What is SOC 2?
An AICPA attestation that proves a service organisation’s controls meet the Trust Service Criteria — the report enterprise buyers ask SaaS vendors for.
Definition
SOC 2 (System and Organization Controls 2) is an attestation report defined by the AICPA that evaluates how well a service organisation’s controls meet the five Trust Service Criteria: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is mandatory; the rest are included based on scope.
Issued by a licensed CPA firm, a SOC 2 report is the de facto trust signal in B2B SaaS — enterprise procurement teams routinely require it before approving a vendor. Reports come in two forms: Type 1 (controls at a point in time) and Type 2 (controls operating effectively over a period).
The five Trust Service Criteria
Security (required)
Protection of systems against unauthorised access.
Availability
Systems are available for operation and use as committed.
Processing Integrity
Processing is complete, valid, accurate and timely.
Confidentiality
Information designated confidential is protected.
Privacy
Personal information is collected and handled per commitments.
Who needs to comply?
SaaS companies, cloud service providers and any organisation that stores or processes customer data on behalf of enterprise clients — especially those selling into the US market.
How ISpectra helps
ISpectra runs the full SOC 2 program — readiness assessment, policy and control implementation, a free VAPT, mock audit and auditor coordination — getting most clients to a Type 1 report in 6–8 weeks with a 98% first-attempt pass rate.
Talk to an advisor