Key Takeaways
- SOC 2 compliance is a voluntary security certification for organisations that store, process, or transmit customer data.
- It is built on five Trust Services Criteria — Security (mandatory) plus four optional criteria.
- Type I audits assess control design at a point in time; Type II assess operating effectiveness over 3–12 months.
- Penetration testing is not required but is expected by auditors and enterprise buyers.
- OnSecurity’s pentesting services help you build the evidence base for a clean audit.
What is SOC 2?
SOC 2 (System and Organisation Controls 2) is a voluntary cybersecurity compliance certification and an auditing method developed by the American Institute of CPAs (AICPA) in 2010 to ensure that a business is managing its data and customers’ data correctly.
The framework covers how a company handles customer data stored in the cloud, as well as how it stores and protects its own data.
Unlike prescriptive frameworks such as PCI DSS, SOC 2 is flexible. Organisations design their own controls and are assessed against a set of criteria rather than a fixed checklist, making it particularly well-suited to cloud and SaaS businesses.
A SOC 2 audit is carried out by an independent, AICPA-accredited CPA or firm. Following the audit, they produce a report of how well the organisation’s controls meet the relevant criteria. This document can then be shared with clients, prospects, and stakeholders as evidence of a strong security posture.
What is needed for a SOC 2 certification to be completed?
Every SOC 2 audit is structured around the Trust Services Criteria. Security is mandatory; the remaining four are optional, selected based on the organisation’s services and customer commitments.
- Security: protecting information from unauthorised access
- Availability: ensuring employees and clients can rely on your systems to perform their work
- Processing integrity: verifying that company systems operate as intended
- Confidentiality: protecting confidential information by limiting its access, storage, and use
- Privacy: safeguarding sensitive personal information against unauthorised users
During a SOC 2 audit, an external auditor assesses the business’s security posture against the Trust Services Criteria (TSC) listed above.
SOC Type 1 and SOC Type 2 – What’s the difference?
There are two types of SOC reports:
- SOC 2 Type I reports evaluate a company’s controls at a single point in time. They answer the question: are the security controls designed properly?
- SOC 2 Type II reports assess how those controls function over an observation period, generally 3–12 months. They answer the question: do the security controls a company has in place function as intended?
Of the two reports, a Type I report can be quicker to achieve, whereas a Type II report offers greater assurance to your customers about the security of their data.
Who needs SOC 2 compliance?
Any service organisation that stores, processes, or transmits sensitive customer data should consider SOC 2, particularly if it:
- Is a SaaS company selling to enterprise or mid-market customers
- Operates in a regulated sector such as healthcare, finance, or professional services
- Handles personally identifiable information (PII) or confidential business data
- Is asked by prospects or partners for evidence of security controls
SOC 2 is not a legal requirement, but it has become a baseline commercial expectation.
SOC 2 compliance vs other frameworks
SOC 2 compliance is often evaluated alongside ISO 27001, the international information security management standard, and PCI DSS, which governs payment card data. The key difference is approach: SOC 2 is outcomes-based and flexible, while ISO 27001 and PCI DSS prescribe specific controls and configurations. Find out more about the difference between ISO 27001 and SOC 2 here.
ISO 27001 tends to be more common in the UK and European market; SOC 2 is the dominant standard in the United States. Organisations selling across both markets frequently pursue both certifications. There is significant control overlap between the two, and evidence collected for a SOC 2 audit typically supports an ISO 27001 certification as well.
Does SOC 2 compliance require a penetration test?
Penetration testing is not formally required by the SOC 2 Trust Services Criteria. However, it is directly referenced in the AICPA’s guidance under CC4.1 (Monitoring Activities) as a method for evaluating the effectiveness of security controls. Auditors widely treat a current pentest report as the most credible evidence that your defences work in practice, not just on paper.
Auditors typically look for at least quarterly scans alongside annual penetration testing. For Type II SOC 2 compliance, the combination of both demonstrates the continuous monitoring posture the criteria require.
Beyond the audit itself, most enterprise customers requesting your SOC 2 report will separately ask to see a penetration test report. For B2B SaaS companies, a pentest has become commercially inseparable from SOC 2 compliance.
How OnSecurity supports your SOC 2 compliance
OnSecurity provides the pentesting services and platform that directly generate the evidence auditors look for across the Trust Services Criteria.
Penetration testing supports CC4.1 with auditor-ready reports mapped to the Trust Services Criteria. This demonstrates that your controls hold up under real-world attack conditions.
Using OnSecurity as your pentesting partner means you can approach a SOC 2 compliance audit with evidence that controls are designed, tested and functioning. Get an instant penetration testing quote now.
FAQs
What is SOC 2 compliance?
SOC 2 compliance means a service organisation has undergone an independent audit against the AICPA’s Trust Services Criteria and demonstrated that its controls for protecting customer data are suitably designed (Type I) and operating effectively (Type II).
What are the SOC 2 compliance requirements?
The core SOC 2 compliance requirements are defined by the Trust Services Criteria. Security (CC1–CC9) is mandatory for all audits. Availability, Processing Integrity, Confidentiality, and Privacy are optional criteria selected based on your services and customer commitments. Each criterion has specific Points of Focus that guide control design and evidence.
Is SOC 2 certification mandatory?
No. SOC 2 is voluntary. However, it has become a de facto requirement for SaaS and cloud service providers selling to enterprise customers, particularly in the US market.
How long does a SOC 2 audit take?
A Type I audit typically takes 2–3 months. A Type II audit requires a minimum 3-month observation window, with most audits covering 6–12 months.
How does SOC 2 relate to GDPR or UK data protection law?
SOC 2 is an American framework and does not constitute legal compliance with GDPR or the UK Data Protection Act 2018. However, many of the controls required for SOC 2 — particularly under the Privacy TSC — align closely with data protection obligations, and a SOC 2 report can support broader data governance documentation.
How does penetration testing support SOC 2 compliance?
Penetration testing is referenced under AICPA criteria CC4.1 as a method for evaluating whether security controls are functioning effectively. While not formally required, a current pentest report is one of the strongest forms of evidence an auditor can receive, and most enterprise customers expect to see one alongside a SOC 2 compliance report.