Shieldra
SOC 2 Framework Guide
SOC 2 is an AICPA attestation framework for service organizations. It helps customers evaluate whether controls protecting customer data are suitably designed and operating effectively.
Trust Services Categories
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Common Criteria
- Control Environment
- Communication and Information
- Risk Assessment
- Monitoring Activities
- Control Activities
- Logical and Physical Access Controls
- System Operations
- Change Management
- Risk Mitigation
Audit evidence
- Management assertion and system description
- Control matrix
- Policies and access reviews
- Infrastructure and monitoring evidence
- Vendor risk evidence
- Type I or Type II testing support
Frequently asked questions
What is SOC 2?
SOC 2 is an AICPA attestation framework for service organizations. An independent CPA firm evaluates whether a company controls protecting customer data are suitably designed (Type I) and operating effectively over a period of time (Type II), against the Trust Services Criteria.
What is the difference between SOC 2 Type I and Type II?
A Type I report assesses whether controls are suitably designed at a single point in time. A Type II report assesses whether those controls operated effectively over an observation window, typically 3–12 months, and is what most enterprise buyers expect.
What are the SOC 2 Trust Services Criteria?
The five Trust Services Categories are Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. Security is always in scope; the others are included based on the commitments a service organization makes to its customers.