What Is SOC 2 Compliance? Guide for SaaS Companies

Hisham Mir
May 5, 2026

A prospective customer has asked for your SOC 2 report. Your investor's due diligence checklist requires one. Procurement at a Fortune 500 has flagged that they cannot move your contract forward without it. And the question you are now staring at, possibly for the first time, is: what does that actually mean, and how long is this going to take?

SOC 2 is not a regulation. There is no government agency that fines you for non-compliance, no statutory deadline, no licence to revoke. It is also not, strictly speaking, a "certification": there is no SOC 2 badge, no PDF signed by a regulator, no number you can put on a website. SOC 2 is a market requirement, enforced contract-by-contract and deal-by-deal by enterprise buyers and their procurement teams. And in 2026, in B2B SaaS, that market requirement has become a de facto entry ticket: without it, you do not sell to mid-market and enterprise customers, and you do not raise institutional capital.

This guide explains what SOC 2 actually is, who needs it, what the audit process looks like, what a SOC 2 report says (and what it does not), and what the realistic path to one looks like for a modern SaaS or cloud company. It is written for the founder, CTO, or compliance lead who has just been asked for a SOC 2 report and needs to understand the framework before they read anything else.

  1. What SOC 2 Actually Is — and Why It Is Not Quite a "Certification"
  2. Who Needs SOC 2 Compliance — and Who Asks For It
  3. SOC 2 Type 1 vs Type 2 — The Difference That Matters
  4. The Five Trust Services Criteria, and Which Ones Apply to You
  5. What the SOC 2 Audit Process Actually Looks Like
  6. What a SOC 2 Report Is — and What It Is Not
  7. How SecurityWall Helps Companies Get SOC 2 Ready

What SOC 2 Actually Is — and Why It Is Not Quite a "Certification"

SOC 2, short for System and Organization Controls 2, is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA). It defines how service organisations should design and operate the controls that protect their customers' data. The framework is structured around five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Unlike a regulation, SOC 2 is voluntary in the legal sense. No statute requires it. No government regulator enforces it. The framework is enforced by the market: by enterprise buyers, regulated industries, and institutional investors who require it before they will sign a contract or write a cheque. In B2B SaaS, that market enforcement is now near-total above a certain customer-size threshold.

It is also, technically, not a certification. A SOC 2 audit produces a report, not a certificate. The report is a formal opinion letter signed by a licensed CPA firm, stating whether the service organisation's controls are designed appropriately (Type 1) or are operating effectively over a defined period (Type 2). When founders say "we got SOC 2 certified," what they mean, or should mean, is "we completed a SOC 2 audit and hold a clean auditor's report."

The distinction matters because SOC 2 reports are dated, scoped, and tied to a specific audit period and specific Trust Services Criteria. Two companies can both "have SOC 2," and one of them may be covering far less ground than the other. Sophisticated buyers know to ask for the report itself, not just a confirmation that you have one.


Who Needs SOC 2 Compliance — and Who Asks For It

SOC 2 applies to service organisations: companies that store, process, or transmit data on behalf of their customers. In modern terms, that is the entire B2B SaaS, cloud infrastructure, and managed service economy.

Specifically, SOC 2 is most often required of:

  • B2B SaaS platforms of any kind that hold customer data: CRMs, project management tools, analytics platforms, subscription billing systems, communication platforms
  • Cloud infrastructure and PaaS providers that host or process customer workloads
  • Managed service providers delivering security, IT, or compliance services
  • Fintech platforms handling financial data, transactions, or regulatory reporting on behalf of clients
  • HealthTech and adjacent platforms processing health information for covered entities
  • Data processors and analytics platforms ingesting, transforming, or enriching customer data
  • AI and ML platforms training models or providing inference on customer data

The pattern: if your customer trusts you with data they are themselves accountable for, your SOC 2 report is the document that makes that trust auditable.

