Term · 14. International Standards
SOC 2 (System and Organization Controls 2) (SOC 2)
Definition
AICPA auditing framework for service organizations that evaluates controls against five Trust Services Criteria: Security (the common criteria, always required), Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type 1 report attests to the design of controls at a point in time; a SOC 2 Type 2 report attests to their operating effectiveness over a review period (typically 6-12 months). It is the de facto baseline for SaaS vendor due diligence.
- Synonyms
  - AICPA SOC 2
  - Trust Services Criteria
- Discouraged variants
  - SOC1 (different scope: financial reporting controls)
- Application
  - Required by enterprise customers before procurement of SaaS. IDM/IAM impact: documented identity lifecycle (JML), provisioning workflows, access reviews, MFA enforcement, privileged account monitoring, and audit logs of all identity events. Auditors verify these controls through interviews, sampling, and walkthroughs.
- Sources
  - AICPA, SOC for Service Organizations (primary source)
Related terms
- CMMC (Cybersecurity Maturity Model Certification) (CMMC): US Department of Defense framework certifying cybersecurity practices of Defense Industrial Base (DIB) contractors handl …
- CSA CCoP (Cybersecurity Code of Practice for CII, Singapore) (CSA CCoP): Singapore Cyber Security Agency's mandatory Code of Practice for Critical Information Infrastructure (CII) operators acr …
- ENISA (European Union Agency for Cybersecurity) (ENISA): EU agency providing cybersecurity guidance, threat intelligence, and certification schemes across member states. Coordin …
- EU CRA (Cyber Resilience Act) (CRA): EU regulation (Regulation (EU) 2024/2847; in force 10 Dec 2024) imposing cybersecurity requirements on products with dig …
- FedRAMP (Federal Risk and Authorization Management Program) (FedRAMP): US government program standardising security assessment and authorization of cloud services used by federal agencies. Th …
- MAS TRM (Monetary Authority of Singapore, Technology Risk Management Guidelines) (MAS TRM): Singapore central bank's prescriptive guidelines (revised 2021) for technology risk management at financial institutions …