Skip to main content

Compliance framework

What is SOC 2 compliance?

In short

What SOC 2 attests, the difference between Type I and Type II, how it compares with ISO 27001, and when Indonesian companies get asked for it.

Compliance solutions

A deal is almost closed. The contract is drafted, the pricing is agreed, and then the enterprise buyer's security team sends a short questionnaire with one line that stalls everything: "Please attach your latest SOC 2 report." If you have one, you send it and the deal moves. If you do not, the procurement process pauses while the buyer decides whether to make an exception or walk away. For a growing Indonesian software or services company selling to larger customers, that single request is often the first time SOC 2 becomes urgent. This page explains what SOC 2 actually is, how Type I differs from Type II, how it sits alongside ISO 27001, and when Indonesian companies get asked for it.

What SOC 2 is

SOC 2 stands for System and Organization Controls 2. It is an attestation report produced by an independent CPA firm under standards set by the American Institute of Certified Public Accountants (AICPA). The auditor examines how your organisation controls customer data and issues a formal opinion on whether those controls meet the AICPA Trust Services Criteria.

The word to hold onto is attestation. A SOC 2 engagement does not produce a certificate. It produces a report, sometimes a hundred pages long, describing your systems, the controls you have in place, the tests the auditor ran, and the auditor's opinion. Calling SOC 2 a certification is a common mistake, and it matters, because the deliverable and the process are different from a certifiable standard. There is no accredited body handing out a SOC 2 badge; there is a CPA firm putting its name to an opinion about your controls.

The Trust Services Criteria give the report its structure. There are five of them:

CriterionWhat it covers
SecurityProtection of systems and data against unauthorised access. This is the only mandatory criterion, also called the common criteria, and every SOC 2 report includes it.
AvailabilityWhether the system is available for operation and use as committed or agreed.
Processing integrityWhether system processing is complete, valid, accurate, timely, and authorised.
ConfidentialityWhether information designated as confidential is protected as committed.
PrivacyHow personal information is collected, used, retained, disclosed, and disposed of.

Only security is required. The other four are optional, and you include them based on what your customers care about and what you actually do. A backup provider might add availability; a payments processor might add processing integrity; a company handling personal data might add privacy. Scoping the criteria sensibly is part of the readiness work, because every criterion you include adds controls the auditor will test.

Type I vs Type II

SOC 2 comes in two report types, and buyers treat them very differently. The distinction is about what the auditor examines: the design of your controls at one moment, or how they operated over a stretch of time.

SOC 2 Type ISOC 2 Type II
What the auditor assessesWhether controls are suitably designedWhether controls operated effectively
Time frameA single point in timeA period, usually 3 to 12 months
What it demonstratesThe right controls exist as describedThe controls actually worked over time
Typical useA first report, a faster starting pointThe report most enterprise buyers expect

A Type I is a snapshot. It says your controls are designed correctly as of a given date. It is quicker to reach and often serves as a first step. A Type II is the more demanding report: the auditor observes your controls over a defined window and tests whether they operated effectively throughout. Because a Type II shows sustained operation rather than a one-day design check, most serious buyers ask for it. A common path is to obtain a Type I first, then keep the controls running through an observation period and follow with a Type II.

SOC 2 vs ISO 27001

SOC 2 is often mentioned in the same breath as ISO 27001, and buyers sometimes ask for one or the other. They solve a similar problem, proving you manage information security well, but they are structurally different.

SOC 2ISO 27001
What it isAn attestation report by a CPA firmA certifiable standard with an accredited certificate
DeliverableAn auditor's opinion and reportA certificate plus the audit that supports it
FrameworkAICPA Trust Services CriteriaAn information security management system (ISMS)
Where it is expectedNorth American and SaaS buyersEurope and Asia, and buyers wanting a recognised certificate
RenewalA fresh report each periodCertification with periodic surveillance audits

The two are complementary, not mutually exclusive. ISO 27001 is a certifiable standard: you build an information security management system, an accredited body audits it, and you receive a certificate. SOC 2 is an attestation: a CPA firm examines your controls and issues a report and opinion. The underlying controls overlap heavily, so organisations that hold ISO 27001 usually find much of the SOC 2 groundwork already done, and the reverse is true as well. If you are weighing the certifiable route, our guide to ISO 27001 certification in Indonesia walks through what that standard involves locally.

SOC 2 in the Indonesian market

SOC 2 is not part of Indonesian law. No regulator here requires it, and it does not replace or satisfy local obligations such as UU PDP or the sectoral rules that OJK applies to financial institutions. Those requirements stand on their own, and our overview of Indonesia's cybersecurity regulations sets out what the law here actually demands.

What drives SOC 2 in Indonesia is the market, not the statute book. It shows up as a buyer expectation. When an Indonesian software company sells to a large enterprise, particularly one based in the United States, the buyer's procurement and security teams often make a SOC 2 report a condition of the contract. The same happens when a local firm becomes a vendor in someone else's supply chain and inherits their assurance requirements. In practice, SOC 2 tends to arrive as a sales blocker rather than a compliance deadline: a deal is waiting on it. Treating it as a governance, risk, and compliance workstream, rather than a one-off scramble, is what keeps it from stalling the next deal too.

Where Alpha Code fits

Getting SOC 2 ready is mostly about closing the gap between the controls you have and the Trust Services Criteria the auditor will test, then keeping those controls running long enough to support a Type II. Alpha Code handles that groundwork through its compliance and GRC service: scoping which criteria apply to you, running a readiness assessment against them, closing the gaps, and preparing the evidence so the audit itself goes smoothly. The CPA firm issues the report; the work of being ready for it is where a local partner who knows both the criteria and the Indonesian context saves the most time.

Reviewed by Mohit Bhansali, Head of Technology

Frequently asked questions

SOC 2 is an attestation report produced by an independent CPA firm that examines how a service organisation controls customer data against the AICPA Trust Services Criteria. It is a report, not a certification. There is no SOC 2 certificate to hang on a wall; the deliverable is an auditor's opinion on whether your controls meet the criteria.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.