What is SOC 2?

Service Organisation Control (SOC 2) is a framework that is used to help organisations maintain information security and assure clients of their ability to protect sensitive data, particularly those operating or looking to operate in the US market.  It is published by the American Institute of Certified Public Accountants (AICPA), and involves a CPA auditing against a selection of up to 5 trust services criteria (TSC) and subsequently producing a report on your information security processes and controls.   This report is not intended to be public facing, and can only be shared with specific interested parties, such clients, prospective clients, and auditors, in order to demonstrate to these parties that your organisation handles information securely.  

It is important to note that SOC 2 is an attestation, not a certification, and there is no concept of a SOC 2 ‘pass’ or ‘fail’.  The output of a SOC 2 audit is the report described above, which you will receive regardless of your organisation’s level of compliance with the framework’s requirements.  The CPA firm performing the audit will, however, provide an opinion on your alignment with the selected TSC.  If the auditor does not identify any significant issues, you will receive an ‘unqualified’ report.  However, if there are significant issues and findings raised during the audit, you may receive a ‘qualified’ report.