SOC 2 in one paragraph
SOC 2 is a report produced by an independent CPA firm against the Trust Services Criteria defined by the AICPA. The criteria cover security, availability, processing integrity, confidentiality, and privacy. Security is mandatory; the other four are optional, and the operator selects which to be assessed on. A Type II report covers a period (most commonly twelve months) and tests whether the controls operated effectively across that period. The output is a report, not a certificate. There is no logo to display; the substance is the report itself.
What the report actually contains
A SOC 2 Type II report has four sections. Section 1 is the auditor's opinion. Section 2 is the operator's assertion about their system. Section 3 is the system description, which is where the actual control universe is documented. Section 4 is the control matrix with the auditor's test results, including any exceptions found during the audit period. The exception list is the substantive content. A clean opinion on a report with three significant exceptions is materially different from a clean opinion on a report with none.
Procurement teams should request the full report under NDA, read Section 4, and ask the operator to walk through each exception and the remediation. An operator unwilling to share the report under NDA is signalling something about how they want to be evaluated.
ISO 27001 in one paragraph
ISO 27001 certifies that the operator has implemented an Information Security Management System meeting the standard. The 2022 revision is the current version. Annex A lists 93 controls grouped into four themes: organizational, people, physical, and technological. Unlike SOC 2, the output is a certificate from an accredited certification body, and the certificate has a defined scope statement. Read the scope statement carefully; it states which parts of the organisation and which locations are inside the certification boundary.
Scope is the trap on both sides
On both SOC 2 and ISO 27001, scope is the issue procurement teams most often under-read. An operator running ten facilities can hold a certification that covers only the head office and one flagship building; the marketing page may simply say “ISO 27001 certified.” The contractual question is whether the facility you are placing equipment in is inside the scope.
Ask for the scope statement (ISO 27001) and the system description (SOC 2) for the specific facility. If neither names the building you are contracting, the certification does not apply to your environment.
Contract clauses that make the framework work
A certification on a marketing page does nothing until the contract refers to it. Procurement teams should ask for three clauses at minimum. First, an obligation that the operator maintains the certification for the contract term and notifies the tenant of any lapse or scope change within a defined notice period. Second, an annual delivery obligation for the renewed SOC 2 Type II report and ISO 27001 certificate. Third, an audit-cooperation clause that lets the tenant verify any controls relevant to a regulatory audit affecting the tenant's use of the facility.
Without these clauses, a certification lapse during the contract term is not a contractual breach, which usually means it is not actionable.
When neither is enough
Workloads with regulated data require additional frameworks on top of the SOC 2 and ISO 27001 baseline. Cardholder data needs PCI DSS attestation. Protected health information needs HIPAA-compliant operator practices and a Business Associate Agreement. US federal data needs FedRAMP at the appropriate impact level. Each maps to a separate certification hub on viabandwidth.