
SOC 2

SOC 2, aka Service Organization Control Type 2, is a cybersecurity compliance framework developed by the American Institute of Certified Public Accountants (AICPA). The primary purpose of SOC 2 is to ensure that third-party service providers store and process client data in a secure manner.

SOC 2: Five Service Principles

  1. Security

The security principle refers to protection of system resources against unauthorized access. Access controls help prevent potential system abuse, theft or unauthorized removal of data, misuse of software, and improper alteration or disclosure of information.

IT security tools such as network and web application firewalls (WAFs), two factor authentication and intrusion detection are useful in preventing security breaches that can lead to unauthorized access of systems and data.

  2. Availability

The availability principle refers to the accessibility of the system, products or services as stipulated by a contract or service level agreement (SLA). As such, the minimum acceptable performance level for system availability is set by both parties.

This principle does not address system functionality and usability, but does involve security-related criteria that may affect availability. Monitoring network performance and availability, site failover and security incident handling are critical in this context.

  3. Processing integrity

The processing integrity principle addresses whether or not a system achieves its purpose (i.e., delivers the right data at the right price at the right time). Accordingly, data processing must be complete, valid, accurate, timely and authorized.

However, processing integrity does not necessarily imply data integrity. If data contains errors prior to being input into the system, detecting them is not usually the responsibility of the processing entity. Monitoring of data processing, coupled with quality assurance procedures, can help ensure processing integrity.

  4. Confidentiality

Data is considered confidential if its access and disclosure is restricted to a specified set of persons or organizations. Examples may include data intended only for company personnel, as well as business plans, intellectual property, internal price lists and other types of sensitive financial information.

Encryption is an important control for protecting confidentiality during transmission. Network and application firewalls, together with rigorous access controls, can be used to safeguard information being processed or stored on computer systems.

  5. Privacy

The privacy principle addresses the system’s collection, use, retention, disclosure and disposal of personal information in conformity with an organization’s privacy notice, as well as with criteria set forth in the AICPA’s generally accepted privacy principles (GAPP).

Personally identifiable information (PII) refers to details that can distinguish an individual (e.g., name, address, Social Security number). Some personal data related to health, race, sexuality and religion is also considered sensitive and generally requires an extra level of protection. Controls must be put in place to protect all PII from unauthorized access.

Controls commonly associated with each principle:

| Principle | Typical controls |
| --- | --- |
| Security | Network/application firewalls; two-factor authentication; intrusion detection |
| Availability | Performance monitoring; disaster recovery; security incident handling |
| Processing integrity | Quality assurance; processing monitoring |
| Confidentiality | Encryption; access controls; network/application firewalls |
| Privacy | Access control; two-factor authentication; encryption |

What to expect during a SOC 2 audit

  1. Security Questionnaire – An auditor will most likely provide your team with a security questionnaire that asks numerous questions around your team’s security program, policies, infrastructure, and implemented technical controls.
  2. Evidence Collection – Teams will be asked to provide evidence of effective controls within your organization. Your team will need to be able to provide current policies and proof of technology standards that are currently in-place.
  3. Evaluation and Follow-up – An auditor may ask for additional evidence or answers to clarify questions around current security controls. Teams with SOC 2 compliance gaps may be asked to update their security program and resolve control gaps before the certification process can continue.
  4. Report Creation (Certification) – After an auditor has successfully evaluated the effectiveness of your organization’s controls, they will write up and provide a SOC 2 type 1 or SOC 2 type 2 report for your organization.
