Attestation vs certification: why SOC 2 is not a certificate
SOC 2 is an AICPA attestation engagement that produces a CPA's professional opinion on your controls — not a pass/fail certificate. Understanding the distinction tells you what you can legitimately claim and why 'SOC 2 certified' is a misnomer.
Attestation, not certification
SOC 2 is governed by the AICPA's attestation standards under SSAE 18 — specifically AT-C section 105 (concepts common to all attestation engagements) and AT-C section 205 (examination engagements). In an attestation, an independent CPA examines a subject matter against criteria and expresses an opinion; it is fundamentally an assurance exercise, not a conformity-assessment scheme. There is no governing body that 'awards' a SOC 2, no registry of certified entities, and no certificate document at the end. What you receive is a report containing the service auditor's opinion on whether your controls were suitably designed and, for a Type 2, operating effectively over a period. That makes 'SOC 2 attestation' or 'SOC 2 report' the accurate phrasing, and 'SOC 2 certificate' a category error.
What the CPA's opinion actually says
The heart of a SOC 2 report is the independent CPA firm's opinion, expressed in defined forms much like a financial-statement audit opinion. An unqualified (often called 'clean') opinion states that controls were suitably designed and, for a Type 2, operated effectively throughout the period, with no material issues. A qualified opinion flags one or more specific exceptions — controls that fell short — while concluding the rest of the system was fine. Less commonly, an adverse opinion or a disclaimer can be issued when problems are pervasive or evidence is insufficient. Crucially, an opinion is a professional judgment about controls relative to the Trust Services Criteria, not a binary score, which is why reading the opinion paragraph and any noted exceptions matters more than the existence of the report itself.
Why 'SOC 2 certified' is the wrong claim
Marketing copy routinely says 'SOC 2 certified,' but no such status exists, and using it can mislead customers and auditors alike. Because SOC 2 is principles-based and produces an opinion rather than a credential, there is nothing to be certified against in a pass/fail sense and no body issuing certificates. The defensible claims are factual and specific: that you 'completed a SOC 2 Type 2 examination,' 'received a SOC 2 report,' or 'maintain SOC 2 compliance,' ideally naming the report type and period. The AICPA's logo guidelines reinforce this: organizations that have undergone an examination may use the SOC logo, but they are expected to describe accurately what was done. Sloppy 'certified' language is common enough that sophisticated buyers read it as a signal the vendor doesn't fully understand the framework.
Only a licensed CPA firm can perform it
Because SOC 2 is an attestation under AICPA standards, the examination must be performed by an independent, licensed CPA firm — not a generic security consultancy, a penetration-testing shop, or a compliance-automation vendor. The CPA firm is bound by professional standards covering independence, evidence, and documentation, which is part of what gives a SOC 2 report its weight with third parties. Compliance platforms can collect evidence, monitor controls, and prepare you for the engagement, but they cannot sign the opinion; the audit firm is a separate, independent party. This is a meaningful structural difference from some certification regimes, and it's worth verifying that whoever signs your report is in fact a licensed CPA firm in good standing.
How this differs from ISO 27001 certification
ISO/IEC 27001 is a genuine certification: an accredited certification body audits your information security management system against a defined standard and, if you conform, issues a certificate valid for a three-year cycle with periodic surveillance audits. That is conformity assessment with a binary outcome — certified or not — overseen by accreditation bodies. SOC 2 has no equivalent: no accreditation chain, no fixed certificate, and an opinion rather than a pass/fail result. The two also differ in artifact and audience — ISO produces a short, shareable certificate while SOC 2 produces a detailed, usually NDA-restricted report. This distinction is why teams sometimes pursue both: ISO 27001 gives a clean, portable badge for global markets, while SOC 2 gives the detailed control assurance North American enterprise buyers expect.