SOC 2 — Service Organisation Control 2
The security report enterprise customers demand
SOC 2 is the security audit report required by most US enterprise customers and increasingly by Australian and global organisations. Demonstrate your security, availability, and confidentiality controls with an independent attestation.
SOC 2 (Service Organisation Control 2) is an auditing framework developed by the American Institute of CPAs (AICPA). It evaluates a service organisation's controls relevant to security, availability, processing integrity, confidentiality, and privacy — known as the Trust Services Criteria (TSC). Unlike ISO 27001, SOC 2 produces an audit report rather than a certificate, and reports come in two types: Type I (point-in-time design assessment) and Type II (operational effectiveness over a period, typically 6–12 months).
SOC 2 Type II is widely considered the gold standard for SaaS companies and cloud service providers, particularly for customers in North America. As Australian and New Zealand companies expand globally and sell to US enterprise customers, SOC 2 has become a non-negotiable vendor requirement alongside — or sometimes instead of — ISO 27001.
Who Needs SOC 2?
SaaS companies selling to US enterprise, healthcare, or financial services customers
Cloud service providers and managed service providers handling customer data
Fintech, healthtech, and B2B SaaS companies with enterprise contracts
Organisations required by customer contracts to provide a SOC 2 report
Companies wanting to accelerate enterprise sales by removing security as a blocker
Businesses undergoing investor due diligence or M&A processes
What It Covers
Security (Common Criteria)
Mandatory for all SOC 2 reports. Covers logical access controls, system monitoring, change management, and risk mitigation.
Availability
Optional criterion. Evaluates whether systems are available for operation and use as committed — including uptime, incident response, and DR planning.
Processing Integrity
Optional criterion. Addresses whether system processing is complete, valid, accurate, timely, and authorised.
Confidentiality
Optional criterion. Evaluates controls protecting information designated as confidential throughout its lifecycle.
Privacy
Optional criterion. Covers the collection, use, retention, disclosure, and disposal of personal information per AICPA privacy principles.
Evidence Collection (Type II)
For Type II reports, controls must be demonstrated as operating effectively over the observation period (typically 6–12 months).
Benefits of SOC 2
Unblock enterprise sales cycles by eliminating security questionnaires and vendor assessments
Access US market and enterprise customers who require SOC 2 from all vendors
Demonstrate operational security maturity to investors and acquirers
Build a competitive moat — many competitors lack SOC 2 compliance
Reduce liability and contractual risk with a documented, audited security programme
How We Help You Achieve It
Readiness Assessment
We assess your current controls against the SOC 2 Trust Services Criteria and identify gaps.
Scope Definition
We help you define the right scope and criteria to match customer requirements without over-engineering.
Remediation
We implement and document required controls, policies, and evidence collection processes.
Type I Audit Support
We support your Type I audit to validate control design before the Type II observation period.
Type II Observation Period
We help you maintain controls and collect evidence throughout the 6–12 month observation period.
Type II Audit & Report
We coordinate with your auditor through the Type II audit and final report issuance.
Ready to Start Your SOC 2 Journey?
Begin with a free cybersecurity gap assessment to understand where you stand, then let our experts guide you through to your SOC 2 report.