> For the complete documentation index, see [llms.txt](https://docs.oxfordinfosec.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.oxfordinfosec.com/soc2-type-i-and-ii.md).

# SOC 2 Type I and II

## Introducing the Service

If you're selling into the US market, SOC 2 is increasingly the expected evidence of security maturity. A Type I report gets you in the door; a Type II report keeps you there. Customers, investors, and partners expect not only an attestation, but evidence that your security posture is continuously maintained between audits.

Oxford Infosec takes small, fast-moving companies through SOC 2 readiness, the Type I attestation, and into ongoing Type II audit readiness. Our consultants hold internationally recognised credentials (ISO 27001 Lead Auditor/Lead Implementer, CIPP/E, CIPM, CISSP) and have guided multiple SaaS and technology businesses through SOC 2 for the first time.

Our approach is pragmatic and risk-driven, built for small, fast-moving teams so that every recommended control is proportionate to real-world risk, Trust Services Criteria requirements, and customer expectations.

We can optionally combine this expertise with a compliance automation platform, giving you continuous evidence collection, real-time dashboards, and automated alerts instead of periodic checklists.

## What Problem Does This Solve?

Winning enterprise deals, particularly in the US market, increasingly depends not only on achieving a SOC 2 Type II attestation but on demonstrating that your security posture is continuously maintained.

Typical challenges for high-growth organisations:

| Challenge                                               | Consequence                                            |
| ------------------------------------------------------- | ------------------------------------------------------ |
| **No dedicated security lead**                          | Slow, fragmented implementation; audit exceptions      |
| **Limited capacity to keep controls current**           | Evidence gaps, urgent fixes before audit window closes |
| **SaaS sprawl and dynamic infrastructure**              | Unclear control ownership, missing audit trails        |
| **Evolving threat and customer requirements landscape** | Controls drift away from organisational reality        |

Oxford Infosec provides an experienced implementation consultant and ongoing SOC 2 maintenance, so you achieve attestation quickly and stay continuously audit-ready.

## Fit for Small Businesses

This service is designed for organisations that need a credible SOC 2 report without the overhead of an enterprise-scale programme. Typically that means:

* **20 to 200 employees**: large enough to face US customer demands, small enough that enterprise templates would swamp the business
* **Selling into the US market**: SaaS platforms, technology-enabled services, or professional services with US buyers or investors
* **Handling sensitive data**: customer data, financial information, or other information where buyers expect independent assurance
* **Facing external pressure**: procurement questionnaires, investor due diligence, or contractual attestation requirements

Our approach recognises the reality of fast-moving teams: limited headcount, shifting priorities, and the need to keep shipping product while still holding a credible SOC 2 report. It keeps the framework achievable without turning it into a parallel bureaucracy.

* **Practical controls**: we focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn't apply (for example, you don't process payments), we scope the Trust Services Criteria categories accordingly rather than inventing work.
* **Light-touch scheduling**: readiness assessments, workshops, and evidence collection are conducted with the minimum possible impact on the rest of the business.
* **Automated evidence wherever possible**: the platform's integrations pull access logs, configuration states and test results from your existing systems, cutting down on manual screenshots and spreadsheets. Where automation isn't possible, we agree the simplest manual check that will satisfy an auditor.
* **Risk-led priorities**: not everything gets fixed at once. We order actions by compliance impact and the effort to deliver them, so you can stage improvements alongside normal delivery.
* **Straightforward guidance**: we avoid standards-speak and explain what's required in plain English. Policies come as editable templates, with notes that make clear what's mandatory versus optional.

If a single US customer has asked once, SOC 2 may not be the right answer yet. A strong set of controls and a well-answered questionnaire can often buy you time until the demand is more persistent.

## Outcomes: What You Get

### Attestation you can rely on

| Outcome                                             | What this means                                                                                   |
| --------------------------------------------------- | ------------------------------------------------------------------------------------------------- |
| **You achieve attestation on your target timeline** | Readiness, implementation, and audit prep aligned to your deal, investor, or contractual deadline |
| **The report reflects the business**                | Controls match how you actually operate, not a generic template that auditors flag                |
| **Type II readiness is continuous, not episodic**   | Evidence collects as you work, so the next audit window doesn't turn into a scramble              |

