Bring any framework. Vissibl maps your controls once and keeps them audit-ready, always.
SOC 2 · Trust Services Criteria

The report enterprise buyers ask for. Before they'll sign.

SOC 2 is the trust standard for software and cloud businesses. It is an independent report from a licensed auditor showing that the way you protect customer data holds up to scrutiny. For most B2B vendors it is the credential that unblocks enterprise deals and ends the endless security-questionnaire back-and-forth. It maps almost one-to-one onto ISO 27001.

  • Type 1 and Type 2
  • Five Trust Services Criteria
  • Maps to your ISO 27001
The shift

Enterprise trust used to be a conversation. Now it's a report they demand.

No report, no deal

Enterprise procurement and security teams ask for your SOC 2 before signing. Without it, deals stall in vendor review or never start.

The questionnaire tax

Every prospect sends a different security questionnaire. A SOC 2 report answers most of them at once and gives your sales team hours back.

Trust has to be proven

Saying you are secure is not enough. SOC 2 is an independent auditor attesting that your controls are real and, in Type 2, that they work over time.

Who it's for

For any business whose customers trust it with data.

B2B SaaS & cloud

The default credential enterprise buyers expect before purchase.

Scale-ups selling up-market

Moving from SMB to enterprise deals, where SOC 2 becomes non-negotiable.

Managed service & tech providers

Handling client systems and data under scrutiny.

Any data processor

If customers ask how you protect their data, SOC 2 is the answer.

What it requires

Five Trust Services Criteria. You choose your scope.

Security (required)

The common criteria every SOC 2 covers, protecting systems and data against unauthorised access.

Availability (optional)

That systems are available and information is accessible as committed.

Processing integrity (optional)

That processing is complete, valid, accurate, timely and authorised.

Confidentiality (optional)

That information designated confidential is protected.

Privacy (optional)

That personal information is collected, used, retained and disposed of appropriately.

Scoped to your commitments

You add optional criteria only where a customer or your service demands it. Security is always in.

What sets SOC 2 apart

Type 1 or Type 2. Design now, effectiveness over time.

A Type 1 report attests that your controls are designed correctly at a point in time, the fast way to show enterprise buyers you are serious. A Type 2 report goes further, proving those controls actually operated over a period of three to twelve months. Type 2 is what large buyers ultimately want, and continuous evidence over that window is exactly where a platform earns its place.

Type 1

Design of controls at a point in time.

Fastest to obtain. Unblocks a deal now and shows intent. Typically ready in weeks once controls are in place.

Type 2

Operating effectiveness over a 3 to 12 month window.

The report enterprises trust most. Requires continuous evidence across the observation period.

Security
The one required criterion

Every SOC 2 report covers the security common criteria. The other four are optional.

3 to 12
Month Type 2 window

The observation period over which controls must operate effectively to earn a Type 2 report.

Weeks
To a Type 1 report

Once controls are in place, a Type 1 attestation is typically ready in weeks, not months.

Less work than you think

Already run ISO 27001? SOC 2 is largely the same controls.

SOC 2 and ISO 27001 overlap heavily. If you run a 27001 system, most of the security controls SOC 2 tests are already in place; you are presenting the same programme for a North American audience.

  • Most SOC 2 security controls already exist in your ISO 27001 system
  • Access, change and incident-management evidence carries across
  • One control set, evidenced once, mapped to both frameworks
  • The main SOC 2 addition is sustained evidence over the Type 2 window
  • One workspace, one dashboard, 27001 and SOC 2 side by side
What's driving it

Why software businesses get their SOC 2.

North America & Global

The default vendor-trust credential.

  • The default vendor-trust credential for US and global enterprise buyers.
  • Often the first thing procurement asks a software vendor for.
  • Expected across every serious enterprise sales motion.
Australia

The passport into US enterprise deals.

  • Australian scale-ups selling into US and global enterprise increasingly need SOC 2.
  • Required to clear vendor security review and win those deals.
  • The credential that shortcuts questionnaires with international buyers.
GCC

For regional providers going global.

  • Regional tech and cloud providers adopting SOC 2 to sell to multinational customers.
  • Meets international procurement expectations from day one.
  • A visible marker of maturity in a fast-professionalising market.
In Vissibl

Your SOC 2 programme running every day. Not just in the audit window.

Trust Services Criteria coverage

Every criterion in scope mapped from day one. Requirements assessed, linked to evidence, gaps surfaced as they appear.

Access & change management

Joiners, movers, leavers, privileged access reviews and change approvals tracked as a living record.

Monitoring & incident response

Alerts, incidents and response actions raised, investigated and closed with sign-off.

Continuous evidence collection

Built for the Type 2 window. Evidence collected across the observation period, not scrambled at the end.

Auditor-ready evidence packs

Trust Services Criteria mapped to controls and evidence, exported in the shape your auditor expects.

Integrated with your IMS

SOC 2 maps to ISO 27001 and sits beside 9001, 14001, 45001, 13485 and 42001. One dashboard, one evidence trail.

FAQ

Common questions.

Is SOC 2 a certification?

No. SOC 2 is an independent attestation report issued by a licensed CPA firm, not a certification. The auditor examines your controls against the Trust Services Criteria and issues either a Type 1 report on the design of those controls at a point in time, or a Type 2 report on how effectively they operated over a period of months.

Should we start with Type 1 or Type 2?

Most vendors start with Type 1 to unblock an immediate enterprise deal, then move to Type 2 as soon as they have run three to twelve months of evidence. Some buyers accept Type 1 as an interim signal; ultimately, sophisticated procurement teams want Type 2.

How long does a SOC 2 take?

Once controls are in place, a Type 1 report is typically ready in weeks. A Type 2 report adds the observation window of three to twelve months over which the auditor tests operating effectiveness. Vissibl surfaces your gap position on day one so you know where you stand before you engage an auditor.

We already hold ISO 27001, do we need SOC 2 as well?

Often, yes. ISO 27001 is the international standard; SOC 2 is what North American and global enterprise buyers explicitly ask for. The good news is that the two overlap heavily, so if you already run 27001 in good standing, most of the SOC 2 control set is already in place. Vissibl maps one control set to both.

Which Trust Services Criteria do we need?

Security is always in scope. Availability, processing integrity, confidentiality and privacy are optional and you add them only where a customer commitment or the nature of your service demands it. Most vendors start with Security and Availability, and add others as enterprise requirements emerge.

Free gap analysis

See where you stand against SOC 2 before your next enterprise buyer asks.

Bring your existing controls and documentation. We run Vissi Audit against the Trust Services Criteria and surface your gaps in 11 minutes. No prep, no obligation.