SOC 2 Guide

What is SOC 2?

A complete guide to SOC 2 for Vietnamese companies looking to sell into the US market

By pTrackly Compliance Team · Updated July 2026 · AICPA TSC 2017

What is SOC 2?

SOC 2 (Service Organization Control 2) is an audit report framework developed by the AICPA (American Institute of Certified Public Accountants). It's not a law and not a wall-hanging certificate. It's a report from an independent CPA firm confirming that your systems meet defined security criteria.

Why does SOC 2 matter for Vietnamese companies? Because US enterprise customers ask for it. When you send a proposal to a company in San Francisco or New York, their security questionnaire typically includes: "Do you have a SOC 2 report?" Without one, the deal can stall right there.

SOC 2 is built on 5 Trust Service Criteria (TSC). Security is mandatory in every audit. The remaining four you select based on your service scope:

Required
Security (CC)

Protects the system against unauthorized access. Appears in every SOC 2 report.

Optional
Availability

System is available for operation as committed. Critical for SaaS products with uptime SLAs.

Optional
Confidentiality

Information designated as confidential is protected as committed. Often added when handling sensitive client data.

Optional
Processing Integrity

System processing is complete, valid, accurate, and timely. Relevant for fintech and payment processing.

Optional
Privacy

Personal information is collected, used, retained, and disclosed in conformity with commitments.

Most Vietnamese companies start with Security + Availability. That's the minimum scope US enterprise buyers accept.

SOC 2 Type I and Type II

This is the first question your auditor will ask. The two types differ not in security level, but in how the audit is conducted.

Type I
Point-in-time check
  • Method Auditor confirms controls are suitably designed as of the audit date
  • Observation period None
  • Timeline 3 to 6 months from start
  • Used for Early credential, shows customers you're on the right track
Type II
Continuous operation check
  • Method Auditor verifies controls actually operated throughout the observation period
  • Observation period Minimum 6 months (typically 12 months)
  • Timeline 9 to 18 months from start
  • Used for US enterprise sales, vendor agreements, major contracts

Many companies get Type I first to have something to show customers while the Type II observation period runs. This shortens deal wait time.

Who needs SOC 2 in Vietnam?

SaaS
SaaS providers

If your software stores or processes data for US customers, SOC 2 is almost a prerequisite to appear on their vendor lists.

Cloud
Cloud and hosting providers

Customers need to know how their data on your infrastructure is protected. SOC 2 is the standard answer.

IT/BPO
IT and BPO outsourcing

When your team has access to US client systems or data, they need evidence you manage that access properly.

Fintech
Fintech, digital banking, insurance

Financial and transaction data carries higher security expectations. SOC 2 with the Processing Integrity TSC is frequently required in this sector.

Startup
Startups seeking US investment

Some US VCs and accelerators require SOC 2 as part of due diligence, particularly for B2B SaaS at Series A and beyond.

SOC 2 vs ISO 27001: quick comparison

Both frameworks address information security but serve different markets. Knowing the difference helps you choose the right one.

Aspect SOC 2 ISO 27001
Primary market US, Canada Global, EU, Japan, Singapore
Output type Audit report Certificate
Issuing body AICPA (US) ISO/IEC (international)
Control overlap ~60-70% controls overlap, can be done in parallel
Choose when US/Canada target customers explicitly require a SOC 2 report Targeting Japan, EU, Singapore or want an internationally recognized certificate

Frequently asked questions

Is SOC 2 legally required?

No. SOC 2 carries no legal mandate in any country. Companies pursue it because US customers require it, not because of law. If you're not selling to US enterprise buyers, you may not need SOC 2.

What's the difference between SOC 2 Type I and Type II?

Type I checks that controls are suitably designed at a point in time. Type II checks that controls actually operate continuously for at least 6 months (the observation period). US enterprise buyers typically require Type II before signing major contracts.

Do Vietnamese outsourcing companies need SOC 2?

It depends on the customer. If US enterprise customers require a SOC 2 report in their security questionnaire or vendor agreement, then yes. Many Vietnamese outsourcing companies are pursuing SOC 2 to expand into the US market.

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo