
SOC 2 Explained: Understanding the Report Types, Requirements & Process [+ Free Resources]

  • September 03, 2025
Author

Emily Bonnie

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Cyberattacks targeting SaaS companies skyrocketed by 300% last year, according to Obsidian Security's 2025 SaaS Security Threat Report.

Since this surge in attacks has affected organizations across every sector, an airtight security posture is no longer a nice-to-have; it's a must-have. One of the most widely used and respected ways to demonstrate that posture is SOC 2.

SOC 2 isn't always easy to navigate, though. Between the different SOC report types, vague terminology, and an unfamiliar audit process, it's no wonder many companies feel overwhelmed. This guide breaks it all down in plain English, so you can understand what SOC 2 is, why it matters, and how to get audit-ready faster.

What is SOC 2?

SOC 2, short for System and Organization Controls 2, is a security framework developed by the American Institute of CPAs (AICPA). It was created to help service organizations — especially cloud-based companies — demonstrate that they can securely manage and protect customer data.

When companies talk about "getting a SOC 2," they're referring to receiving a formal report from an independent, licensed CPA firm that attests that the company's internal controls meet the criteria defined in the SOC 2 framework. Those controls are evaluated against a specific set of criteria designed to assess how well an organization safeguards information and maintains privacy, confidentiality, and operational reliability.

Unlike legal frameworks like HIPAA or GDPR, SOC 2 isn’t a regulatory requirement. However, it’s become a practical necessity for SaaS providers and other technology vendors that want to sell into regulated industries, move upmarket, or close enterprise deals.

Recommended reading

The SOC 2 Compliance Hub

Why is SOC 2 required by some customers?

Over the past few years, SOC 2 has gone from a competitive differentiator to a standard expectation.

More customers are requesting a SOC 2 report in the early stages of the sales cycle. If you don’t have one, you may be quietly disqualified without even realizing it. Your organization will likely lose deals to compliant competitors, experience longer sales cycles, have difficulty moving upmarket, or be asked to complete lengthy security questionnaires in order to satisfy customers’ cybersecurity requirements.

A SOC 2 report clears these roadblocks. It gives customers independent evidence that you have controls in place to safeguard their data, rather than asking them to take your word for it.

The process of getting SOC 2 compliant also unveils important insights into your organization’s systems and processes. Do you have conflicting policies or redundant software? SOC 2 encourages growing companies to build a stronger data security posture and scalable processes into their DNA. Laying a strong security foundation early on will make it much easier to close enterprise deals, prepare for an acquisition, and secure funding. 

Recommended reading

Why Get a SOC 2 Report? 13 Reasons According to Real Organizations

What's the difference between SOC 1 vs 2 vs 3?

SOC 2 isn't the only attestation standard created by the American Institute of Certified Public Accountants. The AICPA also developed SOC 1 and SOC 3. So what's the difference between these three report types?

  • SOC 1 reports focus on controls relevant to customers' financial reporting. They apply to organizations whose services affect customers' financial statements, such as payroll processors or claims-processing systems, and assure those customers that the controls affecting their financial data are designed (and, for a Type II, operating) effectively.
  • SOC 2 reports focus on operational and security controls and are the most common option for SaaS and technology companies.
  • SOC 3 reports are essentially a high-level version of SOC 2. They cover the same criteria but omit the detailed system description, control tests, and results. Because they are designed for public distribution, SOC 3 reports are often posted on company websites, but they generally do not satisfy customers who need a deeper understanding of how your security program actually works.

Recommended reading

A Deeper Dive into the Differences Between SOC 1 vs SOC 2 vs SOC 3

What are the SOC 2 Trust Services Criteria?

SOC 2 audits evaluate your organization against one or more of the Trust Services Criteria, which define how you protect, manage, and monitor customer data.

They are: 

  • Security: How do you protect information and systems against unauthorized access, unauthorized disclosure, and damage?
  • Availability: How do you ensure systems and data are available for operation and use as committed or agreed?
  • Processing integrity: How do you ensure that system processing is complete, valid, accurate, timely, and authorized?
  • Confidentiality: How do you protect information designated as confidential throughout its collection, storage, use, and disposal?
  • Privacy: How do you ensure personally identifiable information (PII) is collected, used, retained, disclosed, and disposed of in line with your privacy commitments?

The criteria you select for your SOC 2 report are what your organization will be evaluated against during your audit.

Note that Security is the only TSC required for every SOC 2 report. The other four are optional; you'll decide which to include based on the services you provide and what your customers demand.

Report types: SOC 2 Type 1 vs SOC 2 Type 2

There are two types of SOC 2 reports: Type I and Type II, and choosing the right one is one of the first decisions you’ll need to make.

A SOC 2 Type I report is a point-in-time assessment that evaluates whether your controls are properly designed. It’s faster to complete and often used by early-stage companies looking to respond quickly to customer requests or unblock deals.

A SOC 2 Type II report goes further. It examines not just the design of your controls, but whether they’ve been operating effectively over a set period of time, usually between three and twelve months. This makes it more rigorous and more valuable to customers evaluating your long-term security posture.

Because a SOC 2 Type I is a point-in-time report, it's often faster and less expensive to complete than a Type II. Some Type I audits can be completed in just a few weeks. However, if your customers are asking for SOC 2, they are most likely expecting a Type II report, since only a Type II shows that your controls actually operated effectively over time rather than merely existing on a given day.

