SOC 2 Compliance for Technology and Service Organizations
SOC 2 has become the de facto security credential for B2B technology companies and managed service providers. Enterprise procurement teams require it. Cyber insurers reference it. Board-level security conversations invoke it. Yet most organizations that pursue SOC 2 underestimate the operational changes required — and discover gaps mid-audit that delay the report by months. Armorstack’s VERITY advisory and SENTRY monitoring give you the governance structure and continuous evidence needed to complete a SOC 2 audit without surprises.
What SOC 2 Actually Requires
SOC 2 is a voluntary attestation framework developed by the AICPA (American Institute of Certified Public Accountants). It assesses whether an organization has designed and operated controls that satisfy the Trust Services Criteria across five categories: Security, Availability, Confidentiality, Processing Integrity, and Privacy. Security — the Common Criteria — is required for every SOC 2 report. The remaining four categories are optional and selected based on the services the organization provides and the commitments it makes to customers.
The framework distinguishes between two report types with fundamentally different evidence requirements. Understanding that distinction is the starting point for any realistic SOC 2 timeline and budget discussion.
Type I vs. Type II: A Fundamental Distinction
A Type I report attests that controls were suitably designed as of a specific point in time. It requires the auditor to evaluate the design of your controls against the Trust Services Criteria — does your access control policy appropriately define how users are provisioned and deprovisioned? — but does not require evidence that those controls operated effectively over time. Type I reports can typically be completed within two to four months of serious readiness preparation.
A Type II report attests that controls operated effectively over an observation period — typically six to twelve months. This is the report that enterprise procurement teams and sophisticated buyers require, because it demonstrates that controls are not just documented but consistently operating. Type II requires your organization to collect and retain operational evidence — access review records, change management tickets, security training completions, incident logs, and monitoring data — across the entire observation period without gaps. A detailed comparison of timelines, evidence requirements, and procurement implications is at SOC 2 Type I vs Type II.
The Trust Services Criteria: What Each Category Covers
The AICPA’s Trust Services Criteria are organized into Common Criteria (CC) applicable to all reports and additional criteria specific to each optional category. The Common Criteria span nine CC categories addressing governance, risk management, logical access, change management, risk monitoring, and incident response. Full detail on each criterion and the evidence required is at SOC 2 Trust Services Criteria.
| Trust Services Category | Scope | Typical for | Key Controls |
|---|---|---|---|
| Security (CC) | Required for all reports | All organizations | Logical access, MFA, change management, monitoring, incident response |
| Availability (A) | System availability commitments | SaaS, hosting, managed services | Uptime monitoring, backup, disaster recovery, capacity planning |
| Confidentiality (C) | Confidential data protection | Organizations handling B2B confidential data | Data classification, encryption, retention, destruction |
| Processing Integrity (PI) | Complete, accurate, authorized processing | Transaction processors, financial systems | Input validation, error handling, reconciliation controls |
| Privacy (P) | Personal information handling | Organizations subject to CCPA, GDPR, or similar | Notice and consent, collection limitation, use and retention, disclosure |
SOC 2 Readiness Assessment: Where Organizations Actually Stand
Most organizations beginning a SOC 2 journey discover that their current security posture is more documented than operational. Policies exist in a SharePoint folder. Access reviews were completed once, eighteen months ago. Change management is handled through informal Slack approvals. Log data is available but not reviewed on any regular cadence. These gaps do not disqualify an organization from pursuing SOC 2, but they do extend the timeline and create audit risk if not addressed before the observation period begins.
Armorstack’s VERITY team conducts a structured SOC 2 readiness assessment that maps your current control environment against all applicable Trust Services Criteria, identifies gaps by severity, and produces a remediation roadmap with a realistic timeline to audit readiness. The readiness assessment is the correct starting point before engaging an auditing firm — gaps identified during the assessment are far less expensive to close than findings identified by the auditor. Details on the assessment methodology are at SOC 2 readiness assessment.
Common Pre-Audit Gaps
- No formal access review process with documented evidence of completion (CC6)
- Change management occurring outside a ticketing system without approval records (CC6.6)
- Security monitoring in place but no documented review of alerts and anomalies (CC7)
- Incident response plan exists but has never been tested or updated (CC9.2)
- Vendor management lacks a formal risk assessment process for subservice organizations (CC9.2)
- Security awareness training completed but attendance records not retained
- Encryption deployed but no documented inventory of what is encrypted and to what standard
SOC 2 Timeline and Cost: Realistic Expectations
The time from starting a SOC 2 program to a completed Type II report is typically twelve to eighteen months for organizations beginning with limited compliance infrastructure. The path breaks into three phases.
The first phase — readiness assessment and remediation — typically runs eight to sixteen weeks. This is where gaps are identified and closed: policies are written, access review processes are formalized, change management tooling is configured, and monitoring is operationalized. The duration depends heavily on the organization’s starting point.
The second phase is the observation period, during which the auditor collects evidence of controls operating over time. For a Type II report, this period is typically six to twelve months. Critically, the observation period must be clean — controls must operate consistently throughout, with no material gaps or unexplained anomalies in the evidence record.
The third phase is the audit itself, typically four to eight weeks of auditor fieldwork followed by report drafting and issuance.
Market cost ranges for SOC 2 vary significantly based on organization size, scope, and auditor. Readiness consulting engagements typically range from $15,000 to $50,000 depending on complexity. Auditor fees for a Type II report generally range from $20,000 to $75,000. Ongoing compliance program management to maintain audit readiness annually runs $2,000 to $8,000 per month depending on scope. These are general market ranges; contact Armorstack at our contact page for a scoped engagement discussion. A more detailed cost breakdown by organization size is at SOC 2 timeline and cost.
SOC 2 vs. ISO 27001: Choosing the Right Framework
Organizations with international customers or supply chain requirements frequently ask whether SOC 2 or ISO 27001 is the better investment. The short answer depends on your buyer geography and what your customers contractually require.
SOC 2 is an AICPA attestation standard primarily recognized in North America. It produces an auditor report attesting to control effectiveness. ISO 27001 is an international certification standard — the organization is certified as meeting the Information Security Management System requirements, with certification recognized across Europe, Asia-Pacific, and international markets.
The frameworks overlap significantly at the control level. Many organizations pursuing international growth find that building to SOC 2 first and subsequently layering ISO 27001 certification is more efficient than either path alone, because the control infrastructure overlaps substantially and the second audit requires significantly less new work. A detailed framework comparison is at SOC 2 vs. ISO 27001.
How Armorstack Operationalizes SOC 2
The most common failure mode in SOC 2 programs is that compliance is treated as a documentation project rather than an operational program. Policies are written. Evidence is collected once. The observation period begins before controls are consistently operating. The auditor finds gaps, the report is delayed, and the engagement cost increases.
Armorstack structures SOC 2 delivery so that operational evidence collection is automatic rather than manual. VERITY advisory designs the governance structure: risk management, policy framework, vendor management, and access review processes formalized with documented evidence trails. SENTRY managed detection and response provides the operational monitoring layer that satisfies CC7 monitoring requirements — every alert, every anomaly review, every incident response action is logged and retained in a format auditors expect. CORE managed IT services maintains the infrastructure controls required across the observation period: MFA enforcement, patch currency, endpoint encryption, and change management discipline.
The SOC 2 audit checklist covering the Common Criteria and each Trust Services category is at SOC 2 audit checklist. To discuss your organization’s SOC 2 readiness posture, talk to the Armorstack VERITY team or start the 90-Day Proof.