Business hours
Our support team is available to help you 24 hours a day, seven days a week.
Monday-Friday: 9am to 5pm
Saturday: 10am to 2pm
Sunday: Closed
SOC 2® was developed by the AICPA (American Institute of CPAs) and defines criteria for how service organizations manage user organizations' data, based on the trust services principles: security, availability, processing integrity, confidentiality and privacy. SOC 2® is a registered trademark of the AICPA. This site is for information purposes only.
SOC 2 reports are unique to each organization. Each service organization designs its own controls in line with its specific business practices and selects one or more of the trust services principles to report on. An ISAE 3000 SOC 2 report provides user organizations (along with supervisory authorities, regulators and business partners) with information about how a service provider manages customer data.
There are two types of SOC 2 report. A SOC 2 Type I describes a vendor's systems, and the service auditor confirms whether the design of the controls is suitable to meet the relevant trust services principles at a point in time. A SOC 2 Type II additionally reports on the operating effectiveness of those controls over the review period. In an ISAE 3000 SOC 2 engagement the service auditor's testing of the operating effectiveness of the controls is therefore also included.
ISAE 3402 SOC 1 Type 2 reports relate solely to controls at a service organization that affect the user entity's internal control over financial reporting. An ISAE 3402 SOC 1 report therefore addresses the trust services principles only within the limited context of financial reporting. An ISAE 3402 Type 2 report will typically cover the security framework only as it relates to financial reporting, the information infrastructure, and processing integrity in relation to the financial processes. Subjects such as backup and business continuity are generally covered only marginally in an ISAE 3402 Type 2 report.
The management description of the service organization's system includes the following components: the infrastructure (the network, hardware components and virtualization software); the software (operating systems, applications and utilities); the procedures followed by employees to control security; and the data (information held in the systems, including transaction data, databases and individual files).
The management description typically also includes a control framework, which describes the control objectives and how each objective is achieved by the individual controls. In an ISAE 3000 SOC 2 the framework is based on the trust services principles: a set of professional attestation and advisory services built on a core set of principles and criteria that address the risks and opportunities of IT-enabled systems and privacy programs. The five trust services principles are: