What is SOC 2? A complete guide to compliance

What SOC 2 certification is, how the audit process works, costs, timeline, and requirements. The complete compliance guide for B2B SaaS companies.
Author: Naren Manoharan
Date: May 5, 2026
Reading time: 11 min read

Enterprise security teams don't want to take your word for it anymore. They want proof that your controls work, documented by an independent auditor who tested them over a period of months. SOC 2 gives them that proof (strictly speaking it is an attestation report, not a certification, though buyers and sellers alike call it one), which is why it's become a hard requirement for selling into healthcare, financial services, and most enterprise SaaS buyers. This guide covers what the framework actually tests, how the audit process works, and what it costs to get compliant without stalling your sales pipeline.

TL;DR:

  • SOC 2 Type 2 proves your controls work over time; Type 1 only shows design at one point.
  • Expect $20K-$80K first-year cost including audit fees, tooling, and internal time.
  • US buyers require SOC 2; European buyers prefer ISO 27001; many companies need both.
  • The full process (readiness, observation period, and audit) takes 6-20 months depending on your auditor and existing security controls; the observation period alone is 3-12 months.
  • Wolfia (used by Amplitude, Miro, and ThoughtSpot) auto-fills post-audit customer questionnaires, RFPs, and DDQs so your team reviews instead of writes.

What does SOC 2 stand for?

SOC 2 stands for System and Organization Controls 2. It's a framework developed by the AICPA (American Institute of Certified Public Accountants) to audit how service organizations manage and protect customer data.

The "2" matters here. SOC 1 covers financial reporting controls, which is why your payroll processor cares about it. SOC 2 is built for tech and cloud service providers, where the question isn't "can we trust your bookkeeping?" but "can we trust you with our data?"

SOC 2 audits whether a company's security practices hold up against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security (also called the common criteria) is the only required criterion. The rest are added to scope only when they're relevant to your business and the commitments you make to customers.

The framework is US-centric but recognized globally, which is why enterprise buyers in virtually every industry now ask for it by default.

Why SOC 2 compliance matters in 2026

Enterprise buyers don't want to work with vendors on good faith alone. They require proof. SOC 2 has become the de facto entry ticket for selling to mid-market and enterprise companies, particularly in SaaS and cloud services. Skip it, and you're not losing deals on price or features. You're losing them before the conversation even starts.

The data backs this up. Only 7% of companies with less than $1M in funding are SOC 2 compliant, compared to 45% of companies generating over $100M in revenue. That gap tracks who each group sells to. As companies grow and start targeting larger accounts, SOC 2 becomes a hard prerequisite.

A SOC 2 report signals to procurement teams and security reviewers that your controls have been independently verified. That's the difference between a 90-day security review and a deal that closes in weeks.

The five Trust Services Criteria explained

Each criterion maps to a specific type of risk your customers care about. Here's what each one covers in practice:

Security

The only mandatory criterion. Its common criteria cover the control environment and risk assessment, logical and physical access controls, system operations (monitoring and incident handling), change management, and risk mitigation. In practice that means things like MFA, network controls, intrusion detection, encryption, and a working incident response process. Every SOC 2 audit starts here.

Availability

Your systems are accessible as promised. Think uptime SLAs, capacity monitoring, backups, and disaster recovery plans that you actually test. (Incident response itself is already covered under Security.)

Processing integrity

Data is processed completely, accurately, and on time. Relevant for companies handling financial transactions or data pipelines.

Confidentiality

Information designated as confidential is protected throughout its lifecycle: identified as confidential, encrypted at rest and in transit, restricted by access policy, retained only as long as needed, and securely disposed of afterward.

Privacy

Covers how personal information is collected, used, retained, and disclosed. Closely tied to compliance frameworks like GDPR and CCPA.

Most B2B SaaS companies start with Security only. If your product touches uptime-sensitive workflows or personal data, Availability and Privacy are worth considering. But expanding scope adds audit time and cost, so start lean unless a customer explicitly requires it.

SOC 2 Type 1 vs SOC 2 Type 2

Type 1 and Type 2 reports answer different questions. Type 1 asks: are your controls suitably designed and in place as of a single date? Type 2 asks: did those controls actually operate effectively over an extended period, typically 3 to 12 months?

Type 1 is faster and cheaper to obtain. It's a reasonable starting point, but enterprise buyers increasingly see it as a placeholder. Security reviewers know that Type 1 only proves the controls were designed and in place on the report date, not that anyone operated them consistently in the months that followed.

Type 2 is the standard that matters for serious vendor relationships. Most procurement teams at mid-market and enterprise companies will accept nothing less.

                        SOC 2 Type 1                          SOC 2 Type 2
What it tests           Control design and implementation     Control operating effectiveness
                        at a single point in time             over 3 to 12 months
Audit duration          Weeks                                 Months
Cost                    Lower                                 Higher
Enterprise acceptance   Limited                               Widely accepted
Best for                Early-stage, initial compliance       Selling to enterprise buyers

Start with Type 1 if you need something on paper quickly. But plan for Type 2 before you're deep in a procurement cycle with a Fortune 500 buyer who asks for it.

Who needs SOC 2 compliance?

SOC 2 is voluntary. No law mandates it. But that distinction matters less every year, because enterprise procurement teams have made it a de facto requirement.

If you're a B2B SaaS company, cloud provider, or tech vendor with enterprise customers, you need SOC 2. The industries where it's effectively non-negotiable include healthcare, financial services, and any sector handling sensitive personal or financial data. Sell into those verticals without it, and security reviews stall before they begin.

SOC 2 is less urgent if you sell exclusively to small businesses or consumers who don't run formal vendor assessments. But the moment you target mid-market or enterprise accounts, expect the question on every deal.

How much does SOC 2 cost?

SOC 2 costs more than the audit invoice alone. The audit fee is just one line item in a longer bill.

For small to midsize companies, SOC 2 Type 2 audit fees typically run $12,000 to $20,000. Larger organizations pay $30,000 to $100,000 or more depending on scope and auditor.

Factor in the full picture and first-year costs usually land between $20,000 and $80,000:

  • Readiness assessment: $5,000 to $15,000
  • Compliance tooling: $5,000 to $20,000 annually
  • Remediation work: varies widely
  • Internal engineering and GRC time: often the biggest hidden cost

That last one surprises most teams. Getting to audit-ready means someone has to write policies, close control gaps, and manage the auditor relationship. If that falls on a security engineer or a one-person GRC team, you're looking at weeks of diverted focus.

SOC 2 audit timeline and process

The full SOC 2 Type 2 process runs 6 to 20 months, depending on your starting point, the length of the observation period you choose, and who you hire. Specialist auditors typically finish in 6 to 10 months. Big Four firms run 12 to 20 months.

The process breaks into three phases:

  • Readiness: Gap assessment, policy writing, and control implementation get you to a baseline before the clock starts.
  • Observation period: Your controls operate as designed over a 3 to 12 month window. The auditor doesn't watch in real time; they later sample evidence (tickets, access reviews, logs, change approvals) from that window, so anything that isn't recorded effectively didn't happen.
  • Audit completion: Evidence review, testing, and report issuance wrap everything up.

Companies with security controls already in place move through readiness faster. Starting from scratch means budgeting extra months before the observation window even opens.

SOC 2 vs ISO 27001

SOC 2 and ISO 27001 serve similar goals but work differently in practice. SOC 2 is an attestation report issued by a CPA firm, shared under NDA with specific customers who request it. A Type 2 report covers a fixed period, so vendors renew it annually and typically issue a bridge letter to cover the gap between the end of one period and the next report. ISO 27001 is a public certification issued by an accredited body, valid for three years with annual surveillance audits.

The choice often comes down to where your customers are. US enterprise buyers ask for SOC 2. European and global buyers lean toward ISO 27001. Many companies end up pursuing both as they expand internationally.

                SOC 2                       ISO 27001
Origin          US (AICPA)                  International (ISO/IEC)
Output          Attestation report          Public certification
Sharing         Under NDA                   Publicly shareable
Audit cycle     Annual                      3-year with annual surveillance
Best for        US enterprise sales         Global or European markets

If you're US-focused and selling to enterprise SaaS buyers, start with SOC 2. Add ISO 27001 when European deals require it.

Common SOC 2 controls and requirements

There's no universal checklist for SOC 2. You define the controls that satisfy each criterion in scope; the AICPA provides points of focus for each criterion, and the auditor decides whether your controls, as designed and evidenced, meet it. That said, most audits cover the same core controls.

Auditors will check:

  • Multi-factor authentication on all critical systems
  • Encryption at rest and in transit
  • Periodic (commonly quarterly) user access reviews, with least-privilege policies and documented offboarding
  • Change management procedures with documented approvals
  • System logging and monitoring with alerting
  • Incident response plans with documented test history
  • Business continuity and disaster recovery procedures
  • Vendor risk management for third-party software

Security is the baseline. If you've added Availability or Privacy to your scope, auditors will also check uptime monitoring, backup systems, and data handling practices against those criteria.

Preparing for your SOC 2 audit

Getting audit-ready is a process, not a checklist you hand to your auditor on day one. Companies that run into expensive findings almost always skipped the gap assessment phase before their observation period started.

Here's the order that works:

  • Run a gap assessment against the Trust Services Criteria you're scoping. Identify what controls exist, what's missing, and what's partially in place.
  • Close the gaps before the observation period starts. Auditors charge to watch your controls run, not to fix them.
  • Write your policies. Incident response, access control, change management, and vendor risk management all need documented procedures.
  • Set up evidence collection. Automate evidence collection where possible. Manual evidence gathering is where audits stall.
  • Run an internal readiness check before the auditor arrives. Treat it like a mock audit.

Skipping steps moves the problem later in the process, where fixes are costlier and delays hit active sales cycles.
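As an added illustration of the controls list above and of the "automate evidence collection" step, here is a small access-review check written for this guide (it is example code, not Wolfia's product or anything the AICPA publishes). It assumes a hypothetical identity-provider export shaped like the USERS list, a constructed HR roster, and review thresholds in POLICY that you would replace with your own access-control policy. It flags accounts with no MFA, dormant accounts, accounts that no longer match HR, and admins without a documented justification, then wraps the result in a dated, hashed evidence record that can be handed to an auditor sampling the observation period.

```python
"""Automated quarterly access-review evidence check.

Added example for this guide, not code from Wolfia or the AICPA. All data
below is constructed; the thresholds in POLICY are assumptions that stand in
for your own access-control policy.
"""
import hashlib
import json
from datetime import date

# Review thresholds: a typical policy, not a SOC 2 mandate (assumed values).
POLICY = {
    "max_inactive_days": 90,   # accounts idle longer than this are flagged
    "mfa_required": True,      # every in-scope account must have MFA enrolled
}

# Constructed sample export, roughly the shape an IdP API returns.
USERS = [
    {"username": "alice", "mfa_enrolled": True, "last_login": "2026-04-28",
     "roles": ["engineer"]},
    {"username": "bob", "mfa_enrolled": False, "last_login": "2026-04-30",
     "roles": ["engineer"]},
    {"username": "carol", "mfa_enrolled": True, "last_login": "2026-01-05",
     "roles": ["admin"], "admin_justification": "on-call platform lead"},
    {"username": "dave", "mfa_enrolled": True, "last_login": "2026-05-01",
     "roles": ["admin"]},
]

# Constructed HR roster of currently employed staff; dave has left.
HR_ACTIVE = {"alice", "bob", "carol"}

REVIEW_DATE = "2026-05-05"  # ISO date the review was performed


def review_user(user, hr_active, review_date, policy):
    """Return the list of policy findings for one account (empty if clean)."""
    findings = []
    if policy["mfa_required"] and not user["mfa_enrolled"]:
        findings.append("mfa_missing")
    last = user.get("last_login")
    idle_days = (date.fromisoformat(review_date)
                 - date.fromisoformat(last)).days if last else None
    if idle_days is None or idle_days > policy["max_inactive_days"]:
        findings.append("inactive")
    if user["username"] not in hr_active:
        findings.append("not_in_hr")  # likely a missed offboarding
    if "admin" in user["roles"] and not user.get("admin_justification"):
        findings.append("admin_without_justification")
    return findings


def run_access_review(users, hr_active, review_date, policy=POLICY):
    """Review every account; return (all results, only the exceptions)."""
    results = {u["username"]: review_user(u, hr_active, review_date, policy)
               for u in users}
    exceptions = {name: f for name, f in results.items() if f}
    return results, exceptions


def build_evidence_record(users, hr_active, review_date, reviewer, policy=POLICY):
    """Produce the artifact an auditor would sample: who reviewed what, when,
    against which policy, with a SHA-256 over the content for tamper evidence."""
    _, exceptions = run_access_review(users, hr_active, review_date, policy)
    record = {
        "control": "Quarterly user access review",
        "review_date": review_date,
        "reviewer": reviewer,
        "population_size": len(users),
        "exceptions": exceptions,
        "policy": policy,
    }
    payload = json.dumps(record, sort_keys=True).encode("utf-8")
    record["sha256"] = hashlib.sha256(payload).hexdigest()
    return record


if __name__ == "__main__":
    record = build_evidence_record(USERS, HR_ACTIVE, REVIEW_DATE,
                                   "security-lead@example.com")
    print(json.dumps(record, indent=2))
```

Run it on a schedule, store the JSON output (and the ticket closing each exception) with the rest of your evidence, and the auditor can sample any quarter from the observation period without anyone assembling spreadsheets by hand. The hash is not a signature; it only lets you show that a stored record matches what the script produced, which is usually enough for an auditor but not a substitute for write-once evidence storage.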

How Wolfia accelerates post-SOC 2 sales cycles

Getting SOC 2 certified is step one. What follows is a constant stream of security questionnaires from buyers who want to verify your controls beyond the report itself. That's where teams get buried.

Wolfia auto-fills security questionnaires across Excel, PDF, Word, and vendor portals by pulling directly from your SOC 2 documentation, policies, and knowledge base. Instead of a 2 to 4 week turnaround per questionnaire, your team reviews answers instead of writing them from scratch.

Your SOC 2 report proves you have controls. Wolfia turns that proof into closed deals faster.

Final thoughts

SOC 2 certification solves your credibility problem with enterprise buyers. The next problem is speed. Your sales team can't wait 2-4 weeks per security review when deals are on the line. We built Wolfia because every company hits this wall after certification. Book 15 minutes to see how auto-filled questionnaires cut your review cycle from weeks to hours without adding headcount.

FAQ

How long does a SOC 2 Type 2 audit actually take?

Plan for 6 to 20 months depending on your auditor and starting point. Companies with existing security controls typically finish in 6 to 10 months with specialist auditors, while Big Four firms often run 12 to 20 months.

What's the real cost of getting SOC 2 certified?

First-year costs typically range from $20,000 to $80,000 when you include the audit fee ($12,000 to $20,000 for most companies), readiness assessment, compliance tooling, and internal time. The biggest hidden cost is the engineering and GRC hours required to write policies, close control gaps, and manage the auditor relationship.

Do I need SOC 2 Type 1 or should I go straight to Type 2?

Type 2 is what enterprise buyers actually accept. Type 1 proves your controls were designed and in place on the report date, while Type 2 proves they operated effectively over 3 to 12 months. Start with Type 1 only if you need something on paper immediately, but plan for Type 2 before you're deep in a procurement cycle with a major buyer.

Is SOC 2 actually required by law?

No. SOC 2 is voluntary, but enterprise procurement teams have made it a requirement in practice. If you're a B2B SaaS company selling to mid-market or enterprise accounts, especially in healthcare or financial services, you'll lose deals before conversations start without it.

What happens after I get my SOC 2 report?

You'll face a constant stream of security questionnaires from buyers who want to verify your controls beyond the report itself. Each questionnaire takes 2 to 4 weeks to complete manually, which is where most teams get buried post-certification.
