What is SOC 2, and Do You Actually Need it?

System and Organization Controls 2, or SOC 2, is an information security framework created by the American Institute of Certified Public Accountants (AICPA). SOC 2 audits can be costly and time-consuming. SOC 2 was developed around five “Trust Services” criteria: security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type I evaluates a company’s information security controls at a single point in time, while SOC 2 Type II evaluates a company’s information security controls over several months. For those who can afford it, SOC 2 certification is worth it, but the majority of Fortune 500 companies don’t require their vendors to be SOC 2 certified.


Post By Ken Shafton (2,364 Posts)