SOC 2
SOC 2
Service Organization Control 2 — a security and reliability audit framework for service organizations
1. Overview: SOC 2, a security assurance framework that verifies 5 trust criteria via independent audit
flowchart LR
A["Hard for customers to verify<br/>data-security trust —<br/>growing demand for audits"] --"AICPA independent audit,<br/>verified against TSC criteria"--> B["SOC 2 report<br/>proves Trust Services compliance"] --"Builds customer trust,<br/>contract/sales advantage"--> C["Stronger competitiveness<br/>for SaaS/cloud companies"]
style A fill:#FFEBEE,stroke:#D32F2F,color:#000
style B fill:#E3F2FD,stroke:#1976D2,color:#000
style C fill:#E8F5E9,stroke:#388E3C,color:#000
Definition: An audit standard developed by the AICPA (American Institute of Certified Public Accountants) in which an independent auditor verifies and reports how well a service organization (SaaS, cloud, or data-processing company) complies with the 5 Trust Services Criteria (TSC) — Security, Availability, Processing Integrity, Confidentiality, and Privacy — when handling customer data.
Characteristics: (Voluntary certification) Not a legal requirement, but has become a de facto necessity as a customer requirement for B2B SaaS and cloud companies. (Security is mandatory) Of the 5 TSCs, Security (the Common Criteria) is mandatory; the other 4 are optional additions. (Comparing SOC types) Unlike SOC 1 (financial internal controls) and SOC 3 (public summary report), SOC 2 covers operational and security controls broadly.
2. SOC 2’s core structure
A. The 5 Trust Services Criteria (TSC)
flowchart TD
subgraph R1[" "]
direction LR
T1["Security<br/>CC: Common Criteria —<br/>prevents unauthorized access,<br/>mandatory criterion"]
T2["Availability<br/>agreed-upon level of<br/>system operational availability,<br/>SLA compliance"]
T3["Processing Integrity<br/>completeness, accuracy,<br/>and timeliness of<br/>data processing"]
end
subgraph R2[" "]
direction LR
T4["Confidentiality<br/>protection and access restriction<br/>of information designated confidential —<br/>encryption, access control"]
T5["Privacy<br/>collection, use, retention,<br/>disclosure, and disposal<br/>of personal data — linked to GDPR/CCPA"]
end
style T1 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
style T2 fill:#E3F2FD,stroke:#1976D2,color:#000
style T3 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style T4 fill:#FFF3E0,stroke:#F57C00,color:#000
style T5 fill:#E8F5E9,stroke:#388E3C,color:#000
style R1 fill:none,stroke:none
style R2 fill:none,stroke:none
The 5 TSCs in detail, with key controls
| TSC | Core purpose | Key controls | Applies to |
|---|---|---|---|
| Security | Protect systems from unauthorized access, disclosure, and damage | Access management, MFA, encryption, vulnerability management, log monitoring | Mandatory for all SOC 2 |
| Availability | Maintain system operational availability at the agreed SLA level | DR, BCP, performance monitoring, incident-response procedures | SaaS/cloud services |
| Processing Integrity | Ensure completeness, accuracy, and timeliness of data processing | Input validation, error handling, processing-history tracking | Data processing, fintech |
| Confidentiality | Protect and restrict access to data designated confidential | Encryption, NDAs, data classification, disposal policy | Confidential data between businesses |
| Privacy | Protect personal data across its full lifecycle, from collection to disposal | Consent management, data minimization, access restriction, disposal procedures | Personal-data-processing services |
B. Type I / Type II audits and the compliance procedure
flowchart LR
subgraph R1[" "]
direction LR
T1["SOC 2 Type I<br/>Point-in-time assessment<br/>of control design suitability —<br/>do the controls exist?<br/>Prep time: 2–4 months"]
T2["SOC 2 Type II<br/>Assessment of control<br/>operating effectiveness over a<br/>period (6–12 months) —<br/>do the controls work effectively?<br/>Prep time: 6–12+ months"]
end
style T1 fill:#E3F2FD,stroke:#1976D2,color:#000
style T2 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
style R1 fill:none,stroke:none
The SOC 2 certification process
flowchart LR
S1["Define scope —<br/>select TSCs,<br/>confirm system/service<br/>boundaries"]
S2["Gap analysis —<br/>assess current controls<br/>against TSC requirements"]
S3["Implement controls —<br/>establish policies/procedures,<br/>apply technical controls,<br/>build evidence collection"]
S4["Select auditor —<br/>AICPA-licensed<br/>independent auditor,<br/>a CPA firm"]
S5["Conduct audit —<br/>evidence review,<br/>interviews/testing,<br/>issue the report"]
S1 --> S2 --> S3 --> S4 --> S5
S5 -->|"Annual renewal"| S1
style S1 fill:#E3F2FD,stroke:#1976D2,color:#000
style S2 fill:#F3E5F5,stroke:#7B1FA2,color:#000
style S3 fill:#FFF3E0,stroke:#F57C00,color:#000
style S4 fill:#FFEBEE,stroke:#D32F2F,color:#000
style S5 fill:#1E3A5F,stroke:#1E3A5F,color:#fff
SOC 2 vs. other major security certifications
| Comparison | SOC 2 | ISO 27001 | ISMS-P |
|---|---|---|---|
| Developed by | AICPA (US) | ISO/IEC (international) | KISA (Korea) |
| Scope | Service-organization trust | Enterprise-wide information security management | Information security + personal data protection |
| Primary market | US and global B2B SaaS | Companies worldwide | Companies/public agencies in Korea |
| Audit method | Independent auditor’s report | Certification-body assessment | Certification-body assessment |
| Renewal cycle | Annual (Type II recommended) | 3 years (annual surveillance) | 3 years (annual surveillance) |
| Local use | SaaS/cloud companies serving overseas customers | Global business + domestic companies | Companies with a domestic legal obligation |
3. Expected benefits and practical application of SOC 2 certification
| Category | Key expected benefit | Practical application |
|---|---|---|
| Customer trust | Independent audit report objectively demonstrates security posture | Submit the SOC 2 report during enterprise sales/contracting to answer security questionnaires |
| Global market | A de facto requirement for entering the US/North American market | Obtain SOC 2 Type II before exporting a SaaS product to build trust with overseas customers |
| Internal security | The certification process builds a genuine security control framework | Mature access management, logging, encryption, and DR infrastructure |
| Regulatory response | SOC 2 controls link to GDPR, CCPA, and other data-protection requirements | Adding the Privacy TSC addresses personal-data compliance simultaneously |