SOC 2 is an attestation report on a service organisation’s controls, written by an independent licensed CPA firm against the AICPA Trust Services Criteria. It is not a certification and carries no pass mark. Australian technology companies are usually asked for it when they sell to United States customers.
There is no SOC 2 certificate. The label gets used loosely in sales decks, but a SOC 2 engagement ends in an auditor’s report and an opinion, not a pass. A licensed CPA firm examines your controls against criteria you have committed to, and writes up what it found. For an Australian software company the question is rarely whether SOC 2 is good practice. It is whether a buyer in the United States has made it a condition of the deal.
This guide sets out what the report actually is, the criteria it tests against, the difference between the two report types, what it costs and how long it takes, and where it sits next to ISO 27001. Each section links to a deeper article in the SOC 2 series.
## Is SOC 2 a certification, or something else?
It is an attestation report. SOC 2 is produced under the AICPA attestation standards (SSAE No. 18, examination engagements under AT-C section 205) and signed by an independent licensed CPA firm. There is no certificate, no score and no pass mark. The deliverable is the firm’s report describing your controls and its opinion on whether they meet the criteria. People say “SOC 2 certified”; the accurate phrase is that a service organisation has a SOC 2 report. *What SOC 2 is* covers the mechanics in full.
## What is SOC 2 built on? The Trust Services Criteria
SOC 2 is measured against the AICPA Trust Services Criteria, organised into five categories. Security, the common criteria, is mandatory in every SOC 2. The other four are in scope only where your business makes commitments in those areas. The 2022 revision updated the points of focus that sit beneath the criteria, not the criteria themselves, and those points of focus are considerations, not a checklist every entity must meet. *The Trust Services Criteria explained* works through each one.
| Category | What it covers | When it applies |
|---|---|---|
| Security (common criteria) | Protection of systems and data against unauthorised access and disclosure | Mandatory in every SOC 2 |
| Availability | Systems are available for operation and use as committed | Where you commit to uptime or availability |
| Processing Integrity | Processing is complete, valid, accurate, timely and authorised | Where you process transactions for a customer |
| Confidentiality | Information designated confidential is protected | Where you hold confidential customer information |
| Privacy | Personal information is handled in line with your privacy notice | Where you handle personal information |
## Type I or Type II: which report do you need?
Two report types exist and they answer different questions. A Type I report tests whether your controls are suitably designed at a single point in time. A Type II report tests whether those controls operated effectively over a period, commonly three to twelve months. Type II is what most customers eventually ask for, because a control that is designed on paper is not the same as a control that has demonstrably worked for half a year. A Type I is a reasonable first step, not the destination. *SOC 2 Type I vs Type II* sets out when each makes sense.
| | Type I | Type II |
|---|---|---|
| Tests | Control design at a point in time | Control design and operating effectiveness |
| Covers | A single date | A period, commonly 3 to 12 months |
| What it shows | Controls are suitably designed | Controls operated effectively over time |
| Typical use | A starting point | What most customers want to see |
## How long does SOC 2 take, and what does it cost?
Readiness comes first, then the audit. Cybernion scopes readiness and gap work at four to eight weeks; a Type II then needs an observation period of six to twelve months before the CPA firm can report on it. Those figures are indicative and depend on the size of your environment and how much is already in place. Cost sits in two places: building and running the controls, and the CPA firm’s audit fee. There is no published price for either; both scale with scope and the number of Trust Services categories in the report. *How long SOC 2 takes* and *What drives SOC 2 cost* go further.
## SOC 2 or ISO 27001?
Different instruments for the same goal of proving security to a buyer. ISO 27001 certifies an information security management system against a fixed international standard on a three-year cycle. SOC 2 reports against your own control commitments and is usually renewed every year. The AICPA publishes an official mapping of the 2017 Trust Services Criteria to ISO/IEC 27001, so much of the underlying control work and evidence carries across. Neither substitutes for the other, and which one you need is set by where your customers are. *ISO 27001 vs SOC 2* compares them side by side.
## Do Australian companies actually need SOC 2?
Not by law. SOC 2 is not mandated by any Australian regulation; it is a commercial requirement that customers impose. The pattern is clear: SOC 2 is the common ask when you sell to United States companies, while ISO 27001 is asked for more often in Europe, Asia and Australian government tenders. Plenty of Australian SaaS companies end up carrying both, because their customer base spans both worlds. *SOC 2 for Australian SaaS* looks at when to pursue it.
## How do you get ready for a SOC 2 audit?
Readiness is preparation, not the audit itself. The same firm cannot both build your controls and issue the opinion on them; independence sits at the centre of an attestation. Readiness work means a gap analysis against the criteria you intend to report on, designing and documenting the controls, writing the policies, and setting up evidence collection so the Type II period produces a clean record. The CPA firm then performs the examination and writes the report. Cybernion provides SOC 2 readiness through to the audit; the *SOC 2 readiness checklist* is a practical starting point.
## Frequently asked questions about SOC 2
**Does Australian law require SOC 2?**
No. SOC 2 is not required by any Australian law. It is a commercial requirement that customers, most often in the United States, make a condition of doing business.
**Is SOC 2 a certification?**
No. SOC 2 is an attestation report written by a licensed CPA firm under the AICPA standards. There is no certificate and no pass mark; the deliverable is the firm’s report and opinion.
**How long does a SOC 2 report stay current?**
A Type II report covers a defined period, commonly three to twelve months. Customers generally expect a fresh report each year covering the most recent period, so SOC 2 is treated as an annual exercise.
**If we already hold ISO 27001, does that work carry across to SOC 2?**
Largely yes. The AICPA publishes an official mapping of the Trust Services Criteria to ISO/IEC 27001, so much of the control work and evidence carries across. Neither report substitutes for the other.
Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus 2022), TSP section 100, 2022
- AICPA, SOC 2 reporting guidance
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO/IEC 27001
Last updated: 21 June 2026
