SOC 2 Provides Assurance To Customers

Frequently Asked Questions

SOC 2 – Questions and Answers

A SOC 2 report is an independent assurance report on a service organisation's controls, evaluated against the AICPA's Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. An independent auditing firm assesses whether those controls are suitably designed and implemented at a point in time (Type I) and, for a Type II report, whether they also operated effectively over a defined review period, commonly six months or longer. Because the report includes the auditor's opinion, the description of the system and, for Type II, the tests performed and their results, it gives clients and their own auditors a basis for relying on outsourced processes without testing the provider's controls themselves.

The process begins with a description of the organisation and the system in scope: the services, infrastructure, software, people, data and processes that support the commitments made to customers. The relevant Trust Services Criteria are then selected; security (the common criteria) is always in scope, and the other four are added according to the commitments the organisation has made. Controls are mapped against the selected criteria to show how each risk is mitigated. The independent auditor then tests those controls, for their design and implementation (Type I) and, for a Type II report, for their operating effectiveness over the review period.

A Type I report assesses the design and implementation of the controls at a specific point in time: do the controls genuinely exist, not just on paper but in practice? A Type II report goes a step further and examines whether those controls actually operated as described throughout a review period, commonly six months or longer, by testing evidence sampled from across that period.

SOC 2 reports are sought primarily by technology and SaaS providers that store, process, or transmit customer data, for example cloud platforms, data centres, or software vendors serving enterprise clients. Customers increasingly ask for proof that a vendor's security and privacy controls are reliable before signing a contract, and confirmation from an independent auditor gives them that assurance without each customer having to audit the vendor itself.

Preparation usually takes several months. The underlying controls are often already in place in some form, but a proper description may be missing, evidence of their operation may not be retained, or the organisation may lack the discipline or specific measures required. Once the controls are implemented, a Type II report additionally requires an observation period, commonly six months, during which evidence of operation is collected. A Type I report can be issued as soon as the controls are designed and implemented; a first Type II report is typically reached six to twelve months after the project starts, depending on the length of the preparation and of the observation period chosen.

SOC 1 covers controls at a service organisation that are relevant to its clients' financial reporting (payroll processing or fund administration, for example), and is primarily used by the clients' financial statement auditors. SOC 2 covers security, availability, processing integrity, confidentiality, and privacy, which makes it the report most relevant to technology and SaaS providers whose services do not feed directly into a client's financial statements. A provider whose service affects both may need both reports.

SOC 2 is issued under AICPA attestation standards and is most widely recognised in the US. ISAE 3402, the international standard used across most other markets including Europe, is the counterpart of SOC 1: it covers controls relevant to clients' financial reporting, not the Trust Services Criteria. The international counterpart of SOC 2 is a report issued under the more general assurance standard ISAE 3000, which is why SOC 2 reports outside the US are often labelled "SOC 2 (ISAE 3000)". The standards are closely aligned in structure and testing approach, and many service organisations have a single combined report issued under both the US and the international standard to satisfy clients in multiple regions.

ISO 27001 certifies that an information security management system as a whole meets the standard; the certificate itself says nothing about individual controls. SOC 2 provides an assurance opinion on specific, described controls, and the report is addressed to clients and business partners, who can read which controls were tested and with what result. The key practical difference lies in how failures are handled. An ISO 27001 audit finding can usually be closed with a corrective-action plan before the certificate is issued or renewed. Under SOC 2, a remediation plan is not enough if a control did not exist or did not operate effectively during the review period: the failure is reported as an exception, and if it is significant it affects the opinion itself, which may then be qualified or, in the most serious cases, adverse.

Why Choose SOC 2?

SOC 2 is the most common Service Organisation Control report, alongside SOC 1 / ISAE 3402 reporting. There are two types of report. A Type I report covers the design and existence of controls at a point in time. A Type II report also covers the operating effectiveness of those controls during a predefined period.

SOC 2 Certification and Reporting


SOC 2 focuses on a business's non-financial reporting controls as they relate to Security, Availability, Processing Integrity, Confidentiality, and Privacy. These principles are set out in the AICPA's Trust Services Criteria. Each criterion is accompanied by points of focus that illustrate how it can be met; they guide the design of controls and the auditor's evaluation, but they are not themselves mandatory requirements, and an organisation may meet a criterion with controls that do not map one-to-one to the points of focus.