Who Actually Asks for It

Three groups drive almost all SOC 2 demand:

  • Enterprise customers in vendor security review. Procurement, security, and compliance teams at mid-market and enterprise organisations require SOC 2 before signing contracts. The request typically appears in a security questionnaire alongside other framework requests (ISO 27001, HIPAA, PCI DSS where relevant).
  • Regulated industries. Customers in financial services, healthcare, insurance, government contracting, and critical infrastructure are subject to vendor risk management obligations that effectively mandate SOC 2 from their suppliers.
  • Institutional investors. VCs, growth-equity firms, and acquirers increasingly require SOC 2 as part of cybersecurity due diligence before closing a round or transaction. The absence of a clean SOC 2 report can materially affect deal terms.

The trigger for SOC 2 work is almost always commercial: a stalled deal, a closed-lost reason, an investor diligence ask. Companies rarely pursue SOC 2 because they want to. They pursue it because their next contract depends on it.

SOC 2 Type 1 vs Type 2 — The Difference That Matters

There are two distinct SOC 2 reports, and the difference is consequential both for the work involved and for what your customer will accept.

SOC 2 Type 1 is a point-in-time assessment. The auditor examines whether your controls are designed appropriately as of a specific date. It answers the question: do the right controls exist, on paper and in practice, on this date?

SOC 2 Type 2 is a period-of-time assessment. The auditor examines whether your controls operated effectively across a defined audit window, typically 3, 6, or 12 months. It answers a much harder question: did the right controls actually function, consistently, over a sustained period?

SOC 2 Reports: Type 1 vs Type 2, Side by Side

  • What it tests. Type 1: control design (do the controls exist?). Type 2: control operation (did they actually work?)
  • Audit window. Type 1: a single date, point in time. Type 2: 3, 6, or 12 months of observation period
  • Time to first report. Type 1: 2–4 months from gap assessment. Type 2: 6–12 months from gap assessment
  • Evidence required. Type 1: policies, configs, screenshots showing current state. Type 2: operational artefacts across the period (tickets, logs, reviews, samples)
  • What enterprise buyers prefer. Type 1: accepted as a stop-gap with a Type 2 commitment. Type 2: strongly preferred, often required
  • Renewal cadence. Type 1: replaced by the first Type 2. Type 2: annual, with continuous compliance expected

Type 1 buys you time. Type 2 is what enterprise procurement actually wants. Most companies pursue Type 1 first to unblock immediate deals, then transition into a Type 2 audit window during the 6–12 months that follow.

The practical sequencing for most companies: complete a Type 1 audit to satisfy an immediate customer or investor requirement, then enter a Type 2 observation window, typically 6 months, and produce the first Type 2 report at the end. From there, Type 2 is renewed annually.

The Five Trust Services Criteria, and Which Ones Apply to You

The SOC 2 framework is built around five Trust Services Criteria (TSC). The choice of which criteria to include is yours, except for one, which is mandatory.

Security is the only mandatory criterion. Every SOC 2 report includes Security. It covers protection of system resources against unauthorised access, and is sometimes called the Common Criteria because the underlying controls (CC1 through CC9) span all five categories.

Availability addresses whether systems are accessible for operation and use as committed. Required by customers whose business depends on your uptime: typically infrastructure providers, communication platforms, and business-critical SaaS.

Processing Integrity addresses whether system processing is complete, accurate, timely, and authorised. Required by customers where your platform performs calculations or transformations they rely on: payments, billing, analytics, financial reporting.

Confidentiality addresses protection of information designated as confidential. Required when you handle data classified as confidential by your customers: legal, healthcare, government, financial services.

Privacy addresses collection, use, retention, disclosure, and disposal of personal information. Required when you handle consumer personal data and your customers need privacy assurances aligned with frameworks like GDPR or CPRA.

Which Criteria You Should Actually Include

The temptation is to include all five to maximise the report's value. The reality is that each additional criterion adds substantial scope and cost: extra controls to design, evidence to collect, and audit procedures to satisfy. Most companies start with just Security for their first SOC 2, then add Availability and Confidentiality as customer demand justifies. Processing Integrity and Privacy are typically added only when specific customer or regulatory requirements drive them.

Asking your sales team which customers have asked for which criteria before you scope the audit saves substantial time and cost downstream.

What the SOC 2 Audit Process Actually Looks Like

The full SOC 2 journey, from "we need to start" to "we have a signed report", runs 6–12 months for most companies. The phases are predictable.

