In response, AICPA replaced SAS 70 with the Statement on Standards for Attestation Engagements (SSAE) 16 report, which was later renamed Systems and Organizations Controls 1 (SOC 1).

A SOC 1 report gives your company’s user entities some assurance that their financial information is being handled safely and securely. SOC 1 reports come in two flavors: Type 1 and Type 2. A Type 1 report shows that your company’s internal financial controls are properly designed, while a Type 2 report demonstrates that your controls operate effectively over a period of time (e.g., over a 12-month period).

Then in 2009, AICPA introduced SOC 2 as an audit report with a strict security focus and issued the five Trust Services Principles. These principles were defined as “a set of professional attestation and advisory services based on a core set of principles and criteria that address the risks and opportunities of IT-enabled system and privacy programs.”
