SOC 2, delivered. Not just dashboarded.
Type 1 in six to ten weeks. Type 2 with the same team that ran your Type 1. Engineers write the policies, harden the cloud accounts, and close the findings. An independent CPA firm issues the report.
Independent CPA report attesting that a service organization's controls meet the AICPA Trust Services Criteria.
SOC 2 is a CPA-attested report on whether a service organization's controls meet five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is mandatory; the others are optional and added based on what your customers ask for. Type 1 is a point-in-time assessment of control design. Type 2 is an opinion over an observation window of three to twelve months that the controls also operated effectively. The report is not a certification; it is the audit opinion of an independent CPA firm licensed by the AICPA.
Who needs it
Any service organization that holds, processes, or transmits customer data and sells to mid-market or enterprise buyers. SaaS, fintech, healthtech, MSPs, and managed cloud providers run into SOC 2 first because procurement teams ask for it on every vendor security review. The first SOC 2 typically comes up around Series A or first enterprise deal. Type 1 buys you time; Type 2 is what enterprise procurement actually wants to see.
The HSD playbook for SOC 2
HSD's engineers begin with a gap assessment against the AICPA Trust Services Criteria and your existing controls. We write the missing policies, configure the missing technical controls, roll out endpoint MDM if you do not have one, set up SSO and SCIM if you do not have those, harden the cloud accounts, and stand up the evidence collection. Continuous monitoring runs from day one through the audit window. We coordinate the CPA firm partner from kickoff letter through report delivery. Your team approves changes; you do not write them.
Timeline

| Phase | Milestone | Activities |
|---|---|---|
| Week 1 | Kickoff and gap assessment | Scope, criteria selection, control mapping against current environment, audit firm selection |
| Weeks 2 to 4 | Policy and technical baseline | Information security policy, acceptable use, change management, vendor management; SSO, MDM, logging, backup hardening |
| Weeks 4 to 6 | Evidence collection | Continuous monitoring of access reviews, change tickets, incident logs, vendor reviews |
| Weeks 7 to 10 | Type 1 audit | CPA firm fieldwork, walkthroughs, evidence sampling, draft report |
| Months 4 to 12 | Type 2 observation window | Three to twelve months of operating effectiveness, depending on customer requirements |
| Following the window | Type 2 audit and report | Fieldwork on operating effectiveness, draft, customer review, final report |
Cost reality
| Line item | Range | Note |
|---|---|---|
| Software-only platforms (Vanta, Drata) | USD 7,500 to 25,000 per year | Plus a separate consultant for remediation |
| Remediation consulting (separate from software) | USD 30,000 to 80,000 per framework | Hourly billing typical, scope creep common |
| CPA audit firm fees | USD 12,000 to 35,000 per audit | Type 1 lower end, Type 2 higher; partner-tier matters |
| HSD bundled program | Scoped per program | Software, engineers, auditor coordination in one fixed-scope engagement |
What auditors check

| Control | What the auditor expects to see |
|---|---|
| Information security policies, acknowledged by all employees | Written, version-controlled, reviewed annually, with timestamped acknowledgments from every active employee. |
| Access reviews on a documented cadence | Quarterly access reviews for production and sensitive systems with a record of who reviewed, what was found, and what changed. |
| Change management with separation of duties | Code merges require review from someone other than the author; production deployments are tied to ticketed changes. |
| Vendor risk management program | List of subprocessors, criticality tiers, due diligence records, and an annual re-review. |
| Incident response process and table-top exercise | Documented runbook, defined severity levels, a recent table-top with notes. |
| Logging, monitoring, and alerting on critical paths | Centralized logs, retention policy, monitoring with alerts that are routed to a real on-call. |
Common pitfalls
Treating SOC 2 as a one-time project
Type 2 is an observation window. Controls have to operate every day, not just on audit week.
Buying software without budgeting for remediation
The dashboard does not write your policies or configure your IAM. That work happens before the audit, regardless of vendor.
Picking the cheapest audit firm
Partner-tier varies. Enterprise customers occasionally reject reports from smaller firms with weak quality programs.
Ignoring complementary user entity controls
The customer-side controls listed in your report are part of how the auditor describes scope. Review them before the report goes out; some customers read them carefully.
Over-scoping criteria on the first attempt
Security plus one other criterion is enough for most first-time engagements. Adding Privacy or Processing Integrity prematurely doubles the work.
FAQ
How fast can HSD get us SOC 2 Type 1?
What is the difference between SOC 2 Type 1 and Type 2?
Can I skip Type 1 and go straight to Type 2?
Does SOC 2 require a penetration test?
Who issues the SOC 2 report?
How long is a SOC 2 report valid?
Want SOC 2 scoped for your stack?
Thirty-minute call. Fixed-scope quote inside a week. We tell you honestly when SOC 2 should wait or when it should lead.