### Credibility with US buyers and investors

| Outcome                                            | What this means                                                                 |
| -------------------------------------------------- | ------------------------------------------------------------------------------- |
| **You can answer security questionnaires quickly** | Evidence is ready, mapped to common frameworks and what US buyers typically ask |
| **Enterprise procurement doesn't stall deals**     | Buyers get the assurance they need without weeks of back-and-forth              |
| **Investors aren't surprised by security debt**    | Due diligence on controls, incidents, and risk posture is covered by the report |

### A programme that runs itself

| Outcome                                    | What this means                                                          |
| ------------------------------------------ | ------------------------------------------------------------------------ |
| **You know where you stand**               | Live view of control status, evidence coverage and open actions          |
| **Exceptions surface early**               | Gaps are caught and remediated before the CPA tests them                 |
| **The framework fits around the business** | Controls and cadence calibrated to small teams, not enterprise templates |

## Compliance Automation Platform

We recommend using a cloud-based compliance automation platform that serves as the "engine room" for day-to-day SOC 2 housekeeping. We can work with whichever platform you have in place already.

Once connected to your existing tools (for example, AWS, Google Workspace, GitHub), it continuously collects evidence that key privacy and security controls are operating, maintains your policy documents, and displays progress on a live readiness dashboard. The platform automatically raises tasks (like policy reviews, vendor re-assessments or staff training refreshers), assigns them to the right people with due dates, and preserves an auditable trail.

## Understanding SOC 2

### Trust Services Criteria

SOC 2 is built around the AICPA's Trust Services Criteria. Every engagement includes **Security** (the Common Criteria), and you select additional categories based on customer requirements and business context:

| Category                 | Focus                                   | Typical Applicability                |
| ------------------------ | --------------------------------------- | ------------------------------------ |
| **Security** (required)  | Protection against unauthorised access  | All engagements                      |
| **Availability**         | System uptime and accessibility         | SaaS platforms with SLAs             |
| **Processing Integrity** | Accurate, timely, authorised processing | Data processing, financial systems   |
| **Confidentiality**      | Protection of confidential information  | B2B services handling sensitive data |
| **Privacy**              | Personal information lifecycle          | Consumer-facing applications         |

### Type I vs Type II

| Report Type | What It Demonstrates                                                | Typical Use Case                                    |
| ----------- | ------------------------------------------------------------------- | --------------------------------------------------- |
| **Type I**  | Controls are suitably designed at a point in time                   | First-time attestation, urgent customer requirement |
| **Type II** | Controls operated effectively over a period (typically 6–12 months) | Ongoing assurance, enterprise sales                 |

Most customers ultimately need a Type II report. We can help you achieve a Type I quickly if required, then transition to Type II for the following audit period.

## Scope of Activities

This service is split into the initial implementation, which takes you all the way to your first SOC 2 report, and then the subsequent maintenance of the controls and evidence to ensure you remain audit-ready for annual Type II examinations.

### Phase 1: Implementation

| Category                               | Activity                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
| -------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Kick-off and Scoping**               | <p>A lightweight alignment call with founders or leadership to agree on:</p><ul><li><strong>Trust Services Criteria</strong>: decide which categories apply (Security is mandatory; Availability, Confidentiality, Processing Integrity, Privacy are selected based on customer requirements).</li><li><strong>System boundaries</strong>: define which infrastructure, applications, and processes are in scope.</li><li><strong>Report type</strong>: Type I for speed, or straight to Type II if timeline allows.</li><li><strong>Accountability</strong>: nominate a senior contact (often CTO, COO, or founder) to make quick decisions.</li></ul> |
| **Compliance Platform Implementation** | Connect the platform to your existing systems (cloud, IAM, code repos, device management, ticketing, etc.) so it can automatically collect evidence. We configure integrations, set owners and review cycles, and make sure the dashboard reflects how your business actually runs, minimising manual effort.                                                                                                                                                                                                                                                                                                                                           |
| **Risk Assessment**                    | Identify your key assets (customer data, code, infrastructure), spot the main threats and weaknesses, and record the risks in a simple register. Each risk is given an owner and a treatment decision (accept, reduce, transfer, avoid), which is then followed up during quarterly risk management sessions.                                                                                                                                                                                                                                                                                                                                           |
| **Control Mapping and Gap Analysis**   | Map existing controls to Trust Services Criteria, identify gaps, and prioritise remediation based on audit impact and effort.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           |
| **Documentation**                      | Create or refine core policies and procedures (for example, Information Security, Access Control, Change Management, Incident Response, Vendor Management) and align them to Trust Services Criteria.                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
| **Control Implementation Support**     | Guide technical and organisational control deployment (MFA, logging, backup, HR onboarding and off-boarding, supplier due diligence) and validate effectiveness.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| **Readiness Assessment**               | Conduct internal readiness review simulating auditor procedures; identify and remediate gaps before the formal examination.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
| **Audit Preparation**                  | Coordinate with your chosen CPA firm, prepare evidence packages, rehearse auditor Q&A and logistics.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |

