SOC 2 Business Overview - What You Need to Know
- By John Miller
- 03 Sep, 2017

Managing scope for a SOC 2 Report - defining the system boundary, principles covered, period covered, and more
The SOC 2 "certification" isn't actually a certification. SOC 2 is an attestation examination, conducted by an independent Certified Public Accounting (CPA) firm, whose output is a SOC 2 Report rather than a certificate.
There are two types of SOC 2 reports:
1) A Type I report covers the suitability of the design of controls as of a point in time (it does not test operating effectiveness);
2) A Type II report covers both the suitability of the design and the operating effectiveness of controls over a stated review period.
Note: SOC 1 is a different report. It covers controls relevant to a customer's internal control over financial reporting, i.e. the controls a financial statement auditor relies on, not information security as such.
Used by both global technology companies such as Amazon and leading startups, the SOC 2 examination is fast becoming the industry standard for reporting on the effectiveness of an information security program. Your goal should be to complete the examination without any exceptions, demonstrating that the controls were designed and operating as described the first time, without corrective follow-up.
SOC 2 examinations are performed by an independent CPA firm so that the findings are objective. Obtaining a SOC 2 Type II report may require extensive preparation, often including InfoSec program enhancements, a readiness assessment or gap analysis, and one or more preparatory mock examinations to practice collecting the evidence the auditor will ask for.
Pro Tip: Some organizations may only require a SOC 2 Type I Report. If a SOC 2 Type II is required, then carefully control the scope: the system boundary (which services, infrastructure and people are in scope), the Trust Services principles covered, and the review period covered. Contact our team to learn more.