Question 1

What is the difference between SOC 2 Type I and Type II?

Accepted Answer

Type I attests to the design of your controls at a point in time. Type II attests that the controls operated effectively over a period — typically 6 to 12 months. Most enterprise buyers require Type II eventually, but starting with Type I to validate the design before opening a Type II observation window is often the lower-risk path.

Question 2

How do I choose which Trust Services Criteria to include?

Accepted Answer

Security is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are added based on what your customers contractually demand and what your service actually does. Most SaaS firms scope Security + Availability + Confidentiality. Privacy is usually only added when you process personal data on behalf of customers and it is contractually required.

Question 3

How long does a SOC 2 programme take?

Accepted Answer

For a SaaS firm of 30-300 people with reasonable security maturity, Type I readiness is typically 8-12 weeks. The Type II observation period is then 6 to 12 months, with the audit fieldwork at the end. We scope precisely after a 1-week assessment.

Question 4

How does SOC 2 differ from ISO 27001?

Accepted Answer

ISO 27001 certifies a management system (the ISMS). SOC 2 attests to specific controls under the AICPA framework. ISO 27001 has stronger international recognition; SOC 2 is the de facto standard for selling into US enterprise buyers. The control sets overlap significantly — we map each ISO 27001 control to the equivalent TSC criteria, so most of the work is reusable in either direction.

Question 5

What does a SOC 2 cost?

Accepted Answer

Audit fees from a reputable CPA firm typically run $20K-$60K for Type I and $40K-$100K for Type II, depending on complexity. Advisory work to get audit-ready is separate. We deliver a fixed-scope readiness engagement — usually 30-60 advisor person-days — and stay alongside through the audit.

Question 6

Do we re-audit annually?

Accepted Answer

Type II attestations are typically annual — most customers require a current report no older than 12 months. Some firms run continuous Type II with rolling 12-month windows. The control library does not change every year, so renewals are lighter than the first audit if you maintain evidence collection year-round.

SOC 2 readiness for SaaS and service organisations selling into regulated buyers

What you get in 90 days

TSC scoping, gap assessment, auditor selection

Control implementation and evidence baseline

Type I attestation prep or Type II observation start

Our SOC 2 Implementation Method

Readiness Assessment

Control Implementation

Evidence Collection

Audit Readiness

Integrated Control Design

Frequently asked questions

Ready to start? Book a 30-min scoping call.