“We’re SOC 2 compliant” is a phrase that shows up in almost every B2B vendor’s sales material, and it’s worth understanding precisely what it does and doesn’t actually verify before treating it as a meaningful signal.
What SOC 2 actually is
SOC 2 (System and Organization Controls 2) is an auditing standard defined by the American Institute of Certified Public Accountants, whose audit and assurance guidance on SOC 2 describes it as a report on an organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. It is not a government certification, and there is no universal pass/fail bar every organization is measured against — it’s an independent auditor’s report on whether an organization’s own stated controls actually exist and, for the more rigorous version, actually operate as claimed.
The five trust services criteria
SOC 2 reports are organized around five possible trust services criteria, and an organization chooses which ones its audit will cover (security is effectively mandatory as the baseline criterion; the other four are typically included based on relevance to what the organization does):
- Security — protection against unauthorized access, the baseline criterion present in essentially every SOC 2 report.
- Availability — whether systems are actually available for operation and use as committed.
- Processing integrity — whether system processing is complete, accurate, and authorized.
- Confidentiality — whether information designated as confidential is actually protected as such.
- Privacy — how personal information is collected, used, retained, and disclosed.
This means two organizations can both claim “SOC 2 compliance” while their reports cover meaningfully different scope — one might cover only security, while another covers all five criteria. The specific criteria included is worth checking, not assuming.
Type I versus Type II: a distinction worth being precise about
This is the single most consequential detail in a SOC 2 report, and it’s frequently glossed over in vendor marketing. A Type I report assesses whether an organization’s controls are suitably designed at a single point in time — essentially a snapshot. A Type II report goes further, assessing whether those same controls actually operated effectively over an observation period, typically six to twelve months.
The difference matters enormously in practice: a Type I report confirms a control exists on paper and was configured correctly on the day of the audit. A Type II report provides evidence the control was actually followed, consistently, over an extended period — which is a materially stronger form of assurance, since a control that exists in policy but isn’t consistently applied provides little real protection. A vendor advertising “SOC 2 compliant” without specifying which type, or citing only a Type I report, is making a considerably weaker claim than a Type II report represents, even though both get described with the same three words.
What SOC 2 doesn’t guarantee
A SOC 2 report, even a strong Type II covering all five criteria, doesn’t guarantee an organization is invulnerable to a breach — it provides evidence that specific, defined controls exist and were followed during the audit period, evaluated against criteria the organization itself helped scope. It’s also a point-in-time (or period-in-time) assessment; a report from eighteen months ago says nothing definitive about current practices. Evaluating a vendor’s security posture properly means checking the report’s actual scope, type, and recency — not just whether the phrase “SOC 2” appears on their website.
How this connects to the controls the audit is actually checking
The specific controls a SOC 2 audit examines — access management following least privilege, how secrets and credentials are managed, how responsibility is divided per the shared responsibility model — are the same practical security fundamentals covered throughout this site. SOC 2 doesn’t invent a separate security standard; it formalizes independent verification that an organization is actually doing the fundamentals it claims to.
Key takeaway
SOC 2 is an auditor’s independent assessment of an organization’s own security-related controls, scoped to whichever of five trust services criteria the organization chose to include — and the difference between a point-in-time Type I report and a Type II report covering months of actual operation is large enough that the two shouldn’t be treated as equivalent, even though both get marketed with the same three words.
This article explains a general auditing standard; specific requirements and scope should be verified against the actual report in question. See our disclaimer.