Back to Blog
SOC 2 9 min read

What Is SOC 2? The Complete Guide for Software Companies

SOC 2 is the security audit standard that enterprise buyers demand. Learn what it covers, who needs it, and what the audit process actually looks like.

Key Takeaways
  • SOC 2 is an auditing standard created by the AICPA that evaluates how a service organization protects customer data.
  • It is organized around five Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, and Privacy.
  • Security (the Common Criteria) is mandatory; the other four are optional and chosen based on your product and customer demands.
  • Type I audits assess design at a point in time; Type II audits assess operating effectiveness over 6–12 months.
  • A SOC 2 report is not a certification — it is an auditor opinion letter shared under NDA with customers and prospects.

In this guide

  1. What SOC 2 Is
  2. Who Created It and Why
  3. The Five Trust Service Criteria
  4. Type I vs Type II
  5. Who Needs SOC 2
  6. What Auditors Actually Check
  7. How to Prepare

What SOC 2 Is

SOC 2 — short for System and Organization Controls 2 — is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It defines the criteria that third-party auditors use to evaluate whether a software company's information security controls are designed and operating effectively.

Unlike a checklist certification such as ISO 27001, SOC 2 produces an audit report — a formal opinion letter written by a licensed CPA firm — describing how your systems handle security, availability, confidentiality, processing integrity, and privacy. Customers share that report with their own security teams and procurement departments as evidence that you can be trusted with their data.

The standard became the de-facto requirement for selling B2B SaaS in North America, and is increasingly demanded by enterprise buyers in Europe, Australia, and India. If a Fortune 500 procurement team sends you a security questionnaire, the first question is almost always "Do you have a SOC 2 Type II report?"

Who Created It and Why

The AICPA created the original SAS 70 auditing standard in 1992 to evaluate financial service providers. As cloud computing grew, enterprise buyers needed a way to assess whether SaaS vendors were protecting their data — not just processing financial transactions. In 2011 the AICPA replaced SAS 70 with the SSAE 16 family, which introduced SOC 1, SOC 2, and SOC 3 as distinct report types.

SOC 2 was designed specifically for technology and cloud service providers. The AICPA updated the Trust Service Criteria in 2017 (TSC 2017) — the version in use today — to reflect modern risks including logic access, change management, and risk assessment. The 2017 criteria introduced the Common Criteria (CC) numbering system that auditors reference when writing their reports.

Because the AICPA owns the standard, only licensed CPA firms can issue SOC 2 reports. Compliance software vendors, consultants, and internal teams can help you prepare, but the report itself must come from an accredited audit firm.

The Five Trust Service Criteria

SOC 2 is organized around five Trust Service Criteria (TSC). Security is mandatory for every SOC 2 engagement. The other four are selected based on your product commitments and the concerns your customers raise.

Security (Common Criteria, CC1–CC9) covers logical access, change management, risk assessment, incident response, monitoring, and physical security. These 33 criteria form the backbone of every SOC 2 report. Availability (A1.1–A1.3) covers whether your system operates as committed — relevant for SaaS products with uptime SLAs. Confidentiality (C1.1–C1.2) covers how you protect information designated as confidential — relevant for platforms that store sensitive client data such as legal documents or financial records. Processing Integrity (PI1.1–PI1.5) covers whether processing is complete, accurate, timely, and authorized — relevant for payment processors and data pipelines. Privacy (P1–P8) covers how personal information is collected, used, retained, and disposed of — relevant for any product collecting end-user PII.

Most B2B SaaS startups scope their first SOC 2 to Security only. Companies with uptime-sensitive products often add Availability. Those handling healthcare or financial data frequently add Confidentiality. Privacy is typically added when the customer base includes European data subjects or when the product has a strong consumer component.

Type I vs Type II

A SOC 2 Type I report assesses whether your controls are suitably designed as of a specific date — a snapshot. An auditor reviews your policies, system descriptions, and control configurations and writes an opinion on whether they address the relevant Trust Service Criteria. Type I reports typically take 4–8 weeks to complete and cost $15,000–$30,000 for a straightforward SaaS company.

A SOC 2 Type II report covers the same controls but evaluates whether they operated effectively over an observation period — typically 6 or 12 months. Auditors collect evidence throughout the period (log samples, change tickets, access review records) and test whether controls performed consistently. Type II reports cost $20,000–$60,000 and are the version enterprise buyers actually require.

Most companies pursue Type I first to get something in hand quickly, then transition to Type II. If you have 12 months of solid operating history, you can skip Type I and go straight to Type II. The observation period for your first Type II can be as short as 6 months.

