SOC 2 Glossary
Plain-language definitions for the SOC 2 and compliance vocabulary you will encounter during an audit, in a vendor questionnaire, or while reading another company's attestation report. Thirty terms, grouped by category.
- Controls & Security
Access Control
Access control is the practice of restricting which users and systems can read, modify, or execute actions on protected resources.
- Compliance Frameworks
AICPA
The AICPA, or American Institute of Certified Public Accountants, is the professional organization that establishes attestation standards for CPAs in the United States and defines the SOC suite of reports, including SOC 2.
- Audit Process
Attestation Report
An attestation report is the formal document a CPA firm issues at the end of a SOC 2 audit. It contains the auditor's opinion, management's assertion, the description of the system under examination and, in a Type 2 report, the tests of controls the auditor performed and their results, including any exceptions.
- Audit Process
Audit Period
The audit period is the window of time covered by a SOC 2 Type 2 examination.
- Audit Process
Audit Scope
Audit scope defines exactly what is and is not being examined during a SOC 2 audit: which systems, services, locations and supporting processes are in scope, and which Trust Services categories the controls are being assessed against.
- Roles & Vendors
Auditor
In the SOC 2 context, the auditor is the independent CPA who examines a service organization's controls and issues the formal opinion in the attestation report.
- Trust Services Criteria
Availability
Availability is one of the five Trust Services categories in the SOC 2 framework. Its criteria address whether the system is available for operation and use as committed or agreed with customers, for example through capacity management, monitoring, backups and tested recovery.
- Controls & Security
Change Management
Change management is the formal process for proposing, reviewing, approving, testing, and deploying modifications to production systems.
- Trust Services Criteria
Common Criteria
In SOC 2, the Common Criteria (the CC series, CC1 through CC9) are the criteria of the Security category that apply to every SOC 2 audit, regardless of which optional Trust Services categories are also included. They are criteria the service organization's controls must be designed to meet, not a fixed list of controls, and they are unrelated to the ISO/IEC 15408 "Common Criteria" used for product security evaluation.
- Trust Services Criteria
Confidentiality
Confidentiality is one of the five Trust Services categories in SOC 2. Its criteria address whether information the organization has designated as confidential is identified, protected and ultimately disposed of as committed or agreed.
- Roles & Vendors
CPA Firm
A CPA firm is an accounting practice licensed to perform attestation engagements, including SOC 2 audits, under standards set by the AICPA.
- Controls & Security
Data Classification
Data classification is the practice of categorizing information based on sensitivity so that appropriate protections can be applied.
- Controls & Security
Encryption
Encryption is the process of transforming readable data into a form that cannot be understood without a decryption key, protecting information against unauthorized disclosure.
- Audit Process
Evidence
Evidence is the documentation and artifacts that demonstrate a control was operating as designed during the audit period.
- Audit Process
Gap Analysis
A gap analysis is a structured review that compares your current security and operational practices against the SOC 2 Trust Services Criteria to identify which controls are missing, incomplete, or undocumented.
- Compliance Frameworks
GRC (Governance, Risk, and Compliance)
GRC stands for Governance, Risk, and Compliance and refers collectively to the policies, processes, and tools an organization uses to manage corporate oversight, identify and treat risks, and meet regulatory and contractual obligations.
- Controls & Security
Incident Response
Incident response is the structured set of activities a service organization performs when a security event is detected, including triage, containment, eradication, recovery, and post-incident review.
- Controls & Security
Multi-Factor Authentication (MFA)
Multi-factor authentication, commonly abbreviated MFA, requires users to present two or more credentials from different factor categories when authenticating: something they know, such as a password; something they have, such as a hardware token or phone; or something they are, such as a fingerprint or face scan. Two credentials from the same category, for example two passwords, do not qualify as MFA.
- Audit Process
Observation Period
The observation period is the span of time over which a SOC 2 Type 2 examination tests that controls were in place and operating effectively. It is the same window the report's audit period covers, and the auditor samples evidence from within it.
- Trust Services Criteria
Privacy
Privacy is one of the five Trust Services categories in SOC 2. Its criteria address how personal information is collected, used, retained, disclosed and disposed of, measured against the organization's own privacy notice and the AICPA's privacy criteria.
- Trust Services Criteria
Processing Integrity
Processing Integrity is one of the five Trust Services categories in SOC 2. Its criteria address whether system processing is complete, valid, accurate, timely and authorized.
- Controls & Security
Risk Assessment
A risk assessment is the structured process of identifying threats and vulnerabilities to a service organization's systems and data, evaluating their likelihood and impact, and prioritizing them for remediation.
- Controls & Security
Risk Register
A risk register is the canonical inventory of identified risks to a service organization, typically maintained as a structured table or database.
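The Risk Assessment and Risk Register entries above describe the same artifact from two sides: a scored inventory of risks, prioritized by likelihood and impact, with an owner and treatment for each. The following is an added example, not content from the glossary or from any particular compliance tool, of a minimal register in Python that scores entries on a five-by-five scale, orders them, and flags the hygiene problems an auditor would sample for (no owner, a high score with no treatment, a review older than the assumed annual cadence). The scales, threshold, review cadence and the four sample risks are constructed assumptions.

```python
"""Added example: a minimal risk register with likelihood x impact scoring.
Not from the glossary or any compliance product; scales, thresholds and
sample entries are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Assumed ordinal scales (1-5). Real programs define their own.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
HIGH_RISK_THRESHOLD = 12   # assumed: scores at or above this need a recorded treatment
REVIEW_CADENCE_DAYS = 365  # assumed: every entry is re-reviewed at least annually


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: str
    impact: str
    owner: Optional[str] = None
    treatment: Optional[str] = None        # e.g. mitigate / accept / transfer / avoid
    last_reviewed: Optional[date] = None
    tsc_refs: List[str] = field(default_factory=list)  # criteria the risk maps to

    @property
    def score(self) -> int:
        """Inherent risk score: likelihood x impact on the assumed scales."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def validate(risk: Risk, today: date) -> List[str]:
    """Return the register hygiene problems for one entry (empty list if clean)."""
    problems = []
    if risk.likelihood not in LIKELIHOOD:
        problems.append(f"unknown likelihood {risk.likelihood!r}")
    if risk.impact not in IMPACT:
        problems.append(f"unknown impact {risk.impact!r}")
    if problems:
        return problems  # cannot score an entry with an off-scale rating
    if not risk.owner:
        problems.append("no owner assigned")
    if risk.score >= HIGH_RISK_THRESHOLD and not risk.treatment:
        problems.append(f"score {risk.score} >= {HIGH_RISK_THRESHOLD} but no treatment recorded")
    if risk.last_reviewed is None:
        problems.append("never reviewed")
    elif (today - risk.last_reviewed).days > REVIEW_CADENCE_DAYS:
        problems.append(f"last reviewed {risk.last_reviewed}, older than {REVIEW_CADENCE_DAYS} days")
    return problems


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Scorable entries ordered by descending score, then by id for a stable order."""
    scorable = [r for r in risks if r.likelihood in LIKELIHOOD and r.impact in IMPACT]
    return sorted(scorable, key=lambda r: (-r.score, r.risk_id))


def register_report(risks: List[Risk], today: date) -> Dict[str, object]:
    """Prioritized ids plus a map of id -> problems for entries that need attention."""
    findings = {r.risk_id: validate(r, today) for r in risks}
    return {
        "priority_order": [r.risk_id for r in prioritize(risks)],
        "needs_attention": {k: v for k, v in findings.items() if v},
    }


def sample_register() -> List[Risk]:
    """Constructed sample entries; the ids, owners and dates are invented."""
    return [
        Risk("R-001", "Departed contractors retain IAM access", "likely", "major",
             owner="Head of IT", treatment="mitigate", last_reviewed=date(2024, 11, 2),
             tsc_refs=["CC6.2", "CC6.3"]),
        Risk("R-002", "Unpatched internet-facing dependency", "possible", "severe",
             owner=None, treatment=None, last_reviewed=date(2024, 1, 15),
             tsc_refs=["CC7.1"]),
        Risk("R-003", "Single-region database outage", "unlikely", "moderate",
             owner="Platform lead", treatment="accept", last_reviewed=date(2025, 1, 10),
             tsc_refs=["A1.2"]),
        Risk("R-004", "Entry with an off-scale rating", "high", "major",
             owner="Security lead", treatment="mitigate", last_reviewed=date(2025, 2, 1)),
    ]


if __name__ == "__main__":
    report = register_report(sample_register(), today=date(2025, 3, 1))
    print("priority order:", report["priority_order"])
    for risk_id, problems in report["needs_attention"].items():
        print(risk_id, "->", "; ".join(problems))
```

Keeping the register in code rather than a spreadsheet is not the point; the point is that every entry carries the fields an auditor will ask about, and that the checks in `validate` can be run on a schedule so a stale or ownerless high-scoring risk is caught before fieldwork rather than during it.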
- Trust Services Criteria
Security
Security is the Trust Services category required in every SOC 2 audit. Its criteria are the Common Criteria (CC1 through CC9), covering the control environment, communication and information, risk assessment, monitoring, control activities, logical and physical access, system operations, change management, and risk mitigation.
- Roles & Vendors
Service Organization
A service organization in the SOC 2 context is a company that provides a service on which its customers' own systems or controls rely, such as a SaaS provider, a hosting or data center operator, or a payroll processor. It is the entity whose controls a SOC 2 report describes and whose management signs the assertion in that report.
- Audit Process
SOC 2 Type 1
A SOC 2 Type 1 report evaluates whether a service organization's controls are suitably designed to meet the selected Trust Services Criteria as of a single point in time. It does not test whether those controls actually operated over a period.
- Audit Process
SOC 2 Type 2
A SOC 2 Type 2 report evaluates whether a service organization's controls were both suitably designed and operating effectively across a defined audit period, typically three to twelve months.
- Trust Services Criteria
Trust Services Criteria
The Trust Services Criteria, often abbreviated TSC, are the criteria defined by the AICPA that form the basis for SOC 2 audits. They are organized into five categories: Security (required in every report), Availability, Processing Integrity, Confidentiality and Privacy; the service organization chooses which of the four optional categories to include in scope.
- Roles & Vendors
Vendor Management
Vendor management, sometimes called third-party risk management, is the program that evaluates and monitors security and compliance risks introduced by external service providers.
- Controls & Security
Vulnerability Management
Vulnerability management is the continuous process of identifying, evaluating, prioritizing, and remediating security weaknesses in systems, applications, and infrastructure.