What is the primary objective of **SOC 2**?

**The primary objective of SOC 2 is to provide independent assurance that a service organization's controls meet the Trust Services Criteria (TSC) for security, availability, processing integrity, confidentiality, and privacy.** Developed by the AICPA, SOC 2 evaluates systems handling customer data, with Security (CC1-CC9) as the mandatory common criteria. Type 2 reports assess design and operating effectiveness over 3-12 months, delivering stakeholder trust for SaaS and cloud providers.

Who is legally or professionally required to comply with **SOC 2**?

**No organization is legally required to comply with SOC 2, as it is a voluntary AICPA framework, but service organizations processing customer data face professional mandates from enterprise clients.** Targeted at SaaS, cloud, fintech, and data processors, it is demanded in RFPs, MSAs, and vendor risk assessments by Fortune 500 buyers, where 70-80% of deals hinge on Type 2 reports.

Does **SOC 2** require an external audit or third-party certification?

**Yes, SOC 2 requires an external audit by an independent AICPA-accredited CPA firm to issue Type 1 or Type 2 attestation reports.** Auditors perform walkthroughs, sample testing (e.g., 40 instances per control), and verify evidence like logs and pen tests, resulting in an opinion (unqualified, qualified, adverse, or disclaimer) on TSC compliance.

How often should an assessment for **SOC 2** be performed?

**SOC 2 Type 2 assessments should be performed annually, covering a 3-12 month monitoring period, with bridge letters extending validity up to 3 months.** This ensures continuous operating effectiveness, capturing full cycles like quarterly access reviews and annual pen tests, with bridged monitoring (prior 9 months + new 3 months) for recertification.

What are the consequences of non-compliance with **SOC 2**?

**Non-compliance with client-mandated SOC 2 results in deal disqualification, extended sales cycles (3-6 months), and heightened breach liability, though no direct AICPA fines apply.** Absent Type 2 reports, vendors face exhaustive questionnaires, custom clauses, reputational damage, and potential $1M+ damages under SLAs or laws like CCPA.

An **SOC 2** be mapped to other international frameworks?

**Yes, SOC 2 maps effectively to frameworks like ISO 27001 (80% control overlap), NIST CSF, and others via AICPA spreadsheets.** Common Criteria (CC1-CC9) align with ISO Annex A (114 controls) and NIST Govern/Detect functions, enabling unified evidence for multi-compliance without dual audits.

What is the first step to begin implementing **SOC 2**?

**The first step for SOC 2 implementation is a scoping exercise and gap analysis against the Trust Services Criteria, engaging a CPA for readiness assessment.** Define in-scope systems, data flows, and TSC (Security mandatory), inventory assets, and map 50-100 controls, prioritizing quick wins like policies and IAM.

What is the primary objective of **EN 1090**?

**EN 1090 ensures structural steel and aluminium components and kits are executed to controlled technical requirements and conform for CE marking under the Construction Products Regulation (CPR).** It comprises **EN 1090-1** for conformity assessment via certified **Factory Production Control (FPC)** and **Declaration of Performance (DoP)**, **EN 1090-2** for steel execution (welding, tolerances, inspection), and **EN 1090-3** for aluminium. Risk scales via **Execution Classes (EXC1–EXC4)** based on consequence class (CC1–CC3), service category (SC1–SC2), and production category (PC1–PC2).

Who is legally or professionally required to comply with **EN 1090**?

**Manufacturers of load-bearing steel and aluminium structural components and kits for permanent incorporation in EU/EEA construction works must comply with EN 1090 to affix CE marking.** This includes fabricators, steelwork contractors, and suppliers of elements like beams, trusses, and assemblies for buildings, bridges, or industrial structures. Compliance is mandatory under CPR for market placement; non-structural or temporary items are excluded.

Does **EN 1090** require an external audit or third-party certification?

**Yes, EN 1090-1 mandates certification of the Factory Production Control (FPC) system by a Notified Body via AVCP systems.** This involves initial inspection of the factory, FPC review, and **Initial Type Testing (ITT)** or **Initial Type Calculation (ITC)**, followed by ongoing surveillance audits. Certification enables legal CE marking and DoP issuance.

How often should an assessment for **EN 1090** be performed?

