System and Organization Controls (SOC) 2 Type 2
SOC 2 Type 2 overview
System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service.
A SOC 2 Type 2 attestation is performed under:
- SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
- TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).
At the conclusion of a SOC 2 audit, the auditor renders an opinion in a SOC 2 Type 2 report, which describes the cloud service provider’s (CSP’s) system and assesses the fairness of the CSP’s description of its controls. It also evaluates whether the CSP’s controls are designed appropriately, were in operation on a specified date, and were operating effectively over a specified time period.
Azure and SOC 2 Type 2
Microsoft Azure, Dynamics 365, and other Microsoft online services undergo rigorous independent third-party SOC 2 Type 2 audits conducted by a reputable certified public accountant (CPA) firm. For more information, see the Azure SOC 2 Type 2 attestation report. Azure SOC 2 Type 2 reports are relevant to system Security, Availability, Processing Integrity, and Confidentiality.
Moreover, the Azure SOC 2 Type 2 attestation report addresses the requirements set forth in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and the Cloud Computing Compliance Criteria Catalogue (C5:2020) created by the German Federal Office for Information Security (BSI). For more information, you can review the following Azure compliance offerings:
- Azure Government
Services in scope
For a list of Microsoft online services in audit scope, see Microsoft Azure Compliance Offerings or the Azure SOC 2 Type 2 attestation report:
- Dynamics 365
- Microsoft 365
- Power Platform
For Azure DevOps, see the standalone Azure DevOps SOC 2 Type 2 attestation report.
Office 365 and SOC 2 Type 2
For more information about Office 365 compliance, see Office 365 SOC 2 documentation.
The Azure SOC 2 Type 2 attestation report covers Azure, Dynamics 365, Power Platform, and select Microsoft 365 online services. You can access Azure SOC audit reports and bridge letters from the Service Trust Portal (STP) SOC reports section. You must sign in to access audit documents on the STP. For more information, see Get started with Microsoft Service Trust Portal.
The Azure DevOps SOC 2 Type 2 attestation report is available separately from the Service Trust Portal SOC reports section.
Frequently asked questions
How often are Azure SOC reports issued? SOC reports for Azure, Dynamics 365, and other online services are based on a rolling 12-month run window (audit period) with new reports issued semi-annually (period ends are 31-Mar and 30-Sep). Bridge letters are issued during the first week of each quarter to cover the prior three-month period. For example, the January letter covers 1-Oct through 31-Dec, the April letter covers 1-Jan through 31-Mar, the July letter covers 1-Apr through 30-Jun, and the October letter covers 1-Jul through 30-Sep.
Where can I get the Azure SOC audit documentation including bridge letters? For links to audit documentation, see Audit reports. You must have an existing subscription or free trial account in Azure or Azure Government to sign in. You can then download audit certificates, assessment reports, and other applicable documents to help you with your own regulatory requirements.
If you're an Azure DevOps customers who can't access the Service Trust Portal, you can email Azure DevOps for its SOC 1 and SOC 2 reports. This email is to request Azure DevOps SOC reports only.
Where can I find an assessment of the Cloud Security Alliance CCM controls implementation? The Azure SOC 2 Type 2 audit is based on the American Institute of Certified Public Accountants (AICPA) Trust Services Principles and Criteria, including security, availability, confidentiality, privacy, and processing integrity, and the criteria in the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). The objective is to meet both the AICPA criteria and requirements set forth in the CCM. The Azure SOC 2 Type 2 audit incorporates the CCM controls assessment as required by the CSA STAR Attestation. For more information, see the Azure SOC 2 Type 2 attestation report.
Does the Azure SOC 2 Type 2 attestation also include compliance coverage for Germany C5:2020? Yes. A C5:2020 audit can be combined with a SOC 2 audit to leverage parts of the system description and audit results for overlapping controls. Azure publishes a combined attestation report (C5:2020, SOC 2 Type 2, CSA STAR Attestation) based on the audit assessment performed by an independent auditor, which demonstrates proof of compliance with Germany C5:2020.
Where can I see management responses to exceptions noted? Management responses are located towards the end of the SOC attestation report. Search the document for "Management Response".
Where can I see user entity responsibilities? User entity responsibilities are located at the very end of the SOC attestation report. Search the document for "User Entity Responsibilities".
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- Compliance on the Microsoft Trust Center
- Service Trust Portal SOC attestation reports
- AICPA SOC for Service Organizations
- SSAE No. 18, Attestation Standards: Clarification and Recodification (AICPA Professional Standards)
- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide, available for purchase)
- TSP section 100 (AICPA 2017 Trust Services Criteria, includes March 2020 updates)