SOC 2 Type 2
Attestation · $15K–$400K · 6–15 months
- Controls: Trust Services Criteria (security required; availability, confidentiality, processing integrity, privacy optional)
- Recertification: Annually (rolling observation windows)
- Oversight: Licensed CPA firm, engaged under AICPA attestation standards
- Common gaps: Access reviews, change management evidence, monitoring
- Related: SOC 2 Type 1, ISO 27001, HITRUST
- Public registry: AICPA (the reports themselves are not published; they are shared with customers under NDA)
What is SOC 2 Type 2?
SOC 2 Type 2 is an attestation report in which an independent CPA firm tests whether your security controls operated effectively across a defined observation window, commonly three to twelve months. This is what separates it from a Type 1 report, which only examines whether controls were suitably designed and in place at a single point in time. Type 2 is the report most enterprise buyers and procurement teams expect.
Is SOC 2 Type 2 a certification or an attestation?
It is an attestation, not a certification. There is no pass/fail certificate; the auditor issues an opinion (unqualified, qualified, adverse, or disclaimer) on how your controls performed over the period. Individual test exceptions are disclosed in the report even when the overall opinion is unqualified, so experienced reviewers read the exceptions and management responses, not just the opinion page.
Who needs SOC 2 Type 2?
Any software or service provider that stores or processes customer data and is asked for proof of security, especially B2B SaaS selling to mid-market and enterprise buyers.
What does it cost and how long does it take?
Type 2 commonly runs from roughly $15K at the boutique end to six figures for Big Four engagements. The observation window drives most of the elapsed time; readiness and remediation before the window opens, and fieldwork and report drafting after it closes, account for the rest.