Service Organisation Control (SOC 2) is a framework that is used to help organisations maintain information security and assure clients of their ability to protect sensitive data, particularly those operating or looking to operate in the US market. It is published by the American Institute of Certified Public Accountants (AICPA), and involves a CPA auditing against a selection of up to 5 trust services criteria (TSC) and subsequently producing a report on your information security processes and controls. This report is not intended to be public facing, and can only be shared with specific interested parties, such clients, prospective clients, and auditors, in order to demonstrate to these parties that your organisation handles information securely.
It is important to note that SOC 2 is an attestation, not a certification, and there is no concept of a SOC 2 ‘pass’ or ‘fail’. The output of a SOC 2 audit is the report described above, which you will receive regardless of your organisation’s level of compliance with the framework’s requirements. The CPA firm performing the audit will, however, provide an opinion on your alignment with the selected TSC. If the auditor does not identify any significant issues, you will receive an ‘unqualified’ report. However, if there are significant issues and findings raised during the audit, you may receive a ‘qualified’ report.
From beginning to end URM made achieving PCI compliance incredibly easy & worked with us to educate us on the requirements. They were always available for a call whenever we needed to discuss queries along the way & were always flexible to our internal deadlines. We would highly recommend URM from a consultancy & auditing perspective.
Prize competition business
All you need to meet SOC 2 requirements
If your organisation has received a request for a SOC 2 report and is looking to meet all the necessary requirements, URM can offer you informed guidance and practical support.
Find out more
related BLog
Preparing for a Successful SOC 2 Audit
Published on
17 Oct
2025
URM’s blog offers key advice on what to expect from your SOC 2 audit in practice, the types of evidence you will need to provide, how best to prepare, and more.
Read more
Information Security
Published on
29/8/2025
SOC 2 ExplainedURM’s blog answers key questions about SOC 2, including what it is & who it applies to, why it is beneficial, how SOC 2 reports are structured & more.
Read more
"
Our URM consultant was most helpful. Very constructive with her thoughts. She completely understood the technology we are using to monitor the ISMS, which allowed her to fully appreciate the documentation.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.