Phase 1 — Readiness and Gap Assessment

A structured comparison of your current controls against the SOC 2 framework. It identifies what is in place, what is partially implemented, and what is missing, and produces a remediation roadmap. This is where the free SOC 2 readiness assessment gives you an instant first read; a full SOC 2 gap analysis goes deeper across the same 12 control domains.

Phase 2 — Control Implementation and Remediation

The bulk of the calendar time. Implementing missing controls, formalising policies and procedures, deploying technical safeguards, training staff, and producing the documentation auditors will examine. Effort scales with the gap assessment results: a security-mature SaaS may need 6–10 weeks; a greenfield environment can need 4–6 months.

Phase 3 — Penetration Testing and Technical Validation

Annual external and internal penetration testing aligned to the SOC 2 framework. Auditors expect specific evidence here: scope, methodology, severity-rated findings, and remediation. Read what SOC 2 auditors expect from penetration testing for the details, and what to budget for SOC 2 penetration testing for pricing reality.

Phase 4 — Audit Period (Type 2 only)

For Type 2, the auditor observes your controls across a defined window, usually 6 months for a first audit. During this period your controls must operate consistently, and you must produce evidence (tickets, logs, access reviews, change records) that the auditor can sample.

Phase 5 — Auditor Fieldwork and Report Issuance

The audit firm reviews evidence, conducts interviews, samples controls, and drafts the report. Typically 4–8 weeks of active work. The output is the formal SOC 2 report, your auditor's opinion letter, which you then share with customers under NDA.

Phase 6 — Continuous Compliance and Annual Renewal

SOC 2 is not a one-time exercise. Type 2 reports cover annual periods, and customers expect continuous compliance, meaning controls must operate effectively year-round, with annual auditor renewal.


What a SOC 2 Report Is — and What It Is Not

A SOC 2 report is a formal document, signed by a licensed CPA firm, that contains the auditor's professional opinion on your controls. Understanding what is and is not in that document explains a lot of the friction in B2B compliance conversations.

What a SOC 2 Report Actually Contains

  • Independent Service Auditor's Report — the opinion letter itself, the CPA firm's formal conclusion
  • Management's Assertion — your own statement about the system and controls being audited
  • System Description — narrative description of the system, infrastructure, software, people, processes, and data covered
  • Trust Services Criteria and Controls — the controls in scope, mapped to the relevant TSC
  • Tests of Controls and Results (Type 2 only) — the auditor's specific procedures and outcomes for each control tested

The complete report typically runs 60–150 pages. It is detailed, technical, and treated as confidential: you share it with customers under NDA, not publicly.

What a SOC 2 Report Is Not

It is not a pass/fail certificate. It is not a stamp. It is not a guarantee that your systems will not be breached. And it is not interchangeable across companies: every report is specific to one organisation, one audit period, one set of Trust Services Criteria, and one defined system scope.

When a customer asks to "see your SOC 2," what they want is the actual report, typically delivered through their procurement or vendor-management process, under NDA. A summary, screenshot, or one-page attestation is not sufficient. Companies that try to substitute lighter artefacts routinely lose credibility with sophisticated buyers.

It also is not a replacement for ISO 27001, HIPAA, PCI DSS, or other frameworks. Customers in regulated industries frequently require multiple frameworks simultaneously. SOC 2 covers some of the same ground as ISO 27001, but the two are not equivalent, and procurement teams know it.

How SecurityWall Helps Companies Get SOC 2 Ready

SecurityWall supports SaaS, fintech, and cloud companies through every phase of the SOC 2 journey, from "we just got asked for one" through to a clean Type 2 report and continuous compliance. Our model is built around the reality that SOC 2 is more about evidence, operational consistency, and technical depth than about paperwork.

Free SOC 2 Readiness Assessment — Start Here

Before you commit to gap analysis or auditor selection, the free SOC 2 Readiness Assessment gives you an instant first read on where you stand:

  • Weighted compliance score across 12 SOC 2 control domains
  • Critical gap list with control-by-control breakdown
  • Executive auditor summary with remediation roadmap
  • 200+ controls mapped to the Trust Services Criteria
  • 100% browser-based: no sign-up, no data leaving your browser, no commitment

Companies use it to baseline their position in 10 minutes, share the executive summary with their board or investors, and decide what to prioritise before any paid engagement begins.