### Phase 2: Maintenance

| Category                             | Activity                                                                                                                         |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
| **Continuous Monitoring**            | Operate compliance automation integrations to harvest evidence, track control SLAs and surface alerts for out-of-tolerance items |
| **Risk Management**                  | Maintain rolling risk register; review emerging threats and update treatment actions on a quarterly cadence                      |
| **Readiness Assessments**            | Plan and execute periodic control testing and readiness reviews, logging findings and corrective actions                         |
| **Policy and Procedure Maintenance** | Schedule reviews, update documents for changes to criteria or business operations, and manage version control                    |
| **Management Review**                | Prepare KPI dashboard and facilitate semi-annual management review sessions, capturing decisions and action items                |
| **Audit Liaison**                    | Coordinate with the CPA firm for annual Type II examinations; manage evidence requests, sampling, and responses                  |
| **Security Awareness and Training**  | Deliver onboarding modules, annual refresher and targeted campaigns; monitor completion metrics                                  |
| **Vendor Management**                | Perform initial and periodic vendor risk assessments, maintain contract security clauses and monitor third-party SOC reports     |
| **Incident and Change Advisory**     | Provide guidance for security incidents and major architectural or process changes                                               |
| **Standards and Regulatory Watch**   | Monitor AICPA updates, customer requirements trends, and related frameworks; advise on required control adjustments              |

## SOC 2 Service Governance Cadence

The table below details a typical cadence of touch points needed to maintain SOC 2 readiness throughout the year. This list is not prescriptive, and in many cases some sessions can be combined. Whatever cadence is finally agreed will be sufficient to satisfy the examination's evidence requirements.

| Category                              | Activity                                                                                                                                                   | Frequency                                           |
| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- |
| **Operational Oversight**             | Compliance working-group meeting. Track open actions, new risks, control SLA breaches, platform alerts.                                                    | Monthly                                             |
| **Risk Management**                   | Quarterly risk review. Refresh asset list, re-score top risks, verify treatment progress, log emerging threats. Updates risk register and treatment plan.  | Quarterly                                           |
| **Management Review**                 | Present KPI deck (objectives, incidents, audit results, corrective actions). Record decisions and assignments for continual improvement.                   | Semi-annual (minimum)                               |
| **Readiness Assessment**              | Conduct internal control testing aligned to Trust Services Criteria; track execution and close-out of exceptions.                                          | Quarterly spot checks; full assessment before audit |
| **Policy and Procedure Governance**   | Systematic review of the policy suite and operational procedures; capture regulatory or business-driven changes; publish updated versions in the platform. | Quarterly                                           |
| **Improvement and Exception Log**     | Evaluate open corrective actions, recurring incident themes, and lessons learned; prioritise improvement initiatives.                                      | Monthly                                             |
| **Vendor Security Oversight**         | Reassess critical vendors; review SOC reports, security questionnaires and contract clauses; update vendor risk register.                                  | Quarterly                                           |
| **External Audit Liaison**            | Prepare auditor access, evidence sampling plan and logistics for annual Type II examination; debrief outcomes and action plans.                            | Annually                                            |
| **Training and Awareness Governance** | Track security awareness completion, role-based training needs, phishing simulation results; plan next campaign.                                           | Quarterly                                           |

