
SOC 2

Service Organization Control 2: Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy


Voluntary examination framework reporting on controls at service organizations relevant to security, availability, processing integrity, confidentiality, or privacy, conducted by licensed CPAs following AICPA attestation standards.

Executive Summary

SOC 2 Type II examines both the design and the operating effectiveness of controls over a 6-12 month period using the 2017 Trust Services Criteria (updated 2022). Reports cover five trust service categories: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Enterprise clients widely require SOC 2 reports from SaaS and other service providers as a demonstration of security. Licensed CPAs conduct examinations per SSAE No. 21 standards.

Comprehensive Documentation

SOC 2: Service Organization Control 2


Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Current Framework: 2017 Trust Services Criteria (With Revised Points of Focus - 2022)
Attestation Standard: SSAE No. 21 (effective June 15, 2022)
Governing Body: AICPA (American Institute of Certified Public Accountants)

Overview


SOC 2 provides a detailed examination of controls at service organizations using the Trust Services Criteria. It is designed for SaaS providers, cloud services, and organizations processing user data where clients need assurance about security and privacy controls.

Five Trust Service Criteria


  1. Security (Mandatory) - Protection against unauthorized access, disclosure, and damage

  2. Availability - Systems available for operation and use

  3. Processing Integrity - Processing complete, valid, accurate, timely, authorized

  4. Confidentiality - Confidential information protected

  5. Privacy - Personal information properly collected, used, retained, disclosed, disposed


Type I vs Type II Reports


  • Type I: Point-in-time assessment of whether controls are suitably designed

  • Type II: Assessment over a period of time (6-12 months) of both control design AND operating effectiveness


Key Requirements


Organizations must implement controls addressing selected Trust Services Criteria, typically including access control, encryption, monitoring, incident response, change management, vendor management, and security awareness training.

Applicability


Designed for service organizations: SaaS providers, cloud providers, MSPs, data centers, payment processors, healthcare technology, fintech, and any organization processing user data where clients require control assurance.

Mandatory vs Voluntary


Voluntary - not legally mandated, but increasingly a business necessity. Many enterprise clients contractually require SOC 2 reports. A report demonstrates commitment to security and provides a competitive advantage.

Assessment Process


Must be conducted by licensed CPAs following SSAE No. 21 attestation standards. CPA firms evaluate the system description, test control design and (for Type II) operating effectiveness, and issue a restricted-use report.

Relationship to Other Frameworks


  • NIST: Official mappings to NIST 800-53 and NIST CSF available

  • ISO 27001: Approximately 80% control overlap, different purposes

  • HIPAA: HITRUST CSF provides mapping between SOC 2 and HIPAA

  • Maps to other security frameworks for multi-framework compliance


Report Types


  • SOC 1: Financial reporting controls (ICFR)

  • SOC 2: Trust Services Criteria (restricted use, detailed)

  • SOC 3: Trust Services summary (public distribution)


Typical Timeline


Type II implementation: 9-18 months from start to report issuance (includes 6-12 month examination period)

Company Size


No minimum size requirements - applies to any service organization regardless of size. Decision driven by business need and client requirements.

Massachusetts Considerations


No state-specific variations. The standard applies uniformly across all states; MA service organizations follow the same AICPA standards and Trust Services Criteria.

Applicable Industries

SaaS Providers
Cloud Service Providers
Managed Service Providers (MSPs)
Data Centers
Payment Processors
Healthcare Technology
Financial Technology (FinTech)
Service Organizations Processing User Data

Company Size

All company sizes

Effective Date

1/1/2017

Penalties for Non-Compliance

No legal penalties (voluntary). Market consequences: loss of clients requiring SOC 2, inability to compete for enterprise contracts, reduced client trust. CPA firms may withdraw from engagement for non-cooperation.

For Massachusetts Companies

This cybersecurity framework is a recommended best practice for Massachusetts companies. While not legally mandatory, implementing this framework can strengthen your security posture and may be required by clients or partners.

Applicable Massachusetts Industries

SaaS Providers
Cloud Service Providers
Managed Service Providers (MSPs)
Data Centers
Payment Processors
Healthcare Technology
Financial Technology (FinTech)
Service Organizations Processing User Data

Enforcement Agency

Voluntary framework. Licensed CPAs conduct examinations per AICPA/SSAE No. 21 standards. No regulatory enforcement. Market and client contractual requirements drive adoption.