Full SOC 2 Gap Analysis

For companies that need more depth than the free tool, our full gap analysis service reviews your controls in detail, including evidence sampling, stakeholder interviews, and a board-ready remediation roadmap formatted to feed directly into the audit firm's evidence requests.

Penetration Testing for SOC 2

SOC 2 auditors expect specific evidence from penetration testing, and reports that fall short of that bar are routinely rejected. Our SOC 2 penetration testing service is designed to produce auditor-ready evidence:

  • External and internal penetration testing, scoped to the system covered by your audit
  • API and application-layer testing aligned to OWASP Top 10 and modern attack patterns
  • Severity-rated findings with CVSS scores and remediation guidance
  • Retest evidence for closed findings
  • Reports formatted for direct delivery to your audit firm

Continuous Compliance Support

After your first report, SOC 2 becomes an annual operational commitment. We support:

  • Annual penetration testing and renewal cycles
  • Continuous monitoring and evidence collection support
  • Customer security questionnaire response support
  • Vendor risk programmes for your own service providers

Bundled with Adjacent Frameworks

Many of our clients pursue SOC 2 alongside ISO 27001, HIPAA, GDPR, or PCI DSS. We deliver coordinated programmes across multiple frameworks (single point of contact, mapped controls, consolidated evidence), eliminating the duplicate effort that comes with running each framework as a separate engagement.


Frequently Asked Questions

Is SOC 2 a certification?

Technically, no. SOC 2 produces an auditor's report (a formal opinion letter from a licensed CPA firm), not a certificate. When companies say they are "SOC 2 certified," they mean they hold a current clean SOC 2 report. Sophisticated buyers ask for the report, not for a confirmation.

Do we need Type 1, Type 2, or both?

Most companies pursue Type 1 first to unblock immediate customer or investor requirements, then enter a 6-month observation window and produce a Type 2 report. Enterprise buyers strongly prefer Type 2 and many require it. Type 1 alone, indefinitely, is treated as a stop-gap.

How long does it take to get a SOC 2 report?

A SOC 2 Type 1 typically takes 2–4 months from gap assessment to issued report for a security-mature SaaS company. A first Type 2 takes 6–12 months because of the observation window. Companies with weak existing controls run longer.

What does SOC 2 cost?

Total programme cost varies widely with company size, system complexity, chosen Trust Services Criteria, and starting compliance posture. Our SOC 2 penetration testing cost guide breaks down the technical-testing component; full programme costs depend on remediation scope, audit firm fees, and ongoing tooling.

Can SecurityWall be our SOC 2 auditor?

No, and any vendor who says yes should be a red flag. SOC 2 audits must be conducted by a licensed CPA firm. SecurityWall handles readiness, gap analysis, penetration testing, remediation advisory, and ongoing compliance support, and works alongside CPA audit firms. The independence of audit and advisory is a core principle of SOC 2 and one of the reasons buyers trust the report.

What is the difference between SOC 2 and ISO 27001?

Both frameworks address information security, but they differ in approach. SOC 2 produces an auditor's opinion on controls against the AICPA's Trust Services Criteria; ISO 27001 produces a certification against the ISO/IEC 27001 standard for information security management systems. Mature programmes increasingly pursue both: they share substantial control overlap but serve different buyer expectations, particularly across geographies (SOC 2 is more dominant in North American B2B, ISO 27001 in European and Asian markets).

What is the next step if we are starting from zero?

Run the free SOC 2 Readiness Assessment first. It gives you a weighted score across the 12 control domains, a critical-gap list, and an executive auditor summary in 10 minutes. From there, decide whether you need a deeper gap analysis, what remediation effort the report implies, and which Trust Services Criteria to scope into your audit.


About Hisham Mir

Hisham Mir is a cybersecurity professional with 10+ years of hands-on experience and Co-Founder & CTO of SecurityWall. He leads real-world penetration testing and vulnerability research, and is an experienced bug bounty hunter.
