SOC 2 Readiness & Gap Assessment → CPA Attestation (Type 1 & Type 2)

First things first: there is no SOC 2 “certificate.” SOC 2 is an independent attestation report performed by a licensed CPA firm against the AICPA Trust Services Criteria (TSC). Your team operates controls and collects evidence; an independent CPA tests that evidence and issues the report.

Type 1 vs Type 2 — what’s the difference?

  • Type 1: Point-in-time assessment of design—are controls suitably designed on the as-of date?
  • Type 2: Period assessment of design and operating effectiveness—did the controls run as intended over 6–12 months?

Type 2 offers stronger assurance for customers because it proves controls operated over time. Many organisations start with Type 1 to confirm design, then move into a Type 2 examination window.

The path to SOC 2: Readiness → Remediation → Attestation

  1. Define scope & system description — services in scope, boundaries, components, subservice organisations (carve-out vs inclusive), and complementary user entity controls (CUECs).
  2. Select TSC — Security (mandatory) plus Availability, Confidentiality, Processing Integrity, and/or Privacy as needed.
  3. Readiness & gap assessment — review policies/procedures, control design, and evidence readiness; log and risk-rate gaps.
  4. Remediation sprint — owners, due dates, acceptance criteria; implement or tighten controls; produce proof (tickets, change logs, access reviews, monitoring).
  5. Evidence collection & monitoring — centralise artifacts; ensure logging, alerting, and review cadences are working and retained for sampling.
  6. Pre-audit dry-run — sample tests, population checks, exception handling, and narrative refinement.
  7. CPA attestation — engage a licensed, independent CPA firm for Type 1 or Type 2 and respond to PBC (Prepared-By-Client) requests.
  8. Maintain compliance — quarterly access/change reviews, incident exercises, vendor monitoring, vulnerability management, and bridge letters between periods.

Trust Services Criteria (TSC)

  • Security — protection against unauthorised access.
  • Availability — system uptime/capacity and recovery.
  • Processing Integrity — complete, valid, accurate, timely processing.
  • Confidentiality — protection of classified/proprietary information.
  • Privacy — protection of personal information (PII) across collection, use, retention, disclosure, and disposal.

Mapping to ISO/IEC 27001 (how they align)

If you already run an ISO 27001 ISMS, you’ll accelerate SOC 2—governance and risk foundations are reusable.

  • Governance & risk: SOC 2 CC1.x ↔ ISO 27001 Clauses 4–10, Annex A.5 (policies, roles, risk, objectives).
  • Access control: SOC 2 CC6.x ↔ ISO Annex A.5.15–A.5.19 (identity lifecycle, MFA, privileged access, reviews).
  • Operations & change: SOC 2 CC8.x ↔ ISO Annex A.5.23–A.5.28 (change, capacity, logging & monitoring).
  • Supplier management: SOC 2 CC9.x ↔ ISO Annex A.5.20–A.5.21 (due diligence, contractual controls, oversight).
  • Protection: SOC 2 CC7.x ↔ ISO Annex A.5.7–A.5.14 (malware, vulnerability mgmt, backups, network security).
  • Privacy: SOC 2 Privacy ↔ ISO/IEC 27701 add-on (roles, notices, DPIAs, rights, retention).

How Compliance365 gets you ready

  • Scoping workshop & system description (boundaries, subservices, shared controls, CUECs).
  • Control-by-control gap review against selected TSCs with an ISO 27001 mapping lens.
  • Prioritised remediation plan with owners, evidence lists, and acceptance criteria.
  • Evidence kit — templates for policies, access reviews, change tickets, incident runbooks, logs, backups, vuln scans, vendor due diligence, training.
  • Pre-audit readiness check (mock requests and sample pulls to de-risk the CPA fieldwork).
  • CPA hand-off support — introductions to independent CPA firms (we don’t attest; only licensed CPAs issue SOC 2 reports).

Summary

SOC 2 is an independent CPA attestation, not a certificate. The fastest route is to run a focused readiness and remediation program, then move into a Type 1 or Type 2 attestation window with evidence prepared and sampling risks under control. If you’re ISO 27001-aligned, you’re already part-way there.

Need help scoping or getting your evidence audit-ready? We can prepare you end-to-end so your CPA engagement runs smoothly.

Note: This article reflects guidance as at November 2023. Always confirm requirements with your chosen CPA firm.