What is SOC 2, actually?
SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of CPAs (AICPA). It evaluates how a service organization manages customer data based on five categories called Trust Services Criteria. A licensed CPA firm performs the audit and issues a report that your customers use to evaluate your security posture.
SOC 2 is not a certification you earn once and keep forever. It is an audit report that covers a specific period, and it needs to be renewed regularly. There are two types:
Evaluates the design of your controls at a single point in time. It answers the question: do you have the right controls in place? This is faster to achieve (typically 1-3 months of preparation) and is often the starting point for companies pursuing SOC 2 for the first time.
Evaluates the design and operating effectiveness of your controls over a period of time (usually 6-12 months). It answers the question: do your controls actually work consistently? This is what most enterprise customers ultimately want to see.
Most companies start with Type I to prove they have controls in place, then move to Type II for the next audit cycle. Some companies skip Type I entirely and go straight to Type II if they already have strong controls and can demonstrate consistent operation over the audit period.
The report itself is not public. You share it selectively with customers and prospects under NDA. This is different from ISO 27001, where the certificate itself is public but the detailed audit findings are not.