SOC 2 Compliance Guide

SOC 2 is an attestation report developed by the AICPA for service organisations that store, process, or transmit customer data. It evaluates how well your controls meet the Trust Services Criteria. SOC 2 is not legally required, but it is contractually required by most enterprise buyers — once you sell to a Fortune 1000 company, a regulated industry buyer, or a publicly listed customer, you will be asked for it.

Type I evaluates whether your controls are designed appropriately at a single point in time (a snapshot). Type II evaluates whether those controls operated effectively over a period of time — typically 3 to 12 months. Type II carries far more weight with enterprise buyers. Most companies start with Type I to validate their design, then run a Type II audit window 6–12 months later.

Security (also called the Common Criteria) is required for every SOC 2 report. The other four are optional: Availability (system uptime), Processing Integrity (system processes data completely and accurately), Confidentiality (information designated as confidential is protected), and Privacy (personal information is collected, used, retained, disclosed, and disposed of properly). Most early-stage SOC 2 reports include only Security; you add the others when customers ask or when relevant to your service.

There is no fixed list. The 2017 Trust Services Criteria (revised 2022) define ~60 Common Criteria covering control environment, risk assessment, monitoring, communication, control activities, logical access, system operations, change management, and risk mitigation. Each of the additional TSCs adds 5–20 more criteria. Each criterion can map to multiple controls in your environment — most SOC 2 reports describe 80–150 controls.

For a typical SaaS startup pursuing Type I: external audit fees usually $10K–$25K, plus $5K–$30K for readiness work and tooling. For Type II in the same year: $25K–$60K all-in. Larger or more complex environments commonly spend $50K–$150K+ on Type II including auditor, advisory, tooling, and staff time. The biggest hidden cost is internal effort — typically 200–400 hours during readiness.

For a startup with reasonable hygiene: 8–12 weeks to Type I readiness, then a 3-month minimum Type II observation window, then 4–6 weeks of audit fieldwork — so roughly 6–9 months end to end. For organisations starting from scratch with little existing security tooling: budget 9–12 months. The audit window is the slowest part and cannot be compressed below 3 months for an initial Type II.

For Type II, the auditor evaluates control effectiveness over a defined period. The minimum is typically 3 months for a first audit; thereafter, most companies run a 12-month window so reports can be renewed annually with continuous coverage. During the window, every exception (failed control test, missed access review, etc.) must be documented and remediated. Customers care about the period covered — a 3-month report is acceptable for the first year; a 12-month report is preferred thereafter.

Only a licensed CPA firm registered with the AICPA can issue a SOC 2 attestation. The auditor must be independent — they cannot also be the firm that helped you build the controls. Look for auditors with experience in your industry (cloud SaaS, fintech, health tech, etc.) and ask how many SOC 2 reports they issue per year. Pricing varies widely; the cheapest option is rarely the best.

No, but they overlap by ~80%. SOC 2 is a US-led attestation report focused on Trust Services Criteria, valid for one year. ISO 27001 is an international certification for an Information Security Management System (ISMS), valid for 3 years. SOC 2 is more popular in the US tech sector; ISO 27001 is preferred in Europe, Asia, and regulated global enterprises. Many companies pursue both — the same control set can usually serve both, with one or two additional artifacts (Statement of Applicability, ISMS scope) for ISO 27001.

Security Pulse is built around the SOC 2 Common Criteria from day one. RunWay handles your readiness phase: scoping, risk assessment, policy library, vendor management, training. Autopilot then runs the controls continuously — identity, endpoint, change management, access reviews, vendor monitoring, audit logging, and an evidence vault that produces auditor-ready exports. We support both Type I and Type II audits and integrate with the major auditors.