IGA Glossary

SOC 2

SOC 2 (System and Organization Controls 2) is an auditing framework developed by the American Institute of CPAs (AICPA) that evaluates how organizations manage customer data. It focuses on five trust service criteria: security, availability, processing integrity, confidentiality, and privacy.

What is SOC 2?

SOC 2 is a set of criteria for how companies should handle and protect data. It was created by the AICPA and has become the de facto standard for demonstrating security practices, especially among SaaS companies and technology service providers.

Unlike a certification you either pass or fail, SOC 2 results in an audit report. An independent auditor examines your controls against the trust service criteria and writes a detailed report about what they found. That report is what you share with customers and prospects who want assurance that your security practices are sound.

SOC 2 originated in the United States, but it has become a global standard. European companies increasingly pursue SOC 2 alongside ISO 27001, especially when selling to US-based customers.

What are the five trust service criteria?

SOC 2 evaluates organizations against five categories. You do not have to address all five — only Security is mandatory. The others are optional and depend on your business.

Security (required). This is the foundation. It covers protection against unauthorized access, both physical and logical, including firewalls, access controls, multi-factor authentication, encryption, and monitoring. Every SOC 2 audit includes security.

Availability. How reliably your systems are up and running. This matters for SaaS companies that promise uptime SLAs.

Processing integrity. Whether your systems process data accurately and completely. Relevant for companies that handle financial transactions, calculations, or data transformations.

Confidentiality. How you protect confidential information such as trade secrets, business plans, and intellectual property.

Privacy. How you collect, use, retain, and dispose of personal information. This has some overlap with GDPR but is specifically framed around the AICPA's privacy criteria.

Type I vs. Type II: what is the difference?

Type I evaluates the design of your controls at a specific point in time. The auditor looks at your policies and systems on a given date and reports whether they are appropriately designed. Think of it as a snapshot.

Type II evaluates both the design and the operating effectiveness of your controls over a period of time, typically 6 to 12 months. The auditor does not just check that the controls exist — they verify that the controls actually worked during the observation period.

Type II is what most customers and prospects want to see. It proves that your controls are not just on paper but actually functioning. Most companies start with a Type I audit to establish a baseline and then move to Type II for ongoing compliance.

What does SOC 2 require for access management?

Access control is one of the most scrutinized areas in any SOC 2 audit. Auditors want to see that you have clear, working processes for managing who can access your systems and data.

They look at onboarding controls — how access is granted when someone joins the company or starts a new role, and whether access levels are appropriate for the person's job function. They look at offboarding controls — when someone leaves, how quickly their access was revoked. Auditors will look for evidence that terminated employees were deprovisioned promptly, ideally on their last day or within hours.

They expect regular access reviews, typically quarterly, with documentation showing that someone reviewed access lists and confirmed they were appropriate (or took action to remove unnecessary access). They look for least privilege — users should only have the minimum access necessary for their jobs. They expect MFA for accessing production systems and sensitive data (not having MFA is a finding in nearly every SOC 2 audit). And they need audit trails showing who accessed what and when.

How do access reviews work for SOC 2?

Access reviews are a recurring pain point for IT teams going through SOC 2. The concept is straightforward: periodically review who has access to your systems and verify that each person's access is still appropriate.

Done manually, this typically means pulling a list of users and their permissions from each system, sending that list to the appropriate manager or system owner for review, documenting the reviewer's confirmation, and keeping all of this documentation for the auditor. In practice, IT teams pull CSV exports, send spreadsheets via email, chase people for responses, and then try to compile everything into a coherent package before the audit.

This is exactly the kind of process that identity governance tools automate. Adcyma can run scheduled access reviews against your Entra ID tenant, route review tasks to the right people, track completions, and generate the audit-ready reports that your SOC 2 auditor needs to see.
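The controls the two sections above describe (prompt deprovisioning of leavers, periodic reviews with documented decisions, least privilege, MFA on production access) can be checked mechanically once you have an access export in hand. The script below is an added example, not Adcyma's code and not part of the original page: it takes a constructed CSV export with hypothetical users, roles and system names, flags the entries a reviewer should act on, and records each reviewer decision as an evidence row of the kind an auditor asks for.

```python
"""
Added example (not Adcyma's code): evaluate a constructed access export
against the access-management controls a SOC 2 auditor looks for:
  - offboarding: terminated users whose entitlements are still present
  - stale access: accounts with no sign-in for 90+ days
  - MFA: admin or production access without MFA enrolled
Each entitlement becomes a review item with a recommended action, and
record_decision() turns the reviewer's sign-off into an evidence row.
"""
import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample export: the sort of list you would pull from a
# system and join with HR status. All names and systems are made up.
ACCESS_EXPORT = """\
user,role,system,last_sign_in,mfa_enrolled,employment_status,termination_date
alice,Admin,prod-db,2024-05-28,yes,active,
bob,Reader,prod-db,2024-01-10,yes,active,
carol,Admin,prod-app,2024-05-30,no,active,
dave,Editor,crm,2024-05-29,yes,terminated,2024-05-15
erin,Reader,crm,2024-05-30,no,active,
"""

REVIEW_DATE = date(2024, 6, 1)          # constructed "as of" date for the review
STALE_AFTER = timedelta(days=90)        # hypothetical policy threshold
PRIVILEGED_ROLES = {"Admin"}            # hypothetical role names
PRODUCTION_SYSTEMS = {"prod-db", "prod-app"}


@dataclass
class ReviewItem:
    user: str
    role: str
    system: str
    findings: list = field(default_factory=list)

    @property
    def recommended_action(self) -> str:
        # Anything with a finding goes to the reviewer as a revoke candidate.
        return "revoke" if self.findings else "confirm"


def parse_export(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))


def evaluate(row: dict, as_of: date = REVIEW_DATE) -> ReviewItem:
    item = ReviewItem(row["user"], row["role"], row["system"])
    privileged = row["role"] in PRIVILEGED_ROLES or row["system"] in PRODUCTION_SYSTEMS

    # Offboarding control: a terminated person with any remaining access is a finding.
    if row["employment_status"] == "terminated":
        days = (as_of - date.fromisoformat(row["termination_date"])).days
        item.findings.append(f"terminated {days} days ago, access still present")

    # Least privilege / hygiene: access nobody has used in STALE_AFTER is suspect.
    idle = as_of - date.fromisoformat(row["last_sign_in"])
    if idle > STALE_AFTER:
        item.findings.append(f"no sign-in for {idle.days} days")

    # MFA control: privileged or production access must have MFA enrolled.
    if privileged and row["mfa_enrolled"].strip().lower() != "yes":
        item.findings.append("privileged/production access without MFA")
    return item


def run_review(text: str, as_of: date = REVIEW_DATE) -> list:
    return [evaluate(r, as_of) for r in parse_export(text)]


def summary(items: list) -> dict:
    return {
        "total": len(items),
        "confirm": sum(i.recommended_action == "confirm" for i in items),
        "revoke": sum(i.recommended_action == "revoke" for i in items),
    }


def record_decision(item: ReviewItem, reviewer: str, decision: str,
                    decided_on: date = REVIEW_DATE) -> dict:
    """One evidence row: who reviewed which entitlement, what they saw, what they decided."""
    if decision not in {"confirm", "revoke"}:
        raise ValueError("decision must be 'confirm' or 'revoke'")
    return {"user": item.user, "role": item.role, "system": item.system,
            "findings": list(item.findings), "reviewer": reviewer,
            "decision": decision, "decided_on": decided_on.isoformat()}


if __name__ == "__main__":
    items = run_review(ACCESS_EXPORT)
    for i in items:
        print(f"{i.user:6} {i.role:7} {i.system:9} {i.recommended_action:8} "
              f"{'; '.join(i.findings)}")
    print(summary(items))
    # Example sign-off by a hypothetical system owner, kept as audit evidence.
    print(record_decision(items[3], reviewer="crm-owner", decision="revoke"))
```

Running it prints one line per entitlement with the recommended action and the reasons, then a summary. The evidence rows from record_decision() are what you retain for the auditor: together they show that someone reviewed every entitlement on a given date and what was done about each finding.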

How long does a SOC 2 audit take?

The timeline depends on your starting point. A readiness assessment takes 4-8 weeks to identify gaps and get controls in place. A Type I audit takes 4-6 weeks for the auditor to evaluate control design. A Type II observation period runs 6-12 months of operating with controls in place, followed by 4-8 weeks of audit work.

From zero to a completed Type II report, you are looking at roughly 12-18 months. Having proper tooling for access management can speed up the process significantly, since access-related controls are a major portion of the audit scope.

SOC 2 vs. ISO 27001: do you need both?

SOC 2 and ISO 27001 overlap substantially, but they are different frameworks with different audiences.

SOC 2 is more common in North America and among SaaS companies. It results in an audit report that details your specific controls. ISO 27001 is an international standard that results in a certification. It is more common in Europe and covers a broader scope of information security management.

Many companies, especially those selling globally, pursue both. The good news is that the underlying controls are largely the same. If you have strong access management, MFA, logging, and regular reviews in place, you are covering a significant portion of both frameworks. The work you do for one makes the other easier.


Put these concepts into practice

Adcyma makes identity governance simple for companies using Microsoft Entra ID. See how these terms translate into actual features.