Compliance framework
What is SOC 2 compliance?
In short
What SOC 2 attests, the difference between Type I and Type II, how it compares with ISO 27001, and when Indonesian companies get asked for it.
A deal is almost closed. The contract is drafted, the pricing is agreed, and then the enterprise buyer's security team sends a short questionnaire with one line that stalls everything: "Please attach your latest SOC 2 report." If you have one, you send it and the deal moves. If you do not, the procurement process pauses while the buyer decides whether to make an exception or walk away. For a growing Indonesian software or services company selling to larger customers, that single request is often the first time SOC 2 becomes urgent. This page explains what SOC 2 actually is, how Type I differs from Type II, how it sits alongside ISO 27001, and when Indonesian companies get asked for it.
What SOC 2 is
SOC 2 stands for System and Organization Controls 2. It is an attestation report produced by an independent CPA firm under standards set by the American Institute of Certified Public Accountants (AICPA). The auditor examines how your organisation controls customer data and issues a formal opinion on whether those controls meet the AICPA Trust Services Criteria.
The word to hold onto is attestation. A SOC 2 engagement does not produce a certificate. It produces a report, sometimes a hundred pages long, describing your systems, the controls you have in place, the tests the auditor ran, and the auditor's opinion. Calling SOC 2 a certification is a common mistake, and it matters, because the deliverable and the process are different from a certifiable standard. There is no accredited body handing out a SOC 2 badge; there is a CPA firm putting its name to an opinion about your controls.
The Trust Services Criteria give the report its structure. There are five of them:
| Criterion | What it covers |
|---|---|
| Security | Protection of systems and data against unauthorised access. This is the only mandatory criterion, also called the common criteria, and every SOC 2 report includes it. |
| Availability | Whether the system is available for operation and use as committed or agreed. |
| Processing integrity | Whether system processing is complete, valid, accurate, timely, and authorised. |
| Confidentiality | Whether information designated as confidential is protected as committed. |
| Privacy | How personal information is collected, used, retained, disclosed, and disposed of. |
Only security is required. The other four are optional, and you include them based on what your customers care about and what you actually do. A backup provider might add availability; a payments processor might add processing integrity; a company handling personal data might add privacy. Scoping the criteria sensibly is part of the readiness work, because every criterion you include adds controls the auditor will test.
Type I vs Type II
SOC 2 comes in two report types, and buyers treat them very differently. The distinction is about what the auditor examines: the design of your controls at one moment, or how they operated over a stretch of time.
| SOC 2 Type I | SOC 2 Type II | |
|---|---|---|
| What the auditor assesses | Whether controls are suitably designed | Whether controls operated effectively |
| Time frame | A single point in time | A period, usually 3 to 12 months |
| What it demonstrates | The right controls exist as described | The controls actually worked over time |
| Typical use | A first report, a faster starting point | The report most enterprise buyers expect |
A Type I is a snapshot. It says your controls are designed correctly as of a given date. It is quicker to reach and often serves as a first step. A Type II is the more demanding report: the auditor observes your controls over a defined window and tests whether they operated effectively throughout. Because a Type II shows sustained operation rather than a one-day design check, most serious buyers ask for it. A common path is to obtain a Type I first, then keep the controls running through an observation period and follow with a Type II.
SOC 2 vs ISO 27001
SOC 2 is often mentioned in the same breath as ISO 27001, and buyers sometimes ask for one or the other. They solve a similar problem, proving you manage information security well, but they are structurally different.
| SOC 2 | ISO 27001 | |
|---|---|---|
| What it is | An attestation report by a CPA firm | A certifiable standard with an accredited certificate |
| Deliverable | An auditor's opinion and report | A certificate plus the audit that supports it |
| Framework | AICPA Trust Services Criteria | An information security management system (ISMS) |
| Where it is expected | North American and SaaS buyers | Europe and Asia, and buyers wanting a recognised certificate |
| Renewal | A fresh report each period | Certification with periodic surveillance audits |
The two are complementary, not mutually exclusive. ISO 27001 is a certifiable standard: you build an information security management system, an accredited body audits it, and you receive a certificate. SOC 2 is an attestation: a CPA firm examines your controls and issues a report and opinion. The underlying controls overlap heavily, so organisations that hold ISO 27001 usually find much of the SOC 2 groundwork already done, and the reverse is true as well. If you are weighing the certifiable route, our guide to ISO 27001 certification in Indonesia walks through what that standard involves locally.
SOC 2 in the Indonesian market
SOC 2 is not part of Indonesian law. No regulator here requires it, and it does not replace or satisfy local obligations such as UU PDP or the sectoral rules that OJK applies to financial institutions. Those requirements stand on their own, and our overview of Indonesia's cybersecurity regulations sets out what the law here actually demands.
What drives SOC 2 in Indonesia is the market, not the statute book. It shows up as a buyer expectation. When an Indonesian software company sells to a large enterprise, particularly one based in the United States, the buyer's procurement and security teams often make a SOC 2 report a condition of the contract. The same happens when a local firm becomes a vendor in someone else's supply chain and inherits their assurance requirements. In practice, SOC 2 tends to arrive as a sales blocker rather than a compliance deadline: a deal is waiting on it. Treating it as a governance, risk, and compliance workstream, rather than a one-off scramble, is what keeps it from stalling the next deal too.
Where Alpha Code fits
Getting SOC 2 ready is mostly about closing the gap between the controls you have and the Trust Services Criteria the auditor will test, then keeping those controls running long enough to support a Type II. Alpha Code handles that groundwork through its compliance and GRC service: scoping which criteria apply to you, running a readiness assessment against them, closing the gaps, and preparing the evidence so the audit itself goes smoothly. The CPA firm issues the report; the work of being ready for it is where a local partner who knows both the criteria and the Indonesian context saves the most time.
Reviewed by Mohit Bhansali, Head of Technology
Frequently asked questions
SOC 2 is an attestation report produced by an independent CPA firm that examines how a service organisation controls customer data against the AICPA Trust Services Criteria. It is a report, not a certification. There is no SOC 2 certificate to hang on a wall; the deliverable is an auditor's opinion on whether your controls meet the criteria.
Related
Our services
Ready to strengthen your security posture?
Talk to our Jakarta-based team about your requirements.
Jakarta-based team. We reply within one business day.