In Plain English
SOC 2 is an audit report that tells customers how well a service provider protects their data. An independent auditor examines your security controls and writes a detailed report of what they found.
The key difference from ISO 27001: SOC 2 is not pass/fail. The auditor describes what controls exist and whether they work effectively. Reports can include exceptions or qualified opinions while still being issued. Readers must decide if they are comfortable with any noted issues.
Trust Service Criteria
SOC 2 audits assess five Trust Service Criteria - you choose which apply to your service:
- Security - Protection against unauthorised access (required)
- Availability - System uptime and accessibility
- Processing Integrity - Accurate and complete data processing
- Confidentiality - Protection of confidential information
- Privacy - Personal information handling
Type I vs Type II
Type I examines your controls at a single point in time - do they exist and are they designed properly? Type II examines controls over a period (usually 6-12 months) - do they actually work in practice? Type II is more rigorous and more valued by customers.
SOC 2 vs ISO 27001
- Geography - SOC 2 is primarily US; ISO 27001 is international
- Outcome - SOC 2 is a report; ISO 27001 is a certification
- Pass/Fail - ISO 27001 is binary; SOC 2 can have exceptions
- Scope - Both cover security; ISO 27001 is more prescriptive