The short answer
SOC 2 (Service Organization Control 2) is an audit framework developed by the AICPA that evaluates how a service provider manages customer data across five Trust Services Criteria. A SOC 2 report is the deliverable an independent auditor produces after evaluating your controls — it's what enterprise customers ask to see before signing.
SOC 2 is voluntary, but in practice it's table stakes for any B2B SaaS company selling to mid-market and enterprise. Without it, procurement teams will block the deal or send you a security questionnaire roughly the length of a novel.
The five Trust Services Criteria
SOC 2 evaluates your controls against any combination of these five criteria. Most companies start with Security (required); the other four are optional and added based on customer demand.
- Security — required for every SOC 2. Controls protect against unauthorised access, both physical and logical.
- Availability — uptime, performance monitoring, disaster recovery. Add it if you've made uptime promises in customer contracts.
- Processing integrity — data is processed completely, accurately, and on time. Add it for billing, payroll, or transactional systems.
- Confidentiality — data labelled confidential is protected per contractual obligations. Add it if you handle customer-confidential commercial data.
- Privacy — personal information is collected, used, retained, disclosed, and disposed of per the AICPA privacy principles. Add it if you handle consumer PII.
Type I vs Type II — what's the difference?
- SOC 2 Type I: A point-in-time report. The auditor confirms your controls exist as of one specific date. Useful as a first milestone — you can have it within a few weeks of being ready. Customers will generally accept it as a "yes, they're doing the work" signal but ask for Type II as a follow-up.
- SOC 2 Type II: An over-time report. The auditor confirms your controls existed AND operated effectively for an audit window — usually 3, 6, or 12 months. This is the report enterprise customers actually want. Most teams aim for an initial 3-month window, then renew annually with 12-month windows.
Who needs SOC 2?
If you're a B2B SaaS company selling to companies with more than ~200 employees, you'll be asked for SOC 2 eventually. The catalysts are usually:
- A specific enterprise deal where procurement requires it before signing
- A pattern of security questionnaires asking for it
- Your VC or board asking you to get it before a fundraise
If you're an internal IT team, a consultancy, or a B2C product, SOC 2 is usually not required. ISO 27001 is more common for international customers; HIPAA for healthcare; PCI DSS for direct payment processing.
Typical timeline
If you're starting from scratch, expect 6–9 months to reach a SOC 2 Type II report:
- Months 1–2: scoping, picking Trust Services Criteria, gap assessment, choosing an auditor
- Months 2–4: writing or adopting policies, implementing controls, collecting baseline evidence
- Months 4–6: Type I audit (point-in-time), close any remediation findings
- Months 6–9: maintain controls for the audit window, then Type II audit at the end
The biggest accelerator is using a platform that maps your controls to SOC 2 criteria automatically. Manual control mapping is the part that takes weeks.
Common gotchas
- Don't over-scope. A common mistake is selecting all five Trust Services Criteria up front. Start with Security; add others when a customer asks.
- Auditor selection matters. Choose an auditor familiar with software companies, not a general accounting firm. Big Four is overkill for most series-A startups.
- The audit window starts the day controls go live, not the day you sign with the auditor. Don't pay for an audit window before your controls are operational.
- You will get findings. Almost everyone does on their first audit. The report is still issued; you address findings before the next cycle.
For a deeper walkthrough, see our complete SOC 2 compliance guide.
Related reading
- The practical SOC 2 compliance guide — what to actually do once you've read this
- ISO 27001 explained — the international counterpart most companies pursue alongside SOC 2
- HIPAA explained — healthcare overlap and how SOC 2 + HIPAA combine
- How to build a security program from scratch — what comes before any framework
- Managing multiple frameworks at once — running SOC 2 alongside ISO/HIPAA/PCI
- LukaGRC vs Vanta vs Drata vs Secureframe — picking SOC 2 tooling
Common questions
How long does SOC 2 take?
From scratch, expect 6–9 months for a Type II report. You can get a Type I report in as little as 4–8 weeks once controls are operational.
How much does SOC 2 cost?
Auditor fees typically range from $15,000–$60,000 depending on firm and scope. Platform costs vary. Most teams underestimate the internal time cost — figure 0.5 FTE for 6 months on a first audit.
What are the 5 Trust Services Criteria?
Security (required for every SOC 2), Availability, Confidentiality, Processing Integrity, and Privacy. Security is mandatory; the other four are optional and only included if relevant to what your customers care about.
Who can issue a SOC 2 report?
Only a licensed CPA firm registered with the AICPA. Examples include Schellman, A-LIGN, Prescient Assurance, Insight Assurance, and Sensiba. Big Four firms (Deloitte, EY, KPMG, PwC) also do SOC 2 but cost 2–4x more.
What's an observation window?
For a Type II report, the auditor tests whether your controls operated effectively over a period of time — typically 3, 6, or 12 months. That period is the observation window. Most first-time Type II reports use a 3-month window to start; subsequent reports usually run 12 months.
What is a bridge letter?
A bridge letter (also called a gap letter) is a statement from your CPA covering the period between the end of your last SOC 2 report and a current date. Customers ask for it when they want to confirm nothing material has changed since your last audit ended.
What goes in a SOC 2 report?
Five sections: (1) the auditor's opinion, (2) management's assertion, (3) a description of your system, (4) the trust services criteria and your controls mapped to them, and (5) for Type II only, the auditor's tests and results. Most reports run 40–120 pages.
Do I need Type I before Type II?
No, you can go directly to Type II. Type I is useful when you need to show progress to a customer or investor before the audit window completes.
Does SOC 2 cover GDPR or HIPAA?
Partially. The Confidentiality and Privacy TSCs touch on data protection but SOC 2 doesn't certify GDPR or HIPAA compliance. For HIPAA you need a separate HIPAA Security Rule assessment; for GDPR you need DPIA work and lawful basis documentation that SOC 2 doesn't cover.
Is SOC 2 the same as ISO 27001?
No. SOC 2 is a US-developed audit; ISO 27001 is an international certification standard. They overlap significantly but the deliverables are different. Many companies eventually pursue both.
Last updated: May 25, 2026 · Reviewed by the LukaGRC compliance team