SOC 2 User Guide 


SOC 2 User Guide  Download (813K; Free to Members Only)
Bookstore Purchase the E-book
Bookstore Purchase the Book

  Provide feedback on this document
Knowledge Center  Visit the Service Management Knowledge Center community

SOC 2 is a Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy. This guide is intended for those evaluating a service organization’s SOC 2 report as part of a governance, risk and compliance (GRC) program; vendor assessment; security evaluation; business continuity plan or other control evaluation. It may also be useful to those considering requesting a SOC 2 report from an existing vendor that does not currently provide a report or a new vendor as part of the due diligence or request for proposal (RFP) process. Specific users of this guide might include:

  • Management of the user entity
  • Those in procurement and contract negotiation
  • Those overseeing vendor management
  • Practitioners evaluating or reporting on controls at a user entity
  • Independent auditors of user entities
  • Regulators
  • Those performing services related to controls at the service organization, such as a service auditor reporting on controls at a user entity that is also a service provider to other user entities

AICPA and ISACA have jointly released this guide to provide user entities with the information they need when interpreting the SOC 2 reports received from service organizations. This guide also complements the companion white paper titled New Service Auditor Standard: A User Entity Perspective available at