**EN 1090 requires initial Notified Body certification followed by continuous surveillance audits, typically annually for the first year then per EN 1090-1 Table B.3 based on Execution Class.** Higher EXC (e.g., EXC3–EXC4) demand more frequent or intensive audits; internal FPC assessments occur continuously with records supporting product release.

What are the consequences of non-compliance with **EN 1090**?

**Non-compliance with EN 1090 prevents legal CE marking, blocking EU/EEA market access and exposing manufacturers to CPR enforcement.** Notified Bodies may suspend/withdraw FPC certificates for major non-conformities, triggering product recalls, fines, civil liability, and public reporting. Structural failures amplify risks via insurance denials and reputational damage.

An **EN 1090** be mapped to other international frameworks?

**EN 1090 integrates with standards like ISO 3834 for welding quality, but direct mappings to other frameworks are not specified in the standard.** It aligns operationally with ISO 9001 for quality management and Eurocodes for design, with welding coordination per ISO 14731; however, equivalence depends on specific Execution Class requirements.

What is the first step to begin implementing **EN 1090**?

**The first step is to perform a product scope assessment and determine Execution Classes (EXC1–EXC4) for your structural components.** Classify based on consequence class (CC), service category (SC), and production category (PC) matrix, defaulting to **EXC2** if unspecified, then conduct a gap analysis against EN 1090-1 FPC requirements.

SOC 2 vs EN 1090

Standards Comparison

SOC 2

Voluntary

2010

AICPA framework for Trust Services Criteria compliance

EN 1090

Mandatory

2009

EU standard for steel and aluminium structural execution

Quick Verdict

SOC 2 provides voluntary trust assurance for tech service data security globally, while EN 1090 mandates CE marking for structural steel/aluminium components in EU construction. Tech firms adopt SOC 2 for enterprise sales; fabricators need EN 1090 for legal market access.

Cybersecurity / Trust

SOC 2

System and Organization Controls 2

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Structural Metalwork

EN 1090

EN 1090 Execution of steel and aluminium structures

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Risk-based Execution Classes EXC1-EXC4
Factory Production Control FPC certification
CE marking and DoP requirements
Welding quality via ISO 3834
Material traceability and NDT inspection

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

SOC 2 Details

What It Is

SOC 2 (System and Organization Controls 2) is a voluntary audit framework developed by the AICPA to evaluate service organizations' controls over customer data. It uses Trust Services Criteria (TSC)—a principles-based, risk-focused approach assessing security and operations.

Key Components

Five TSC: Security (mandatory, CC1-CC9), Availability, Processing Integrity, Confidentiality, Privacy (optional).
50-100 controls mapped to criteria, with redundancy (2-3 per point).
Built on COSO principles; Type 1 (design) and Type 2 (operating effectiveness) reports by CPA auditors.

Why Organizations Use It

Accelerates enterprise sales, unlocks markets like SaaS/cloud.
Builds stakeholder trust, reduces breach risks/liability.
Competitive moat via 15-30% faster close rates, ROI in 3-6 months.
Overlaps with ISO 27001 (80%), HIPAA, GDPR for efficiency.

Implementation Overview

Phased: gap analysis (2-4 weeks), deployment (4-8 weeks), monitoring (3-12 months), audit (1-2 months).
Targets SaaS/fintech (10-500+ employees); automation (Vanta) cuts effort 70%.
Annual Type 2 recertification with bridge letters. (178 words)

EN 1090 Details

What It Is

EN 1090 is a harmonized European standard family (EN 1090-1, -2, -3) for the execution and conformity assessment of structural steel and aluminium components under the Construction Products Regulation (CPR). Its primary purpose is ensuring safe fabrication, assembly, and market placement via CE marking. It employs a risk-based approach through Execution Classes (EXC1–EXC4).

Key Components

**EN 1090-1Conformity assessment, Factory Production Control (FPC), Declaration of Performance (DoP).
**EN 1090-2/-3Technical rules for steel/aluminium (welding, tolerances, corrosion protection, inspection).
Core principles: traceability, welding quality (ISO 3834), NDT scaled by EXC.
Certification model: Notified Body audits FPC with ongoing surveillance.

Why Organizations Use It

Mandatory for EU market access with CE marking.
Reduces liability, rework; enables high-risk projects.
Builds trust via certified quality and traceability.

