SOC 2 · Pillar

SOC 2 attestation, delivered as a discipline.

SOC 2 is a service-organization control report issued by a licensed CPA firm against the AICPA Trust Services Criteria. We advise the program end-to-end: readiness, control build, evidence engineering, auditor management, and continuous compliance across renewal cycles.

01 — Overview

SOC 2 is the assurance report North American enterprises expect their strategic vendors to hold. It exists in two forms: Type I attests to the design of controls at a point in time; Type II attests to their operating effectiveness across a period.

The report is issued against the AICPA's Trust Services Criteria — Security (required) plus optional Availability, Processing Integrity, Confidentiality, and Privacy. Scoping the right criteria is the first decision that either compounds or complicates every subsequent phase of the program.

Cyber Inspect runs SOC 2 as a program, not a project. We embed evidence collection into the systems that already produce it, prepare the auditor package, and carry the program forward year over year.

02 — Engagement

Our approach.

  1. I

    Scoping & TSC selection

    Partner-led scoping session to elect the right criteria and system boundary for your commercial context.

  2. II

    Readiness assessment

    Gap analysis against the elected TSCs, with a costed remediation roadmap and defensible sequencing.

  3. III

    Control build & evidence

    We design, implement, and instrument each control — from access reviews to change management to vendor oversight.

  4. IV

    Audit facilitation

    We run the CPA relationship end-to-end and drive the report to issuance without surprises.

  5. V

    Continuous compliance

    Managed compliance across renewal cycles, including bridge letter support and Type II period transitions.

03 — Deliverables

What you receive.

  • TSC scoping memo and system boundary documentation
  • Readiness report with costed remediation roadmap
  • Complete control implementation and testing evidence
  • Automated evidence pipelines (Vanta, Drata, Sprinto, Secureframe, or bespoke)
  • System description drafted to AICPA guidance
  • Auditor evidence room, curated and indexed
  • Issued SOC 2 report from an independent CPA firm
  • Bridge letters and continuous compliance program

04 — Timeline

Expected duration.

Type I engagements run three to five months. Type II engagements run six to twelve months driven by the observation period elected. Clients renewing an existing SOC 2 typically compress subsequent cycles to eight weeks of active work.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Should we start with Type I or go straight to Type II?+

Type I is appropriate when a specific buyer has requested evidence quickly and a Type II observation window would miss the commercial deadline. In every other case we recommend proceeding directly to Type II — the market treats Type I as a milestone, not a destination.

Which Trust Services Criteria should we elect?+

Security is mandatory. Availability is standard for infrastructure and platform providers. Confidentiality is standard for anyone handling customer business data. Processing Integrity applies to transaction and payment processors. Privacy is elected when the report will be relied on for GDPR or state privacy compliance.

How does SOC 2 compare to ISO 27001?+

SOC 2 is an attestation report issued by a CPA firm; ISO 27001 is a certification issued by an accredited certification body against an international standard. Roughly 70% of controls map cleanly between the two. Companies serving global enterprise pipelines typically hold both.