
People left wondering where it all went wrong

For years, companies (and even CPA firms) have been stating that their service is “SOC 2 compliant” or “SOC 2 certified”. To the surprise of many, SOC 2 is not a certification at all, but an attestation. “I had no idea, and I also don’t know what attestation means,” one user said. This ByteChek reporter helped by providing a link to the ByteChek blog post titled What is an Attestation Report to clear that up.

Because SOC 2 is an attestation, you should think of it as a reporting framework rather than a compliance framework. In a compliance framework, you have to meet the specified requirements of that framework in order to “pass”. With SOC 2, there are criteria against which your controls are measured, but those criteria do not prescribe specific control requirements. For example, for logical access, some frameworks require 12-character passwords with numbers, letters, and special characters. Under SOC 2 you could, in theory, require only 6 letter-only characters and still meet the logical access criteria, provided you are preventing unauthorized access. (Although this reporter would recommend something stronger.)

“This is why SOC reports have assertions and opinions,” says Jeff Cook, ByteChek CFO. For more information on why SOC 2 is a reporting framework, see ByteChek’s SOC 2 content pages.