If you’ve ever been asked, “Do you have a SOC 2?” you’ve seen how vendor trust works today. Buyers don’t just want promises—they want proof that a service provider can protect data and operate responsibly.
This independent examination helps provide that proof.
What is SOC 2?
SOC 2 (System and Organization Controls 2) is an independent examination performed under AICPA standards that results in a report on a service organization’s controls related to one or more Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
AICPA SOC 2 overview
Trust Services Criteria reference
Two important clarifications:
- SOC 2 is not a “badge” that guarantees you’ll never have an incident. It’s an independent evaluation of controls within a defined scope.
- SOC 2 is not the same as a certification. The outcome is a SOC 2 report with the auditor’s opinion and (for Type 2) detailed testing results.
Why SOC 2 matters
It matters because it reduces uncertainty—for you and for the people who trust you with their data.
This framework can help you:
- Shorten security reviews and vendor due diligence
- Demonstrate security and operational discipline
- Build credibility with customers, partners, and regulators
- Identify gaps early—before they turn into incidents or lost deals
If you’re looking at SOC 2 through an investment or acquisition lens, vendor posture and operational maturity matter even more.
Type 1 vs. Type 2
There are two types of reports:
Type 1: “Designed correctly?”
Evaluates whether controls are suitably designed as of a point in time.
Type 2: “Working consistently?”
Evaluates how controls operated over a period of time (operating effectiveness), including the auditor’s tests and results.
In real-world vendor decisions, Type 2 carries more weight because it demonstrates consistency—not just policy.
How to read a SOC 2 report quickly (without drowning in it)
The report is tailored to the organization and its scope. When you’re reviewing one, focus on:
- The audit period and report date: for Type 2, check the period covered and how recent it is.
- Which Trust Services Criteria are included: Security is the foundation; other categories are included based on the service and its risk.
- Scope and system description: what’s included, what’s excluded, and which systems and locations are in play.
- Exceptions and management responses: look for deviations and control failures, and for how the organization addressed them.
- Subservice organizations: understand what’s outsourced and how it’s covered (inclusive vs. carve-out method).
- Complementary User Entity Controls (CUECs): controls that you, the customer, must implement on your side for the vendor’s controls to be fully effective.
What the Trust Services Criteria mean
SOC 2 reporting is built around five categories:
Security
Protection against unauthorized access and misuse.
Availability
Systems are available as committed (think SLAs, resilience, and recovery).
Processing Integrity
Systems process data accurately, completely, and on time.
Confidentiality
Sensitive information is protected as agreed/required.
Privacy
Personal information is collected, used, retained, and disclosed appropriately.
If you want the official criteria reference, find it here: AICPA Trust Services Criteria.
Security: a practical checklist
Security is the foundation of SOC 2 and shows up across every report. A practical way to think about “security controls” is:
1) Access controls (logical + physical)
Limit access to authorized people only. Strong authentication, least privilege, controlled admin access.
2) Change management
A controlled process for system changes: approvals, testing, rollback plans, separation of duties when appropriate.
3) System operations
Monitoring and alerting, incident response, vulnerability management, backup validation.
4) Risk management
A repeatable approach to identifying, prioritizing, and reducing risk—plus vendor risk and business continuity planning.
SOC 2 doesn’t prescribe one exact toolset. It sets expectations. Organizations choose controls that fit their environment and risk profile.
If you’re not sure where to start, a risk-based plan makes SOC 2 (and security generally) far more manageable.
Other criteria you might include (beyond Security)
Security is the baseline, but many organizations include additional criteria depending on the service and buyer expectations:
Availability
Demonstrate uptime commitments, capacity planning, monitoring, and recovery.
Processing Integrity
Common for transaction-heavy environments (financial, ecommerce, processing workflows).
Confidentiality
Show how sensitive information is restricted and protected in storage, transit, and access (especially for regulated or contractual requirements).
Privacy
Explain how personal information is collected, used, retained, and disclosed in practice—and how those practices align with your published policies.
Who can perform a SOC 2 examination?
SOC examinations are performed by independent CPA firms. Teams may include IT/security specialists to support testing, but the CPA firm is responsible for the engagement and the final report.
A note on SOC logo usage
Be careful with marketing language here. SOC 2 results in a report—not a “certification”—and SOC logo usage is governed by AICPA guidelines and registration requirements.
Where MSG fits
At Managed Services Group, we treat SOC 2 the way it’s meant to be treated: operational discipline that protects clients and reduces business risk. As a SOC 2 Type 2 audited MSP/MSSP, we build and run our services around the controls customers expect—identity security, monitoring, change control, backup integrity, and documented processes that hold up under scrutiny.
If you’re pursuing SOC 2, preparing for a customer security review, or evaluating an IT partner, we can help you cut through the noise and focus on what matters.
MSG IT Security services
MSG IT Due Diligence (for acquisitions/investments)
Contact us
Contact us today to discuss SOC 2 readiness, vendor due diligence, or building a security program that stands up to real scrutiny.
