SOC 2 is a report on an organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy, and on the effectiveness of those controls. The SOC 2 audit is the auditor's opinion on how well your organization's security controls meet the SOC 2 requirements.
SOC 2 is a compliance framework. To meet the SOC 2 requirements, an organization will have to implement a huge list of security controls (“rules for your organization”) and then collect evidence that they have been implemented.
- Controls are either operational, like having employees go through security awareness training and maintaining an org chart, or technical, like running vulnerability scans on your servers, encrypting your S3 buckets, backing up your database, etc.
An auditor takes a look at your implementation and evidence, asks you some questions about them, and hands you a SOC 2 report. Done!