SOC 2 reports give customers independent assurance that a service organisation protects their data. Unlike prescriptive frameworks, SOC 2 is criteria-based: you design controls that meet the Trust Services Criteria relevant to your offering.
Type I vs Type IILink to this section
A Type I report describes control design at a point in time. A Type II report tests operating effectiveness over a period – usually 6–12 months. Most enterprise buyers expect Type II; plan your observation window before promising dates to customers.
Scoping your reportLink to this section
Security (Common Criteria) is always in scope. Availability, confidentiality, processing integrity, and privacy are optional categories you select based on what you promise customers. Scope creep is expensive – we help teams pick categories that match contracts, not aspirations.
How we support SOC 2 readinessLink to this section
We translate criteria into engineering-friendly controls: what to log, what to review monthly, and what evidence your auditor will ask for on day one of fieldwork.
Trust Services Criteria coverage
Common Criteria
| Criterion | Focus area | How we help |
|---|---|---|
| CC1 | Control environment | Governance structure, tone-at-the-top messaging, and org charts that satisfy auditor walkthroughs. |
| CC6 | Logical and physical access | Access reviews, SSO/MFA standards, and vendor access policies with quarterly evidence exports. |
| CC7 | System operations | Monitoring runbooks, incident response drills, and change-management records tied to deployments. |
| CC8 | Change management | PR templates, separation of duties, and release evidence that maps cleanly to Git history. |
Availability
| Criterion | Focus area | How we help |
|---|---|---|
| A1 | Capacity and recovery | SLA definitions, backup/restore tests, and disaster-recovery tabletop exercises with documented outcomes. |
Confidentiality
| Criterion | Focus area | How we help |
|---|---|---|
| C1 | Data classification and handling | Classification scheme, encryption standards, and customer-data handling procedures for engineering teams. |