SOC 2 (Service Organisation Control 2)
SOC 2 (Service Organisation Control 2) is a security and operational-controls audit framework developed by the AICPA (American Institute of Certified Public Accountants), widely used to assess cloud-service vendors and SaaS platforms. SOC 2 reports document a service organisation's controls against five Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy. For DACH organisations selecting SaaS ERP or cloud-based integration platforms, the vendor's SOC 2 attestation is a standard evaluation input alongside ISO 27001 certification.
The five Trust Services Criteria
- Security (always included) — protection against unauthorised access, both physical and logical. Foundational to all SOC 2 reports
- Availability — system availability for operation and use as committed
- Processing integrity — complete, accurate, timely and authorised processing
- Confidentiality — information designated as confidential is protected
- Privacy — personal information collected, used, retained, disclosed and disposed of in accordance with commitments
Most SOC 2 reports cover Security plus selected additional criteria based on the service's scope. Pure infrastructure services (cloud hosting) typically include Security and Availability. SaaS ERP typically includes Security, Availability, Processing Integrity and Confidentiality. Privacy is rarer due to overlap with GDPR and similar privacy frameworks.
Type I versus Type II
SOC 2 Type I assesses whether the service organisation has implemented the controls described in its system description at a point in time. It is useful as an initial baseline and quicker to obtain (typically 3-6 months).

SOC 2 Type II assesses whether those controls operated effectively over a specified period (typically 6-12 months). It is much stronger evidence of mature operations and is required for serious vendor evaluation: Type II reports include the auditor's tests of operating effectiveness, with sample sizes and results.

For SaaS ERP selection, insist on Type II reports; a Type I report alone signals immature controls or early-stage operations. Major SaaS ERP vendors (SAP, Microsoft, Oracle, NetSuite, Workday, Salesforce, ServiceNow) all maintain SOC 2 Type II reports updated annually.
SOC 2 versus ISO 27001
Both frameworks assess information-security controls but differ in approach. ISO 27001 (a global standard, especially strong in Europe) certifies an Information Security Management System (ISMS) with a defined set of controls (Annex A) applied in the certified organisation's context; the certificate is issued by an accredited certification body. SOC 2 (US-led, increasingly global) is an attestation by an independent CPA firm against the AICPA framework, delivered as a detailed report describing the controls and their operating effectiveness. The audiences differ: ISO 27001 is widely recognised by European corporates, SOC 2 by US and technology corporates. Major SaaS ERP vendors hold both and present them as complementary evidence. For DACH selection, both should be requested and reviewed.
Practical use in vendor evaluation
Three patterns for working with SOC 2 reports during vendor selection:
1. Request the latest Type II report from the vendor under NDA. Most vendors provide it readily; reluctance is itself a signal.
2. Focus on the auditor's qualifications and exceptions. Clean reports with no exceptions in 12 months indicate mature controls; reports with multiple exceptions need careful analysis — what were the exceptions, were they remediated, are residual risks acceptable.
3. Map controls to your specific concerns. The Trust Services Criteria cover broad areas; your contractual requirements may drill into specific controls (encryption at rest, incident notification timelines, sub-processor management). Verify these are explicitly addressed in the report.
Working with internal information-security teams or external assurance consultants improves the review quality.
Frequently Asked Questions
Is SOC 2 enough for GDPR compliance assurance?
No. SOC 2 is a security and controls framework; GDPR is a privacy regulation. SOC 2 with the Privacy criterion overlaps with GDPR but does not substitute for the GDPR-specific evidence (Data Processing Agreement, sub-processor list, transfer-mechanism documentation, audit rights). Both should be reviewed for cloud-ERP vendor selection in DACH.
How often does SOC 2 need to be renewed?
Annually. Each Type II report covers a specific 6-12 month observation period. Vendors maintain continuous attestation by overlapping report periods, so there should always be a current report available. A gap in the report sequence is a red flag.
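The continuity check described above can be automated when reviewing a vendor's report history. The following is an added example, not part of the original article or of any vendor's tooling: it takes the observation periods of successive Type II reports (the dates below are constructed, not from any real vendor) and reports both gaps between periods and whether the latest period is recent enough to count as current. The 365-day currency window is an assumption chosen to match the annual renewal cadence.

```python
from datetime import date, timedelta

# Constructed sample: observation periods of successive SOC 2 Type II reports.
# These dates are invented for illustration; the third period starts three
# months after the second one ended, which is the "gap in the report sequence"
# the article calls a red flag.
SAMPLE_PERIODS = [
    (date(2021, 10, 1), date(2022, 9, 30)),
    (date(2022, 10, 1), date(2023, 9, 30)),
    (date(2024, 1, 1), date(2024, 12, 31)),
]


def find_gaps(periods):
    """Return (gap_start, gap_end) pairs for every stretch of days that no
    observation period covers. Overlapping or back-to-back periods are fine;
    only a day with no report covering it counts as a gap."""
    ordered = sorted(periods)
    gaps = []
    covered_until = ordered[0][1]
    for start, end in ordered[1:]:
        if start > covered_until + timedelta(days=1):
            gaps.append((covered_until + timedelta(days=1), start - timedelta(days=1)))
        covered_until = max(covered_until, end)
    return gaps


def is_current(periods, as_of, max_age_days=365):
    """True if the most recent observation period ended within max_age_days
    of the review date. The window is an assumption: reports are renewed
    annually, so a period that ended more than a year ago has no successor."""
    latest_end = max(end for _, end in periods)
    return (as_of - latest_end).days <= max_age_days


def assess(periods, as_of, max_age_days=365):
    """Summarise the report sequence for a vendor review."""
    gaps = find_gaps(periods)
    current = is_current(periods, as_of, max_age_days)
    return {
        "gaps": gaps,
        "current": current,
        "red_flag": bool(gaps) or not current,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_PERIODS, as_of=date(2025, 6, 30))
    for gap_start, gap_end in result["gaps"]:
        print(f"uncovered: {gap_start} to {gap_end}")
    print("current report available:", result["current"])
    print("red flag:", result["red_flag"])
```

In a real review the periods are taken from the "period covered" statement in each report; the check flags both uncovered stretches between reports and a sequence whose latest report is too old to be considered current.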
Should mid-market SaaS vendors without SOC 2 be excluded?
For ERP that handles financial or personal data, SOC 2 should be a baseline. Small or new vendors without SOC 2 can sometimes be acceptable for non-critical applications, but the absence raises material risk for ERP-scope deployments. Many small DACH SaaS vendors have ISO 27001 instead of SOC 2 — ISO 27001 is a credible equivalent for regional vendors.
