Last updated: April 29, 2026
SOC 2 (Service Organization Controls 2) is the report most US enterprise customers ask Indian SaaS vendors to produce before signing. It is not a regulation or a certification — it is an attestation by an independent auditor (CPA firm) that your controls operate effectively. This module covers the framework, the differences between Type 1 and Type 2, the Trust Services Criteria, and how to scope a successful first SOC 2 engagement.
SOC 2 in 60 seconds
- Created by AICPA (American Institute of Certified Public Accountants)
- Performed by CPA firms (auditors must be licensed CPAs)
- Two types: Type 1 (point in time) and Type 2 (over a period)
- Two main report variants: SOC 2 Type 1 and Type 2; SOC 3 is a public summary
- Scoped against five Trust Services Criteria: Security is always included, and you choose whether to add Availability, Confidentiality, Processing Integrity, and Privacy
- Most enterprise customers ask for SOC 2 Type 2 covering at minimum Security + Availability