Implementation Overview

Phased: gap analysis, FPC build, personnel training, NB certification. Applies to fabricators in construction; 6-12 months typical for medium firms.

Key Differences

Aspect	SOC 2	EN 1090
Scope	Data security, availability, privacy for service orgs	Structural steel/aluminium fabrication and conformity
Industry	SaaS, cloud, tech services globally	Construction, manufacturing in EU/EEA
Nature	Voluntary AICPA audit framework	Mandatory harmonized standard under CPR
Testing	Type 2 audits over 3-12 months by CPA	FPC certification, surveillance by Notified Body
Penalties	Lost business, no legal fines	Market exclusion, fines, legal liability

Scope

SOC 2

Data security, availability, privacy for service orgs

EN 1090

Structural steel/aluminium fabrication and conformity

Industry

SOC 2

SaaS, cloud, tech services globally

EN 1090

Construction, manufacturing in EU/EEA

Nature

SOC 2

Voluntary AICPA audit framework

EN 1090

Mandatory harmonized standard under CPR

Testing

SOC 2

Type 2 audits over 3-12 months by CPA

EN 1090

FPC certification, surveillance by Notified Body

Penalties

SOC 2

Lost business, no legal fines

EN 1090

Market exclusion, fines, legal liability

Frequently Asked Questions

Common questions about SOC 2 and EN 1090

SOC 2 FAQ

EN 1090 FAQ

You Might also be Interested in These Articles...

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

Advanced compliance tools use AI, analytics & real-time monitoring to predict regulatory shifts, cut non-compliance costs 3x, and ensure audit readiness. Stay p

ISO 27701 Implementation Roadmap: Step-by-Step Guide for Extending Your ISO 27001 ISMS to PIMS

Extend ISO 27001 ISMS to ISO 27701 PIMS with this step-by-step roadmap. Master role-specific controls, avoid pitfalls, meet certification evidence needs for pri

The Panoramic View: How Integrated Compliance Monitoring Creates Unprecedented Organizational Visibility and Adaptability

Gain unprecedented organizational visibility with integrated compliance monitoring. Automate real-time alerts, ensure GDPR & SOC 2 adherence, reduce risks, and

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

C-TPAT vs ISO 27017

Compare C-TPAT vs ISO 27017: Supply chain security vs cloud controls. Discover key differences, benefits & which fits your compliance needs. Optimize risk now!

EMAS vs ISO 56002

Unlock EMAS vs ISO 56002: EU's verified eco-management powerhouse meets innovation system guidance. Compare compliance, performance gains & strategy. Choose your edge now!

Australian Privacy Act vs NERC CIP

Discover Australian Privacy Act vs NERC CIP: principles-based privacy vs grid cyber standards. Compare compliance, enforcement & strategies for resilient ops. Act now!

SOC 2

EN 1090

Quick Verdict

SOC 2

EN 1090

Key Features

Detailed Analysis

SOC 2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

EN 1090 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

SOC 2 FAQ

What is the primary objective of SOC 2?

Who is legally or professionally required to comply with SOC 2?

Does SOC 2 require an external audit or third-party certification?

How often should an assessment for SOC 2 be performed?

What are the consequences of non-compliance with SOC 2?

An SOC 2 be mapped to other international frameworks?

What is the first step to begin implementing SOC 2?

EN 1090 FAQ

What is the primary objective of EN 1090?

Who is legally or professionally required to comply with EN 1090?

Does EN 1090 require an external audit or third-party certification?

How often should an assessment for EN 1090 be performed?

What are the consequences of non-compliance with EN 1090?

An EN 1090 be mapped to other international frameworks?

What is the first step to begin implementing EN 1090?

You Might also be Interested in These Articles...

Decoding Tomorrow's Regulations: How Advanced Compliance Tools Predict and Prepare for Future Shifts

ISO 27701 Implementation Roadmap: Step-by-Step Guide for Extending Your ISO 27001 ISMS to PIMS

The Panoramic View: How Integrated Compliance Monitoring Creates Unprecedented Organizational Visibility and Adaptability

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

C-TPAT vs ISO 27017

EMAS vs ISO 56002

Australian Privacy Act vs NERC CIP