SOC 2

Trust Services Criteria

SOC 2 evaluates controls across five categories:

  • Security (mandatory) – protection against unauthorised access, including logical and physical access controls, firewalls, intrusion detection, and multi-factor authentication
  • Availability – system uptime, disaster recovery, incident handling, and business continuity controls
  • Processing integrity – accuracy, completeness, and timeliness of data processing
  • Confidentiality – protection of confidential information through encryption, access controls, and data classification
  • Privacy – collection, use, retention, disclosure, and disposal of personal information in accordance with privacy commitments

Only security is mandatory. Organisations choose which additional criteria to include based on their services and client requirements.

SOC 2 Type I vs Type II

The two report types compared (SOC 2 Type I vs SOC 2 Type II):

  • Scope – Type I: controls at a point in time; Type II: controls over a period (typically 6-12 months)
  • What it proves – Type I: controls are designed appropriately; Type II: controls are designed AND operating effectively
  • Audit effort – Type I: lower, a snapshot assessment; Type II: higher, sustained evidence collection
  • Client confidence – Type I: moderate; Type II: high, demonstrates consistent control operation
  • Common use – Type I: first-time SOC 2, or interim report; Type II: ongoing assurance for enterprise clients

SOC 2 and ISO 27001

Many UK organisations hold ISO 27001 certification and are asked by US or global clients for SOC 2 as well. The two frameworks share significant common ground but differ in structure:

ISO 27001 is a certifiable management system standard maintained by ISO/IEC. SOC 2 is an attestation report issued by a CPA firm. ISO 27001 evaluates the information security management system (ISMS) as a whole. SOC 2 evaluates specific controls against the Trust Services Criteria. Organisations frequently maintain both to satisfy international client requirements.

Cyberfort and SOC 2

We help organisations prepare for SOC 2 audits by assessing current controls against the Trust Services Criteria, identifying gaps, and implementing the technical and procedural changes needed to achieve a clean report. Our work typically complements existing ISO 27001 programmes. Learn more about our cyber security review →

Related glossary terms

  • ISO 42001 – the AI management system standard, increasingly relevant for organisations with AI-enabled services undergoing SOC 2 assessment
  • Zero trust – an architectural approach that strengthens security controls assessed under SOC 2
  • Secure by Design – the development principle that supports robust SOC 2 security controls

Frequently asked questions

Is SOC 2 a certification or an audit report?

SOC 2 is an audit report (attestation), not a certification. A CPA firm examines your controls and issues a report with their opinion. There is no ‘SOC 2 certified’ status – organisations receive a SOC 2 Type I or Type II report that they share with clients and prospects.

Do UK organisations need SOC 2?

SOC 2 is not a UK regulatory requirement. However, UK service organisations with US or global clients are frequently asked to provide SOC 2 reports as part of vendor due diligence. If your clients require it, it effectively becomes a business requirement.

How long does a SOC 2 audit take?

A Type I audit typically takes two to four months from preparation to report. A Type II audit requires a monitoring period of six to 12 months, plus the audit itself. Organisations with mature ISO 27001 programmes can often accelerate preparation significantly.
