SOC 2

SOC 2 (System and Organization Controls 2) is an attestation framework developed in the United States by the AICPA and widely used internationally for evaluating the security, availability, and trustworthiness of the services a service organization provides to its customers. A SOC 2 report is essential for companies that process sensitive customer data and need to demonstrate to customers and partners that their controls are well designed and actually operate.

We’ll guide you through the entire SOC 2 preparation process – from identifying what’s needed, to creating the required documentation, and supporting you during the audit.

What is SOC 2?

SOC 2 is a security framework developed by the American Institute of CPAs (AICPA). It evaluates an organization’s controls against five categories known as the Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy:

  • Security – protection against unauthorized access
  • Availability – the system is available for operation as agreed
  • Processing integrity – system processing is complete, accurate, and authorized
  • Confidentiality – information designated as confidential is protected
  • Privacy – personal data is collected, used, and stored in line with the organization’s commitments 

For SOC 2, you select which of the Trust Services Criteria apply to your business. Security (also called the Common Criteria) is mandatory in every SOC 2 report; the other four are added based on the commitments you make to customers. The most common combination is Security – Availability – Confidentiality.

Unlike ISO/IEC 27001, SOC 2 is not a certification but an audit-based attestation of your organization’s security practices. The result is a formal SOC 2 report, issued by an independent auditor (a licensed CPA firm), containing the auditor’s opinion on whether your controls meet the selected criteria. SOC 2 reports come in two types:

  • SOC 2 Type I: Assesses whether the controls are suitably designed at a specific point in time
  • SOC 2 Type II: Assesses whether those controls operated effectively over a review period (commonly 6–12 months)

The type of SOC 2 affects audit planning and evidence gathering (a Type II requires records showing that the controls operated throughout the review period, not just that they exist), not the policy documentation itself.

How can we help?

We start by identifying which Trust Services Criteria are relevant for your company and mapping your information assets and processes. Based on your industry, services, goals, and current projects, we assess the risks and weaknesses in your current setup.

Through interviews with key staff, we determine what’s already in place, where there are gaps, and what needs to be added or updated.

We’ll then prepare or tailor the documentation needed to meet the SOC 2 criteria. This includes the risk analysis, business continuity planning, and access control recommendations.

The outcome of our collaboration is a clearly organized set of materials for both the auditor and your internal security management. The documentation is tailored to the selected criteria and to the way your company actually operates.

What we focus on

Practical implementation

We help you build processes that work in your day-to-day operations and align with your existing security setup.

Tangible value

We focus on delivering real benefits from your SOC 2 investment – increased customer trust, better control over operations, and sustainable service development.

Broader context

We understand related frameworks such as ISO/IEC 27001, the new Cybersecurity Act (the national transposition of NIS2), DORA, and TISAX. We know where they overlap with SOC 2 and help you avoid duplicating work.

Contact us and get your umbrella against cyber threats!

We will help you create the foundations, principles, and documentation for effective security. We will teach you how to understand and rely on your security when incidents occur, so that it works preventively and does not limit your operations.

Latest articles

What are regulated services and why does it matter? Identifying them is key to determining whether you will be affected by the new cyber law and under what regime.
SOC 2 or ISO 27001? Both frameworks address information security, but each in a slightly different way. In this article, we explain the differences, advantages, and limitations – and when each investment really pays off.
What is self-identification? In short, it means that every company must determine on its own whether the new Cybersecurity Act applies to it. If it does, the company is required to notify the state. But how exactly do you go about the self-identification process?

Newsletter

Do you want to ensure your company is protected from cyber threats while also complying with applicable legislation? Sign up for our newsletter and receive practical advice from our legal consultants.

By clicking Subscribe, you consent to the processing of your personal data for marketing purposes.