Cybersecurity Glossary

What is SOC 2?

SOC 2 is an auditing framework developed by the AICPA that evaluates a service organization’s controls against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 reports are commonly requested by B2B customers as evidence that their vendor handles data responsibly.

How It Works

How SOC 2 works

Three-step view of how it operates in practice.

1. Scope & readiness

Define which services and systems are in scope. Run a readiness assessment to identify control gaps.

2. Remediate & document

Implement missing controls, document policies, and ensure evidence is collected consistently.

3. Audit

An independent CPA firm evaluates the controls. Type I is a point-in-time check; Type II observes controls operating over a 6-12 month period.

SOC 2 Variants

SOC 2 Type I vs Type II vs SOC 3

A clear breakdown of the common variants.

SOC 2 Type I

Controls designed and implemented at a specific date. Quicker to achieve; less rigorous.

SOC 2 Type II

Controls designed and operating effectively across an observation period (the 6-12 month window described in the audit step above). The most commonly requested report, because it shows the controls ran consistently rather than only existing on one day.

SOC 3

A general-use summary of a SOC 2 Type II report. It omits the detailed control descriptions and test results, so it can be published or shared without an NDA.

Trust Services Criteria

The five categories every variant is evaluated against: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is always in scope; the other four are included based on the service being audited.

Why It Matters

Why SOC 2 matters for SMBs


98% of B2B SaaS buyers require a SOC 2 report before signing contracts with new vendors (Source: Vanta State of Trust Report, 2024).
Pitfalls

Common SOC 2 mistakes

  • Starting with the audit, not readiness: skipping readiness means finding control gaps during the audit, which blows the timeline and budget.
  • Documentation without implementation: a policy on paper is not a control. A Type II auditor tests evidence that the control actually operated throughout the observation period.
  • Treating it as one-time: SOC 2 Type II is an annual cycle. Building control execution into daily operations beats an annual scramble.
  • Over-scoping: including every system and service in the initial scope makes the audit unwieldy. Start scoped, expand over time.
Common Questions

SOC 2 frequently asked questions

How long does SOC 2 take?

A typical first-year cycle: 2-3 months readiness, 6-month observation window, 1-2 months audit. Subsequent years are faster because controls are already running.

How much does SOC 2 cost?

Readiness assessment: $15K-$50K. Audit (Type II): $25K-$75K for SMB scope. Ongoing tooling and internal time are a multiple of that.

How does SOC 2 relate to HIPAA?

Different frameworks, different audiences. HIPAA is healthcare-specific and regulatory; SOC 2 is commercial and demanded by B2B customers. Many organizations need both.

How does SOC 2 compare to ISO 27001?

ISO 27001 is an international standard with broader scope. SOC 2 is an AICPA framework and is more common in the US. Most commercial buyers accept either.

Customers asking for a SOC 2 report?

Talk to a LogicalNet expert. We will review your current environment, recommend the controls you are missing, and help you deploy without disrupting the business.

No commitment · Local engineers · Response within 1 business day