What Is SOC 2 Compliance? A Plain-English Guide
What is SOC 2 compliance, how the Trust Services Criteria work, who needs a report, and how to map controls to evidence and stay audit-ready before an accredited auditor issues your attestation.
By the Scrutineer team
June 2026 · 11 min read
What is SOC 2 compliance, and why customers keep asking for it
What is SOC 2 compliance? In plain terms, SOC 2 is an independent report on how well a service organization protects the data it handles. It is built around the Trust Services Criteria defined by the AICPA, and it gives your customers documented assurance that you have real controls in place rather than good intentions. When a prospect's security team blocks a deal until you produce a SOC 2 report, this is what they are asking for: proof, examined by an outside party, that your security practices work the way you say they do.
SOC 2 is not a certification you hang on the wall. It is an attestation report issued by a licensed CPA firm after they examine your controls. Scrutineer helps you get ready for that examination by mapping your controls, collecting evidence, and flagging gaps, but the report itself is always issued by an accredited auditor. That distinction matters, and we will come back to it.
The Trust Services Criteria explained
SOC 2 is organized around five Trust Services Criteria categories. Security is mandatory and forms the common criteria baseline every SOC 2 report covers. The other four are optional, and you include them based on what you promise customers:
- Security (Common Criteria). Protection against unauthorized access, covering access control, change management, risk assessment and monitoring. Every SOC 2 report includes this.
- Availability. The system is available for operation and use as committed; relevant if you make uptime or SLA promises.
- Processing Integrity. Processing is complete, valid, accurate, timely and authorized; relevant for transaction or data-processing platforms.
- Confidentiality. Information designated as confidential is protected as committed.
- Privacy. Personal information is collected, used, retained and disposed of in line with your privacy notice.
Most companies start with Security only, then add criteria as their commitments grow. Choosing your scope deliberately keeps the audit focused and the evidence load manageable.
What goes into a SOC 2 report
A SOC 2 report is more than a pass or fail. It contains the auditor's opinion, a description of your system, the controls you have in place mapped to each criterion, and the tests the auditor performed along with their results. The heart of the work is the control-to-evidence mapping: for every control you claim, you need to show evidence that it exists and is suitably designed (a Type 1 report covers that as of a single point in time) and, for a Type 2 report, that it operated effectively throughout the review period, typically several months to a year.
This is where most teams underestimate the effort. A single control like "access is reviewed quarterly" needs a documented policy, a record of each review, and proof the reviews actually happened on schedule. Multiply that across dozens of controls and you see why readiness, not the audit week itself, is the real project.
Readiness is the work that matters
Scrutineer treats readiness as a living state rather than a one-time scramble. It maps your controls to the Trust Services Criteria, auto-collects evidence from your systems, and flags the controls where evidence is missing or stale before an auditor ever sees them. You walk into the examination knowing exactly where you stand. The platform supports your readiness; it does not replace the auditor's independent judgment or issue the attestation. To see how that continuous posture works, read about our approach to SOC 2 compliance.
Who needs SOC 2, and when
If you are a B2B software or services company that stores, processes or transmits customer data, you will eventually be asked for SOC 2. The trigger is usually a sales cycle: a mid-market or enterprise buyer's procurement and security teams require it before signing. The earlier you build the underlying controls, the less disruptive the report becomes, because the controls are simply how you already operate.
How to get started without boiling the ocean
The path to a SOC 2 report follows a consistent shape:
- Scope the criteria. Start with Security, add others only if you commit to them.
- Map controls to evidence. For each criterion, define the control and identify the evidence that proves it.
- Close the gaps. Where a control is missing or evidence is thin, fix it before the audit window opens.
- Run a readiness review. Confirm every control has current evidence and a clear owner.
- Engage an accredited auditor. A licensed CPA firm examines your controls and issues the report.
Continuous evidence collection turns that last step from a fire drill into a formality. When your controls produce evidence as a byproduct of normal operations, audit-ready becomes your default state rather than a quarterly emergency.
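As an added illustration of the control-to-evidence mapping and the readiness review described above (this is example code written for this article, not Scrutineer's product code or any auditor's tooling): a small Python script holds a handful of controls, each tagged with the Trust Services Criteria category it supports and an expected evidence cadence, plus a set of evidence records with collection dates. It then answers two separate questions per control, because they are what a Type 1 and a Type 2 examination respectively look at: is the newest evidence current as of today, and is there any stretch of the audit window longer than the cadence with no evidence at all. Control identifiers, cadences, dates and the evidence records are all constructed for the example.

```python
"""Control-to-evidence readiness check (constructed example, not vendor code).

Each control names the Trust Services Criteria category it supports and how
often it must produce evidence.  Two questions are answered per control:

  * status: is there evidence, and is the newest item within one cadence of
    the as-of date?  ("current" / "stale" / "missing")
  * gaps:   inside the audit window, is there any stretch longer than the
    cadence with no evidence?  A control can be "current" today and still
    have a hole in the middle of the period, which a Type 2 test would find.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control_id: str    # hypothetical identifier, e.g. "AC-01"
    criterion: str     # Trust Services Criteria category
    description: str
    cadence_days: int  # maximum days allowed between evidence items


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected_on: date
    source: str        # where the artifact came from (constructed names)


def evidence_status(control, evidence, as_of):
    """Point-in-time view: newest evidence for the control vs. its cadence."""
    dates = sorted(e.collected_on for e in evidence
                   if e.control_id == control.control_id)
    if not dates:
        return "missing"
    age = (as_of - dates[-1]).days
    return "current" if age <= control.cadence_days else "stale"


def coverage_gaps(control, evidence, window_start, window_end):
    """Period view: stretches of the window longer than the cadence with no
    evidence.  Evidence dated outside the window does not count; no evidence
    in the window at all is reported as one gap spanning the whole window."""
    in_window = sorted({e.collected_on for e in evidence
                        if e.control_id == control.control_id
                        and window_start <= e.collected_on <= window_end})
    if not in_window:
        return [(window_start, window_end)]
    points = [window_start] + in_window + [window_end]
    return [(a, b) for a, b in zip(points, points[1:])
            if (b - a).days > control.cadence_days]


def readiness_report(controls, evidence, as_of, window_start, window_end):
    return {
        c.control_id: {
            "criterion": c.criterion,
            "status": evidence_status(c, evidence, as_of),
            "gaps": coverage_gaps(c, evidence, window_start, window_end),
        }
        for c in controls
    }


def audit_ready(report):
    """Ready only when every control is current and has no coverage gap."""
    return all(r["status"] == "current" and not r["gaps"]
               for r in report.values())


# --- constructed sample data (not real controls or records) ------------------
CONTROLS = [
    Control("AC-01", "Security", "Quarterly user access review", 90),
    Control("CM-01", "Security", "Monthly review of production changes and approvals", 31),
    Control("AV-01", "Availability", "Monthly backup restore test", 31),
    Control("RA-01", "Security", "Annual risk assessment", 365),
]
EVIDENCE = [
    Evidence("AC-01", date(2024, 10, 5), "access-review-2024Q4.pdf"),  # before window
    Evidence("AC-01", date(2025, 1, 15), "access-review-2025Q1.pdf"),
    Evidence("AC-01", date(2025, 4, 10), "access-review-2025Q2.pdf"),
    Evidence("CM-01", date(2025, 1, 31), "change-report-2025-01.csv"),
    Evidence("CM-01", date(2025, 2, 28), "change-report-2025-02.csv"),
    Evidence("CM-01", date(2025, 3, 31), "change-report-2025-03.csv"),
    # April's change report was never produced: a coverage gap, not a stale control
    Evidence("CM-01", date(2025, 5, 30), "change-report-2025-05.csv"),
    Evidence("CM-01", date(2025, 6, 30), "change-report-2025-06.csv"),
    Evidence("AV-01", date(2025, 1, 20), "restore-test-2025-01.log"),
    Evidence("AV-01", date(2025, 2, 18), "restore-test-2025-02.log"),
    Evidence("AV-01", date(2025, 3, 19), "restore-test-2025-03.log"),
    # restore tests stopped in March; RA-01 has no evidence at all
]
WINDOW_START, WINDOW_END, AS_OF = date(2025, 1, 1), date(2025, 6, 30), date(2025, 7, 1)

if __name__ == "__main__":
    report = readiness_report(CONTROLS, EVIDENCE, AS_OF, WINDOW_START, WINDOW_END)
    for cid, r in report.items():
        gaps = ", ".join(f"{a} to {b}" for a, b in r["gaps"]) or "none"
        print(f"{cid:6} {r['criterion']:13} {r['status']:8} gaps: {gaps}")
    print("audit-ready:", audit_ready(report))
```

On the sample data, AC-01 is current with no gaps, CM-01 is current today yet shows a gap from 31 March to 30 May because April's report is missing, AV-01 is stale with a gap from 19 March to the end of the window, and RA-01 is missing entirely, so the report is not audit-ready. The two views are kept separate on purpose: a point-in-time check alone would have passed CM-01.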
Where this leaves you
SOC 2 compliance is, at its core, a disciplined answer to a simple question: can you prove your security controls work? Define your scope, map controls to evidence, close gaps early, and keep that evidence current so readiness never lapses. The accredited auditor still issues the attestation, but the better your readiness, the smoother that examination goes. To see how continuous evidence collection keeps you prepared, explore continuous compliance.
See Scrutineer scrutinize your posture
Connect your stack, and Scrutineer maps your controls to SOC 2, ISO 27001, HIPAA, GDPR and PCI, collects evidence automatically and returns a readiness report with per-control statuses, linked evidence and a prioritized gap list. AI scrutinizes, you decide.