SOC 2 Explained: Understanding the Report Types, Requirements & Process [+ Free Resources]

January 29, 2025

Author: Emily Bonnie, Senior Content Marketing Manager

Reviewer: Rob Gutierrez, Senior Compliance Manager

SaaS breaches increased 300% year-over-year from September 2023 to 2024, according to Obsidian Security's 2025 SaaS Security Threat Report.

Since this surge in attacks has impacted organizations across all sectors, an airtight security posture is no longer a nice-to-have; it’s a must-have. One of the most popular and respected security frameworks is SOC 2.

Navigating SOC 2 compliance can be difficult for any organization. The different SOC frameworks and report types can be confusing, the criteria and requirements fuzzy, and the auditing details vague.

In this article, we strip away the jargon and explain the essentials of SOC 2 in clear and simple terms. Let's get to it.

What is SOC 2?

SOC 2 is a security framework that specifies how service organizations should safely store customer data. The American Institute of CPAs (AICPA) developed SOC 2 in 2010 to give CPAs and auditors more specific guidance for evaluating a service organization’s controls — and to help those service organizations establish trust with customers.

SOC 2 stands for “System and Organization Controls” and refers to both the security framework and the final report that’s issued at the end of a compliance audit. To “get a SOC 2” means to have a report in hand from an accredited CPA or auditor stating your company has completed an audit and meets SOC 2 requirements.

Being SOC 2 compliant is not legally required, unlike HIPAA or GDPR. But in recent years it has become table stakes for modern SaaS companies.

Recommended reading

The SOC 2 Compliance Hub

Why is SOC 2 required by some customers?

More customers are requesting a SOC 2 report as a way to verify your information security posture before they will do business with your company. Without a SOC 2 report, your organization will likely lose deals to compliant competitors, experience longer sales cycles, have difficulty moving upmarket, or be asked to complete lengthy security questionnaires in order to satisfy customers’ cybersecurity requirements.

A SOC report clears these roadblocks. It builds trust with customers, who know that you will safeguard their data from security breaches. 

The process of getting SOC 2 compliant also unveils important insights into your organization’s systems and processes. Do you have conflicting policies or redundant software? SOC 2 encourages growing companies to build a stronger data security posture and scalable processes into their DNA. Laying a strong security foundation early on will make it much easier to close enterprise deals, prepare for an acquisition, and secure funding. 

Recommended reading

Why Get a SOC 2 Report? 13 Reasons According to Real Organizations

What's the difference between SOC 1 vs 2 vs 3?

SOC 2 isn't the only security framework created by the American Institute of Certified Public Accountants. They also developed SOC 1 and SOC 3. So what’s the difference between these auditing standards?

  • SOC 1 reports are designed for organizations that impact a customer’s financial reporting, like payroll, claims, or payment processing companies. SOC 1 assures customers that their financial information is safe.
  • SOC 2 is closer to SOC 3 in that both reports involve a CPA audit based on SSAE 18 standards, cover the same information, and certify your organization’s compliance. But SOC 2 reports include detailed descriptions of organization controls and systems, so they are usually private and not shared unless under an NDA.
  • SOC 3 reports don’t go into as much detail and are meant to be shared with the general public, typically on the organization’s website. Because they lack the greater level of detail and privacy of a SOC 2 report, SOC 3 reports generally don’t satisfy customers who need to see a SOC 2 report before doing business with your company.

Recommended reading

A Deeper Dive into the Differences Between SOC 1 vs SOC 2 vs SOC 3

What are the SOC 2 Trust Services Criteria?

The AICPA built the SOC 2 framework on the foundation of five Trust Services Criteria (formerly called the Trust Services Principles).

They are: 

  • Security: How do you protect data from data breaches?
  • Availability: How do you ensure data is reliably available to those who need it?
  • Processing integrity: How do you verify that information assets and systems operate the way they’re supposed to?
  • Confidentiality: How do you limit data access, storage, and use?
  • Privacy: How do you keep sensitive information and personally identifiable information (PII) private from unauthorized access?

The criteria you select for your SOC 2 report are what your organization will be evaluated against during your audit.

Note that Security is the only TSC that’s required for every SOC 2 report. The other four TSC are optional, and you’ll decide which to include based on the type of services you provide and your customers’ demands. 

Report types: SOC 2 Type 1 vs SOC 2 Type 2

There are two types of SOC 2 reports: Type I and Type II.

  • A SOC 2 Type I report examines an organization’s security posture at a given point in time. It’s designed to determine whether the internal controls are both properly designed and sufficient for data protection.
  • A SOC 2 Type II report evaluates how those internal controls perform over a specific period of time, typically anywhere between 3 and 12 months.

Because a SOC 2 Type I is a point-in-time report, it’s often faster and less expensive to complete than a Type II report. Some Type I audits can be completed in just a few weeks. However, many customers are specifically requesting SOC 2 Type II reports from their service providers, which provide greater assurance of the quality of an organization’s security posture. 

For organizations that need a SOC 2 report urgently, we typically recommend a Type II report with a 3-month review window. It will save you from duplicate audits and provide potential customers the level of assurance they need. 

