Protecting privacy and security is foundational for all organizations that process, store, or transmit customer data and personal information.

The System and Organization Controls for Service Organizations 2 (SOC 2) is the framework used to determine whether an organization’s practices are sufficient to safeguard that data.

What are the SOC 2 requirements?

To gain SOC 2 compliance, a company must prove its ability to protect customer data and process sensitive information. To that end, SOC 2 criteria include five Trust Services Criteria, as defined by the American Institute of Certified Public Accountants (AICPA): Security, availability, confidentiality, processing integrity, and privacy.

1. Security

The security element refers to an organization’s ability to protect against unauthorized access and its responsiveness to security breaches that may disclose sensitive information.

2. Availability

This category requires that information and services are available for operation and use to meet the entity’s objectives. 

3. Confidentiality

All confidential material and information should be sufficiently protected—this includes private customer data. 

4. Processing Integrity

An organization’s system processing should be accurate, timely, and authorized to meet all organizational objectives.

5. Privacy

Finally, all confidential information and personally identifiable material should be entirely secure, from the point of collection to when it is used, disclosed, and eventually disposed of.

While not every SOC 2 audit must consider all five Trust Services Principles, it provides an excellent basis for knowing what principles could be assessed for compliance. For example, a service provider that only deals with data storage may not necessarily need to include additional criteria such as processing integrity in a SOC 2 audit. However, security, availability, confidentiality, and privacy principles will apply to companies that utilize a data center.

What are the SOC 2 controls?

When preparing for a SOC 2 audit, developing your organization’s internal controls are foundational. Your internal controls will help protect information security and compliance risk management on the whole. 

To help ready your company for SOC 2 attestation, consult guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which lays out a framework for internal controls: Control environment, risk assessment, control activities, information and communication, and monitoring.

Control environment

Your control environment includes several aspects relating to your control system, from infrastructure to system operations and processes. Workplace culture and accountability play into this control—your company’s explicit segregation of duties will help provide a clear set of guidelines to ensure that each member of your management acts appropriately.

Risk assessment

Internal and external risk assessment is a significant part of establishing proper controls for your organization. Take advantage of risk management strategies and frameworks to assist your entity’s ability to identify, analyze, mitigate, and monitor any risks that could compromise your compliance and information security—for both your company and any business partners.

Control activities

Your organization’s internal policies and procedures to minimize risk are included in this category of internal controls. Ensure your control activities are embedded throughout each project lifecycle and manage risk in all functions of your company. 

Information and communication

Paramount to internal control success is ample access to information and communication within your organization. Senior management must record and verbalize expectations to all employees, and staff should be sharing information with upper management to help leaders create policy and risk management processes. 

Above all, a consistent and structured flow of information will help maintain compliance and swiftly identify any potential gaps in your system.


When your organization has its policies and risk management practices, ongoing monitoring will help complete the internal control system. Monitoring activities should include continuously assessing metrics, evaluating, and performing audits to keep an eye on compliance requirements. Changes can and should be made as gaps are identified, and upper management should have an agile process for adapting risk management practices and policies where needed.

What is a SOC 2 assessment?

When it comes time for your SOC 2 assessment, you’ll work with an independent Certified Public Accountant (CPA) or accounting firm and determine your audit scope. To establish the scope of your audit, you’ll decide which of the five Trust Service Categories apply to your organization and which SOC report you need—Type 1 or Type 2. 

Then, for each Trust Service Category that applies to your organization, the auditor will examine internal controls by collecting evidence such as organizational charts, asset inventories, and onboarding processes. If any issues come up, your organization will have the opportunity to fix any gaps in your system. Your overall audit cost will increase with any remediation, so it’s wise to prepare as much as possible before going through the official assessment.

Readying your company for a SOC 2 assessment will not only help your organization gain necessary compliance attestations, but it will also help with risk mitigation and overall ease of governance. SOC 2 protects both companies and individuals—your organization will be much stronger with regulatory compliance measures in place.