## What's Not Included

| Category                                                        | What's not included                                                                                                                       |
| --------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------- |
| **Deep technical remediation**                                  | For example, network (re-)architecture and segmentation, source-code refactoring or secure-coding fixes, building or operating a SIEM/SOC |
| **Other compliance frameworks**                                 | PCI-DSS, ISO 27001, NIST CSF, HIPAA, FedRAMP, etc.                                                                                        |
| **Non-SOC 2 policies**                                          | Policies not required for Trust Services Criteria                                                                                         |
| **Penetration testing and red team**                            | External or internal penetration tests, social-engineering simulations                                                                    |
| **Physical security build-outs**                                | Door-access systems, CCTV, server-room fit-outs                                                                                           |
| **Legal and contract drafting**                                 | Negotiating or red-lining DPAs, MSAs, supplier security clauses                                                                           |
| **Security incident response (beyond best-endeavours support)** | Emergency incident response, 24×7 crisis hotline, incident containment                                                                    |
| **Business continuity and DR engineering**                      | Designing alternate data centres, hot/hot fail-over, full DR run-books                                                                    |
| **HR process execution**                                        | Carrying out disciplinary actions, conducting background checks                                                                           |
| **Procurement and licensing**                                   | Purchasing SaaS tooling (SIEM, training portals, GRC platforms), CPA firm fees                                                            |
| **Travel and on-site expenses**                                 | Consultant travel, accommodation, per diem                                                                                                |
| **DPO services**                                                | Acting as Data Protection Officer under GDPR. See our DPO as a Service description                                                        |
| **Custom software and tool development**                        | Building custom dashboards, scripts or automations beyond standard platform integrations                                                  |
| **Audit costs**                                                 | The SOC 2 examination is procured directly from a licensed CPA firm. Oxford Infosec can advise on selection                               |

## Assumptions

| Assumption                                                                                                 | Why this matters                                                                                                                                                  |
| ---------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Executive sponsorship is active and visible**                                                            | A named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.                                                  |
| **You provide timely access to people, systems, and sites**                                                | Interviews, evidence collection, and control validation depend on access to the right people, cloud consoles, logs, and (if applicable) premises.                 |
| **Baseline security controls already exist (for example, MFA, central logging)**                           | Implementation effort is scoped to *refine* and *evidence* controls, not build them from scratch.                                                                 |
| **Business processes stay materially stable during the audit period**                                      | Major reorganisations, M&A activity or product pivots can alter system boundaries and the control environment, potentially impacting fees, timelines, and scope.  |
| **You implement remediation actions you own by agreed due dates**                                          | Oxford Infosec guides and validates; hands-on engineering work (for example, enabling S3 encryption) remains your responsibility.                                 |
| **Third-party vendors will cooperate with security questionnaires or evidence requests**                   | Trust Services Criteria require vendor oversight; delays caused by non-responsive vendors are outside our control.                                                |
| **Legal review of policies and contracts is provided by your own counsel**                                 | Oxford Infosec supplies security language, but final legal vetting sits with you.                                                                                 |
| **Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved**           | Travel costs and lead times are excluded unless explicitly agreed.                                                                                                |
| **All project communications are in English and within your standard working hours (UK/Europe time zone)** | Ensures availability for workshops, steering meetings and incident advisory calls.                                                                                |
| **Security incidents are disclosed promptly**                                                              | Timely awareness is required to update the risk register, improvement log and evidence in the platform.                                                           |
| **CPA firm fees and scheduling are your responsibility**                                                   | Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor.                                                                |
| **You have identified or will identify a suitable CPA firm**                                               | Oxford Infosec can recommend firms experienced in SOC 2 examinations for technology companies.                                                                    |

## Who Delivers the Service

You'll work with a named Lead Consultant who holds recognised credentials such as ISO 27001 Lead Implementer or Lead Auditor, CISSP, or CISM. They act as your single point of accountability, reporting to whoever you nominate as executive sponsor (often the founder, CTO, or COO).

You'll work with the same named consultant throughout. They learn your business once, so you don't have to explain it each time.

## Term and Review

The implementation (Phase 1) is a fixed fee, while the Maintenance (Phase 2) has a minimum engagement term of twelve months, renewable annually, which begins after the first SOC 2 report is issued.

Scope and fees are reviewed at each renewal to ensure the service continues to meet customer requirements and organisational needs.

## Combining with Other Services

The SOC 2 service works well alongside Oxford Infosec's other services:

* **ISO 27001**: for companies selling into both UK and US markets, ISO 27001 certification and SOC 2 attestation cover overlapping but distinct expectations. We can help you decide which to pursue first, or whether to run them in parallel. The control overlap means the second is considerably less work than the first.
* **vCISO**: your vCISO provides ongoing strategic oversight while this service handles implementation and maintenance. Together, they keep the programme aligned with business priorities rather than becoming a bureaucratic exercise.
* **DPO as a Service**: many Trust Services Criteria touch personal data, particularly under the Privacy category. Having a DPO in place covers the privacy side properly and demonstrates a clear commitment to data protection.
* **Security Foundations**: if the underlying security isn't in place yet, Security Foundations gets the baseline right first. SOC 2 readiness is much easier once the fundamentals are solid.
