SOC 2 compliance guide

What SOC 2 actually requires, the difference between Type I and Type II, the Trust Services Criteria — and a practical 90-day path written for SaaS teams without a compliance department.

What SOC 2 is

SOC 2 (Service Organization Control 2) is an attestation report — not a certificate — issued by a licensed CPA firm under AICPA standards. It describes how your service organisation meets the Trust Services Criteria: security, availability, processing integrity, confidentiality and privacy.

In practice, SOC 2 has become the default North American answer to "is your SaaS safe to buy?" — comparable to what ISO 27001 is in the rest of the world.

The five Trust Services Criteria

  • Security (Common Criteria) — mandatory for every SOC 2 report
  • Availability — uptime commitments, monitoring, incident response
  • Processing Integrity — complete, valid, accurate, timely processing
  • Confidentiality — protection of information designated as confidential
  • Privacy — collection, use, retention, disclosure of personal information

A 90-day path to SOC 2 Type I

Step 1

Days 1–14: Scope and gap analysis

Decide which TSCs are in scope. Walk every Common Criteria control against current practice. Output: a gap list with owners and target dates.

Step 2

Days 15–45: Close the gaps

Write the policies (information security, access control, change management, incident response, vendor management, BCP). Configure MFA, logging, vulnerability scanning, background checks, formal onboarding/offboarding.

Step 3

Days 46–60: Run the controls

Operate every control at least once. Hold the management review. Run an internal security awareness session. Capture screenshots, tickets and approvals — these become evidence.

Step 4

Days 61–75: Readiness assessment

Optional but recommended. A pre-audit dry run with your CPA firm catches design gaps before the real audit, where they cost more to fix.

Step 5

Days 76–90: Type I audit

The auditor reviews the system description and tests control design. Findings, if any, are management points — fix them and you have your Type I report.

SOC 2 and ISO 27001 in one workspace

Most growing SaaS companies end up doing both. The control overlap is huge — running two separate spreadsheets means writing every policy twice and answering every customer question twice.

ISO-STANDARD.app ships a ready-to-adopt SOC 2 workspace with the risk register, controls catalogue, policies and audit-ready exports already wired together — no spreadsheet sprawl, no consultant lock-in.

Prefer a conversation? Email hello@iso-standard.app — a real human responds within one business day.

Frequently asked questions

What's the difference between SOC 2 Type I and Type II?

Type I is a point-in-time report: 'on date X, the controls were designed appropriately.' Type II covers a period (usually 3–12 months) and tests that controls operated effectively over that window. Most enterprise buyers expect Type II.

How long does SOC 2 take?

Type I: 2–3 months once controls are in place. Type II: add the observation window (3 months minimum, 12 months typical) on top. Most startups achieve Type I in a quarter and Type II in their second year.

How does SOC 2 compare to ISO 27001?

ISO 27001 is an international certifiable standard with a defined ISMS and Annex A controls. SOC 2 is a US-originated attestation report based on Trust Services Criteria. Heavy overlap — running both is roughly 1.3× the work of running one, not 2×.

Which Trust Services Criteria should we pick?

Security is mandatory. Availability, Confidentiality, Processing Integrity and Privacy are optional and chosen based on customer demand. Most SaaS startups scope Security + Availability + Confidentiality.