Install: claude install-skill roodlicht/accans-sec-skills
# SOC 2 Type II Prep
> **Disclaimer**: this skill supports preparation for a SOC 2 examination but does not replace an AICPA-licensed auditor. Only a licensed CPA firm can issue a SOC 2 report. This skill helps with pre-audit readiness.
## When to use
SOC 2 (System and Organization Controls 2) is an AICPA framework for service organizations that demonstrates that controls around Security and the related Trust Services Criteria are operating effectively. It is popular in B2B SaaS because US customers (and increasingly EU customers) make it a contractual requirement.
Triggers on:
- A question like "where do we start with SOC 2", "Type I or Type II", "which TSCs to select", "evidence for SOC 2", "explain CUECs to a customer", "overlap with ISO 27001".
- A B2B SaaS that encounters a SOC 2 requirement in an RFP or master service agreement.
- A handoff from `iso27001` for a dual-attestation strategy.
- Preparation for the annual Type II cycle (observation period + report).
### When NOT (handoff)
- EU regulatory compliance (NIS2, DORA, GDPR/AVG) → the relevant skills. SOC 2 is a contractual requirement, not a legal one.
- ISO 27001 as alternative or complementary → `iso27001`.
- Risk-assessment methodology → `risk-register`.
- Policy drafting itself → `policy-drafter`.
- Evidence-technical packaging → `audit-evidence`.
- Technical implementation of controls → the relevant security skills.
- SOC 1 (financial-reporting controls) is out of scope — different auditor objective.
- SOC 3 (public summary version) is m