SOC 2 (Service Organization Controls 2) is the report most US enterprise customers ask Indian SaaS vendors to produce before signing. It is not a regulation or a certification; it is an attestation by an independent auditor (a CPA firm) that your controls operate effectively. This module covers the framework, the differences between Type 1 and Type 2, the Trust Services Criteria, and how to scope a successful first SOC 2 engagement.
SOC 2 in 60 seconds
- Created by AICPA (American Institute of Certified Public Accountants)
- Performed by CPA firms (auditors must be licensed CPAs)
- Two types: Type 1 (point in time) and Type 2 (over a period)
- Two main report variants: SOC 2 Type 1 and Type 2; SOC 3 is a public summary
- Scoped against five Trust Services Criteria; Security is always required, and you choose whether to add Availability, Confidentiality, Processing Integrity and Privacy
- Most enterprise customers ask for SOC 2 Type 2 covering at minimum Security + Availability
Type 1 vs Type 2
| Type 1 | Type 2 |
| --- | --- |
| Point-in-time snapshot | Over a period (typically 6 or 12 months) |
| Attests controls are designed appropriately | Attests controls operated effectively over time |
| 2-3 months to obtain | 8-12 months minimum (preparation + observation period + audit) |
| Lower assurance; some customers won't accept | The standard expectation in enterprise sales |
Practical pattern: most teams do Type 1 once (to unblock initial sales), then Type 2 on the next 12-month cycle.
Trust Services Criteria: what's in scope
- Security (Common Criteria): required for every SOC 2; covers logical/physical access, change management, risk management, etc. (~100 sub-criteria)
- Availability: system availability for operation per commitments. A common addition for SaaS
- Confidentiality: protection of confidential information. Common when handling customer secrets
- Processing Integrity: system processing is complete, valid, accurate and timely. Common for financial / data-processing SaaS
- Privacy: collection, use, retention and disposal of personal information. Less common; many use GDPR/DPDP for privacy instead
Most Indian SaaS targeting US enterprises: Security + Availability. Add Confidentiality if storing significant customer data.
The 9 Common Criteria categories
- CC1: Control Environment (governance, ethics, oversight)
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Each has multiple sub-criteria. Modern SaaS-focused control frameworks (Vanta, Drata, SecureFrame templates) implement the standard set; customisation is at the margins.
The audit process
Pre-audit (months 1-6)
- Choose auditor and tooling (in-house vs platform like Vanta/Drata/SecureFrame)
- Define scope: services, systems, locations, criteria
- Implement controls; collect evidence
- Run readiness assessment with auditor or independent consultant
- Address gaps
Observation period (Type 2 only; 6 months minimum)
Controls must operate consistently throughout the period, and auditors sample evidence from this window. Only evidence generated during the observation period counts; evidence from before the period does not.
Audit fieldwork (4-8 weeks)
- Auditor requests evidence (typically 200-400 items)
- Walk-throughs of major controls
- Interviews with control owners
- Sampling and testing
- Findings discussion
Report issuance (2-4 weeks after fieldwork)
- Auditor opinion: Unqualified (clean), Qualified (some exceptions), Adverse (controls not effective), Disclaimer (couldn’t form opinion)
- Description of system + controls
- Description of tests performed and results
- Management’s response to any exceptions
What enterprise customers actually do with the report
- Procurement / Vendor Risk reads the auditor opinion + executive summary
- Security team reviews exceptions and complementary user entity controls (CUECs: controls the customer must implement)
- Legal reviews scope and any disclaimers
- The report is shared under NDA; customers generally don't redistribute it
- Refreshed annually; expired SOC 2 reports get flagged in vendor risk reviews
Critical controls: the ones that always come up
- Background checks on employees with system access (CC1.4)
- Onboarding/offboarding with documented access provisioning and revocation
- Least-privilege access reviews quarterly, evidenced
- MFA on all admin and external-facing systems
- Vulnerability management with SLA-tracked remediation
- Patch management with documented schedule + exceptions
- Change management with reviews/approvals before production deploy
- Incident response with documented procedure + evidence of recent incidents handled
- Encryption at rest and in transit (with documented standards)
- Backup and recovery tested at least annually
- Vendor risk management with assessments of critical vendors
- Logging and monitoring with documented log review
- Disaster recovery testing
Common findings (exceptions) on first SOC 2
- Access review evidence missing for certain quarters
- Change tickets without documented testing for emergency changes
- Background check evidence missing for some legacy employees
- Vulnerability remediation past SLA without documented exception
- Vendor risk assessments missing or out-of-date
None of these is catastrophic, but each will appear as an exception in the auditor's report if it is not remediated.
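As an added self-check (not code from this module or from any of the platforms it names), the script below runs over constructed sample data and flags the two findings above that teams can detect themselves before fieldwork: quarters of the Type 2 observation window with no access-review evidence, and vulnerabilities remediated past SLA with no documented exception. The observation window, review dates, SLA table and ticket list are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample: a 12-month Type 2 observation window.
OBS_START = date(2024, 1, 1)
OBS_END = date(2024, 12, 31)
# Constructed: dates on which a documented quarterly access review was completed.
ACCESS_REVIEWS = [date(2024, 2, 14), date(2024, 5, 9), date(2024, 11, 20)]
# Constructed remediation SLAs in days per severity (the policy itself is an assumption).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

@dataclass
class Vuln:
    id: str
    severity: str
    found: date
    fixed: Optional[date]   # None = still open at the audit cutoff
    exception: bool         # documented risk acceptance on file

# Constructed vulnerability tickets from the observation window.
VULNS = [
    Vuln("V-1", "critical", date(2024, 3, 1), date(2024, 3, 10), False),  # fixed within SLA
    Vuln("V-2", "high", date(2024, 4, 1), date(2024, 6, 1), False),       # fixed late, no exception
    Vuln("V-3", "high", date(2024, 7, 1), None, True),                    # open, exception documented
    Vuln("V-4", "medium", date(2024, 8, 1), None, False),                 # open, past SLA, no exception
]

def quarters(start, end):
    """Yield (label, first_day, last_day) for each calendar quarter overlapping the window."""
    q_start = date(start.year, 3 * ((start.month - 1) // 3) + 1, 1)
    while q_start <= end:
        m = q_start.month + 3
        next_q = date(q_start.year + 1, m - 12, 1) if m > 12 else date(q_start.year, m, 1)
        yield f"{q_start.year}Q{(q_start.month - 1) // 3 + 1}", q_start, next_q - timedelta(days=1)
        q_start = next_q

def missing_access_reviews(reviews, start=OBS_START, end=OBS_END):
    """Quarters with no completed access review: each one is an exception the auditor will write up."""
    return [label for label, q_first, q_last in quarters(start, end)
            if not any(q_first <= r <= q_last for r in reviews)]

def sla_breaches(vulns, as_of=OBS_END, sla=SLA_DAYS):
    """Tickets closed (or still open at the cutoff) past SLA with no documented exception."""
    return [v.id for v in vulns
            if (v.fixed or as_of) > v.found + timedelta(days=sla[v.severity]) and not v.exception]
```

Running it against the sample data reports 2024Q3 as the quarter lacking review evidence and V-2 and V-4 as the SLA breaches; V-3 is late but covered by its documented exception.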