The SOC 2 Compliance Kit

Get key assets you’ll need to get your report, including a SOC 2 guidebook, customizable policy templates, readiness checklist, and more.

How to get SOC 2 compliance: 5 key steps

No two SOC 2 audits are alike. Every organization is different, the chosen Trust Services Criteria are different, and the internal security controls and systems are different. 

That said, SOC audits typically follow a similar set of steps. Here's a quick overview of the audit process.

Step 1: Decide the report type and TSC

First, the organization decides which type of SOC 2 report they will pursue — a Type I or Type II — and which TSC they will include in the scope of their report. Remember, Security is the only required TSC. 

Step 2: Determine the audit window for a Type II audit

Next, the audit window is determined. The AICPA recommends at least 6 months for Type II reports, but they can be done in as little as 3 months or as many as 12. 

Step 3: Prepare the documentation

Now you’ll need to decide which systems are within the scope of your audit and begin collecting documentation about those systems and controls to use as evidence during your audit. Your auditor will review all of this documentation, along with your systems and security controls, to determine your level of compliance with the TSC you’ve selected. 

Examples of documents your auditor will need are: 

  • Information asset inventories
  • User access controls and policies
  • Risk management policies, risk assessments, and risk treatment plans
  • Change management policies and procedures
  • Code of conduct and ethics policies
  • Security incident response and business continuity plans
  • Maintenance records and system backup logs

Step 4: Complete a gap analysis and readiness assessment

Next, you’ll complete a gap analysis and readiness assessment. Use the documents you’ve compiled to compare where your organization stands today with SOC 2 requirements. Where are the gaps you’ll need to fill in before your audit?

A formal readiness assessment can provide useful insights into the state of your security posture. A SOC 2 auditor will perform its own gap analysis and provide specific recommendations for your organization based on the TSC you’ve selected for your audit. The final readiness assessment report will help identify which controls will appear in your final SOC 2 report and any vulnerabilities that could prevent you from meeting compliance requirements. 

Step 5: Select your auditor

Finally, you’ll select an accredited CPA or auditing firm and complete your SOC 2 audit, during which the auditor will test the operating effectiveness of your systems and controls. At the end of your audit, you’ll be issued your formal report.

To maintain compliance, a new audit is typically needed every 12 months. 

Recommended reading

SOC 2 Compliance Checklist for 2025: Must-Have Tips to Get SOC 2 Audit-Ready

35+ free resources to simplify SOC 2

Security frameworks can be complicated. That’s why we built a one-stop SOC 2 information hub with everything you need to understand compliance.

Browse 35+ free resources to master the basics of SOC 2. Dive deeper into the audit process, get tips to simplify audit prep, and much more. Check out the complete SOC 2 Compliance Hub.

You can also browse our library of free SOC 2 policy templates, audit readiness checklists, evidence spreadsheets, ebooks, and more.

Streamline SOC 2 compliance with Secureframe

We've worked with thousands of organizations to make SOC 2 compliance more efficient, saving teams hundreds of hours and thousands of dollars otherwise spent writing security policies, collecting evidence, hiring security consultants, performing readiness assessments, and continuously monitoring their infrastructure for vulnerabilities and compliance issues.

In a recent survey of more than 160 small businesses, 81% of Secureframe customers said they were able to prepare for and complete audits at least 25% faster. 32% prepared for and completed an audit in less than half the time.

We even helped one customer get their SOC 2 report in just six days.

We can help you achieve similar results so you get your SOC 2 report faster and save money while strengthening your security posture. 

Request a demo to learn more about how we can help you get SOC 2 compliant in weeks, not months.

FAQs

Is SOC 2 compliance mandatory for SaaS companies?

No, SOC 2 compliance is not legally required for SaaS or any other type of company. However, many customers, especially enterprise clients, require SOC 2 reports before engaging with a SaaS company to ensure their data is secure. Without a SOC 2 report, SaaS companies may face longer sales cycles, lose deals, or need to complete extensive security questionnaires to unblock deals.

Can small businesses achieve SOC 2 compliance?

Yes, small businesses can achieve SOC 2 compliance. In fact, it is increasingly common as more customers demand SOC 2 reports. Tools like Secureframe simplify the process, helping smaller teams prepare faster and at a lower cost.

Is SOC 3 the same as SOC 2?

No, SOC 3 is a less detailed version of a SOC 2 report, designed for public sharing. While both address controls relevant to the Trust Services Criteria, SOC 3 lacks the depth of information and privacy of SOC 2, making it insufficient for most customers who require assurance about data security.

How does SOC 2 compliance benefit my organization?

SOC 2 compliance offers several advantages to your organization. It demonstrates your commitment to protecting customer data, which helps build trust with clients, differentiate yourself from competitors, and shorten sales cycles. It also strengthens your internal security posture, making it easier to scale your business, secure funding, or prepare for acquisition.

How can Secureframe help with SOC 2 compliance?

Secureframe streamlines the SOC 2 compliance process by automating policy management, evidence collection, gap analysis, continuous monitoring, and other workflows. This saves time and money while ensuring a strong security posture. Many Secureframe customers complete their SOC 2 audits significantly faster than industry averages as a result. In fact, 95% of Secureframe users said they saved time and resources obtaining and maintaining compliance.