SOC 2 Readiness Consultancy — Trust Services Criteria · Crescent Quality Certifications

Product & Regulatory

SOC 2: the report enterprise buyers ask for.

Readiness, gap closure, and evidence architecture for SOC 2 Type I and Type II engagements — designed so the report reads the way procurement and security teams expect.

What it is

An AICPA attestation report, not a certificate.

SOC 2 is an attestation report issued by a US-licensed CPA firm under the AICPA's AT-C 205 standard, evaluating a service organisation's controls against the Trust Services Criteria. The criteria cover five categories — security (always included), availability, processing integrity, confidentiality, and privacy — of which security is mandatory and the others are optional based on what the organisation has committed to customers.

A SOC 2 report is not a pass/fail certificate. It is a detailed narrative that describes the organisation, lists the controls it represents as being in place, and records the auditor's tests and findings. Type I reports on the suitability of the design of controls at a point in time; Type II reports on the operating effectiveness of those controls over a period, typically three to twelve months. In enterprise B2B procurement — particularly with US-based customers — the SOC 2 report has become the dominant vendor-security artefact.

Who needs it

SaaS and technology service providers selling to enterprise customers.

SaaS companies, managed service providers, BPO and KPO operators handling customer data, cloud and infrastructure service providers, data processors, hosting providers, and technology-enabled financial services firms. The audience is primarily the enterprise-customer security and procurement team; a SOC 2 Type II report with a clean opinion typically removes the majority of vendor-security questionnaire friction.

Benefits

What a well-built SOC 2 programme earns you.

01

Enterprise deal acceleration.

Vendor risk management teams increasingly treat SOC 2 Type II as the default ask for processors of customer data. The report shortens or eliminates many security questionnaires.

02

US-market positioning.

Outside the US, ISO 27001 tends to dominate; inside the US, SOC 2 is the expected artefact. For organisations serving both markets, running both in parallel is common.

03

Type I to Type II pathway.

Type I establishes design readiness and unlocks pre-sale conversations. Type II, conducted over an observation period, provides the evidence base customers actually operate on.

04

Control discipline.

SOC 2 forces explicit documentation of controls, their owners, their operation frequency, and their evidence. The exercise itself materially improves operational discipline.

05

Reuse across regimes.

Evidence gathered for SOC 2 supports ISO 27001, ISO 27701, privacy compliance, and customer audits. A well-architected programme serves multiple consumers.

06

Board-level signal.

SOC 2 reporting cycles introduce a quarterly or annual rhythm of management control review that complements board-level governance of information security.

Requirements, in outline

What the standard actually asks of you.

The Trust Services Criteria organise requirements into common criteria (covering control environment, communication and information, risk assessment, monitoring activities, and control activities) plus supplemental criteria for each additional category beyond security. The common criteria align closely with COSO's internal control framework and with ISO 27001 Annex A controls, which is why combined programmes are so efficient.

Practically, an organisation pursuing SOC 2 Type II needs: defined system boundaries and a system description; a risk assessment identifying threats relevant to the Trust Services Criteria; designed controls covering each criterion; documented policies and procedures supporting those controls; evidence that the controls operated throughout the observation period; and a service organisation's written assertion attesting to all of the above. The CPA firm then performs tests over the observation period and issues an opinion. Controls must cover areas including logical access, change management, incident response, vendor management, human resources, physical security, data encryption, monitoring, and business continuity, at a minimum.

Our approach

Five stages, from discovery to report.

01

Scoping & criteria selection

Decide which Trust Services Categories are in scope, define the system and its boundaries, and identify the observation period for Type II.

02

Gap analysis

Map current controls against the Trust Services Criteria, identify gaps, and prioritise remediation. For organisations with existing ISO 27001, the mapping is substantial and helpful.

03

Control design & evidence architecture

Document controls at a level the auditor will test, design evidence sources sustainably (tool-native where possible — ticketing, IAM, CI/CD, monitoring tools), and retire controls that generate paper rather than outcomes.

04

Type I / observation period

Either a Type I readiness audit, or entry into the Type II observation period with evidence collection running from day one. Mid-period reviews catch evidence gaps early, while there is still time to remediate within the period.

05

Auditor engagement

Select and engage a CPA firm, manage the fieldwork, support exception response, and review the draft report before issuance. We do not issue SOC 2 reports ourselves; our independence from the audit firm is part of how the report earns its credibility.

Timeline & investment

Honest ranges, not placeholder pricing.

For a first-time SOC 2 Type I, an organisation with reasonable security practice typically reaches auditor fieldwork in eight to twelve weeks. Type II adds the observation period — most commonly three months for a first Type II, extended to six or twelve months for subsequent cycles. Organisations operating parallel ISO 27001 certification typically shorten SOC 2 readiness to four to six weeks.

Fees depend on organisational size, scope of Trust Services Categories, system complexity, and the cleanliness of existing documentation. CPA firm fees are separate and vary materially by firm. We help evaluate firms on quality and responsiveness rather than steering to a single relationship.

Frequently asked

Questions we answer on most SOC 2 calls.

Is SOC 2 a certification?

No — SOC 2 is an attestation report, not a certification. There is no "SOC 2 certified" logo; the artefact is the report itself, issued by a CPA firm and shared under NDA with customers and prospects.

How does SOC 2 differ from ISO 27001?

Different regimes, significant overlap. ISO 27001 is an international certification against a specific standard, issued by an accredited certification body. SOC 2 is a US attestation under AICPA criteria, issued by a CPA firm. Enterprise customers frequently request whichever their own frameworks expect; many organisations hold both.

Should we start with Type I or Type II?

Type I is useful if the sales cycle demands evidence quickly and observation-period time is not available. Type II is what customers actually want. Many organisations run Type I first to de-risk design, then transition into an observation period for Type II.

How long is the Type II observation period?

Type II reports cover an observation period over which controls must have operated effectively. First Type II reports typically cover three to six months; subsequent reports cover twelve months, aligned to the organisation's reporting cadence.

Do we need a CPA firm?

Yes. SOC 2 reports must be issued by a US-licensed CPA firm. Choice of firm affects cost, timeline, and how the report reads. We help evaluate firms based on quality, responsiveness, and your customers' preferences.

Get a readiness assessment for SOC 2.

Half a day with a senior consultant, a clause-level gap report, and a candid timeline. No commitment beyond the assessment itself.