SOC 2 (System and Organization Controls 2) is an attestation framework developed by the American Institute of Certified Public Accountants (AICPA) for service organizations that store or process client data. It is not, strictly speaking, a certification: the outcome of a SOC 2 examination is an attestation report in which an independent CPA firm states its opinion on the organization’s controls. A Type 1 report covers the design of controls at a point in time; a Type 2 report also covers whether those controls operated effectively over a review period. The controls are evaluated against the AICPA’s Trust Services Criteria (formerly called “trust service principles”), which are grouped into five categories:
- Security: The system is protected against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, valid, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity’s privacy notice.
Security is the only mandatory category; the other four are included in the scope only when the organization chooses to make commitments about them, so two SOC 2 reports can cover very different ground. A SOC 2 Type 2 report provides detailed information and assurance about the controls in place over a defined period (typically six to twelve months), including the auditor’s tests and any exceptions found. Unlike ISO certifications, there is no central body that accredits firms for SOC 2. Instead, the AICPA sets the standard, and licensed CPA firms perform the examinations. The result is a report rather than a pass/fail verdict: the auditor’s opinion may be unqualified or qualified, and the report lists the systems in scope, the criteria covered, and any control exceptions. When relying on a vendor’s SOC 2 Type 2 report, read the opinion, the scope, the review period, and the exceptions rather than treating the existence of the report as proof of security.