The report enterprise buyers ask for. Before they'll sign.
SOC 2 is the trust standard for software and cloud businesses. It is an independent report from a licensed auditor showing that the way you protect customer data holds up to scrutiny. For most B2B vendors it is the credential that unblocks enterprise deals and ends the endless security-questionnaire back and forth. It maps almost one to one onto ISO 27001.
- Type 1 and Type 2
- Five Trust Services Criteria
- Maps to your ISO 27001
Enterprise trust used to be a conversation. Now it's a report they demand.
No report, no deal
Enterprise procurement and security teams ask for your SOC 2 before signing. Without it, deals stall in vendor review or never start.
The questionnaire tax
Every prospect sends a different security questionnaire. A SOC 2 report answers most of them at once and gives your sales team hours back.
Trust has to be proven
Saying you are secure is not enough. SOC 2 is an independent auditor attesting that your controls are real and, in Type 2, that they work over time.
For any business whose customers trust it with data.
B2B SaaS & cloud
The default credential enterprise buyers expect before purchase.
Scale-ups selling up-market
Moving from SMB to enterprise deals, where SOC 2 becomes non-negotiable.
Managed service & tech providers
Handling client systems and data under scrutiny.
Any data processor
If customers ask how you protect their data, SOC 2 is the answer.
Five Trust Services Criteria. You choose your scope.
Security (required)
The common criteria every SOC 2 covers, protecting systems and data against unauthorised access.
Availability (optional)
That systems are available and information is accessible as committed.
Processing integrity (optional)
That processing is complete, valid, accurate, timely and authorised.
Confidentiality (optional)
That information designated confidential is protected.
Privacy (optional)
That personal information is collected, used, retained and disposed of appropriately.
Scoped to your commitments
You add optional criteria only where a customer or your service demands it. Security is always in.
Type 1 or Type 2. Design now, effectiveness over time.
A Type 1 report attests that your controls are designed correctly at a point in time; it is the fastest way to show enterprise buyers you are serious. A Type 2 report goes further, proving those controls actually operated over a period of three to twelve months. Type 2 is what large buyers ultimately want, and continuous evidence over that window is exactly where a platform earns its place.
Design of controls at a point in time.
Fastest to obtain. Unblocks a deal now and shows intent. Typically ready in weeks once controls are in place.
Operating effectiveness over a 3 to 12 month window.
The report enterprises trust most. Requires continuous evidence across the observation period.
Every SOC 2 report covers the security common criteria. The other four are optional.
The observation period over which controls must operate effectively to earn a Type 2 report.
Once controls are in place, a Type 1 attestation is typically ready in weeks, not months.
Already run ISO 27001? SOC 2 is largely the same controls.
SOC 2 and ISO 27001 overlap heavily. If you run a 27001 system, most of the security controls SOC 2 tests are already in place; you are presenting the same programme to a North American audience.
- Most SOC 2 security controls already exist in your ISO 27001 system
- Access, change and incident-management evidence carries across
- One control set, evidenced once, mapped to both frameworks
- The main SOC 2 addition is sustained evidence over the Type 2 window
- One workspace, one dashboard, 27001 and SOC 2 side by side
Why software businesses get their SOC 2.
The default vendor-trust credential.
- The default vendor-trust credential for US and global enterprise buyers.
- Often the first thing procurement asks a software vendor for.
- Expected across every serious enterprise sales motion.
The passport into US enterprise deals.
- Australian scale-ups selling into US and global enterprise increasingly need SOC 2.
- Required to clear vendor security review and win those deals.
- The credential that shortcuts questionnaires with international buyers.
For regional providers going global.
- Regional tech and cloud providers adopting SOC 2 to sell to multinational customers.
- Meets international procurement expectations from day one.
- A visible marker of maturity in a fast-professionalising market.
Your SOC 2 programme running every day. Not just in the audit window.
Trust Services Criteria coverage
Every criterion in scope mapped from day one. Requirements assessed, linked to evidence, gaps surfaced as they appear.
Access & change management
Joiners, movers, leavers, privileged access reviews and change approvals tracked as a living record.
Monitoring & incident response
Alerts, incidents and response actions raised, investigated and closed with sign-off.
Continuous evidence collection
Built for the Type 2 window. Evidence collected across the observation period, not scrambled at the end.
Auditor-ready evidence packs
Trust Services Criteria mapped to controls and evidence, exported in the shape your auditor expects.
Integrated with your IMS
SOC 2 maps to ISO 27001 and sits beside 9001, 14001, 45001, 13485 and 42001. One dashboard, one evidence trail.
Common questions.
Is SOC 2 a certification?
No. SOC 2 is an independent attestation report issued by a licensed CPA firm, not a certification. The auditor examines your controls against the Trust Services Criteria and issues either a Type 1 report on the design of those controls at a point in time, or a Type 2 report on how effectively they operated over a period of months.
Should we start with Type 1 or Type 2?
Most vendors start with Type 1 to unblock an immediate enterprise deal, then move to Type 2 as soon as they have run three to twelve months of evidence. Some buyers accept Type 1 as an interim signal; ultimately, sophisticated procurement teams want Type 2.
How long does a SOC 2 take?
Once controls are in place, a Type 1 report is typically ready in weeks. A Type 2 report adds the observation window of three to twelve months over which the auditor tests operating effectiveness. Vissibl surfaces your gap position on day one so you know where you stand before you engage an auditor.
We already hold ISO 27001, do we need SOC 2 as well?
Often, yes. ISO 27001 is the international standard; SOC 2 is what North American and global enterprise buyers explicitly ask for. The good news is that the two overlap heavily, so if you already run 27001 in good standing, most of the SOC 2 control set is already in place. Vissibl maps one control set to both.
Which Trust Services Criteria do we need?
Security is always in scope. Availability, processing integrity, confidentiality and privacy are optional and you add them only where a customer commitment or the nature of your service demands it. Most vendors start with Security and Availability, and add others as enterprise requirements emerge.

See where you stand against SOC 2 before your next enterprise buyer asks.
Bring your existing controls and documentation. We run Vissi Audit against the Trust Services Criteria and surface your gaps in 11 minutes. No prep, no obligation.