SOC 2 Type I

Type I evaluates the design and existence of internal controls at a specific point in time, confirming that they are adequately structured to meet the applicable criteria. This type of audit provides a snapshot of the controls in place, confirming their presence and suitability for safeguarding data; it does not test whether they have operated consistently over time.

SOC 2 Type II

In a Type II report, the external auditor reports on the suitability of the design and existence of controls and on their operating effectiveness during a predefined period. This means the auditor performs a detailed examination of the service organisation's internal controls and, by testing evidence sampled from across the period, also establishes whether every control in scope operated as described in the organisation's own processes and procedures.

How to Obtain SOC 2 Certification

01
Understand the Trust Services Criteria
Familiarise yourself with the five Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) and determine which apply to your organisation's services. Security is always in scope; the other four depend on the commitments you make to customers.
02
Conduct a Gap Analysis
Assess your current internal controls, documentation and evidence against the selected criteria to identify the gaps that must be closed before the audit.
03
Implement the Necessary Controls
Design and implement the controls needed to close the identified gaps, ensuring they align with the Trust Services Criteria, are effective in managing the risks, and leave evidence of their operation that an auditor can test.
04
Engage an Independent Auditor
Select a qualified external auditor with experience in SOC 2 audits to assess your organisation's controls and provide an objective opinion.
05
Prepare for the Audit
Gather the system description and evidence of the implemented controls, and make sure your team is ready to demonstrate them. For a Type I report the auditor confirms design and implementation at a point in time; for a Type II report the controls must first have operated through the review period, and the auditor will sample evidence from across it.

Why Should You Register a SOC 2 Report?

Registering a SOC 2 report enhances your organisation's credibility by demonstrating a commitment to data security and effective risk management. It gives clients and stakeholders assurance that you have implemented robust internal controls to protect sensitive information, building trust and confidence in your services. A SOC 2 report can also support compliance with industry regulations and standards, and it makes it easier to win new business because prospective clients can rely on the independent opinion instead of performing their own vendor audit. To register, fill out the form on our website, providing information about your organisation and its report.

Frequently Asked Questions: SOC 2

What is the implication of SOC 2 for my organisation?

SOC 2 is not a certification but an assurance opinion on your controls against the Trust Services Criteria, and obtaining it requires a Service Organisation Control report. The organisation prepares the report: a description of the system in scope and the controls that address each selected criterion. An external auditor then tests those controls and issues a SOC 2 Type I or Type II assurance opinion (under AICPA attestation standards in the US, or ISAE 3000 internationally), which is included in the SOC report. Every control in scope must be described and must be auditable, meaning it produces evidence that the auditor can examine. In practice this usually means more systematic recording of controls and their evidence, and more discipline in working in accordance with those controls day to day.

Why is the demand for SOC 2 increasing?

More and more organisations outsource the storage, processing, or transmission of their data to cloud platforms, data centres and SaaS vendors, and they need evidence that the vendor's security and privacy controls are reliable before they sign a contract. A SOC 2 report provides that evidence from an independent auditor, so the client does not have to audit each vendor itself, and the client's own auditors can rely on it. As a result, a SOC 2 report is increasingly a standard condition in procurement and contracts for technology providers.

Are we able to prepare a SOC 2 report?

In most cases, yes. The underlying controls are usually already in place in some form; what is typically missing is a proper description of the system and controls, evidence that the controls are operating, and the discipline to follow the controls consistently. A gap analysis against the selected Trust Services Criteria shows what needs to be added or documented. Allow several months for preparation and, for a Type II report, an observation period during which the controls operate and evidence is collected before the auditor tests them.

Is it appropriate that my client requires a SOC 2 report?

Generally, yes. If your service stores, processes, or transmits your client's data, the client has a legitimate need for independent confirmation that your security and privacy controls are designed and operating effectively, and a SOC 2 report is the recognised way to provide it without each client performing its own audit. It is worth checking which report the client actually needs: if its concern is the effect of your service on its financial reporting, a SOC 1 / ISAE 3402 report is the appropriate instrument, and if it operates outside the US it may prefer a SOC 2 report issued under ISAE 3000 or a combined report.

What is the advantage of SOC 2 for my organisation?

A SOC 2 report demonstrates to clients and prospects that your security, availability, processing integrity, confidentiality and privacy controls have been independently tested, which strengthens your credibility and shortens vendor due diligence, since clients can rely on the report instead of conducting their own audit. The preparation itself also has value: describing the system, mapping controls to the criteria and retaining evidence of their operation brings structure and discipline to the organisation's security practices, and weaknesses are found and fixed before a client or an incident finds them.
