RedOps Cyber Intelligence — Regulated Mid-Market AI Security
Attestation (AICPA)

SOC 2 Type II

The independent attestation your enterprise customers ask for — and the one most often mistaken for a security guarantee.

Standard: AICPA attestation standards (SSAE 18)
Type: An attestation report — not a certification or government license
Criteria: Five Trust Services Criteria; Security (the common criteria) is mandatory
Report types: Type 1 (design at a point in time) and Type 2 (operation over a period, typically 3–12 months)
Issued by: An independent, licensed CPA firm
Best for: SaaS and fintech firms selling to enterprise buyers

01 What it is

SOC 2 is an attestation report produced under AICPA standards. An independent CPA firm examines whether your controls meet the Trust Services Criteria you select and issues an opinion. It is not a pass/fail certificate and not a government license — it is an auditor’s report that your customers’ security teams read to decide whether they trust you with their data.

02 Type 1 vs Type 2

A Type 1 report assesses whether your controls are suitably designed at a single point in time. A Type 2 report assesses whether those controls actually operated effectively across a period — usually three to twelve months. Enterprise buyers increasingly insist on Type 2, because a well-designed control that isn’t consistently operated proves very little.

03 The five criteria

Every SOC 2 covers Security — the common criteria — which is mandatory. You then choose any of Availability, Processing Integrity, Confidentiality, and Privacy based on the promises you make to customers. Scoping these criteria well is the difference between a report that closes deals and one that creates audit work without adding value.

04 Where AI fits in

If your product uses AI, buyers now ask how those systems and their data flows sit within — or outside — your SOC 2 scope. A SOC 2 rarely covers a third-party model provider or every AI feature by default. We make that boundary explicit so your report says what you need it to say, and so you can answer the AI questions that now arrive alongside the SOC 2 request.

05 What RedOps delivers

RedOps takes you from “we need a SOC 2” to audit-ready — and structures the work so it doubles as the foundation for ISO 27001.

SOC 2 readiness scope
  • A readiness assessment and the right Trust Services Criteria scoping
  • Control gap identification and remediation before the observation window opens
  • An evidence repository and the policy stack auditors expect
  • Liaison and preparation for your chosen CPA audit firm
  • A single control set built to be reused for ISO 27001
  • Clear documentation of where AI systems sit in scope

Go deeper

For a plain-English walkthrough of what a SOC 2 Type 2 report attests to and how to read one you receive, read the field note →

SOC 2

Turn the SOC 2 request into a closed deal.

If a prospect is blocking on your SOC 2 — or you want a report that actually covers your AI — book a 30-minute consultation and we’ll scope the fastest credible path.