
SOC 2 Compliance: What It Is, Who Needs It, and How to Get Certified
A practical guide to SOC 2 compliance — what it is, how it differs from ISO 27001, what the Trust Services Criteria require, how the audit process works, and what European companies need to know about SOC 2 in a NIS2 and DORA world.
SOC 2 is the security attestation framework that US enterprise buyers expect. Developed by the AICPA (American Institute of Certified Public Accountants), it evaluates how service organizations protect customer data across five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
For European companies selling into the US market, SOC 2 is often the first compliance requirement buyers ask about. For companies already ISO 27001 certified, the overlap is significant — but the differences matter.
This guide covers what SOC 2 requires, how the audit works, how it relates to ISO 27001, and what European companies should consider.
What Is SOC 2?
SOC 2 is an attestation framework — not a certification in the traditional sense. A CPA (Certified Public Accountant) firm examines your controls against the Trust Services Criteria and issues a report describing what they found. The report is your evidence of compliance.
There are two types:
SOC 2 Type I
- Evaluates control design at a point in time
- Answers: "Are the right controls in place?"
- Faster to obtain (weeks, not months)
- Less valuable to buyers — shows intention, not execution
SOC 2 Type II
- Evaluates control design and operating effectiveness over a period of time (typically 6-12 months)
- Answers: "Do the controls actually work?"
- Requires sustained compliance during the observation period
- The standard buyers expect and the report auditors reference
The Five Trust Services Criteria
Security (Common Criteria) — Required
The Security criteria are included in every SOC 2 report. They cover:
- CC1: Control Environment — Governance, organizational structure, management commitment
- CC2: Communication and Information — Internal and external communication about security
- CC3: Risk Assessment — Risk identification, analysis, and management
- CC4: Monitoring Activities — Ongoing evaluation of controls
- CC5: Control Activities — Policies and procedures for control implementation
- CC6: Logical and Physical Access Controls — Authentication, authorization, physical security
- CC7: System Operations — Monitoring, incident detection, response
- CC8: Change Management — Controlled changes to infrastructure and software
- CC9: Risk Mitigation — Vendor management, business continuity
Availability — Optional
Evaluates whether systems are operational and available as committed:
- Uptime monitoring and performance management
- Disaster recovery and business continuity
- Capacity planning and infrastructure resilience
- Incident response for availability events
Processing Integrity — Optional
Evaluates whether system processing is complete, valid, accurate, and timely:
- Data validation and error handling
- Processing monitoring and quality assurance
- Output reconciliation and verification
Confidentiality — Optional
Evaluates how confidential information is protected:
- Data classification and handling
- Encryption and access controls for confidential data
- Data retention and secure disposal
- Confidentiality agreements and obligations
Privacy — Optional
Evaluates how personal information is collected, used, retained, disclosed, and disposed of:
- Privacy notices and consent management
- Data subject rights (access, correction, deletion)
- Data retention and disposal practices
- Third-party data sharing controls
SOC 2 vs. ISO 27001
Both demonstrate security maturity, but they serve different markets and take different approaches:
| Aspect | SOC 2 | ISO 27001 |
|---|---|---|
| Origin | AICPA (US) | ISO/IEC (International) |
| Type | Attestation report | Certification |
| Market | Primarily US | International, strong in Europe |
| Approach | Criteria-based (Trust Services Criteria) | Risk-based (Annex A controls) |
| Validity | Report covers a specific period (typically 12 months) | Certificate valid for 3 years with annual surveillance |
| Auditor | Licensed CPA firm | Accredited certification body |
| Output | Detailed report with auditor's opinion | Certificate + statement of applicability |
| Flexibility | Choose which Trust Services Criteria to include | Choose controls based on risk assessment |
| Cost | Generally EUR 40,000-170,000 first year | Generally EUR 30,000-100,000 first year |
When You Need Both
Many European SaaS companies obtain both:
- ISO 27001 for European enterprise buyers, NIS2/DORA alignment, and international credibility
- SOC 2 for US enterprise buyers and the American market
The good news: approximately 70-80% of controls overlap. If you have one, achieving the other requires incremental effort, not starting from scratch.
The SOC 2 Audit Process
Phase 1: Readiness Assessment (1-3 months)
Before engaging an auditor:
- Define scope — Which systems, services, and Trust Services Criteria are included?
