Everything you need to know about SOC 2 certification — from Type I vs Type II, to timeline, cost, and how to automate evidence collection so your team can stay focused on building.
The basics
SOC 2 (System and Organisation Controls 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA). It evaluates a company's controls over security, availability, processing integrity, confidentiality, and privacy — known as the five Trust Service Criteria (TSC). A SOC 2 report is produced by an independent CPA firm and gives enterprise customers documented assurance that your systems and processes meet a rigorous security baseline.
There are two types: SOC 2 Type I is a point-in-time assessment confirming that your controls are suitably designed. SOC 2 Type II goes further — it covers a 6–12 month observation period and confirms that those controls actually operated effectively over time. Enterprise procurement teams and security questionnaires almost always require a Type II report. Most startups begin with a Type I to unblock deals quickly, then pursue Type II in the following audit cycle.
Why it matters
Security questionnaires from Fortune 500 procurement teams almost always include a SOC 2 request. Without it, deals stall in legal review — sometimes for months.
Insurers increasingly offer lower premiums to companies with an active SOC 2 report. It demonstrates mature security controls, reducing the risk profile for the insurer.
A SOC 2 Type II report signals that security isn't an afterthought — it's operational. This matters for customer retention, fundraising due diligence, and partnerships.
Type I vs Type II
| Aspect | Type I | Type II |
|---|---|---|
| Timeline | 2–4 months | 8–14 months (incl. observation) |
| Typical cost | $8,000–$20,000 | $20,000–$50,000 |
| What auditors check | Controls are suitably designed | Controls operated effectively over time |
| Observation period | None (point in time) | 6–12 months |
| Validity period | ~12 months (until superseded) | ~12 months from end of audit period |
| Accepted by enterprises | Sometimes (as a starting point) | Yes — required by most |
The framework
Security (Common Criteria)
The system is protected against unauthorised access. Security is the only required TSC; it covers MFA, encryption, access management, and incident response.
Availability
The system is available for operation and use as committed, typically evaluated through uptime SLAs, monitoring, and disaster recovery procedures.
Confidentiality
Information designated as confidential is protected as committed, covering data classification, encryption in transit and at rest, and access controls.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorised — especially relevant for financial processing and data transformation pipelines.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the AICPA privacy framework commitments.
Timeline
1. Map your current controls against the SOC 2 Common Criteria. Identify which AWS configurations, policies, and procedures are already in place and which need to be created.
2. Close the gaps from phase 1. Write missing policies, implement missing technical controls, and collect documented evidence for every criterion. This is the longest phase.
3. An independent CPA firm reviews your controls and evidence. They may request additional documentation before issuing the final SOC 2 report.
AuditPath
AuditPath automates the three most time-consuming parts of SOC 2 preparation so your engineering and security teams can focus on building — not compliance busywork.
Connect your AWS account with a read-only IAM role. AuditPath automatically checks IAM MFA enforcement, CloudTrail status, VPC Flow Logs, S3 public access, RDS encryption, and more — mapping each result to SOC 2 Common Criteria.
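The gap-assessment phase of the timeline and the automated AWS checks just described both come down to the same thing: pull a handful of read-only API responses, apply a pass/fail rule to each, and roll the results up per Common Criteria reference. The script below is an added example written for this page, not AuditPath's own code. It works on the dict shapes that boto3 returns for the calls named in each docstring (credential report rows, `describe_trails`/`get_trail_status`, `get_public_access_block`, `describe_db_instances`, `describe_vpcs`/`describe_flow_logs`), so it runs offline on the constructed sample data at the bottom; in a live run those dicts would come from boto3 under a read-only role. The CC references (CC6.1, CC6.6, CC7.2) are an assumed mapping for illustration, and the pass/fail rules (MFA on every console user, one logging multi-region trail with file validation, all four S3 public-access flags on, encrypted RDS storage, an active flow log on every VPC) are the example's own choices, not AuditPath's.

```python
# Added example (not AuditPath's code): evaluate the boto3 response shapes a read-only
# IAM role can fetch, and map each result to an assumed Common Criteria (CC) reference.
from dataclasses import dataclass

@dataclass
class Finding:
    control: str   # assumed CC mapping, e.g. "CC6.1"; adjust to your own control matrix
    check: str
    resource: str
    passed: bool
    detail: str

def check_user_mfa(rows):
    """rows: parsed iam.get_credential_report() rows; console users must have MFA (CC6.1)."""
    out = []
    for r in rows:
        if r["password_enabled"] != "true":
            continue  # no console password, so this check does not apply to the user
        ok = r["mfa_active"] == "true"
        out.append(Finding("CC6.1", "iam-user-mfa", r["user"], ok,
                           "MFA active" if ok else "console user without MFA"))
    return out

def check_cloudtrail(trails, statuses):
    """trails: describe_trails()['trailList']; statuses: {name: get_trail_status(Name=name)}.
    Need at least one multi-region trail that is logging with log file validation (CC7.2)."""
    good = [t["Name"] for t in trails
            if t.get("IsMultiRegionTrail") and t.get("LogFileValidationEnabled")
            and statuses.get(t["Name"], {}).get("IsLogging")]
    return [Finding("CC7.2", "cloudtrail-logging", "account", bool(good),
                    f"{len(good)} compliant multi-region trail(s)")]

def check_s3_public_access(blocks):
    """blocks: {bucket: get_public_access_block()['PublicAccessBlockConfiguration'], or None
    when the call raised NoSuchPublicAccessBlockConfiguration}; all four flags on (CC6.6)."""
    flags = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    out = []
    for bucket, cfg in blocks.items():
        if cfg is None:
            ok, detail = False, "no public access block configured"
        else:
            unset = [f for f in flags if not cfg.get(f)]
            ok, detail = not unset, ("all four flags set" if not unset else "unset: " + ", ".join(unset))
        out.append(Finding("CC6.6", "s3-public-access-block", bucket, ok, detail))
    return out

def check_rds_encryption(instances):
    """instances: describe_db_instances()['DBInstances']; storage must be encrypted (CC6.1)."""
    return [Finding("CC6.1", "rds-storage-encrypted", i["DBInstanceIdentifier"], enc,
                    "encrypted at rest" if enc else "StorageEncrypted is false")
            for i in instances for enc in [bool(i.get("StorageEncrypted"))]]

def check_vpc_flow_logs(vpcs, flow_logs):
    """vpcs: describe_vpcs()['Vpcs']; flow_logs: describe_flow_logs()['FlowLogs'] (CC7.2)."""
    active = {f["ResourceId"] for f in flow_logs if f.get("FlowLogStatus") == "ACTIVE"}
    return [Finding("CC7.2", "vpc-flow-logs", v["VpcId"], v["VpcId"] in active,
                    "active flow log" if v["VpcId"] in active else "no active flow log")
            for v in vpcs]

def gap_report(findings):
    """Roll findings up per CC reference: the view a gap assessment works from."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.control, {"passed": 0, "failed": 0, "failures": []})
        if f.passed:
            entry["passed"] += 1
        else:
            entry["failed"] += 1
            entry["failures"].append(f"{f.check}: {f.resource} ({f.detail})")
    return report

# Constructed sample data in the boto3 response shapes named above (no real account).
SAMPLE_CREDENTIAL_ROWS = [
    {"user": "alice", "password_enabled": "true", "mfa_active": "true"},
    {"user": "bob", "password_enabled": "true", "mfa_active": "false"},
    {"user": "ci-deployer", "password_enabled": "false", "mfa_active": "false"},
]
SAMPLE_TRAILS = [{"Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True}]
SAMPLE_TRAIL_STATUS = {"org-trail": {"IsLogging": True}}
SAMPLE_S3_BLOCKS = {
    "app-assets": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "legacy-exports": None,
}
SAMPLE_RDS = [{"DBInstanceIdentifier": "prod-db", "StorageEncrypted": True},
              {"DBInstanceIdentifier": "staging-db", "StorageEncrypted": False}]
SAMPLE_VPCS = [{"VpcId": "vpc-0a1"}, {"VpcId": "vpc-0b2"}]
SAMPLE_FLOW_LOGS = [{"ResourceId": "vpc-0a1", "FlowLogStatus": "ACTIVE"}]

def run_sample_assessment():
    findings = (check_user_mfa(SAMPLE_CREDENTIAL_ROWS)
                + check_cloudtrail(SAMPLE_TRAILS, SAMPLE_TRAIL_STATUS)
                + check_s3_public_access(SAMPLE_S3_BLOCKS)
                + check_rds_encryption(SAMPLE_RDS)
                + check_vpc_flow_logs(SAMPLE_VPCS, SAMPLE_FLOW_LOGS))
    return gap_report(findings)

if __name__ == "__main__":
    for control, entry in sorted(run_sample_assessment().items()):
        print(f"{control}: {entry['passed']} passed, {entry['failed']} failed; {entry['failures']}")
```

On the sample data the roll-up reports two failures under CC6.1 (a console user without MFA and an unencrypted staging database), one under CC6.6 (a bucket with no public access block) and one under CC7.2 (a VPC with no active flow log), which is exactly the list a team takes into the gap-closing phase. Each check keeps its per-resource detail so the failure line doubles as the evidence note for the auditor once it is fixed. The `None` branch in the S3 check matters in practice: a bucket with no public access block configuration is an API error on the call, not a dict of `False` flags, and a collector that treats the error as "nothing to report" would silently pass it.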
Upload, tag, and track every piece of evidence against specific controls. Set expiry dates and get alerts before items lapse. The built-in Evidence Guide tells your team exactly what to collect for all 30 CC criteria.
Generate a secure, read-only portal link for your external auditor. They get a complete view of all controls and evidence, and can download the full audit package as a ZIP — no spreadsheets, no email chains.
FAQ
AuditPath is free to start. Connect your AWS account, run a gap assessment, and see exactly what you need to do — in minutes.
Start your SOC 2 journey free