SOC 2 is rarely about one report — it’s about getting the program to a place where the next renewal isn’t a fire drill. We treat the first audit as the start of an ongoing operation, not the finish line.
SOC 2
SOC 2 — Type I & Type II
From first customer ask to a clean Type II report — prepared, achieved, and continuously maintained as your business changes.
SOC 2 — common questions
What is included in a SOC 2 engagement?
Readiness assessment against the Trust Services Criteria, policy library, control implementation, GRC platform deployment and operation, evidence collection, and end-to-end coordination with the auditor through Type I and Type II.
How long until SOC 2 Type II?
After Type I and a 3 to 12-month observation period (most companies choose 6 months), the Type II audit follows. We continue running the program through the observation window so evidence accumulates automatically.
Do you cover all five Trust Services Criteria?
Security is required; the other four (availability, processing integrity, confidentiality, privacy) are scoped to the criteria your customers actually request. We help you make that scoping call during onboarding.