For organizations that need a SOC 2 report urgently, we typically recommend a Type II report with a 3-month review window. It will save you from duplicate audits and provide potential customers the level of assurance they need.

The SOC 2 Compliance Kit

Get key assets you’ll need to get your report, including a SOC 2 guidebook, customizable policy templates, readiness checklist, and more.

The SOC 2 compliance process: 5 key steps

No two SOC 2 audits are alike. Every organization is different, the chosen Trust Services Criteria are different, and the internal security controls and systems are different. 

That said, SOC audits typically follow a similar set of steps. Here's a quick overview of the audit process.

Step 1: Deciding the report type and TSC

First, the organization decides which type of SOC 2 report they will pursue — a Type I or Type II — and which TSC they will include in the scope of their report. Remember, Security is the only required TSC. 

Step 2: Determine the audit window for Type II audit

Next, if you’re pursuing a Type II audit, you’ll define your audit window. The AICPA recommends a minimum of six months, but many companies opt for a three-month window for their first report to speed things up.

Step 3: Preparing the documentation

Once your scope is defined, the documentation process begins. This is where you gather the evidence your auditor will need to verify that your controls are in place and functioning. Your auditor will review all of this documentation, along with your systems and security controls, to determine your level of compliance with the TSC you’ve selected. 

Examples of documents your auditor will need are: 

  • Information asset inventories
  • User access controls and policies
  • Risk management policies, risk assessments, and risk treatment plans
  • Change management policies and procedures
  • Code of conduct and ethics policies
  • Security incident response and business continuity plans
  • Maintenance records and system backup logs

Step 4: Completing a gap analysis and readiness assessment

Next, you'll complete a gap analysis and readiness assessment. Use the documents you've compiled to compare where your organization stands today against the requirements of the TSC you've selected. Where are the gaps you'll need to close before your audit?

A formal readiness assessment can provide useful insight into the state of your security posture. A SOC 2 auditor will perform its own gap analysis and provide specific recommendations for your organization based on the TSC you've selected for your audit. The resulting readiness assessment report will help identify which controls will appear in your final SOC 2 report and any control gaps that could prevent you from meeting the criteria.

Step 5: Select your auditor

Finally, you'll select a licensed CPA firm and complete your SOC 2 audit. For a Type I, the auditor evaluates whether your controls are suitably designed as of a point in time; for a Type II, the auditor also tests whether those controls operated effectively throughout the audit window. At the end of the audit, you'll be issued your formal report.

To maintain compliance, a new audit is typically needed every 12 months. 

Recommended reading

SOC 2 Compliance Checklist for 2025: Must-Have Tips to Get SOC 2 Audit-Ready

35+ free resources to simplify SOC 2

To help make the process easier, we've created a SOC 2 Compliance Hub with more than 35 free resources, including customizable policy templates, audit readiness checklists, evidence spreadsheets, downloadable guides and ebooks, and more. These tools are designed to help teams of all sizes understand what's required, close security gaps, and stay organized throughout the audit process.

Streamline SOC 2 compliance with Secureframe

We've worked with thousands of organizations to make SOC 2 compliance more efficient, saving teams hundreds of hours and thousands of dollars otherwise spent writing security policies, collecting evidence, hiring security consultants, performing readiness assessments, and continuously monitoring their infrastructure for vulnerabilities and compliance issues.

In a recent survey of more than 160 small businesses, 81% of Secureframe customers said they were able to prepare for and complete audits at least 25% faster. 32% prepared for and completed an audit in less than half the time.

We even helped one customer get their SOC 2 report in just six days.

We can help you achieve similar results so you get your SOC 2 report faster and save money while strengthening your security posture. 

Request a demo to learn more about how we can help you get SOC 2 compliant in weeks, not months.


FAQs

Is SOC 2 compliance mandatory for SaaS companies?

No, SOC 2 compliance is not legally required for SaaS or any other type of company. However, many customers, especially enterprise clients, require SOC 2 reports before engaging with a SaaS company to ensure their data is secure. Without a SOC 2 report, SaaS companies may face longer sales cycles, lose deals, or need to complete extensive security questionnaires to unblock deals.

Can small businesses achieve SOC 2 compliance?

Yes, small businesses can achieve SOC 2 compliance. In fact, it is increasingly common as more customers demand SOC 2 reports. Tools like Secureframe simplify the process, helping smaller teams prepare faster and at a lower cost.

Is SOC 3 the same as SOC 2?

No. SOC 3 is a less detailed version of a SOC 2 report, designed for public sharing. While both address controls relevant to the Trust Services Criteria, a SOC 3 report omits the system description, the specific controls tested, and the test results that a SOC 2 report contains, making it insufficient for most customers who require detailed assurance about data security.

How does SOC 2 compliance benefit my organization?

SOC 2 compliance offers several advantages to your organization. It demonstrates your commitment to protecting customer data, which helps build trust with clients, differentiate yourself from competitors, and shorten the sales cycles. It also strengthens your internal security posture, making it easier to scale your business, secure funding, or prepare for acquisition.

How can Secureframe help with SOC 2 compliance?

Secureframe streamlines the SOC 2 compliance process by automating policy management, evidence collection, gap analysis, continuous monitoring, and other workflows. This saves time and money while ensuring a strong security posture. Many Secureframe customers complete their SOC 2 audits significantly faster than industry averages as a result. In fact, 95% of Secureframe users said they saved time and resources obtaining and maintaining compliance.