- Gap analysis — Compare current controls against SOC 2 requirements
- Remediate gaps — Implement missing controls, fix deficiencies
- Document policies — Write or update policies and procedures
- Collect evidence — Begin gathering evidence that controls are operating
Phase 2: Observation Period (Type II only, 6-12 months)
During the observation period:
- Controls must be in operation and consistently followed
- Evidence must be collected continuously (not retroactively)
- Exceptions must be documented and addressed
- Changes to controls must be managed and documented
Phase 3: Audit Fieldwork (2-6 weeks)
The auditor:
- Reviews documentation (policies, procedures, evidence)
- Tests controls through inquiry, observation, inspection, and re-performance
- Evaluates control design (Type I and II) and operating effectiveness (Type II only)
- Identifies any control deficiencies or exceptions
- Discusses findings with management
Phase 4: Report Issuance (2-4 weeks)
The auditor issues the SOC 2 report containing:
- Section I: Management's assertion — Management's description of the system
- Section II: Auditor's report — The auditor's opinion on control design and effectiveness
- Section III: System description — Detailed description of the system, including infrastructure, software, people, and data
- Section IV: Controls and tests — Description of each control, the test performed, and the test result
- Section V (optional): Management's response — Management's response to any exceptions noted
Auditor's Opinion
The auditor issues one of three opinions:
- Unqualified — Controls are suitably designed and operating effectively (clean report)
- Qualified — Controls are generally effective, but one or more exceptions were noted
- Adverse — Significant control deficiencies; the system doesn't meet the criteria
Common SOC 2 Controls
Access Management
- Multi-factor authentication for production systems
- Role-based access control with least privilege
- Quarterly access reviews
- Prompt access revocation for departing employees
- Privileged access management with audit logging
Change Management
- Code review requirements before deployment
- Separation of development and production environments
- Change approval workflows
- Rollback procedures for failed deployments
Monitoring and Incident Response
- Security event monitoring and alerting
- Incident response plan and procedures
- Incident classification and escalation
- Post-incident review and remediation tracking
Vendor Management
- Vendor risk assessment process
- Security requirements in vendor contracts
- Periodic vendor security review
- Sub-processor management and notification
Data Protection
- Encryption at rest and in transit
- Data classification framework
- Data retention and deletion procedures
- Backup and recovery testing
SOC 2 for European Companies
When SOC 2 Makes Sense
- You sell SaaS products to US enterprises
- Your US prospects require SOC 2 during procurement
- You compete against US-based vendors who already have SOC 2
- You want to demonstrate security maturity in both US and European markets
When ISO 27001 May Be Enough
- Your customers are primarily European
- NIS2 or DORA compliance is your primary driver
- Your European buyers ask for ISO 27001, not SOC 2
- Budget constraints require prioritizing one framework
The European Regulatory Context
SOC 2 does not satisfy NIS2 or DORA requirements on its own:
- NIS2 requires compliance with specific Article 21 measures — SOC 2 controls overlap significantly but don't cover all ten required areas
- DORA has specific ICT risk management requirements that go beyond SOC 2's scope
- GDPR requires specific data protection controls that SOC 2's Privacy criteria partially address
An ISMS built on ISO 27001 provides a stronger foundation for European regulatory compliance, with SOC 2 added for US market access.
Common Mistakes
- Starting with Type II before being ready. If your controls aren't mature, the observation period will surface exceptions that end up in the report. Start with a readiness assessment, fix gaps, then begin the Type II observation period.
- Scoping too narrowly or too broadly. Too narrow (excluding relevant systems) creates credibility issues with buyers. Too broad (including everything) increases cost and complexity. Scope should cover the systems and services your customers actually use.
- Treating SOC 2 as a one-time project. SOC 2 Type II is an annual requirement. Controls must operate continuously, evidence must be collected throughout the year, and the audit repeats every 12 months. Build sustainable processes, not a pre-audit sprint.
- Choosing the wrong auditor. Not all CPA firms have the same depth of technology and security expertise. Choose a firm with experience auditing companies of your size, in your industry, with your technology stack.
- Neglecting the system description. Section III of the SOC 2 report describes your system in detail. Buyers read this carefully. Invest time in making it accurate, complete, and clear — it shapes buyer perception of your security maturity.
How Orbiq Supports SOC 2 Compliance
- Trust Center: Publish your SOC 2 report availability, Trust Services Criteria scope, and security controls for buyer due diligence
- Continuous Monitoring: Track control effectiveness across SOC 2 criteria and identify gaps before your next audit
- Evidence Management: Automated evidence collection mapped to Trust Services Criteria for streamlined audit preparation
- AI-Powered Questionnaires: Respond to buyer security questionnaires using evidence from your SOC 2 programme
Further Reading
- ISMS — Building the management system that underpins SOC 2 and ISO 27001
- Compliance Automation — Automating SOC 2 evidence collection and monitoring
- Vendor Risk Assessment — How buyers evaluate your SOC 2 report
- Information Security Policy — The governance foundation for SOC 2 controls
This guide is maintained by the Orbiq team. Last updated: March 2026.