SOC 2 is a standard developed by the American Institute of Certified Public Accountants (AICPA). It is designed to provide assurance about a company’s information security policies, particularly those governing the safeguarding of client data.
The assessment takes the form of an auditor’s attestation report, which provides detailed information about a company’s adherence to one or more of five trust service principles: security, availability, processing integrity, confidentiality, and privacy. In other words, you have to show, through documentation and demonstrations, that you are handling other people’s information in good faith.
There are two types of SOC 2 compliance: type 1 and type 2. The two types are complementary, and type 1 is often used as a stepping stone to type 2. A type 1 audit is a point-in-time assessment that demonstrates that privacy and security controls are in place and well designed. A type 2 audit is a longer-term process (usually six to twelve months) that demonstrates the operating effectiveness of those controls in a real-world environment.