SOC 2 · Pillar
SOC 2 is a service-organization control report issued by a licensed CPA firm against the AICPA Trust Services Criteria. We advise the program end-to-end: readiness, control build, evidence engineering, auditor management, and continuous compliance across renewal cycles.
01 — Overview
SOC 2 is the assurance report North American enterprises expect their strategic vendors to hold. It exists in two forms: Type I attests to the design of controls at a point in time; Type II attests to their operating effectiveness across a period.
The report is issued against the AICPA's Trust Services Criteria — Security (required) plus optional Availability, Processing Integrity, Confidentiality, and Privacy. Scoping the right criteria is the first decision that either compounds or complicates every subsequent phase of the program.
Cyber Inspect runs SOC 2 as a program, not a project. We embed evidence collection into the systems that already produce it, prepare the auditor package, and carry the program forward year over year.
02 — Engagement
Partner-led scoping session to elect the right criteria and system boundary for your commercial context.
Gap analysis against the elected TSCs, with a costed remediation roadmap and defensible sequencing.
We design, implement, and instrument each control — from access reviews to change management to vendor oversight.
We run the CPA relationship end-to-end and drive the report to issuance without surprises.
Managed compliance across renewal cycles, including bridge letter support and Type II period transitions.
03 — Deliverables
04 — Timeline
Type I engagements run three to five months. Type II engagements run six to twelve months driven by the observation period elected. Clients renewing an existing SOC 2 typically compress subsequent cycles to eight weeks of active work.
Ready to begin?
A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.
Schedule the call →05 — FAQ
Type I is appropriate when a specific buyer has requested evidence quickly and a Type II observation window would miss the commercial deadline. In every other case we recommend proceeding directly to Type II — the market treats Type I as a milestone, not a destination.
Security is mandatory. Availability is standard for infrastructure and platform providers. Confidentiality is standard for anyone handling customer business data. Processing Integrity applies to transaction and payment processors. Privacy is elected when the report will be relied on for GDPR or state privacy compliance.
SOC 2 is an attestation report issued by a CPA firm; ISO 27001 is a certification issued by an accredited certification body against an international standard. Roughly 70% of controls map cleanly between the two. Companies serving global enterprise pipelines typically hold both.