SOC 2 Type I

A first SOC 2 report that opens the enterprise door.

Point-in-time assurance over the design of your controls, drafted for an auditor's opinion and defended in front of your first Fortune 500 buyer. Partner-led from scoping to signature.

01 — Overview

A SOC 2 Type I report gives your prospects a credentialed answer to the question every enterprise procurement team asks: can we trust the way this vendor has designed its security program?

The report is issued by a licensed CPA firm and speaks to the suitability of your controls at a single point in time. It is the fastest recognised route to enterprise credibility — and, done well, the direct foundation for the Type II opinion that follows.

Cyber Inspect leads the entire engagement short of the audit itself. We scope your system, close the gaps, author the description of the system, and hand your auditor a package that dramatically shortens their fieldwork.

02 — Engagement

Our approach.

  1. I

    Scoping & Trust Services Criteria selection

    We define the system, boundaries, and which Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) apply to your buyers.

  2. II

    Gap assessment against the TSC

    A partner-led walk-through of your current controls with mapped evidence, ranked by risk and audit exposure.

  3. III

    Remediation & control implementation

    We draft policies, engineer control artefacts, and stand up the tooling that closes each finding.

  4. IV

    System description authoring

    The written description of your system — the artefact your auditor will opine on — drafted to their standard, not yours.

  5. V

    Audit facilitation

    We manage the auditor relationship, evidence room, and clarifications from kickoff through issued report.

03 — Deliverables

What you receive.

  • SOC 2 scoping memorandum and TSC selection paper
  • Complete gap assessment with prioritised remediation plan
  • Board-defensible policy suite (18–24 policies)
  • Control-to-criteria mapping matrix
  • System description drafted to AICPA guidance
  • Evidence library, indexed to the auditor's request list
  • Auditor selection support and RFP evaluation
  • Issued SOC 2 Type I report from an independent CPA firm

04 — Timeline

Expected duration.

Most Type I engagements complete in ten to fourteen weeks from kickoff to issued report. Organisations with an existing ISMS or ISO 27001 program often move faster; regulated or highly-distributed environments occasionally require additional scoping time.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Do we need Type I before Type II?+

No. Many clients skip Type I and go directly to Type II. Type I is the right choice when a report is needed for an active deal cycle, or when leadership wants a rehearsal of the audit before committing to an observation period.

Which auditor do you recommend?+

We work with a shortlist of independent CPA firms and match yours to your buyer profile, industry, and geography. We do not accept referral fees — the recommendation is made solely on fit.

Will this satisfy our enterprise customer's security review?+

In most cases, yes. The SOC 2 Type I report answers the majority of enterprise security questionnaires and often replaces custom due diligence entirely. Where additional artefacts are required, we help you position them.

What do we need to have in place before starting?+

Very little. A written commitment from leadership, a nominated internal point of contact, and access to your production and corporate environments. We build everything else with you.