SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA that evaluates a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports assess both the design and operating effectiveness of these controls over a period of time (typically 6-12 months).
SOC 2 is built on the Trust Services Criteria (TSC):
Security (required): The system is protected against unauthorized access, both physical and logical. Covers access controls, change management, risk assessment, monitoring, and incident response.
Availability (optional): The system is available for operation and use as committed. Covers uptime, disaster recovery, business continuity, and performance monitoring.
Processing Integrity (optional): System processing is complete, valid, accurate, timely, and authorized. Covers data processing controls and quality assurance.
Confidentiality (optional): Information designated as confidential is protected as committed. Covers data classification, encryption, access restrictions, and disposal.
Privacy (optional): Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments. Covers GDPR/CCPA-aligned privacy controls.
Type I vs Type II:
Enterprise customers overwhelmingly prefer Type II because it proves controls actually work, not just that they exist on paper.
SOC 2 is the de facto security standard for SaaS and cloud service providers. Without it:
SOC 2 maps to the RGA (Risk Governance and Assurance) domain. Mission RGA-B02 (Compliance Program Build) delivers SOC 2 readiness. The Perpetual Compliance Assurance (PCA) methodology treats SOC 2 as continuous compliance, not an annual fire drill. CDA automates evidence collection from day one so audit periods produce reports, not panic.