What it means
SOC 2 (Service Organization Control 2) is a security audit framework developed by the AICPA, primarily used in the US. It produces a SOC 2 report, which evaluates an organisation's controls against five 'Trust Service Principles': security, availability, processing integrity, confidentiality, and privacy.
SOC 2 reports come in two types. Type I assesses control design at a single point in time (a snapshot). Type II tests control effectiveness over a period (typically 6 to 12 months) and is the report that procurement teams actually want to see.
Why it matters
For US-based clients (or anyone selling into US enterprises), SOC 2 Type II is often a hard procurement requirement. Without it, deals stall in legal review.
SOC 2 and ISO 27001 overlap a lot but are not identical. International businesses often pursue both: ISO 27001 for global recognition, SOC 2 for the US enterprise market specifically.
Example
A SaaS brand with strong product-market fit hits a wall trying to close US enterprise deals: every procurement process stalls on the security review. They invest in a SOC 2 Type II audit. Six months later, the same procurement teams move them through review without friction. The sales cycle drops by 30 days on average.