SOC 2 (System and Organisation Controls 2) is an auditing standard developed by the American Institute of CPAs (AICPA) that evaluates service organisations against five Trust Services Criteria (TSC): Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. The Security criterion — also called the Common Criteria — is required in every SOC 2 report; organisations choose which additional criteria to include based on their services and client requirements.
A Type I report assesses whether controls are suitably designed at a point in time. A Type II report — significantly more valuable — assesses whether those controls operated effectively over an observation period (typically 6–12 months). Enterprise clients and US/EU buyers almost universally require Type II. Indian SaaS companies, managed service providers, and cloud operators increasingly need SOC 2 to win and retain international business.