BastionSec

SOC 2, explained: it's an attestation, not a certification

What the SOC 2 report is, the Trust Services Criteria, the difference between Type I and Type II, the observation period, honest timelines and cost lines. An informational guide, not a pitch.

  • There's no “SOC 2 certificate”: there's a report signed by a CPA.
  • Type II requires an observation period, typically 3-12 months.
  • Only the Security criterion is mandatory; the other four are optional.

What SOC 2 is

SOC 2 (System and Organization Controls 2) is not a certification. It's an attestation report issued by a US CPA firm under AICPA standards (SSAE 18 / AT-C). The report expresses an independent professional opinion on how well an organisation's controls meet the Trust Services Criteria.

Plainly: there's no “SOC 2 certificate” to hang on a wall. There's a report, often dozens of pages, that an independent auditor produces and signs, which you share (usually under NDA) with customers who ask. Saying “we're SOC 2 certified” is the wrong term, and a sophisticated buyer notices.

Who needs it (and why it's a US lever)

SOC 2 is effectively the trust standard of the US market for SaaS and cloud vendors. You need it when: you sell B2B software/services to US customers (especially enterprise); your deal is blocked by a vendor security review and the customer won't sign without the report; you're a European or foreign company targeting the US and must speak the trust language buyers expect there (in the EU, ISO 27001 carries more weight; in the US, SOC 2).

That's why many companies do both ISO 27001 (EU/global) and SOC 2 (US).

The Trust Services Criteria

SOC 2 rests on the AICPA Trust Services Criteria (TSC): Security (Common Criteria, mandatory), plus optional Availability, Processing Integrity, Confidentiality and Privacy.

Only Security is required; the others are added based on what your service promises. More criteria mean wider scope and cost: choose them with a reason, not for show.

Type I vs Type II and the observation period

The most important, and most misunderstood, distinction. Type I assesses the design of controls at a point in time (a snapshot, weaker, sometimes used as an intermediate step). Type II assesses operating effectiveness over a period (typically 3-12 months): stronger, because it shows controls work over time, and it's what US enterprise buyers actually ask for.

The observation period is what changes everything about timing: for a Type II, controls must run and be monitored for months before the CPA can issue the report. It cannot be compressed: it's part of the methodology.

How the report is produced, step by step

1) Readiness assessment.
2) Scope selection (which TSC, which system).
3) Control implementation and mapping to TSC.
4) Evidence collection (optionally via a compliance automation platform).
5) (Type II) Observation period.
6) CPA audit: the independent auditor reviews controls and evidence and issues the report with its opinion.
7) Recurring refresh: customers expect recent reports.

Firm boundary: we do not sign the SOC 2 report. A CPA (independent third party) does. We take the company to readiness, map controls, prepare evidence and coordinate with the CPA. The preparer doesn't attest.

Honest timelines

Type I: relatively quick after readiness (a snapshot of control design). Type II: readiness plus the observation period (typically 3-12 months) before the CPA can issue the report.

This is why “SOC 2 in 3 months” loses credibility (and sometimes the deal) with a US buyer: 3 months may be readiness, but Type II still needs the observation period. We tell you the real timeline: readiness plus observation period.

Typical cost lines

Readiness/consulting (gap, control implementation, evidence preparation, CPA coordination); the CPA audit, billed by the CPA and separate from consulting (the independent signature); an optional compliance automation platform for evidence collection, a separate subscription; internal costs (team time, security tooling); recurring report refresh.

We don't post a flat price: it depends on scope, TSC and Type; the CPA fee is always separate, because it's independent.

Common mistakes

  • Saying “SOC 2 certified”: it's an attestation. An auditor or a sophisticated customer notices immediately.
  • Expecting Type II “in a few months” while ignoring the observation period.
  • Bolting on too many TSC without a reason: it widens scope and cost. Security is mandatory; the others only if needed.
  • Assuming SOC 2 = ISO 27001: different markets and logics (US vs EU/global; attestation vs certification).
  • Treating it as one-off: customers want recent reports, so it needs the refresh.
  • Confusing SOC 2 with SOC 1 (financial reporting) or SOC 3 (a public summary).

SOC 2 vs ISO 27001

SOC 2 = attestation (a CPA report plus opinion), the US trust language, Type II needs an observation period. ISO 27001 = certification (issued by an accredited body), EU/global, a 3-year cycle with annual surveillance.

Many companies do both; controls overlap heavily, so building for one accelerates the other.

SOC 2: frequently asked

Is SOC 2 a certification?

No, it's an attestation: a CPA report plus opinion. There's no “SOC 2 certificate”.

What's the difference between Type I and Type II?

Type I assesses control design at a point in time; Type II assesses operating effectiveness over a period (typically 3-12 months).

How long for a Type II?

Readiness plus the observation period (typically 3-12 months), during which controls must run and produce evidence, before the CPA issues the report.

Which criteria are mandatory?

Only Security (Common Criteria). The other four (Availability, Processing Integrity, Confidentiality, Privacy) are optional.

Do you sign the report?

No, the CPA does. We take you to readiness, map controls and coordinate with the CPA.

How BastionSec supports you

We don't sign the SOC 2 report (an independent CPA does). We take you to readiness: gap assessment, choosing your Trust Services Criteria, implementing and mapping controls, preparing evidence and coordinating with the CPA that issues the report. We tell you the real timeline: readiness plus observation period for Type II, no unrealistic promises.

Want to reach SOC 2 readiness?

See our service: gap assessment, choosing your TSC, controls, evidence and coordination with the CPA.