SOC 2AICPA
Getting Started Guide

System and Organisation Controls 2

The security standard US enterprise buyers require. Covers your systems, controls, and data handling.

Audit Effort3–6 months
Key Fact35+ SOC 2 audits completed by this author

What Is SOC 2?

SOC 2 is an audit report — not a certification — issued by an independent CPA firm that evaluates whether your organisation's security controls meet the AICPA's Trust Services Criteria. The report tells your enterprise customers that a qualified third party has examined how you protect data, manage access, respond to incidents, and handle vendor risk — and found your controls to be suitably designed and operating effectively.

It comes in two types. Type I is a point-in-time evaluation: the auditor assesses whether your controls are designed correctly as of a specific date. Type II covers an observation period — typically 6 or 12 months — and tests whether controls operated consistently throughout. Enterprise buyers almost always want Type II. Type I is a useful checkpoint but not a destination.

SOC 2 covers up to five Trust Services Criteria: Security (always required), Availability, Confidentiality, Processing Integrity, and Privacy. Most companies scope to Security only for their first report. The Security criteria — CC1 through CC9 — cover your control environment, risk assessment, access controls, incident response, change management, and vendor risk management.

Does SOC 2 Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

B2B SaaS Selling to US Enterprise

US enterprise procurement teams treat SOC 2 as a baseline vendor requirement. Without it, deals stall at the security review stage.

Likely applies

API Platforms and Developer Tools

Developers building on your API work at companies with security review processes. SOC 2 removes friction from their procurement sign-off.

Likely applies

Managed Service Providers (MSPs)

MSPs access client systems and data. SOC 2 demonstrates that your access controls and incident response meet enterprise expectations.

Likely applies

FinTech and PayTech

Financial services companies applying vendor risk management to their technology stack routinely require SOC 2 from SaaS vendors.

Likely applies

India-Market B2B SaaS

SOC 2 is gaining traction with larger Indian enterprises but ISO 27001 remains more widely required. SOC 2 is essential if you have US customers or plan to expand there.

Depends on customer base
You probably don't need SOC 2 if:
  • You are building a purely internal tool with no external customers or users.
  • You operate exclusively in the European public sector, where ISO 27001 is the standard.
  • You process zero customer data and act solely as an offline advisory consulting firm.

Why SOC 2 Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

US Procurement Tightening

In 2026, over 90% of US mid-market and enterprise SaaS procurements mandate a SOC 2 Type II report before trial access or POCs are authorized.

Automation Tooling Maturity

Compliance automation tools simplify screenshot gathering, but auditors have raised the bar for manual reviews of custom risk assessments and vendor reports.

Investor Due Diligence Gate

Venture debt, private equity, and institutional investors expect a SOC 2 audit pipeline as a mandatory checklist item during financial due diligence.

The Requirements

The core security controls and evidence parameters audited for SOC 2.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for SOC 2.

1
Weeks 1–3

Scoping & Gap Assessment

Define system boundaries, choose Trust Criteria, and run policy assessments.

Key Deliverable:Gap assessment registry + scoping map
2
Weeks 4–10

Remediation & Policies

Implement MFA, configure SSO, write security policies, and setup monitoring agents.

Key Deliverable:Security policies, logging pipelines, and code approval guidelines
3
Weeks 11–12

Tabletop & Review

Execute a mock incident response tabletop test, review vendor reports, and select a CPA auditor.

Key Deliverable:Tabletop test report and Section III boundary drafts
4
Week 13+

Type I Audit & Type II Window

CPA auditor runs Type I assessment. Observation window for Type II (typically 3–6 months) begins immediately.

Key Deliverable:Type I Report followed by Type II audit logs
With Existing Certifications

8–10 weeks: Leverage existing ISO 27001 policies and evidence, shortening preparation time.

Starting from Scratch

12–16 weeks: Start from zero policies, establishing credentials, tooling, and operational history.

The Mistakes That Delay Most SOC 2 Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Scoping everything into scope on day one

Why it happens:

CTO says 'we want to be comprehensive' without asking what buyers actually need.

How to avoid it:

Ask your top 3 buyers which criteria they require before your first scoping conversation. Most only need Security.

Treating Vanta or Drata as the compliance program

Why it happens:

Automation tools cover evidence collection well but don't build a risk assessment, test your incident response plan, or review your vendor CUECs.

How to avoid it:

Use the tool for evidence collection. Build the program yourself — risk assessment, IR testing, vendor reviews — in parallel.

Starting evidence collection without a naming convention

Why it happens:

After 3 months, you have 200 files named 'screenshot_final_v2_ACTUAL.png' and nobody can find anything.

How to avoid it:

On day one, create a folder structure and naming convention: CC6.3_AccessReview_Q3_2026.pdf. It takes 20 minutes and saves 20 hours.

Skipping the tabletop exercise

Why it happens:

Teams write an incident response plan and assume that means their IR is ready. An untested plan is a document, not a control.

How to avoid it:

Run a 90-minute tabletop exercise 60 days before your audit. Document who attended, what scenario was tested, and what you found.

Not reviewing vendor CUECs

Why it happens:

AWS, Okta, and every critical vendor publishes Complementary User Entity Controls in their SOC 2 report. Most companies have never read them.

How to avoid it:

Get the latest SOC 2 report for your top 5 vendors. Find the CUECs section. Document each one and confirm it's implemented.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Frequently Asked Questions

Common queries about SOC 2 compliance and certification processes.