    SOC 2

    AICPA attestation report on a service organization's controls over Security, Availability, Processing Integrity, Confidentiality, and Privacy, the standard SaaS trust artifact.

    Reviewed by Christian Espinosa, Founder, Blue Goat Cyber. Last reviewed June 20, 2026.

    Definition

    SOC 2 (System and Organization Controls 2; the older expansion "Service Organization Control 2" is still in common use) is an attestation report issued by an independent CPA firm under the AICPA's SSAE 18 attestation standard. It evaluates a service organization's controls against one or more of the five Trust Services Criteria categories: Security (always in scope), Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type I report attests that controls are suitably designed at a point in time; a Type II report attests that they operated effectively over a review period (typically 6-12 months) and is the much stronger artifact. SOC 2 is the de facto baseline trust report in the U.S. for SaaS, cloud, and any service that processes data on a customer's behalf.

    What the regulation says

    SOC 2 is a private attestation under AICPA standards, not a regulatory requirement. HHS OCR doesn't certify or recognize SOC 2 for HIPAA compliance, though HHS guidance acknowledges SOC 2 reports as relevant evidence of "recognized security practices" (such as HICP, the HHS 405(d) Health Industry Cybersecurity Practices) under Public Law 116-321, the 2021 HITECH amendment that requires OCR to consider whether such practices were in place for the prior 12 months when determining fines and audit outcomes.

    What this means in practice

    For MedTech, SOC 2 is the most common procurement requirement for any vendor handling PHI on behalf of a covered entity: SaMD platforms, AI/ML inference services, RPM clouds, clinical trial data services. A SOC 2 Type II report typically substitutes for a long custom security questionnaire and is frequently requested alongside the Business Associate Agreement a hospital signs with the vendor. SOC 2 doesn't replace HIPAA compliance, but it is the standard way of demonstrating to customers that the required controls actually operate. When you receive a vendor's report, read more than the cover: confirm the system description covers the service you are buying, the review period is recent and of Type II length, the auditor's opinion is unqualified, and any listed exceptions and complementary user entity controls (the controls the report assumes you, the customer, will implement) are acceptable.

    Common pitfalls

    • Treating SOC 2 Type I as equivalent to Type II: Type I covers control design only and provides little operational assurance.
    • Scoping SOC 2 to a subset of the product to make the audit easier: customers will check the system description and scope statement and reject reports that exclude the systems they care about. Subservice organizations carved out of the report (for example, the cloud provider) are not covered by it, and customers will ask for their reports too.
    • Confusing SOC 2 with HIPAA: SOC 2 includes some HIPAA-relevant controls, but a SOC 2 report doesn't substitute for the Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A).
