Reference · US · AICPA Attestation · Last reviewed April 23, 2026

SOC 2 Compliance Reference

A report issued by a licensed US CPA on your security controls. Not a certification.

At a glance


Who needs it

Any US-based B2B SaaS or cloud service provider selling to mid-market or enterprise buyers. There is no legal requirement; procurement teams ask for it during vendor due diligence.

The five criteria

Only Security is required. You add the others based on what you sell.

| ID | Requirement | What it means in practice |
|---|---|---|
| CC | Security | Access control, change management, monitoring, and incident response. Required for every SOC 2 engagement. |
| A | Availability | Add if you commit to uptime SLAs or your customers depend on the system being up. |
| PI | Processing Integrity | Add if correctness of calculations or transactions is a core product promise (fintech, billing, etc.). |
| C | Confidentiality | Add if you handle contractually confidential data distinct from personal data. |
| P | Privacy | Usually handled under GDPR or CCPA instead. Not common in SOC 2 scopes. |

Type I vs Type II

| | Type I | Type II |
|---|---|---|
| Tests | Whether controls are designed properly | Whether they actually work over time |
| Window | Point in time | Minimum 3 months (usually 6 or 12) |
| Timeline | 6–8 weeks | Observation + 4–6 weeks audit |
| Buyer view | Accepted temporarily | The standard they actually want |

What people get wrong

SOC 2 is a certification.

It is an attestation report. No certificate exists, and the AICPA sanctions no official logo or badge.

A platform can get us SOC 2 ready in two weeks.

Tools speed up evidence collection. They cannot compress the 3-month observation window or issue the CPA opinion.

Template policies pass audits.

Sometimes. More often they get flagged when the auditor's tests don't match how your team actually operates.

| Framework | Relationship | Practical impact |
|---|---|---|
| ISO 27001 | 60–70% policy overlap | The international complement. Most companies pursuing both run one integrated program. |
| HIPAA | Large technical overlap | SOC 2 Security covers most HIPAA Security Rule technical safeguards. The Privacy Rule is HIPAA-only. |
| PCI-DSS | Separate | Required by card networks, not law. Shares baseline controls but tests differently. |
| ISO 42001 | Adjacent | AI governance layer for AI-native companies. Sits alongside SOC 2; it does not replace it. |
