
SOC 2 Explained: Type I, Type II, and What Auditors Actually Look For

Cut through the SOC 2 confusion. This guide covers what the report actually says, how Type I and Type II differ, and what you need to prepare.

SOC 2 Is a Report, Not a Certification

The first thing to understand about SOC 2 is that it’s not a certification like ISO 27001. It’s an audit report — a document produced by a licensed CPA firm that describes your controls and attests either to their design (Type I) or to their operating effectiveness over a period (Type II).

Your customers request this report as evidence that you take security seriously. It’s particularly common in North American enterprise procurement.


The Five Trust Services Criteria

SOC 2 audits are structured around Trust Services Criteria (TSC). You must include Security (the Common Criteria). Everything else is optional:

Criteria               What It Covers
Security               Protection against unauthorised access (mandatory)
Availability           System uptime and performance commitments
Confidentiality        Protection of confidential information
Processing Integrity   Completeness and accuracy of processing
Privacy                Collection and use of personal information

Most SaaS companies start with Security only, sometimes adding Availability if uptime is a customer concern.


Type I vs Type II

SOC 2 Type I — A point-in-time report. The auditor assesses whether your controls are designed appropriately as of a specific date. Faster to achieve, less rigorous, and less trusted by sophisticated buyers.

SOC 2 Type II — A report covering a period of time (typically 6–12 months). The auditor assesses whether your controls operated effectively throughout that period. This is what enterprise customers actually want to see.

Most organisations aim for Type II. Some do a Type I first as a stepping stone if they need something fast.


What Auditors Actually Test

SOC 2 auditors don’t just read your policies. They test controls by reviewing evidence:

  • Logical access — user provisioning and deprovisioning logs, access reviews, MFA enforcement
  • Change management — code review records, deployment approvals, change tickets
  • Incident management — incident logs, response procedures, post-mortems
  • Vendor management — vendor assessments, contracts, ongoing monitoring
  • Risk assessment — documented risk process, risk register, treatment decisions

If you can’t produce evidence, the control fails — regardless of what your policy says.
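As an added illustration (not part of the original guide, and not any auditor's or vendor's tooling), the logical-access evidence above can be generated rather than assembled by hand: the script below reconciles a constructed identity-provider export against a constructed HR leaver list, flags accounts still active past a hypothetical one-business-day deprovisioning SLA, and lists active users without MFA. The data, usernames and SLA are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real system): an IdP user export and
# an HR leaver list, the two artefacts an auditor reconciles for the
# logical-access control (deprovisioning timeliness and MFA enforcement).
IDP_USERS = [
    {"user": "alice", "status": "active",   "mfa": True},
    {"user": "bob",   "status": "active",   "mfa": False},
    {"user": "carol", "status": "disabled", "mfa": True},
    {"user": "dave",  "status": "active",   "mfa": True},
]
HR_LEAVERS = {  # username -> last working day (constructed)
    "carol": date(2024, 3, 1),
    "dave": date(2024, 3, 4),
}
DEPROVISION_SLA_DAYS = 1          # hypothetical policy: disable within 1 day
AS_OF = date(2024, 3, 8)          # date the review snapshot was taken


def stale_accounts(users, leavers, as_of, sla_days=DEPROVISION_SLA_DAYS):
    """Leavers whose account is still active beyond the SLA, with days overdue."""
    findings = []
    for u in users:
        left = leavers.get(u["user"])
        if left is None or u["status"] != "active":
            continue                      # not a leaver, or already disabled
        overdue = as_of - left
        if overdue > timedelta(days=sla_days):
            findings.append((u["user"], overdue.days))
    return findings


def users_without_mfa(users):
    """Active accounts that have not enrolled in MFA (a control exception)."""
    return sorted(u["user"] for u in users
                  if u["status"] == "active" and not u["mfa"])


def access_review(users, leavers, as_of):
    """Evidence record for one access review: exceptions only, or empty lists."""
    return {
        "review_date": as_of.isoformat(),
        "stale_accounts": stale_accounts(users, leavers, as_of),
        "no_mfa": users_without_mfa(users),
    }


if __name__ == "__main__":
    print(access_review(IDP_USERS, HR_LEAVERS, AS_OF))
```

Running the review on a schedule and keeping each dated output is the kind of repeatable evidence trail the auditor asks for; an empty exception list is evidence too.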


How Long Does It Take?

A realistic timeline for a first SOC 2 Type II:

  • Months 1–2: Gap assessment, control design, policy development
  • Months 3–4: Control implementation, evidence collection tooling
  • Months 5–10: Audit observation period (controls operating)
  • Months 11–12: Audit fieldwork and report issuance

Faster is possible with the right tooling and preparation. The audit period itself cannot be compressed — if you want a 12-month report, you need 12 months of evidence.


Choosing an Auditor

SOC 2 audits must be performed by a licensed CPA firm. Quality varies significantly. Things to consider:

  • Experience in your industry and tech stack
  • Whether they use audit automation platforms (speeds up evidence collection)
  • Turnaround time for report issuance
  • Whether they offer readiness assessments before the formal audit