SOC 2

I. Formal Definition

An attestation report issued by an independent certified public accountant, reporting on the design and, in a Type II report, the operating effectiveness of controls relevant to the trust services criteria of security, availability, processing integrity, confidentiality, and privacy over a defined observation period. SOC 2 is a baseline expectation for federation accreditation, not a ceiling. The federation distinguishes between a SOC 2 report and the controls it describes: the report is evidence; the controls are the substantive obligation.

II. Etymology

Issued under the AICPA Statement on Standards for Attestation Engagements No. 18, finalised in 2017; succeeded the original SAS 70 framework.

III. Federation Usage

Federation members must hold a current SOC 2 Type II report or an equivalent recognised attestation. Type I reports are accepted only during the first observation window of a new attestation programme, under TGS-002:1.7.

IV. Related Terms

• iso-27001
• control-evidence
• segregation-of-duties
• identity-posture

V. Authoritative Citations

• UFMS-001:2.4UFMS Article II - Attestation Floor
• TGS-002:1.7TGS Title II - Attestation Conduct

VI. Citation in BibTeX

@misc{ifo4_glossary_soc2,
  title        = {{SOC 2}},
  author       = {{IFO4 Federation Editorial Board}},
  howpublished = {{IFO4 Federation Glossary, slug \texttt{soc2}}},
  year         = {2026},
  url          = {https://ifo4.org/glossary/soc2},
  note         = {Category: SecOps; key: SOC2}
}

VII. Challenge This Definition

Federation members and accredited practitioners may challenge any entry under TGS-002:1.7. Filed challenges are routed to the editorial board, triaged into the revision register, and resolved in writing on the public docket. The slug remains stable through any revision.