SOC 2

Definition

SOC 2 is an American audit report demonstrating that a service provider meets security, availability, processing integrity, confidentiality, and privacy standards.

SOC 2 (Service Organization Control 2) is an American audit framework demonstrating that a service provider meets the AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality and privacy. SOC 2 is particularly relevant for SaaS providers, cloud service providers and managed service providers serving US or international markets.

How does SOC 2 work?

A SOC 2 audit is performed by an independent CPA firm. Two report types exist: Type I assesses the design of security controls at a specific point in time. Type II assesses the operating effectiveness of those controls over a minimum 6-month period. Type II is significantly more valuable, as it demonstrates that the controls actually work in practice rather than merely existing on paper.

Difference from ISO 27001

ISO 27001 is an international certification focusing on the information security management system (ISMS) as a whole. SOC 2 is an American audit report for the US market focusing on the specific Trust Services Criteria. Many international organisations hold both.

Impact on organisations

US customers increasingly require SOC 2 reports as a precondition for procuring cloud services. Lacking a SOC 2 report can be a barrier to closing US deals.

Protection

Implement security measures meeting the Trust Services Criteria. Document policies, processes and procedures. Conduct a gap assessment before the audit.

How DEFION helps

DEFION supports SOC 2 audit preparation through Security Assessments evaluating current security posture against the Trust Services Criteria.

Related terms

ISO 27001, Cloud Security, GDPR