What is a SOC 2 report?

A SOC 2 report includes the following sections: 

Management Assertion

This section summarizes the claims company management has made about their security controls. It also describes, in management’s view, whether the organization’s systems satisfy the Trust Services Criteria included in the audit.  

Independent Service Auditor’s Report

This section includes the auditor’s opinion about how the organization’s controls perform against the TSC selected. An “unqualified opinion” indicates the company is fully compliant and the auditor didn’t find anything to qualify that assertion. A “qualified opinion” means the company is nearly fully compliant, but a few areas may need improvement. An “adverse opinion” means security controls are insufficient in one or more significant areas. A “disclaimer of opinion” means the auditor doesn’t have enough information to support any of the other options. 

System Overview

This section explains what your organization does, including industry, location, and technical infrastructure. It also summarizes the security controls that have been implemented. 

Infrastructure

This section defines the people, policies, processes, software, data, and technology that comprise the organization, as well as any third parties outsourced. 

Relevant Aspects of the Control Environment

This section details your internal controls relating to information systems, risk assessment and management, and monitoring. 

Complementary User-Entity Controls

CUECs, also known as User Control Considerations (UCCs), are controls that organizations depend on their customers to implement. For example, removing access for former employees. 

Complementary Subservice Organization Controls

Similar to CUECs, these are controls organizations rely on supporting vendors such as data processing services to implement. 

Trust Services Criteria, Criteria Related Controls, and Tests of Controls

This section lists every security controls in place and the results of any tests the auditor ran against those controls. 

Other Information

Any additional information provided by the organization that the auditor didn’t use or deemed irrelevant to the audit.