System and Organisation Controls 2
The security standard US enterprise buyers require. Covers your systems, controls, and data handling.
What Is SOC 2?
SOC 2 is an audit report — not a certification — issued by an independent CPA firm that evaluates whether your organisation's security controls meet the AICPA's Trust Services Criteria. The report tells your enterprise customers that a qualified third party has examined how you protect data, manage access, respond to incidents, and handle vendor risk — and found your controls to be suitably designed and operating effectively.
It comes in two types. Type I is a point-in-time evaluation: the auditor assesses whether your controls are designed correctly as of a specific date. Type II covers an observation period — typically 6 or 12 months — and tests whether controls operated consistently throughout. Enterprise buyers almost always want Type II. Type I is a useful checkpoint but not a destination.
SOC 2 covers up to five Trust Services Criteria: Security (always required), Availability, Confidentiality, Processing Integrity, and Privacy. Most companies scope to Security only for their first report. The Security criteria — CC1 through CC9 — cover your control environment, risk assessment, access controls, incident response, change management, and vendor risk management.
Does SOC 2 Apply to Your Organisation?
Understanding typical procurement requirements and compliance thresholds.
B2B SaaS Selling to US Enterprise
US enterprise procurement teams treat SOC 2 as a baseline vendor requirement. Without it, deals stall at the security review stage.
API Platforms and Developer Tools
Developers building on your API work at companies with security review processes. SOC 2 removes friction from their procurement sign-off.
Managed Service Providers (MSPs)
MSPs access client systems and data. SOC 2 demonstrates that your access controls and incident response meet enterprise expectations.
FinTech and PayTech
Financial services companies applying vendor risk management to their technology stack routinely require SOC 2 from SaaS vendors.
India-Market B2B SaaS
SOC 2 is gaining traction with larger Indian enterprises but ISO 27001 remains more widely required. SOC 2 is essential if you have US customers or plan to expand there.
- You are building a purely internal tool with no external customers or users.
- You operate exclusively in the European public sector, where ISO 27001 is the standard.
- You process zero customer data and act solely as an offline advisory consulting firm.
Why SOC 2 Matters in 2026
Understanding the current regulatory pressures and market adoption vectors.
US Procurement Tightening
In 2026, over 90% of US mid-market and enterprise SaaS procurements mandate a SOC 2 Type II report before trial access or POCs are authorized.
Automation Tooling Maturity
Compliance automation tools simplify screenshot gathering, but auditors have raised the bar for manual reviews of custom risk assessments and vendor reports.
Investor Due Diligence Gate
Venture debt, private equity, and institutional investors expect a SOC 2 audit pipeline as a mandatory checklist item during financial due diligence.
The Requirements
The core security controls and evidence parameters audited for SOC 2.
How Long Does It Take?
A realistic phase-by-phase implementation roadmap for SOC 2.
Scoping & Gap Assessment
Define system boundaries, choose Trust Criteria, and run policy assessments.
Remediation & Policies
Implement MFA, configure SSO, write security policies, and setup monitoring agents.
Tabletop & Review
Execute a mock incident response tabletop test, review vendor reports, and select a CPA auditor.
Type I Audit & Type II Window
CPA auditor runs Type I assessment. Observation window for Type II (typically 3–6 months) begins immediately.
With Existing Certifications
8–10 weeks: Leverage existing ISO 27001 policies and evidence, shortening preparation time.
Starting from Scratch
12–16 weeks: Start from zero policies, establishing credentials, tooling, and operational history.
The Mistakes That Delay Most SOC 2 Programs
Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.
Scoping everything into scope on day one
CTO says 'we want to be comprehensive' without asking what buyers actually need.
Ask your top 3 buyers which criteria they require before your first scoping conversation. Most only need Security.
Treating Vanta or Drata as the compliance program
Automation tools cover evidence collection well but don't build a risk assessment, test your incident response plan, or review your vendor CUECs.
Use the tool for evidence collection. Build the program yourself — risk assessment, IR testing, vendor reviews — in parallel.
Starting evidence collection without a naming convention
After 3 months, you have 200 files named 'screenshot_final_v2_ACTUAL.png' and nobody can find anything.
On day one, create a folder structure and naming convention: CC6.3_AccessReview_Q3_2026.pdf. It takes 20 minutes and saves 20 hours.
Skipping the tabletop exercise
Teams write an incident response plan and assume that means their IR is ready. An untested plan is a document, not a control.
Run a 90-minute tabletop exercise 60 days before your audit. Document who attended, what scenario was tested, and what you found.
Not reviewing vendor CUECs
AWS, Okta, and every critical vendor publishes Complementary User Entity Controls in their SOC 2 report. Most companies have never read them.
Get the latest SOC 2 report for your top 5 vendors. Find the CUECs section. Document each one and confirm it's implemented.
Rishabh's Take on SOC 2
Practitioner Voice“The scoping conversation is where most SOC 2 programs go wrong before they even start. The number one mistake I see is teams deciding what to put in scope based on what they think is 'thorough' rather than what their buyers actually require — and spending 6 months building controls for criteria nobody asked for. Before you spend a dollar on SOC 2, email your top three enterprise contacts and ask: which criteria do you need, and will you accept Type I to close the deal? Their answers determine your scope. Everything else flows from that conversation.”
Related Resources
Articles, guides, and tools to accelerate your compliance program.
SOC 2 Insights
The report is issued. The hard work is done — or is it? Here's how to share it with customers, maintain your controls, and make sure your second audit is easier than your first.
The formal audit isn't a surprise exam — it's a structured process you can prepare for. Here's exactly what happens from first evidence request to final report, and how Orion navigated it.
SOC 2 Self-Assessment Checklist
Run our free interactive SOC 2 Self-Assessment Checklist to map out your readiness gap and audit criteria instantly.
Compare Frameworks
Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.
Frequently Asked Questions
Common queries about SOC 2 compliance and certification processes.