01SOC 2 in 60 seconds
SOC 2 (Service Organization Controls 2) is the report most US enterprise customers ask Indian SaaS vendors to produce before signing. It is not a regulation or a certification — it is an attestation by an independent auditor (CPA firm) that your controls operate effectively.
- Created by AICPA (American Institute of Certified Public Accountants)
- Performed by CPA firms (auditors must be licensed CPAs)
- Two types: Type 1 (point in time) and Type 2 (over a period)
- Two main report variants: SOC 2 Type 1 and Type 2; SOC 3 is a public summary
- Scoped against five Trust Services Criteria — at least Security; you choose to add Availability, Confidentiality, Processing Integrity, Privacy
- Most enterprise customers ask for SOC 2 Type 2 covering at minimum Security + Availability
02Type 1 vs Type 2
| Type 1 | Type 2 |
|---|---|
| Point-in-time snapshot | Over a period (typically 6 or 12 months) |
| Attests controls are designed appropriately | Attests controls operated effectively over time |
| 2–3 months to obtain | 8–12 months minimum (preparation + observation + audit) |
| Lower assurance; some customers won't accept | The standard expectation in enterprise sales |
Practical pattern: most teams do Type 1 once (to unblock initial sales), then Type 2 on the next 12-month cycle.
03Trust Services Criteria
- Security (Common Criteria) — required for every SOC 2; covers logical/physical access, change management, risk management, etc. ~100 sub-criteria
- Availability — system availability for operation per commitments. Common addition for SaaS
- Confidentiality — protection of confidential information. Common when handling customer secrets
- Processing Integrity — system processing complete, valid, accurate, timely. Common for financial / data-processing SaaS
- Privacy — collection, use, retention, disposal of personal information. Less common; many use GDPR/DPDP for privacy instead
Most Indian SaaS targeting US enterprises: Security + Availability. Add Confidentiality if storing significant customer data.
04The 9 Common Criteria categories
- CC1: Control Environment — governance, ethics, oversight
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Each has multiple sub-criteria. Modern SaaS-focused control frameworks (Vanta, Drata, SecureFrame templates) implement the standard set; customisation is at the margins.
05The audit process
Pre-audit (months 1–6)
- Choose auditor and tooling (in-house vs platform like Vanta/Drata/SecureFrame)
- Define scope — services, systems, locations, criteria
- Implement controls; collect evidence
- Run readiness assessment with auditor or independent consultant
- Address gaps
Observation period — Type 2 only (6 months minimum)
Controls must operate consistently over the period. Auditors will sample evidence from this window. Evidence collected during the observation period is what matters; pre-period evidence is moot.
Audit fieldwork (4–8 weeks)
- Auditor requests evidence (typically 200–400 items)
- Walk-throughs of major controls
- Interviews with control owners
- Sampling and testing
- Findings discussion
Report issuance (2–4 weeks after fieldwork)
- Auditor opinion: Unqualified (clean), Qualified (some exceptions), Adverse (controls not effective), Disclaimer (couldn't form opinion)
- Description of system + controls
- Description of tests performed and results
- Management's response to any exceptions
06What enterprise customers do with the report
- Procurement / Vendor Risk reads the auditor opinion + executive summary
- Security team reviews exceptions and complementary user entity controls (CUECs — controls the customer must implement)
- Legal reviews scope and any disclaimers
- The report is shared under NDA — customers don't redistribute, generally
- Refreshed annually; expired SOC 2 reports get flagged in vendor risk reviews
07Critical controls
- Background checks on employees with system access (CC1.4)
- Onboarding/offboarding with documented access provisioning and revocation
- Least-privilege access reviews quarterly, evidenced
- MFA on all admin and external-facing systems
- Vulnerability management with SLA-tracked remediation
- Patch management with documented schedule + exceptions
- Change management with reviews/approvals before production deploy
- Incident response with documented procedure + evidence of recent incidents handled
- Encryption at rest and in transit (with documented standards)
- Backup and recovery tested at least annually
- Vendor risk management with assessments of critical vendors
- Logging and monitoring with documented log review
- Disaster recovery testing
08Common findings on first SOC 2
- Access review evidence missing for certain quarters
- Change tickets without documented testing for emergency changes
- Background check evidence missing for some legacy employees
- Vulnerability remediation past SLA without documented exception
- Vendor risk assessments missing or out-of-date
09Choosing an auditor
- Big 4 (PwC, EY, Deloitte, KPMG) — high-trust to enterprise customers, expensive, slow, less flexible
- Mid-tier (BDO, Grant Thornton, Crowe) — credible, more affordable, often more responsive
- SOC-focused boutiques (BARR, A-LIGN, Schellman, Insight Assurance) — specialise in SaaS SOC 2; familiar with SaaS controls; often the right pick for tech companies
10Compliance platforms
Vanta, Drata, SecureFrame, Sprinto (India-built) automate evidence collection, vendor management, and control monitoring. Pros: dramatic time savings; consistent evidence; integration with cloud, HR, and ticketing systems. Cons: $20–50K USD per year; lock-in. Worth it for any team pursuing SOC 2 + ISO 27001 + multiple frameworks.
11SOC 2 + ISO 27001 — the dual play
Once SOC 2 is established, adding ISO 27001 is significantly easier — most controls overlap. Sequence:
- Year 1: SOC 2 Type 1 → Type 2
- Year 2: Add ISO 27001 (extends SOC 2 with risk assessment, ISMS framework, statement of applicability)
- Year 3+: Maintain both with shared evidence collection
12India-specific considerations
- Background checks must comply with Indian labour law — limited criminal history scope
- Data residency may be a customer concern; document where data lives
- DPDP compliance now expected alongside SOC 2 for Indian operations
- Time zone — auditor working hours may misalign; plan for asynchronous evidence delivery
From first SOC 2 to enterprise-ready
A 30-minute consultation. We scope your SOC 2 (Type 1 or 2), map the critical-control gaps, choose the right audit framework, and give you a 90-day plan to get observation-period-ready.