SOC 2 Readiness

Trust Services Criteria Compliance

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing framework developed by the AICPA designed to ensure service providers securely manage data to protect their organization's and clients' interests. It's the standard your enterprise customers and prospects expect you to meet.

Whether you're pursuing SOC 2 for the first time to close a deal or need to maintain your existing compliance posture, we get you audit-ready — from gap analysis through evidence collection to audit day support.

SOC 2 Type I vs. Type II

Both report types are examinations performed by a licensed CPA firm against the Trust Services Criteria. The difference is what the auditor evaluates — and how long it takes to get the report.

Type IType II
What it evaluatesWhether your controls are suitably designed at a point in timeWhether your controls operated effectively over a period of time
Observation windowNone — a single 'as of' dateTypically 3–12 months
Best forA first report or an urgent customer requirementWhat enterprise customers ultimately expect
Typical readiness timelineAbout 3 monthsAbout 3 months, plus the observation window

What We Cover

Our SOC 2 readiness program addresses all five Trust Services Criteria, scoped to what matters for your business.

  • 1Security — Protection against unauthorized access, both physical and logical. This is required for every SOC 2 audit.
  • 2Availability — System uptime and performance commitments. Critical for SaaS companies with SLA obligations.
  • 3Processing Integrity — Ensuring system processing is complete, valid, accurate, and timely.
  • 4Confidentiality — Protecting information designated as confidential through encryption, access controls, and data handling procedures.
  • 5Privacy — Personal information lifecycle management from collection through disposal, aligned with your privacy commitments.

Our Process

Typical engagement: about 3 months (first-time SOC 2) to 2–4 weeks (annual renewal preparation)

01

Assessment & Gap Analysis

We assess your current security posture against the target framework through questionnaires, environment scans, and documentation review. The result is a clear picture of where you stand and what gaps need to be closed.

02

Remediation Planning

Based on the gap analysis, we create a prioritized remediation plan with clearly defined tasks, impact ratings, and criticality scores. Each task is scoped so your team knows exactly what to do and in what order.

03

Policy & Control Implementation

We draft and implement the security policies, procedures, and technical controls required by the framework. This includes configuring your GRC platform, mapping controls, and establishing the processes auditors expect to see.

04

Evidence Collection & Documentation

We help you collect, organize, and document the evidence that demonstrates control effectiveness. This includes screenshots, configuration exports, policy sign-offs, and access reviews — everything an auditor will ask for.

05

Readiness Review & Audit Support

We perform a pre-audit readiness review to confirm identified gaps are addressed and evidence is complete. When you engage your auditor or certification body, we support you through the process — answering questions, providing context, and supporting your team throughout.

We prepare you. An independent auditor examines you.

Only a licensed CPA firm can perform a SOC 2 examination and issue your report — and the firm that builds your controls shouldn’t be the one auditing them. We deliberately stay on the readiness side of that line: we close your gaps, organize your evidence, and support your team through audit day, while an independent auditor you engage issues the report. That separation is what makes your report credible to the customers who ask for it.

The same principle applies to ISO 27001, where Clause 9.2 requires an impartial internal audit — which is why our internal audit practice operates separately from our readiness services.

GRC Platform Experience

We configure and manage your compliance program in Drata and Vanta — mapping controls to Trust Services Criteria, automating evidence collection, and preparing your platform so your compliance evidence is well-organized and accessible.

SOC 2 Frequently Asked Questions

What is a SOC 2 readiness assessment?

A SOC 2 readiness assessment is a structured review of your security controls against the Trust Services Criteria before your formal audit. It identifies which controls you already satisfy, which have gaps, and what evidence you'll need — so you can fix problems before your auditor finds them. Our readiness engagements cover the full path: gap analysis, remediation, policy and control implementation, evidence collection, and a final pre-audit review.

How long does SOC 2 readiness take?

A first-time SOC 2 readiness engagement typically takes about three months; annual renewal preparation takes 2–4 weeks. The audit itself is separate: a Type I audit examines your controls as of a single date, while a Type II audit requires an observation window — commonly 3–12 months — before the auditor can issue the report. Plan your total timeline around readiness plus the audit type you choose.

What's the difference between SOC 2 Type I and SOC 2 Type II?

A Type I report evaluates whether your controls are suitably designed at a specific point in time. A Type II report evaluates whether those controls operated effectively over a period — typically 3–12 months. Many companies start with a Type I to satisfy an urgent customer requirement, then complete a Type II over the following observation period, which is what most enterprise customers ultimately expect.

Is SOC 2 a certification?

No. SOC 2 is an attestation, not a certification: a licensed CPA firm examines your controls and issues a report with its opinion. There is no SOC 2 'certificate' — customers ask for a copy of your report instead. ISO 27001, by contrast, is a certification issued by an accredited certification body.

Do you perform the SOC 2 audit yourselves?

No — only a licensed CPA firm can perform a SOC 2 examination and issue the report, and the firm that prepares you shouldn't be the one auditing you. We do the readiness work: close your gaps, organize your evidence, and support your team through audit day, while an independent auditor you engage issues the report. That separation is what keeps your report credible.

How much does SOC 2 cost?

Our SOC 2 readiness engagements are billed at $5,000 per month, and a first-time SOC 2 typically takes about three months — so plan on roughly $15,000 for readiness. Two costs are separate: the CPA firm's audit fee and your GRC platform license (such as Drata or Vanta). Total cost is driven by company size, how many Trust Services Criteria are in scope, the current state of your controls, and whether you pursue a Type I or Type II. Book a 30-minute call for a fixed quote.

Which Trust Services Criteria do we need?

Security is mandatory for every SOC 2 audit. The other four — Availability, Processing Integrity, Confidentiality, and Privacy — are optional and should be scoped to the commitments you make to customers. Most SaaS companies start with Security plus Availability, adding Confidentiality when contracts require it.

Do we need a penetration test for SOC 2?

SOC 2 doesn't explicitly require a penetration test, but auditors expect to see a vulnerability management program, and a pentest is the most common way to demonstrate it. Many enterprise customers also request recent pentest results alongside your SOC 2 report, so most companies schedule one during readiness.

Get Started

Book a 30-minute scoping call to discuss your SOC 2 readiness goals.