High Table Logo - ISO 27001
HT Fav Icon

ISO27001:2022 FAQ

What is ISO 27001?
What is ISO 27001 Certification?
How much does ISO 27001 Cost?
What are ISO 27001 Policies?
What are ISO 27001 Documents?

Home / ISO 27001 Glossary of Terms / SOC 2

SOC 2

23/09/2025

Author: Stuart Barker | ISO 27001 Expert and Thought Leader

SOC 2 Definition - ISO 27001 Glossary

Service Organisation Control 2 (SOC 2)

Service Organisation Control 2 (SOC 2) report is an audit report used by service organisations to show how they protect customer data. A service organisation is a business that provides a service to another company. For example, a cloud hosting provider, a data centre, or a payroll company. The report proves that the service organisation has controls in place to protect the privacy and security of a client’s information. It is based on a set of criteria called the Trust Services Criteria (TSC). There are five of these criteria: SecurityAvailabilityProcessing IntegrityConfidentiality, and Privacy. The SOC 2 report is an important way for businesses to build trust with their clients.

Examples

Here are some examples of companies that would get a SOC 2 report:

  • A cloud service provider: A company like Amazon Web Services (AWS) or Microsoft Azure, which stores customer data on their servers, would need a SOC 2 report to show that they keep this data safe.
  • A payroll processing company: A company that handles employee salaries and personal information for other businesses would need a SOC 2 report to prove they protect that data.
  • A software-as-a-service (SaaS) company: If a company offers an online tool where clients store their data, they would get a SOC 2 report to show that the tool is secure.

Context

Imagine you are a small business owner. You want to use an online company to manage your employees’ payroll. This company will have access to sensitive information like names, addresses, and bank details. How can you be sure they will keep this information safe? This is where a SOC 2 report comes in.

You can ask the payroll company for their SOC 2 report. The report, written by an independent auditor, will tell you how the company handles and protects your data. It will explain their security measures and show that they follow the rules. This report gives you peace of mind that your data is in good hands. A SOC 2 report is a way for a company to show its customers that it is trustworthy and responsible with their data.

Stuart Barker, ISO 27001 expert

Stuart Barker
ISO 27001 Expert and Thought Leader

Book a Call
ISO 27001 Toolkit Business Edition
ISO 27001:2022 Jumpstart Kit
ISO 27001:2022 Toolkit: Business Edition
ISO 27001:2022 Toolkit: Consultant Edition
Stuart Barker, ISO 27001 expert

About the author

Stuart Barker is an information security practitioner of over 30 years. He holds an MSc in Software and Systems Security and an undergraduate degree in Software Engineering. He is an ISO 27001 expert and thought leader holding both ISO 27001 Lead Implementer and ISO 27001 Lead Auditor qualifications. In 2010 he started his first cyber security consulting business that he sold in 2018. He worked for over a decade for GE, leading a data governance team across Europe and since then has gone on to deliver hundreds of client engagements and audits.

He regularly mentors and trains professionals on information security and runs a successful ISO 27001 YouTube channel where he shows people how they can implement ISO 27001 themselves. He is passionate that knowledge should not be hoarded and brought to market the first of its kind online ISO 27001 store for all the tools and templates people need when they want to do it themselves.

In his personal life he is an active and a hobbyist kickboxer.

His specialisms are ISO 27001 and SOC 2 and his niche is start up and early stage business.