SOC 2 FAQ

11 May 2026

SOC 2 (System and Organization Controls) is a framework that helps service providers demonstrate that they keep customer data secure. It was developed by the American Institute of Certified Public Accountants (AICPA) to help companies assess the reliability of service providers.

Those that complete a SOC 2 report provide customers and auditors with clear evidence that they have effective security controls and risk management practices in place.

SOC 2 is a globally recognised approach to managing risk and protecting sensitive data. While it was developed by the AICPA, the framework is increasingly popular in the UK – especially for organisations that work with US clients.

SOC 2 audits in the UK can be completed by a qualified member of the ICAEW (Institute of Chartered Accountants in England and Wales) or an equivalent provider.

SOC 2 is usually required if you provide technology solutions such as cloud services and your supply chain includes US-based organisations.

Such clients will often require evidence of SOC 2 to gain assurance that adequate security and risk management controls are in place. As such, if you fall into one of these supply chains, you’ll need to comply with SOC 2.

SOC 2 is a voluntary framework that organisations can choose to follow. However, many organisations – and especially large organisations in the US – make SOC 2 compliance a contractual requirement.

SOC 2 is not the same as ISO 27001, although they are both voluntary frameworks that provide a structured approach for protecting sensitive data, and they share many objectives.

However, one major difference between them is their purpose. ISO 27001 is a management system standard that organisations in any sector can use when implementing an ISMS (information security management system).

By contrast, SOC 2 is designed specifically for service organisations, and you do not certify against the framework. Organisations are instead provided with a SOC 2 report that details the nature of their security and risk management practices. This document is generally used to demonstrate to existing or prospective clients that the organisation’s controls are robust.

A SOC 2 Type I report assesses an organisation’s controls at a single point in time. The purpose of a Type I report is to identify whether the implemented controls have been properly designed.

A SOC 2 Type II report examines how well those controls perform over an extended period – usually at least six months, though it could be up to a year.

SOC 1 and SOC 2 reports both contain detailed and confidential information about an organisation’s systems, and the reports are usually only shared with stakeholders. The main difference is that SOC 1 focuses on financial reporting, whereas SOC 2 covers the Trust Services Criteria.

A SOC 3 report is a summary of the Trust Services Criteria that excludes confidential information and other sensitive material. It is intended for public release and can be used by the organisation as marketing material to demonstrate the strength of its controls.

SOC 2 focuses on controls addressed by five interrelated Trust Services Criteria (TSC):

  • Security: Protecting information from unauthorised access and disclosure.
  • Availability: Ensuring that information and systems can be accessed and perform reliably.
  • Confidentiality: Safeguarding access to information to ensure it can only be accessed for legitimate purposes.
  • Processing integrity: Verifying that company systems operate as intended.
  • Privacy: Ensuring that personal information is processed according to the organisation’s privacy policy.

‘Security’ is the only one that is mandatory; clients will typically dictate which other TSC they want the report to cover. This is usually based on the services the organisation delivers, its risks and its regulatory requirements.

You cannot technically fail a SOC 2 audit, as the framework does not use a pass/fail system. Instead, the auditor issues an opinion on the controls; where issues are found, this may be a ‘qualified’ or ‘adverse’ opinion.

That said, an ‘adverse’ opinion means the auditor has determined that the controls are not designed or operating properly. For most clients, this will not be satisfactory.

Depending on the severity of the issues, the auditor might give the organisation the opportunity to remediate any gaps found during a SOC 2 audit. They will typically request that the organisation remediates the identified weaknesses and provides evidence that this has been done.