Understanding SOC 2
SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy — known as the Trust Services Criteria (TSC).
Unlike ISO 27001, which is a certification, SOC 2 results in an attestation report issued by a licensed CPA firm.
SOC 2 Type I evaluates whether your controls are designed appropriately at a specific point in time. It is a snapshot assessment.
SOC 2 Type II evaluates whether your controls are operating effectively over a period of time (typically 6-12 months). It provides much stronger assurance.
Most enterprise clients require a Type II report. Organizations typically start with Type I and progress to Type II.
The five Trust Services Criteria are:
- Security (Common Criteria): Protection against unauthorized access — this is REQUIRED for all SOC 2 reports
- Availability: System is accessible for operation and use as committed
- Processing Integrity: System processing is complete, accurate, and timely
- Confidentiality: Information designated as confidential is protected
- Privacy: Personal information is collected, used, and retained in accordance with policies
Security is mandatory. The other four are selected based on your business needs and client requirements.
Cost & Timeline
SOC 2 costs vary by type and organization complexity:
- Type I (small org): $10,000 - $25,000
- Type I (mid-size): $25,000 - $50,000
- Type II (small org): $20,000 - $50,000
- Type II (mid-size): $50,000 - $100,000+
This includes readiness assessment, gap remediation, evidence collection, and CPA firm audit fees. Get a detailed estimate.
Timelines depend on the report type:
- Type I: 2-4 months from kickoff to report issuance
- Type II: 6-15 months (includes the observation period of 3-12 months)
Many organizations pursue Type I first (faster) while building the operational track record needed for Type II. Contact us for timeline guidance.
Process & Requirements
The SOC 2 audit process involves:
- Scoping: Define which Trust Services Criteria and which services are in scope
- Readiness Assessment: Gap analysis against selected criteria
- Remediation: Implement missing controls and fix gaps
- Evidence Collection: Gather documentation proving controls are in place
- CPA Audit: An independent CPA firm examines the controls and issues the report
- Report Delivery: The SOC 2 report is issued and can be shared with clients under NDA
SOC 2 audits can only be performed by licensed CPA (Certified Public Accountant) firms. Unlike ISO certifications, SOC 2 is an attestation engagement governed by AICPA standards. The CPA firm must be independent and follow the SSAE 18 attestation standard.
Avantcert helps you prepare for the audit and connects you with reputable CPA firms. We do not perform the audit ourselves, which preserves auditor independence. Get started with SOC 2 preparation.