Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is SOC 2?

SOC 2 is the report enterprise buyers ask SaaS vendors for. Here is what it covers, the Type I versus Type II difference, and how to get there.

7 min read

SOC 2 (System and Organization Controls 2) is an attestation report, defined by the AICPA, on how well a service organisation protects customer data. For SaaS and cloud companies selling to enterprises, a SOC 2 report is often the ticket to closing deals and passing vendor security reviews.

Unlike a certification, SOC 2 is a report issued by a licensed CPA firm after examining your controls against the Trust Services Criteria. This guide covers the criteria, report types, and the path to getting one.

Key takeaways
  • SOC 2 is a CPA-issued report against the Trust Services Criteria, not a pass/fail certificate.
  • Security (the common criteria) is required; availability, processing integrity, confidentiality, and privacy are optional add-ons.
  • Type I assesses controls at a point in time; Type II assesses them over a period, usually 3 to 12 months.
  • Enterprise buyers usually want Type II, so plan for an observation window.

The Trust Services Criteria

SOC 2 is built on five Trust Services Criteria. Security, often called the common criteria, is mandatory. You choose which of the others to include based on what you promise customers:

  • Security: protection against unauthorized access (always included).
  • Availability: the system is available as committed.
  • Processing integrity: processing is complete, accurate, and timely.
  • Confidentiality: confidential information is protected.
  • Privacy: personal information is handled per your privacy notice.

Type I versus Type II

A Type I report describes your controls and tests whether they are suitably designed at a single point in time. A Type II report goes further and tests whether those controls operated effectively over a period, typically three to twelve months. Because Type II proves controls work over time, it is what most enterprise customers ask for.

How to get report-ready

Define your scope and the criteria you will include, implement the controls, then run them long enough to generate an evidence trail for the Type II window. A CPA firm then performs the examination and issues the report, which you share with customers under NDA.

The observation window is where teams struggle, because it requires continuous, dated evidence. Automating evidence collection makes the window a formality rather than a manual burden.

Frequently asked questions

Is SOC 2 a certification?
No. It is an attestation report issued by a licensed CPA firm. There is no certificate; customers review the report itself, usually under NDA.
Should we get Type I or Type II?
Type I is faster and can be a stepping stone, but most enterprise buyers want Type II because it proves your controls operated effectively over a period.
How is SOC 2 different from ISO 27001?
ISO 27001 is a certifiable international standard for a management system; SOC 2 is a US-originated attestation report against the Trust Services Criteria. Many companies pursue both, and the underlying controls overlap heavily.
How does NMT help with SOC 2?
NMT automates evidence collection and control mapping across the Trust Services Criteria and monitors controls continuously, so the Type II observation window is easy to sustain.

Get SOC 2-ready without the scramble

Automate the evidence behind a clean Type II report. Start by seeing your current exposure.

Run a free check
Related
Compliance & Assurance solution Guide: What is ISO 27001? Cybersecurity for SaaS & startups