SOC 2

SOC 2 is a cybersecurity and compliance framework that evaluates how well an organisation protects customer data across five key trust principles.

Expanded Definition

SOC 2, short for System and Organization Controls 2 (the AICPA's current expansion of the acronym; it was originally "Service Organization Control"), is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA). It assesses whether a service organisation has suitably designed controls in place, and in a Type II report whether those controls actually operated, to keep customer information secure, available, and private.

SOC 2 is not a certification and does not prescribe a fixed checklist of technical controls. The organisation defines its own controls, spanning policies, processes, and technical safeguards such as access control, logging, and change management, against the criteria, and an independent CPA firm examines them. A Type I report covers the design of the controls at a single point in time; a Type II report also tests whether they operated effectively over a review period, typically three to twelve months. The end result is a formal SOC 2 report containing the auditor's opinion, which businesses share with clients or partners (usually under NDA, since the report is restricted-use) to demonstrate trustworthiness.

SOC 2 revolves around five Trust Services Criteria (TSC):

  1. Security (required)
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

Not every organisation needs all five criteria: Security (also called the Common Criteria) is mandatory in every SOC 2 report, while the other four are included only when the organisation chooses to put them in scope, usually because of the nature of the service it provides.

Why It Matters

SOC 2 matters because it signals that your organisation takes data protection seriously. It’s often a requirement for companies working with enterprise clients—especially in SaaS, cloud hosting, fintech, and healthcare.

A SOC 2 report gives customers independent evidence that your controls meet the AICPA's Trust Services Criteria, rather than relying on your own assertions. It reduces perceived risk, builds trust, and can speed up procurement or vendor onboarding. For many growing companies, achieving SOC 2 is a major milestone that opens doors to larger clients.

When It’s Relevant / Common Use Cases

SOC 2 is most relevant for service providers that store, process, or transmit customer data. This includes SaaS products, cloud service providers, managed IT companies, HR platforms, payment processors, and more.

You’ll often encounter SOC 2 during vendor due-diligence checks, security questionnaires, or enterprise sales cycles. Many organisations pursue SOC 2 proactively to mature their security posture and standardise internal processes.

Examples / Analogies

Think of SOC 2 like a third-party inspection for your company’s security practices. Just as a restaurant undergoes a health inspection to prove it handles food safely, a tech company undergoes a SOC 2 audit to prove it handles customer data responsibly.

Another example: If a business wants to use a new SaaS tool, they might ask for the vendor’s SOC 2 report to confirm the tool meets their security expectations.

Related Terms

  • SOC 1
  • SOC 3
  • ISO 27001
  • Trust Services Criteria
  • Compliance Audit

TL;DR Summary

SOC 2 is a widely recognised compliance standard that verifies an organisation’s ability to protect customer data. It evaluates internal security controls across defined trust principles and results in a formal report often required by enterprise clients. If you handle sensitive customer information, SOC 2 is a key step in proving your reliability and security maturity.
