Fortinetics

SOC 2 Type I and Type II — enterprise-ready attestation.

SOC 2 is the de facto commercial B2B security signal. Enterprise buyers ask for it by default in procurement. We design the control environment, structure the evidence pipeline, coordinate with the auditor, and stay present through the audit itself. For customers also pursuing CMMC, FedRAMP, or ISO 27001, we run SOC 2 in parallel rather than sequentially — shared controls, shared evidence, meaningful cost reduction.

5 TSC: Trust Services Criteria
6–12 mo: Type II audit window
Parallel-capable: with CMMC / ISO / FedRAMP

SOC 2 in one paragraph

SOC 2 is an AICPA attestation framework for service organizations. Auditors (licensed CPA firms) examine your controls against the Trust Services Criteria — Security (mandatory), Availability, Confidentiality, Processing Integrity, and Privacy — and issue a report. Type I attests that controls are designed appropriately at a point in time. Type II attests that controls operated effectively over a defined period, typically six to twelve months. Enterprise buyers generally require Type II; Type I is often accepted as an interim signal for newer companies still building the program.

Who needs SOC 2?

Any B2B SaaS company with mid-market or enterprise buyers. The request shows up in security questionnaires from the second or third enterprise customer, and it becomes a procurement gate by the fifth or tenth. Startups often pursue Type I around their Series A or earliest enterprise traction, then transition to Type II within twelve months as the audit window matures.

Scope is typically Security + Availability + Confidentiality for most SaaS companies. Privacy is added when the product handles personal data under GDPR, CCPA, or HIPAA-adjacent regimes. Processing Integrity is rare commercially and specific to products where output correctness matters legally (financial systems, healthcare billing, eDiscovery platforms).

Type I vs Type II — which first?

Type I first when enterprise customers are asking for SOC 2 and you need a report in hand within three months. Type I attests that controls are designed appropriately at a specific point in time — it's a design review, not an operations review. Useful as a stepping stone; not a substitute for Type II at enterprise scale.

Type II attests that controls operated effectively over the audit period. Most enterprise buyers want Type II specifically, and the first Type II window is usually six months (half the standard twelve) to bridge from a recent Type I. After the first Type II report, the cadence becomes annual with a full twelve-month window.

The sequencing we recommend most often: Type I at program kickoff, Type II six months later, then annual Type II after that. Our companion piece on [SOC 2 Type II evidence patterns that actually pass](/insights/soc2-type-ii-evidence-patterns/) walks through what auditors look for during the observation window.

If you're choosing between SOC 2 and ISO 27001 as a first framework, our [SOC 2 vs ISO 27001 article](/insights/soc2-vs-iso-27001-which-first/) lays out the decision tree by buyer geography and product context.

What a SOC 2 engagement looks like

Months 0–1 — scoping. Define the TSC, the system boundary, and the control set. Identify the auditor. Draft the initial control matrix.

Months 1–3 — control implementation and evidence pipeline design. The biggest determinant of audit cost is whether evidence is captured as a byproduct of operations (access reviews producing exports, ticket closures logging to a queryable system, configuration changes tracked in version control) or reconstructed at audit time. Byproduct wins; reconstruction is expensive.

Month 3 — Type I attestation (point-in-time).

Months 3–12 — audit window for Type II. Ongoing evidence capture; the auditor samples across the period at their cadence. No dramatic end-of-window push; the work should already be done.

Month 12+ — Type II report issued. Annual cycle begins.

Why Fortinetics for SOC 2

Architecture-level judgment. Compliance platforms (Vanta, Drata, Secureframe) handle automation well. They do not handle control design, boundary scoping decisions, or the judgment calls about what evidence is actually sufficient for your specific auditor's sampling approach. We make those calls alongside you. Our [when SOC 2 platforms hit their limits](/insights/when-soc2-platforms-hit-their-limits/) piece covers where the platform-only approach breaks down.

Multi-framework fluency. Many of our SOC 2 clients are also pursuing CMMC, FedRAMP, or ISO 27001. We run these in parallel with a shared control framework and shared evidence pipeline. The marginal cost of adding SOC 2 to an existing CMMC program is meaningfully less than running them sequentially. The [framework overlap explorer](/framework-overlap/) shows how the controls map across frameworks.

Staying present through the audit. We sit with you through the auditor's questions, walk the evidence packets with the auditor, and handle the inevitable "can you clarify" cycles that stretch audits. We don't hand off a binder at kickoff and disappear.

Frequently asked

Questions we get about SOC 2.

Can we just use Vanta or Drata for SOC 2 and skip a firm?

For a simple SaaS with a clean architecture and a cooperative auditor, yes — the platforms handle evidence collection and auditor-portal workflow well. For anything more complex — multi-region deployments, regulated data overlays, frequent architectural changes, atypical control environments — the platform produces evidence that needs a human to interpret before submission. We often use platforms as tools alongside the firm engagement rather than as substitutes.

How long does a SOC 2 Type II audit take?

The audit itself runs across a 6 to 12 month observation window. Preparation ahead of the window takes 3 to 6 months for a prepared organization. Total time from decision to report is typically 9 to 18 months for the first Type II — shorter for organizations that already hold Type I.

Which Trust Services Criteria do we actually need?

Security is mandatory on every SOC 2 audit. Availability is added when uptime is a customer commitment (most SaaS). Confidentiality is added when the product handles sensitive non-PII customer data. Privacy is added when PII or PHI is in scope. Processing Integrity is rare outside of products where output correctness matters legally. Most commercial SaaS companies audit Security + Availability + Confidentiality.

What's the cost of SOC 2?

Auditor fees run $15k–$40k for Type I and $25k–$60k for Type II, depending on scope and auditor reputation. Advisory fees for preparation, control design, and evidence pipeline range from $40k to $150k for the first engagement. Compliance platform subscriptions add another $8k–$30k/year depending on vendor and tier. We quote every engagement after scoping; pricing is scope-dependent and not published.

Do we need a SOC 2 if we already have ISO 27001?

Often yes. SOC 2 is preferred by North American enterprise buyers; ISO 27001 is preferred in European and global enterprise contexts. They overlap substantially (both are ISMS-style frameworks) but are not mutually substitutable in a procurement process. If your buyer is North American tech, SOC 2 is usually the primary ask; if your buyer is European or global enterprise, ISO 27001 often comes first. Companies serving both markets typically hold both.

Next step

Book a scoping call.

Thirty minutes. We'll walk through your specific SOC 2 target, current posture, and what a realistic engagement shape looks like. NDA-first when the scoping needs sensitive detail.
