
What is SOC 2 compliance?

TL;DR

SOC 2 is a compliance attestation defined by the AICPA that evaluates a service organization's controls against the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. It is not a certification — it is an attestation report issued by an independent CPA firm. SOC 2 matters because enterprise customers, especially in regulated industries, expect SaaS and technology vendors to demonstrate a mature controls posture before they will sign a contract. A SOC 2 Type 2 report, with a defined audit period and operational evidence, is the standard artifact enterprise procurement teams ask for.

The short version

  • SOC 2 is an attestation report, not a certification.
  • The Trust Services Criteria cover security, availability, processing integrity, confidentiality, and privacy.
  • Type 1 evaluates control design at a point in time; Type 2 evaluates operational effectiveness over a period.
  • SOC 2 Type 2 is the enterprise procurement standard.

The longer explanation

What SOC 2 is

The American Institute of CPAs (AICPA) defines SOC 2 (System and Organization Controls 2) as a framework for evaluating a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy. A SOC 2 engagement produces an attestation report issued by an independent CPA firm.

The Trust Services Criteria (TSC) are the specific control categories:

  • Security — the one criterion every SOC 2 report includes; its criteria are often called the Common Criteria.
  • Availability — systems are available for operation and use as committed.
  • Processing Integrity — system processing is complete, valid, accurate, timely, and authorized.
  • Confidentiality — information designated confidential is protected.
  • Privacy — personal information is collected, used, retained, disclosed, and disposed of per commitments.

Organizations choose which criteria are in scope. Security is always included; the others are optional based on what the service does.

Type 1 vs Type 2

A Type 1 report describes the service organization's system and the design of its controls at a specific point in time. It answers: "Are the right controls in place?"

A Type 2 report adds operational effectiveness testing over a defined period, typically 6 or 12 months. It answers: "Did the controls actually operate as designed across the full audit period?" Enterprise customers almost always want Type 2 because it demonstrates sustained control operation, not just a point-in-time snapshot.

Organizations often go Type 1 first to validate the design, then run operations for 6-12 months and get Type 2. Some skip Type 1 entirely and go straight to Type 2 after building adequate operational history.

What SOC 2 actually tests

The auditor evaluates:

  • Policies and procedures. Written, approved, reviewed periodically.
  • Access control. Who has access to what, reviewed regularly, promptly revoked on termination.
  • Change management. Production changes go through review and testing.
  • Incident management. Incidents are tracked, evaluated, and resolved.
  • Monitoring and logging. Systems are monitored; anomalies investigated.
  • Vendor management. Third parties handling data have their own security posture validated.
  • Risk management. Formal risk assessment and remediation.
  • Business continuity and disaster recovery. Tested plans, documented RTOs.

The specific controls tested depend on the auditor's approach, the organization's documented control objectives, and which Trust Services Criteria are in scope.

Typical timeline

For a reasonably mature organization:

  • Months 1-2. Readiness assessment, control-gap remediation planning.
  • Months 3-6. Controls implementation and policy authoring.
  • Month 6. Type 1 audit (2-4 week engagement).
  • Months 7-18. Operate the controls. Collect evidence continuously.
  • Month 18. Type 2 audit (4-8 week engagement, covering the prior 12 months).

Starting from scratch adds 3-6 months on the front end. Mature organizations can compress the timeline.

SOC 2 in the broader compliance picture

SOC 2 often runs alongside ISO 27001 (international), HIPAA (if healthcare data), PCI-DSS (if payment cards), and increasingly NIST SP 800-171 or FedRAMP (if federal contracting). Many controls overlap; a good readiness program maps once to all relevant frameworks and implements controls that satisfy the union.

How Thoughtwave approaches this

Our cybersecurity practice runs SOC 2 readiness and ongoing-compliance engagements as part of broader GRC programs. We focus on the controls that auditors actually test and the evidence that satisfies examiner review — not every clause in the guidance.

For deeper context, see our Cybersecurity Solutions service and our managed SOC services.

Frequently asked questions

SOC 2 Type 1 vs Type 2 — what's the difference?

Type 1 attests to the design of controls at a point in time. Type 2 attests to the operational effectiveness of those controls over a defined audit period, typically 6-12 months. Enterprise buyers almost always ask for Type 2; Type 1 is useful as an interim step while preparing for Type 2.

How long does SOC 2 take?

For a reasonably mature organization with existing security practices: 3-6 months to get ready for a Type 1, then 6-12 months of operational history for a Type 2. For an organization starting from scratch, add another 3-6 months to build the foundational controls. The audit itself runs 4-8 weeks.

Is SOC 2 a certification?

No. SOC 2 is an attestation — an independent CPA firm issues a report describing what they examined and what they found. There is no certification body. Enterprises sometimes call SOC 2 a 'certification' colloquially, but the distinction matters legally and in how the attestation is represented in contracts.

Ramesh Thumu

Founder & President, Thoughtwave Software

Reviewed by Thoughtwave Editorial

Last updated April 22, 2026