Thoughtful Risk Assessments: Empowering Innovation and Security

You’ve completed your SOC 2 report. That first-time report can be a lot of work, and it’s worth celebrating while you hang the new AICPA logo on the website. So what’s next?

We highly recommend you do not use the phrase “SOC 2 Certified." Yes, you see it everywhere, and your competitors are celebrating their certificate - but don’t do it because such a thing does not exist.

There is nuance to this question, and other well-meaning and very smart people that I respect might give a different answer. But within the volumes of literature that set the standards, the true answer is this: There are absolutely no control requirements for SOC 2 reports.