International Standard · Voluntary (commercially required) · TSC 2017 (revised 2022)

SOC 2: Service Organization Controls 2

AICPA SOC 2 — Trust Services Criteria — issued by American Institute of Certified Public Accountants.

Issuer: AICPA (American Institute of CPAs)
Trust Services Criteria: 5 — Security (CC), Availability, Confidentiality, Processing Integrity, Privacy
Report types: Type 1 (point in time) or Type 2 (period of operation, usually 6-12 months)
Audit performed by: Licensed CPA firms
Common adoption: SaaS, cloud services, B2B technology vendors
OVERVIEW

What is SOC 2?

SOC 2 (Service Organization Control 2) is an attestation report issued by a licensed CPA firm against the AICPA's Trust Services Criteria (TSC). It is the dominant security assurance report for SaaS vendors, cloud services, and B2B technology companies serving the U.S. market — and increasingly required by enterprise procurement teams globally, including in Qatar.

SOC 2 reports come in two types: Type 1 attests to the design of controls at a point in time; Type 2 attests to the operating effectiveness of controls over a defined period (typically 6-12 months). Type 2 is the report most enterprise buyers want to see. Reports are scoped to one or more of five Trust Services Criteria — Security (the mandatory baseline, also called Common Criteria or CC), Availability, Confidentiality, Processing Integrity, and Privacy.

Unlike ISO 27001, SOC 2 does not produce a certificate — it produces an attestation report (typically 50-150 pages) that buyers can review under NDA. This makes it more verbose but also more transparent, which is one reason it has become the de facto standard for B2B SaaS due-diligence.

APPLICABILITY

Who must comply with SOC 2?

  • SaaS vendors and cloud service providers serving U.S. enterprise customers
  • B2B technology companies whose customers require third-party assurance
  • Managed service providers and outsourced data processing operators
  • Qatar-based technology exporters selling to U.S. or international enterprise buyers
  • Fintech, healthtech, and proptech companies handling sensitive customer data
CONTROL DOMAINS

SOC 2 structure at a glance

The SOC 2 framework is organised into the following control areas. Vantage GRC pre-maps each one so evidence collected once contributes to your compliance picture across overlapping frameworks.

Common Criteria (Security) — mandatory baseline

Control environment (CC1)
Communication and information (CC2)
Risk assessment (CC3)
Monitoring activities (CC4)
Control activities (CC5)
Logical and physical access controls (CC6)
System operations (CC7)
Change management (CC8)
Risk mitigation (CC9)

Availability (A) — optional

System availability for operation and use as committed
Capacity planning and performance monitoring
Environmental protections and recovery

Confidentiality (C) — optional

Confidential information protection during transmission and storage
Confidential information disposal

Processing Integrity (PI) — optional

Complete, valid, accurate, timely, and authorised system processing
Input controls, processing controls, output controls

Privacy (P) — optional

Notice and communication
Choice and consent
Collection, use, retention, and disposal
Access, disclosure, quality, monitoring and enforcement
KEY REQUIREMENTS

What SOC 2 requires you to do

  1. Define system boundaries and the services in scope of the SOC 2 report.
  2. Select Trust Services Criteria scope — Security is mandatory; Availability, Confidentiality, Processing Integrity, and Privacy are optional but commonly requested by enterprise buyers.
  3. Implement controls against selected criteria with documented policies, procedures, and operating evidence.
  4. Engage a licensed CPA firm to perform the audit (Type 1 or Type 2).
  5. Address any exceptions or qualifications identified in the report.
  6. Maintain SOC 2 readiness on an ongoing basis — most buyers expect annual Type 2 reports.
HOW VANTAGE HELPS

Vantage's approach to SOC 2

Vantage GRC supports SOC 2 readiness as a complementary view to ISO 27001 — controls implemented for ISO 27001 satisfy a substantial portion of SOC 2 Common Criteria requirements. The platform tracks evidence collection, control operating effectiveness, and exceptions in a format that accelerates the CPA audit process. For Qatar SaaS and technology vendors selling internationally, Vantage halves the cost of maintaining parallel ISO 27001 + SOC 2 compliance.

FAQ

SOC 2 questions

What's the difference between SOC 2 Type 1 and Type 2?

Type 1 attests to the design of controls at a single point in time — useful for first-year reports or when launching a new service. Type 2 attests to the operating effectiveness of controls over a defined period (typically 6-12 months) and is what enterprise buyers usually want to see. Most organisations start with Type 1 in year 1 and move to Type 2 in year 2.

Does SOC 2 result in a certificate?

No. SOC 2 produces an attestation report (typically 50-150 pages) issued by a licensed CPA firm. There is no SOC 2 certificate or logo. Buyers review the report itself under NDA to assess the auditor's findings.

How does SOC 2 compare to ISO 27001?

ISO 27001 is a prescriptive control standard with a binary certified/not-certified outcome. SOC 2 is an attestation report against the AICPA's Trust Services Criteria, providing detailed narrative on control design and operating effectiveness. Many organisations pursue both — they share substantial control overlap, and one platform can drive evidence collection for both.

Ready to operationalise SOC 2 compliance?

Talk to a Vantage GRC consultant about your SOC 2 programme — pre-mapped controls, evidence management, and audit-ready dashboards. Doha-based.