Who Needs SOC 2

Any B2B software company that stores, processes, or transmits customer data and sells to enterprises effectively needs SOC 2. The most common triggers are: a Fortune 500 prospect puts SOC 2 in their security requirements; your sales team is losing deals because you can't answer security questionnaires; or your company is preparing to enter regulated industries like healthcare, finance, or government.

Startups typically encounter their first SOC 2 request between $1M and $5M ARR, when they begin closing mid-market deals. At Series A or B, most investors also expect to see a compliance roadmap. Indian SaaS companies selling to US or EU customers are increasingly required to provide SOC 2 reports as part of vendor onboarding, alongside data processing agreements and GDPR compliance documentation.

Companies that don't need SOC 2 yet include pure consumer apps with no B2B customers, very early-stage startups whose buyers are other small companies without security requirements, and internal tools never shared outside the organization.

What Auditors Actually Check

Auditors from your chosen CPA firm assess three things: (1) whether you have written policies and procedures that address each criterion, (2) whether your technical controls are configured to enforce those policies, and (3) whether you can provide evidence that those controls worked during the observation period.

Common evidence requests include: user access lists showing only active employees have access to production systems; screenshots of MFA being enforced on all admin accounts; change management tickets showing code reviews and approvals before deployment; quarterly access review records; incident response runbooks and post-mortems; penetration test reports; security awareness training completion records; and vendor risk assessments for your critical SaaS tools.

The auditor will also interview your engineering, HR, and security leads to verify that the policies described on paper reflect actual operating practice. A company that has written a great information security policy but whose engineers have never read it will struggle to answer those questions.

How to Prepare

Preparation typically follows three phases. First, conduct a readiness assessment (gap analysis): compare your current controls against the TSC requirements and document what's missing. Second, remediate gaps: implement the missing controls, write or update policies, and establish the operational cadence (access reviews, change approvals, security training) that produces audit evidence. Third, run the observation period: operate your controls consistently for 6–12 months while collecting evidence continuously.

Compliance automation platforms like AuditPath dramatically reduce the manual work of evidence collection by integrating with AWS, GitHub, Okta, and other tools to pull control evidence automatically. Instead of exporting spreadsheets before each audit, your evidence library is continuously populated and your auditor can access it through a shared portal.

The single most important thing you can do before engaging an auditor is to define your system scope carefully. A narrower scope (specific product, specific environment) means fewer controls to implement, less evidence to collect, and lower audit fees. Many startups over-scope their first engagement and spend months implementing controls for systems that a well-scoped audit wouldn't require.

Frequently Asked Questions

Is SOC 2 a certification or a report?
SOC 2 is a report, not a certification. There is no SOC 2 "badge" or registry. The output is a formal audit report written by a licensed CPA firm. Companies share this report (usually under NDA) with customers and prospects as evidence of their security posture. Some compliance software vendors issue a "SOC 2 certified" badge as marketing shorthand, but the correct term is "SOC 2 attested" or "SOC 2 audited."
How often does SOC 2 need to be renewed?
SOC 2 Type II reports cover a specific observation period, typically 12 months. Enterprise customers expect you to have a current report covering the last 12 months. In practice, this means running a continuous audit cycle: your new observation period starts the day after your last one ends. Most companies engage their auditor on a recurring annual basis to maintain a fresh report at all times.
Can a non-US company get SOC 2?
Yes. SOC 2 is an AICPA standard but it applies to any organization that provides services to US customers or any market where buyers demand it. Indian, European, and Australian SaaS companies commonly obtain SOC 2 reports. The audit must be performed by a licensed US CPA firm, but many of these firms have global offices or partner networks that can conduct fieldwork locally.
What is the difference between SOC 2 and ISO 27001?
SOC 2 is an audit report issued by a CPA firm against AICPA criteria; ISO 27001 is a certification issued by an accredited certification body against ISO standards. SOC 2 is predominantly required by US enterprise buyers; ISO 27001 is more common in Europe, the Middle East, and Asia-Pacific. The two frameworks overlap significantly in controls but differ in structure and the nature of the output. Many companies pursuing global enterprise sales eventually hold both.
How much does SOC 2 cost for a 20-person startup?
For a 20-person SaaS startup with a focused scope (Security TSC only, single product, AWS-hosted), total first-year costs typically run $30,000–$70,000. This includes auditor fees ($20,000–$40,000 for Type II), readiness consulting ($5,000–$15,000 if used), and compliance tooling ($3,000–$12,000/year). Costs rise with scope complexity, number of systems, and the number of Trust Service Criteria included.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free

Related Articles

SOC 2

SOC 2 Type I vs Type II: Key Differences Explained

SOC 2

SOC 2 Trust Service Criteria: All 5 Categories Explained

SOC 2

SOC 2 Certification Cost: Full Breakdown for 2026