What Is SOC 2? An Australian Guide

SOC 2 is an independent attestation report on how a service organisation manages customer data, written by a licensed CPA firm against the AICPA Trust Services Criteria. It is not a certification and there is no pass mark. What you receive is the auditor’s report and opinion, not a certificate.

Plenty of vendors say they are “SOC 2 certified”. No one is. SOC 2 is a report a licensed accounting firm writes about your controls, not a certificate a body awards, and the difference shows the moment a customer’s procurement team reads the cover page.

Is SOC 2 a certification?

No. SOC 2 is an attestation report produced under the American Institute of Certified Public Accountants (AICPA) attestation standards, specifically SSAE No. 18 and examination engagements under AT-C section 205. An independent licensed CPA firm performs the examination and issues an opinion. There is no certificate, no badge and no pass mark. SSAE 18 is the standard the auditor works to; SOC 2 is the report that comes out the other end. When a vendor claims to be “SOC 2 certified”, what they actually hold is a report, and the useful questions to ask are which type, what scope, and what the auditor’s opinion said.

What does a SOC 2 report assess?

It assesses your controls against the Trust Services Criteria, the AICPA’s control framework for service organisations. There are five categories: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security, known as the common criteria or the CC series, is mandatory in every SOC 2. The other four are in scope only where your organisation has made commitments in those areas, so a business that promises uptime brings Availability in, and one that handles personal information may bring Privacy in. The criteria carry points of focus, but those are considerations that help you apply each criterion, not a mandatory checklist, and not all of them apply to every entity.

| Category | What it covers | When it is in scope |
| --- | --- | --- |
| Security (common criteria) | Protection of systems and data against unauthorised access | Always, in every SOC 2 |
| Availability | Systems are available for operation and use as committed | Where you commit to uptime or availability |
| Processing Integrity | Processing is complete, valid, accurate and timely | Where you process transactions for customers |
| Confidentiality | Information designated confidential is protected | Where you hold confidential customer information |
| Privacy | Personal information is collected, used and disposed of as committed | Where you handle personal information |

What is the difference between Type I and Type II?

Type I reports on whether your controls are suitably designed at a single point in time. Type II reports on whether those controls operated effectively across a period, commonly 3 to 12 months. Type I tells a customer the design looks right today. Type II tells them it held up over months of real operation. Type II is what most customers ask for, and it is the one that carries weight in a vendor security review. A common path is a Type I first to confirm the design, then a Type II covering the months that follow, though many organisations go straight to a Type II once their controls are running.

| | Type I | Type II |
| --- | --- | --- |
| What it tests | Control design | Control design and operating effectiveness |
| Timing | A point in time | A period, commonly 3 to 12 months |
| What a customer learns | The controls are designed properly | The controls worked over the period |
| Usual demand | Sometimes, as a first step | The report most customers ask for |

Who can see a SOC 2 report?

A SOC 2 report is restricted use. It is meant for the service organisation and specified parties who understand the system, typically existing and prospective customers and their auditors, usually under a non-disclosure agreement. It is not a public document, which is why you will not find a company’s SOC 2 report on its website. The public, general-use version is SOC 3, a shorter report a company can hand out or publish freely. If you want something to show the market, SOC 3 is the one to share. SOC 2 is the one you give a customer who asks under NDA.

Do Australian companies need SOC 2?

No Australian law mandates SOC 2. It is a commercial requirement, and it is the report customers ask for most when you sell into the United States, where SOC 2 is the established trust signal for software and cloud vendors. For Australian and European buyers, and in most Australian government and enterprise tenders, ISO 27001 is asked for more often. So the trigger is your market, not your location. An Australian SaaS company with United States customers is the typical case where SOC 2 becomes the cost of doing business.

How does SOC 2 compare with ISO 27001?

They are different instruments aimed at the same goal: showing customers you manage information securely. ISO 27001 certifies a management system, an ISMS, against a fixed international standard on a three-year cycle. SOC 2 is a report against your own control commitments, mapped to the Trust Services Criteria, typically renewed each year. One ends in a certificate from an accredited body; the other ends in a CPA firm’s opinion. The useful part for anyone weighing both is that the AICPA publishes an official mapping of the Trust Services Criteria to ISO/IEC 27001, so much of the control work and evidence carries across. Neither replaces the other, but doing one makes the second cheaper. For the full picture, see ISO 27001 vs SOC 2.

How do you get ready for a SOC 2 audit?

Readiness is the work before the CPA firm arrives: deciding which Trust Services categories are in scope based on what you have promised customers, designing and documenting the controls, then running them long enough to produce evidence. A gap analysis against the criteria comes first, then control design and documentation, then evidence collection, and only then the external examination. For a Type II, the controls have to operate across the observation period before the auditor can opine, so the calendar, not the effort, often sets the pace. As an indicative guide, Cybernion scopes readiness and gap work at around 4 to 8 weeks and a Type II observation window at 6 to 12 months, though both depend on scope and how mature your controls already are. Our SOC 2 readiness service covers that preparation through to the audit.

Is SOC 2 a certification?

No. It is an attestation report a licensed CPA firm issues under the AICPA standards. There is no certificate and no pass mark; the deliverable is the auditor’s report and opinion.

Is SOC 2 mandatory in Australia?

No. No Australian law requires it. It is a commercial requirement, most often asked for when selling to United States customers, while ISO 27001 is asked for more often in Australian and European tenders.

How long does a SOC 2 report last?

A report covers a point in time for Type I or a period for Type II. There is no fixed expiry, but customers expect a recent report, so most organisations renew annually with a Type II covering the year.

Can ISO 27001 work be reused for SOC 2?

Yes. The AICPA publishes an official mapping of the Trust Services Criteria to ISO/IEC 27001, so much of the control work and evidence carries across, though neither replaces the other.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. AICPA, 2017 Trust Services Criteria (with Revised Points of Focus 2022), TSP section 100, 2022
  2. AICPA, SOC 2 reporting guidance, confirmed June 2026
  3. AICPA, Mapping the 2017 Trust Services Criteria to ISO/IEC 27001, confirmed June 2026

Last updated: 21 June, 2026