SOC 2 Type 1 & 2
AICPA · Trust Services Criteria · Lead framework

Enterprise procurement, cleared.

SOC 2 is the report most enterprise buyers ask for before they sign. It is an AICPA attestation: an independent CPA firm reports on whether your controls were suitably designed at a point in time (Type 1) or designed and operating effectively over a review period (Type 2). For most B2B software companies it is what moves a vendor-security review from held to approved.

Our stance: many organizations are better served planning directly for a Type 2, using a Type 1 only when timing, a specific customer requirement, or operational realities justify the interim step.

§ 0 · Why it matters

Why organizations pursue SOC 2.

  • Enterprise procurement. Many enterprise buyers request a SOC 2 report before approving a vendor.
  • Faster security reviews. A current report can reduce back-and-forth on security questionnaires and shorten review cycles.
  • Vendor risk approval. Third-party risk teams frequently use the report as a baseline for vendor due diligence.
  • Customer trust. The report gives prospects independent assurance about how you handle their data.
  • Market expectation. In much of B2B software, a SOC 2 report has become a common expectation rather than a differentiator.
Context

SOC 2 does not guarantee a closed deal or a passed review. It removes a common obstacle, and for many companies that obstacle is what stalls revenue. The mechanics below explain what the report actually is and how to approach it.

The assurance engine

One report.
Every control domain it touches.

  • Identity & Access
  • Change Management
  • Vendor Risk
  • Security Operations
  • Risk Management
  • Governance
  • Evidence Collection
  • Audit Readiness

SOC 2 exists because enterprise buyers need confidence that governance, identity, evidence, vendor oversight, and security operations operate as one system.

Enterprise trust, engineered.
Figure: the Nexurion Trust Core, a central processor surrounded by the SOC 2 control domains (Security, Access, Change Management, Vendor Management, Monitoring, Governance, Evidence) over a lattice engraved with SOC 2 and its trust criteria.
§ I · The standard

What SOC 2 actually is, in plain English.

The one-line version

A CPA-signed opinion on whether your controls actually work — an attestation, not a certification. No certificate, no badge, no public registry.

  • CPA-signed: the auditor's opinion
  • Private report: not a public list
  • Type 1 or Type 2: design vs. operating
  • Four opinion types: unqualified through disclaimer
  • No badge: no public registry
The standard, in full

SOC 2 is a report a licensed CPA firm writes about your service organization. It states, in writing, whether the controls you described to them (the policies, the encryption, the access reviews, the change management, the vendor due diligence) were either suitably designed at one point in time (Type 1), or suitably designed and operating effectively across a review period, typically three to twelve months (Type 2).

It is performed under the AICPA's attestation standards (SSAE 18, AT-C section 205, examination engagements). The criteria are the 2017 Trust Services Criteria, with points of focus revised in 2022: nine series of common criteria for security (CC1–CC9, 33 criteria in all), plus four optional categories (availability, confidentiality, processing integrity, privacy). SOC 2 is an attestation, not a certification: there is no certificate, no public register, and the AICPA does not publish a list of compliant organizations. The deliverable is a private report, signed by the auditor, carrying one of four opinions: unqualified (clean), qualified (specific exceptions), adverse, or a disclaimer of opinion.

The path to signed

A qualified prospect wants to buy. Nothing is in the way, yet.

Their security team asks for your SOC 2 report. With a current Type 2 in hand, the review opens instead of stalling.

Third-party risk reviews the report, not a 200-line questionnaire. Weeks come off the cycle.

Procurement has the independent assurance it needs to proceed. No back-and-forth.

The deal advances. Cleared.

All cleared. A current SOC 2 Type 2 compresses this journey from months to days.

01 · Lead
A qualified prospect. No blockers yet.
Deal enters pipeline cleanly.
02 · Security Review
200-question questionnaire. 3–6 weeks of back-and-forth.
Report reviewed. Review opens instead of stalls.
03 · Vendor Risk
Third-party risk demands additional documentation.
Report satisfies vendor risk. No additional requests.
04 · Procurement
Procurement needs independent assurance to proceed.
Assurance provided. Procurement advances.
05 · Contract
Legal surfaces outstanding security questions.
No open questions. Deal signs.


§ I.5 · Why us

A boutique firm, not a compliance factory.

The compliance factory
  • Canned SOW, identical for every client
  • Junior associate does the work, partner sells it
  • Scope padded with line items you don't need
  • "You don't qualify" if you don't fit the template
  • Surprise change-orders mid-engagement
Nexurion
  • SOW built around your business, not a template
  • Senior practitioner from day one: no junior hand-off
  • We cut unnecessary cost: you pay for what moves the audit
  • We edit SOW language together until both sides agree
  • Fixed fee, written: no surprise change-orders
How we scope

We never say "you don't qualify."

Our approach

If a framework isn't right for you yet, we'll tell you, and tell you what is. When it is right, we sit down and shape the statement of work to your reality: your stack, your team, your timeline, your budget. The deliverable bends to your business. You do not bend to a canned deliverable.

§ II · Scope decoder

Does this apply to you?

A three-question filter we run on every intake call. If you answer "yes" to any of them, you are almost certainly going to be asked for a SOC 2 Type 2 within twelve months.

SOC 2 scope check

1. Do you store, process, or transmit customer data on their behalf?
2. Has any prospect put SOC 2 in their RFP or vendor questionnaire?
3. Is your largest open deal currently held up by a security review?
Type 1 · Point in time
Controls designed, not yet operating. A Type 1 report captures your controls at one point in time. It shows that suitably designed controls exist, not that they have been operating.

Audit period opens · Evidence begins accumulating
Controls must now operate. Evidence is captured continuously, not assembled at year-end.

Operating effectiveness established
Month over month, evidence accumulates. The CPA tests effectiveness across the full period. No scrambles: the evidence was already there.

Clean Type 2 in hand
An unqualified opinion: your controls operated effectively. This is the report enterprise procurement asks for before they sign.

Assurance level: a Type 1 is the starting point; enterprise procurement generally requires the Type 2.

Figure: the Type 1 report sits at the start of the period of coverage; the operating-effectiveness period (3, 6, 9, 12+ months) is what the Type 2 tests. Independent CPA attestation · AICPA SSAE 18 / AT-C 205 · Trust Services Criteria.
§ V · The clock

A first-time Type 2, realistically: 8 to 14 months.

From kickoff to a clean report in your buyer's hands. The chokepoint is almost never the audit; it’s readiness, evidence, and the audit period itself.

Wk 0 – 4
Readiness assessment
Gap analysis against all nine Common Criteria series (CC1–CC9) plus any scoped optional categories. Risk register, vendor inventory, current-state controls map. Output: a gap report and a scoped remediation plan.
Wk 4 – 16
Remediation
Policies written, MFA enforced, access reviews instituted, change-mgmt formalized, monitoring deployed, vendor reviews completed. Continuous-monitoring tooling configured.
Wk 16+
Audit period begins
Controls run for 3 / 6 / 12 months. Evidence is captured continuously. We sit in your weekly stand-up to triage anomalies before they become exceptions.
Wk 28 – 52
Fieldwork
CPA firm walks controls, samples evidence, interviews owners, tests effectiveness. We defend evidence and own auditor remediation requests.
+ 6 wks
Report issued
Draft report walked, management response letter prepared, final report signed and delivered. Usually unqualified. Renewal planning starts immediately.
Why teams hire Nexurion
§ VI · How Nexurion runs it

Senior partner from day one. ConMon from week one.

Partner-led from kickoff through fieldwork. ConMon-instrumented from week one. Audit-room delivered before fieldwork opens.

Methodology detail

Most readiness firms hand you a policy template library and a SaaS portal, then stop calling. We don’t. Every Nexurion SOC 2 engagement is led by a senior practitioner: the person on the engagement letter is the person reading evidence, sitting in your week-over-week stand-ups, and on the call when the auditor finds a sample they want to escalate. Read our methodology.

From day one we instrument continuous monitoring against your control library: not a quarterly evidence sweep. Access reviews trigger automatically; vendor due-diligence renewals show in a queue; change-management metadata is captured at PR-merge time, not at year-end. When the auditor walks fieldwork, we hand them a read-only audit-room with every artifact pre-mapped to the TSC control it satisfies. Sample requests turn around in hours, not days. More on ConMon »
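The PR-merge capture described above, as an added example that is not Nexurion's ConMon tooling and not any vendor's API: it evaluates a constructed set of merged pull-request records against three CC8 expectations (an approval from someone other than the author, green required checks at merge, a referenced change ticket) and reports the exceptions together with the population the auditor will sample from. The field names, the ticket-key pattern and the sample PRs are assumptions.

```python
"""Change-management evidence check at PR-merge time (CC8).

Added example, not Nexurion's ConMon tooling. The merged pull-request records are
constructed to resemble a trimmed export from a code-hosting platform; the field
names are an assumption, not a specific vendor API schema.
"""
import re

# Assumption: change tickets look like Jira-style keys (e.g. OPS-7).
TICKET_RE = re.compile(r"\b[A-Z]{2,10}-\d+\b")

# Constructed sample: four PRs merged to the production branch during the period.
MERGED_PRS = [
    {"number": 101, "author": "dev-a", "title": "SEC-41 rotate KMS key alias",
     "approvals": ["dev-b"], "checks": "success"},
    {"number": 102, "author": "dev-a", "title": "hotfix: bump timeout",
     "approvals": ["dev-a"], "checks": "success"},      # self-approved, no ticket
    {"number": 103, "author": "dev-c", "title": "OPS-7 add ingress rule",
     "approvals": [], "checks": "failure"},             # no review, checks red at merge
    {"number": 104, "author": "dev-b", "title": "OPS-9 tighten IAM policy",
     "approvals": ["dev-c", "dev-a"], "checks": "success"},
]


def evaluate_pr(pr):
    """Return the CC8 exceptions for one merged PR; an empty list means clean."""
    issues = []
    independent = [r for r in pr["approvals"] if r != pr["author"]]
    if not independent:
        issues.append("no approval from a reviewer other than the author")
    if pr["checks"] != "success":
        issues.append(f"required checks were '{pr['checks']}' at merge")
    if not TICKET_RE.search(pr["title"]):
        issues.append("no change ticket referenced")
    return issues


def cc8_exceptions(prs):
    """Map PR number -> exceptions, for every PR that has at least one."""
    result = {}
    for pr in prs:
        issues = evaluate_pr(pr)
        if issues:
            result[pr["number"]] = issues
    return result


def population_summary(prs):
    """What the auditor samples from: total population and exception count."""
    exceptions = cc8_exceptions(prs)
    rate = round(len(exceptions) / len(prs), 2) if prs else 0.0
    return {"population": len(prs), "exceptions": len(exceptions), "exception_rate": rate}


if __name__ == "__main__":
    for number, issues in cc8_exceptions(MERGED_PRS).items():
        print(f"PR #{number}: " + "; ".join(issues))
    print(population_summary(MERGED_PRS))
```

Running this on every merge (from a webhook or a nightly job) gives you the exception the moment it happens, while the change is still fresh enough to remediate, instead of at fieldwork when the auditor pulls PR 102 out of a sample and asks who approved it.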

The goal is not only a clean Type 2. It is a control environment that is sustainable: cheaper and lower-effort to operate in year two than in year one, and durable across renewals as the company grows. See engagement outcomes.

01
Senior practitioner from day one
The name on the engagement letter is the person reading your evidence. No junior hand-off.
02
Continuous monitoring from week one
Controls instrumented to run year-round, not a year-end evidence scramble.
03
Audit-ready evidence
A read-only audit-room, every artifact pre-mapped to the criterion it satisfies.
04
Independent from the CPA
We don’t sign the opinion, so our readiness carries no conflict. By design.
Engagement structure

Independent of the auditor: by design.

We are not a CPA firm and we do not issue SOC 2 reports. That independence is non-negotiable: a readiness partner whose firm also signs the opinion has a conflict no engagement letter can paper over. We work alongside the CPA firm of your choice, or recommend one of the three we've had clean engagements with. Auditor relationships »

What a senior partner prevents
§ VII · Where engagements stall

Six places a SOC 2 goes sideways.

After running a few dozen of these, the failure modes are remarkably consistent. None are technical. All are organizational.

01 / Sales pressure

"Type 1 by end of quarter."

Why it happens
Sales loses a deal, demands a Type 1 in 60 days. Readiness gets compressed, controls get rubber-stamped, the report is unimpressive, the buyer asks for Type 2 anyway. You’ve burned $40k and reset the clock. Run real readiness or run nothing.
02 / Vague scope

"Just everything, right?"

Why it happens
A SOC 2 is bounded by a system description. If you scope every product, every entity, every region, you pay for it in evidence collection. We narrow scope to the buyer-facing system plus the infrastructure underneath it, and exclude what doesn't need to be there.
03 / Evidence theater

Collecting everything, mapping nothing.

Why it happens
A drawer full of PDFs is not evidence. Evidence is artifacts pre-mapped to controls, reproducible, dated, with a clear owner. ConMon-first engagements skip the panic; evidence-theater engagements end with a 3-week scramble.
04 / Vendor sprawl

Sub-processors nobody owns.

Why it happens
Engineering signed up a vector DB free tier in 2024 with company data in it; nobody put it through vendor due diligence. CC9 will find it. Your DPA will not cover it. Inventory pre-readiness, kill what isn’t justified, MSA the rest.
05 / People controls

Off-boarding by memory.

Why it happens
An employee left in March; their GitHub account is still active in October. That is a CC6 exception the auditor will find by sampling leavers against access lists. The fix is the HRIS triggering a SCIM deprovisioning workflow on termination, not a Slack message to IT.
06 / Auditor mismatch

A $50/hr CPA signing a $5M ARR report.

Why it happens
Buyers Google your auditor. Pick the firm that signs reports for companies one tier above yours; aspirational, not a stretch. We’ll introduce you to three, no kickback.
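Item 05 above (off-boarding by memory) and item 03 (evidence theater) together, as an added example that is not Nexurion's tooling: a CC6 reconciliation that joins a constructed HRIS termination export to a constructed identity-provider / GitHub account export, flags accounts still active past the leaver's last day and active accounts without MFA, then wraps the result in a dated, owned, content-hashed evidence record that anyone can re-run and verify. The system names, the one-day grace period and the sample people are assumptions.

```python
"""Off-boarding reconciliation for CC6, with a dated, owned, hash-stamped evidence record.

Added example (not Nexurion's tooling, not an AICPA artifact). The HRIS termination
export and the identity-provider / GitHub account export below are constructed
in-line; in practice they would be pulled from the HRIS and IdP APIs (assumption).
"""
from dataclasses import dataclass
from datetime import date
import hashlib
import json


@dataclass(frozen=True)
class Termination:
    email: str
    last_day: date


@dataclass(frozen=True)
class Account:
    system: str        # assumed system names: "github", "okta"
    email: str
    active: bool
    mfa_enrolled: bool


# Constructed sample data; no real people or accounts.
HR_TERMINATIONS = [
    Termination("alice@example.com", date(2025, 3, 14)),   # the "left in March" case
    Termination("bob@example.com", date(2025, 9, 30)),
]

ACCOUNTS = [
    Account("github", "alice@example.com", active=True, mfa_enrolled=True),    # never deprovisioned
    Account("okta", "alice@example.com", active=False, mfa_enrolled=True),     # correctly disabled
    Account("github", "bob@example.com", active=False, mfa_enrolled=False),
    Account("github", "carol@example.com", active=True, mfa_enrolled=False),   # current staff, no MFA
    Account("okta", "carol@example.com", active=True, mfa_enrolled=True),
]

GRACE_DAYS = 1  # assumption: policy says access is removed within one day of the last day


def stale_access(terminations, accounts, as_of):
    """Accounts still active after a leaver's last day plus the grace period."""
    last_days = {t.email: t.last_day for t in terminations}
    findings = []
    for acct in accounts:
        last_day = last_days.get(acct.email)
        if acct.active and last_day is not None:
            days_open = (as_of - last_day).days
            if days_open > GRACE_DAYS:
                findings.append({"check": "offboarding", "system": acct.system,
                                 "user": acct.email, "days_open": days_open})
    return findings


def missing_mfa(accounts):
    """Active accounts without MFA enrolment, the other routine CC6 sample."""
    return [{"check": "mfa", "system": a.system, "user": a.email}
            for a in accounts if a.active and not a.mfa_enrolled]


def _canonical(body):
    # Canonical JSON so the hash is reproducible by anyone re-running the check.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def evidence_record(findings, as_of, owner):
    """Evidence, not a screenshot: dated, owned, mapped to CC6, content-hashed."""
    body = {"control": "CC6", "as_of": as_of.isoformat(),
            "owner": owner, "findings": findings}
    body["sha256"] = hashlib.sha256(_canonical(body)).hexdigest()
    return body


def verify_evidence(record):
    """True if the record's hash still matches its content (tamper / drift check)."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return hashlib.sha256(_canonical(body)).hexdigest() == record.get("sha256")


def run_check(as_of_iso, owner="it-ops@example.com"):
    """End-to-end: run both checks against the sample data and return the evidence record."""
    as_of = date.fromisoformat(as_of_iso)
    findings = stale_access(HR_TERMINATIONS, ACCOUNTS, as_of) + missing_mfa(ACCOUNTS)
    return evidence_record(findings, as_of, owner)


if __name__ == "__main__":
    print(json.dumps(run_check("2025-10-15"), indent=2))
```

Run it daily from a scheduler or the HRIS termination webhook and keep every record: the auditor gets a reproducible population with a named owner instead of a PDF of a screenshot, and the hash lets them confirm that the file they sampled is the one the check produced.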
§ VIII · Auditors

CPA firms we’ve walked clean engagements with.

  • Auditor-neutral: referrals on fit, not fees
  • No referral fees: we accept none
  • Partner-level fit: three firms, matched to your stage and sector
  • Bring your own: we align with your existing auditor
How we work with auditors

We are auditor-neutral by policy and refer based on fit, sector, and partner-level relationships: never on referral fees (we accept none). After multiple engagements together you learn which firms turn around evidence requests in days versus weeks; which ones write conservative versus precise system descriptions; which ones bring sector-specific partners. We’ll introduce you to three firms with active partner relationships, calibrated to your stage and sector. Buyers care about the firm name on the cover: we make sure that name is one they recognize.

If you already have an auditor: we’ll sit with their senior on a kick-off and align on scope, evidence format, and walk-through cadence. We’ve never had to disengage from an auditor mid-fieldwork.

§ IX · Cross-mapping

SOC 2 against the rest of the stack.

SOC 2 is rarely the only framework your buyers ask for. The good news: most criteria overlap. The bad news: the gaps are not where you think.

The stack

SOC 2 is the start, not the end. Approximate control overlap with SOC 2, and what each adjacent framework still requires on top of it. Higher overlap means more of the work you do for SOC 2 carries directly into that framework.

ISO 27001 · ~85% overlap
  What SOC 2 covers: Annex A controls map cleanly to most Common Criteria.
  What's still needed: Statement of Applicability, ISMS scope, three-year certification cycle, internal audit program.

HITRUST CSF · ~70% overlap
  What SOC 2 covers: most TSC controls have a direct HITRUST equivalent.
  What's still needed: MyCSF assessment, sector-specific controls, e1 / i1 / r2 maturity scoring.

NIST SP 800-171 · ~65% overlap
  What SOC 2 covers: significant overlap on access control and configuration management.
  What's still needed: CUI marking, system security plan, POA&M, supply-chain controls.

HIPAA · ~60% overlap
  What SOC 2 covers: much of the Security Rule is addressed by the Common Criteria plus the Confidentiality category.
  What's still needed: BAAs, breach-notification procedures, minimum-necessary rule, OCR-style risk analysis.

PCI DSS v4 · ~50% overlap
  What SOC 2 covers: CC6 and CC7 cover much of the access and operations controls.
  What's still needed: cardholder-data scoping, network segmentation, ASV scans, the prescriptive v4.0 requirements.

GDPR · ~30% overlap
  What SOC 2 covers: the Privacy category, partially; SOC 2 is not a privacy framework.
  What's still needed: lawful basis, DPIAs, controller / processor split, cross-border transfers, DSARs.

ISO 42001 (AI) · ~25% overlap
  What SOC 2 covers: security controls provide a partial foundation; AI risk management itself is largely orthogonal.
  What's still needed: an AI management system (AIMS), AI impact assessment, model lifecycle governance, third-party AI inventory. See governance »
Reference & lookup

The criteria in detail, recent changes, adjacent frameworks, frequently asked questions, and field notes.
§ III · The criteria

The five Trust Services Criteria.

Security is mandatory: the Common Criteria (CC1–CC9, 33 criteria in nine series) every report must include. The other four categories are scoped in only when a buyer requires them or your service materially handles that domain. Each is listed below with the kinds of controls a CPA will test.

Required · Common Criteria: Security

The nine criteria series (33 criteria) every SOC 2 report includes. CC1–CC5 map to the 17 COSO 2013 internal-control principles; CC6–CC9 are supplemental criteria specific to the TSC. This is the foundation: governance, risk assessment, monitoring, communication, control activities, logical and physical access, system operations, change management, and risk mitigation.

CC1
Control Environment
Board oversight, integrity, ethics, accountability: board minutes, code of conduct, hiring practices.
CC2
Communication & Information
Policy distribution, employee acknowledgments, customer-facing security communications.
CC3
Risk Assessment
Annual risk assessment, fraud risk, vendor risk: scored register with mitigations.
CC4
Monitoring
Internal audit cadence, deficiency tracking, management remediation evidence.
CC5
Control Activities
Selection, development, deployment of controls; segregation of duties documented.
CC6
Logical & Physical Access
Access reviews, MFA, off-boarding, key management, privileged access: heaviest evidence area.
CC7
System Operations
Vulnerability management, threat detection, incident response, BCP/DR tests.
CC8
Change Management
Code review, deployment approvals, infra-as-code change tickets, rollback evidence.
CC9
Risk Mitigation
Vendor due diligence, BAA / DPA library, sub-processor inventory, insurance.

Optional · Availability: uptime & recovery

Typically scoped in when contracts include SLAs, when buyers ask about RPO/RTO, or when uptime is the product. Tests resilience and disaster recovery.

A1.1
Capacity planning
Forecasting, environmental monitoring (temperature, power), capacity testing.
A1.2
Backup & recovery
Backup schedule, restore tests, geographic separation, encryption-at-rest.
A1.3
Disaster recovery
Annual DR test, results documented, gap remediation tracked.

Optional · Confidentiality: information classification

For organizations handling material defined as confidential by contract: IP, source code, business secrets, financial data. Distinct from "privacy" (personal information).

C1.1
Identification & classification
Data inventory, classification labels, handling rules per class.
C1.2
Disposal
Secure disposal procedures, certificates of destruction, off-boarding scrubs.

Optional · Processing Integrity: did the system do what it claimed?

Most relevant for FinTech, ledger systems, calculations, healthcare claims engines. Tests whether system processing is complete, valid, accurate, timely, authorized.

PI1.1
Definition of inputs
Data dictionary, input validation specs, schema versioning.
PI1.2
System inputs
Input controls, edits, error handling, completeness checks.
PI1.3
Processing
Reconciliations, exception reports, duplicate-detection.
PI1.4
Output
Output review, customer notifications, restatement procedures.
PI1.5
Storage
Data retention, archival, integrity verification (hashes, audit trails).

Optional · Privacy: collection through disposal

Generally not the right path for privacy compliance: most clients are better served by ISO 27701 or direct GDPR / state privacy mapping. But buyers in healthcare and education sometimes require it explicitly.

P1
Notice
Privacy notice published, version history, language adequacy.
P2
Choice & Consent
Consent records, opt-in / opt-out mechanisms, withdrawal pathways.
P3
Collection
Data minimization, lawful basis documentation, source records.
P4
Use, Retention, Disposal
Use-limitation policies, retention schedule, disposal certificates.
P5
Access
DSAR workflow, identity verification, response timelines.
P6
Disclosure
Third-party disclosure inventory, sub-processor notice.
P7
Quality
Accuracy, completeness, relevance procedures.
P8
Monitoring
Privacy program review, incident escalation, board reporting.
§ X · 2026 updates

What changed since the 2022 revision.

The AICPA last revised the Trust Services Criteria in 2022; the underlying 2017 TSC remain the working baseline. The points-of-focus were rewritten to be less prescriptive: a double-edged change that gave good firms more room and gave bad firms more excuses. The big shifts auditors are emphasizing in the 2026 cycle:

  • AI risk under CC3 / CC9. Auditors increasingly ask how you assessed AI / LLM features in your risk register, even where AI isn’t in scope of the report. Our AI Governance practice handles the bridge.
  • Third-party / sub-processor scrutiny. CC9 deficiencies have driven the most exceptions in the last 18 months. Sub-processor inventory is now table-stakes.
  • Continuous monitoring evidence. Auditors prefer system-generated evidence over screenshot files. ConMon is no longer optional.
  • Privacy bridge. Buyers asking for SOC 2 + Privacy are often better served by SOC 2 + ISO 27701; we can scope a hybrid.

Read our deeper take in Field Notes Vol. II: "What auditors are testing in 2026 that they weren’t in 2024."

§ XI · Pairs with

SOC 2 is rarely the last framework.

A short list of what we typically scope alongside it: in order of how often the question comes up.

§ XII · FAQ

Frequently asked.

Are we certified when the report is issued? +
No. SOC 2 is an attestation report, not a certification. There is no certificate, and there is no public registry of SOC 2-compliant organizations. You hold a private CPA-issued report that your buyers read under NDA. Marketing should say "we maintain a SOC 2 Type 2 report", not "we are SOC 2 certified."
How long does the first Type 2 take? +
Realistically, 8 – 14 months from kickoff. Readiness (4 – 16 weeks), audit period (3 – 12 months), fieldwork (6 – 10 weeks). Smaller, well-instrumented teams compress to ~7 months. See full timeline.
What does it cost? +
For a Type 2 first-time issuance: $30 – 90k for the auditor, $35 – 75k for readiness + ConMon (Nexurion fee depends on scope). Renewal years drop sharply. See pricing structure »
Should we run SOC 2 and ISO 27001 at the same time? +
Often, yes. ~85% control overlap means you do roughly 1.3x the work for two reports. We sequence them so the SOC 2 audit period runs while the ISO certification audit happens, and one evidence library serves both.
Can we self-attest? +
No: a SOC 2 must be issued by a licensed independent CPA firm under SSAE 18. Anything else is a self-assessment, which most buyers will reject.
Does our existing HITRUST or ISO 27001 cert satisfy a SOC 2 ask? +
Sometimes. Some buyers accept HITRUST CSF in lieu of SOC 2, particularly in healthcare. Most don't. ISO 27001 is rarely accepted in lieu of SOC 2 in U.S. enterprise procurement, though it sometimes is in the EU.
What’s the difference between SOC 1, SOC 2, and SOC 3? +
SOC 1 covers controls relevant to a customer's financial reporting (think payroll providers, custodians). SOC 2 covers the Trust Services Criteria: security plus the optional categories. SOC 3 is a general-use summary of a SOC 2 Type 2 report: same opinion, but without the detailed description of tests and results, so it can be published. The auditor issues it alongside the SOC 2.
§ XIII · From the Brief

Field notes on SOC 2.

Pieces from Nexurion Field Notes directly relevant to the standard.

SOC 2 on the calendar? Get the 5-minute scoping memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written scoping memo: TSC scope recommendation, Type 1 vs Type 2 verdict, a realistic 8–14 month calendar, and a fee range. Decisions on paper, before you commit. The booking link is at the bottom of the memo.

Book the scoping call · 48-hr memo