System and Organization Controls 2 Type II (SOC 2).

The AICPA attestation framework on service-organization controls relevant to security, availability, processing integrity, confidentiality, and privacy, widely required by US enterprise procurement.

SOC 2.

What it is.

SOC 2 is one of three AICPA System and Organization Controls reports for service organizations. SOC 1 covers controls relevant to user entities' internal control over financial reporting (the successor to SAS 70 reporting). SOC 2 covers controls relevant to security, availability, processing integrity, confidentiality, and privacy, evaluated against the Trust Services Criteria published in TSP Section 100. SOC 3 is a general-use summary of a SOC 2 examination designed for public distribution; a SOC 2 report itself is a restricted-use report, normally shared with prospective customers under NDA. SOC 2 examinations are performed under the AICPA attestation standards, principally AT-C Section 105 (concepts common to all attestation engagements) and AT-C Section 205 (examination engagements).

The Trust Services Criteria comprise five categories: Security (the common criteria, always included), Availability, Processing Integrity, Confidentiality, and Privacy. The Security common criteria (CC1 through CC9) contain 33 criteria organized into nine sections (control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, system operations, change management, and risk mitigation). Each additional category adds its own criteria on top of the common criteria. Most enterprise procurement requirements specify Security alone or Security plus Availability and Confidentiality; Processing Integrity is typical for transaction-processing services; Privacy is included less often, and buyers that need privacy assurance frequently look to ISO/IEC 27701 certification or a HIPAA-specific assessment instead.

Type I and Type II differ in what is attested. A Type I report attests to the suitability of the design of controls as of a point in time. A Type II report attests to both design and operating effectiveness over an examination period, with the auditor sampling and testing control operation across that period. Type II is the procurement-standard report in US enterprise SaaS and managed-service contracts. A first Type II report typically follows an observation period of about six months (three to twelve months is common); subsequent reports are issued annually over consecutive twelve-month periods so that coverage has no gap. A bridge letter, issued by the service organization's management rather than the CPA firm, covers the interval between the last report's period end and the issuance of the next report, and states whether any material changes to the control environment have occurred in that interval.

Cross-border implication.

For a foreign-headquartered SaaS, cloud-hosting, managed-service, fintech-infrastructure, or IT-services firm entering the US enterprise market, SOC 2 Type II is the procurement-standard cybersecurity attestation. US enterprise buyers (Fortune 500, large mid-market, US healthcare, US financial services) routinely require a current SOC 2 Type II report before signing a master services agreement or order form. The report must cover the service actually being purchased, the examination period must be current (a report whose period ended more than twelve months earlier is generally not accepted, and any interval since the period end must be covered by a bridge letter), and the report must be issued by a licensed CPA firm in good standing with the AICPA.

The implementation lift for a foreign firm new to SOC 2 typically runs 9 to 18 months including readiness assessment, control implementation, six-month observation period, and Type II examination. A foreign firm with an established ISO 27001 program will find substantial overlap, but SOC 2 is a different attestation standard, performed by US-licensed CPAs, with different criteria structure. The two are commonly maintained in parallel: ISO 27001 for EU and ROW procurement, SOC 2 Type II for US enterprise procurement.

Where this shows up on the GMA work.

SOC 2 sits on the SaaS, cloud, and IT-services trajectory work in the Operators entering the US book, on the Answers hub for cybersecurity-attestation questions, and alongside the related entries for ISO 27001, HIPAA, and FedRAMP. The presentation work covers how the firm names its SOC 2 Type II coverage, its examination period, its issuing CPA firm, and its bridge-letter posture on US-facing surfaces. The examination work belongs with the firm's CPA firm and information-security function.

Scope note.

Global Marketing Agency does not provide SOC 2 readiness assessment, control implementation, examination, or CPA-firm attestation. Those activities belong to the firm's information-security function and a US-licensed CPA firm. GMA works on how the firm's SOC 2 posture is presented, sequenced, and read on US-facing surfaces.

If a US enterprise buyer is asking for a SOC 2 Type II report the firm does not yet hold.

Send the service in scope, the current control posture, and the target examination period. Response within one business day.

Start the conversation

Sources cited on this page: AICPA, SOC 2, AICPA Trust Services Criteria, AICPA SOC for Service Organizations, ISO/IEC 27001, FedRAMP, NIST Computer Security Resource Center.