SOC 2 is not a certification; it is a third-party attestation of the controls in place at your organization. Typically, though, when a company asks this question, the answer is that you start by understanding your scope (the system, SOC 2 categories, etc.), performing a readiness assessment, and then undergoing a Type 1 and/or Type 2 assessment by a CPA firm. You’ll end up with a detailed report stating the effectiveness of your controls, which is ultimately what someone would refer to as being SOC 2 certified.
Previously, in SSAE-16, a Management Representation Letter was highly recommended and common practice; however, it was not explicitly required to be obtained except in certain existing subject matter sections. This