SOC 2 Type I and II
Introducing Oxford Infosec
Oxford Infosec is a UK-based information security and privacy consultancy whose practitioners hold internationally recognised credentials (ISO 27001 Lead Auditor/Implementor, CIPP/E, CIPM, CISSP).
Our methodology is pragmatic and risk-driven, engineered for fast-moving organisations so that every recommended control is proportionate to real-world risk, Trust Services Criteria requirements, and customer expectations.
We can optionally combine this expertise with the Drata compliance-automation platform (or a similar platform), giving customers continuous evidence collection, real-time dashboards, and automated alerts instead of periodic checklists.
What Problem Do We Solve?
Winning enterprise deals, particularly in the US market, increasingly depends not only on achieving a SOC 2 Type II attestation but on demonstrating that your security posture is continuously maintained.
Typical pain-points for high-growth organisations are:
No dedicated security lead – Slow, fragmented implementation; audit exceptions
Limited capacity to keep controls current – Evidence gaps, urgent fixes before the audit window closes
SaaS sprawl & dynamic infrastructure – Unclear control ownership, missing audit trails
Evolving threat & customer requirements landscape – Controls drift away from organisational reality
Oxford Infosec provides an experienced implementation resource and ongoing SOC 2 maintenance, so you achieve attestation quickly and stay continuously audit-ready.
Fit for Small and Medium-Sized Businesses
This service recognises the reality of fast-moving teams: limited headcount, shifting priorities, and the need to keep shipping product while still holding a credible SOC 2 report. Our approach keeps the framework achievable without turning it into a parallel bureaucracy.
Practical controls – we focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn't apply (for example, you don't process payments), we scope Trust Services Criteria appropriately rather than inventing work.
Light-touch scheduling – readiness assessments, workshops and evidence collection are conducted with the minimum possible impact on the rest of the business.
Automated evidence wherever possible – Drata integrations pull access logs, configuration states and test results from your existing systems, cutting down on manual screenshots and spreadsheets. Where automation isn't possible, we agree the simplest manual check that will satisfy an auditor.
Risk-led priorities – not everything gets fixed at once. We order actions by compliance impact and the effort to deliver them, so you can stage improvements alongside normal delivery.
Straightforward guidance – we avoid standards-speak and explain what's required in plain English. Policies come as editable templates, with notes that make clear what's mandatory versus optional.
Named Practitioner
Lead SOC 2 Consultant – ISO 27001 Lead Implementor / Auditor, CISSP, CISM. Acts as the single point of accountability, reporting to the customer's executive sponsor.
Compliance Automation Platform
We recommend using Drata, a cloud-based compliance automation platform that serves as the "engine room" for day-to-day SOC 2 housekeeping; however, we can work with any similar platform you already have in place.
Once connected to your existing tools (e.g. AWS, Google Workspace, GitHub), it continuously collects evidence that key privacy and security controls are operating, maintains your policy documents, and displays progress on a live readiness dashboard. The platform automatically raises tasks such as policy reviews, vendor re-assessments or staff-training refreshers, assigns them to the right people with due dates, and preserves an auditable trail.
Understanding SOC 2
Trust Services Criteria
SOC 2 is built around the AICPA's Trust Services Criteria. Every engagement includes Security (the Common Criteria), and you select additional categories based on customer requirements and business context:
Category – Description – Typical use
Security (required) – Protection against unauthorised access – All engagements
Availability – System uptime and accessibility – SaaS platforms with SLAs
Processing Integrity – Accurate, timely, authorised processing – Data processing, financial systems
Confidentiality – Protection of confidential information – B2B services handling sensitive data
Privacy – Personal information lifecycle – Consumer-facing applications
Type I vs Type II
Report type – What it attests – Typical use
Type I – Controls are suitably designed at a point in time – First-time attestation, urgent customer requirement
Type II – Controls operated effectively over a period (typically 6–12 months) – Ongoing assurance, enterprise sales
Most customers ultimately need a Type II report. We can help you achieve a Type I quickly if required, then transition to Type II for the following audit period.
Scope of Activities
This service is split into an initial implementation phase, which takes you all the way to your first SOC 2 report, and a subsequent maintenance phase that keeps the controls and evidence audit-ready for annual Type II examinations.
Implementation
Kick-off & Scoping
A lightweight alignment call with founders or leadership to agree on:
Trust Services Criteria – decide which categories apply (Security is mandatory; Availability, Confidentiality, Processing Integrity, Privacy are selected based on customer requirements).
System boundaries – define which infrastructure, applications and processes are in scope.
Report type – Type I for speed, or straight to Type II if timeline allows.
Accountability – nominate a senior contact (often CTO/COO/founder) to make quick decisions.
Drata Implementation
Connect Drata to your existing systems (cloud, IAM, code repos, device management, ticketing, etc.) so it can automatically collect evidence.
We configure integrations, set owners and review cycles, and make sure the dashboard reflects how your business actually runs, minimising manual effort.
Risk Assessment
Identify your key assets (like customer data, code, infrastructure), spot the main threats and weaknesses, and record the risks in a simple register.
Each risk is given an owner and a treatment decision (accept, reduce, transfer, avoid), which is then followed up during quarterly risk management sessions.
Maintenance
SOC 2 Service Governance Cadence
The table below details a typical cadence of touch points needed to maintain SOC 2 readiness throughout the year. This list is not prescriptive, and in many cases some sessions can be combined. The final meeting cadence will always be enough to satisfy audit requirements.
Activity (frequency) – Description
Operational Oversight (monthly) – Compliance Working-Group Meeting: track open actions, new risks, control SLA breaches, Drata alerts.
Risk Management (quarterly) – Quarterly Risk Review: refresh asset list, re-score top risks, verify treatment progress, log emerging threats. Updates risk register & treatment plan.
Management Review (semi-annual minimum) – Present KPI deck (objectives, incidents, audit results, corrective actions). Record decisions and assignments for continual improvement.
Readiness Assessment (quarterly spot-checks; full assessment before audit) – Conduct internal control testing aligned to Trust Services Criteria; track execution and close-out of exceptions.
Policy & Procedure Governance (quarterly) – Systematic review of the policy suite and operational procedures; capture regulatory or business-driven changes; publish updated versions in Drata.
Improvement & Exception Log (monthly) – Evaluate open corrective actions, recurring incident themes, and lessons learned; prioritise improvement initiatives.
Vendor Security Oversight (quarterly) – Reassess critical vendors; review SOC reports, security questionnaires and contract clauses; update vendor risk register.
External Audit Liaison (annually) – Prepare auditor access, evidence sampling plan and logistics for the annual Type II examination; debrief outcomes and action plans.
Training & Awareness Governance (quarterly) – Track security-awareness completion, role-based training needs, phishing-simulation results; plan next campaign.
Out-of-Scope
Deep technical remediation – For example: network (re-)architecture & segmentation, source-code refactoring / secure-coding fixes, building or operating a SIEM/SOC
Other compliance frameworks – PCI-DSS, ISO 27001, NIST CSF, HIPAA, FedRAMP, etc.
Non-SOC 2 policies – Policies not required for Trust Services Criteria
Pen-testing & red-team – External / internal penetration tests, social-engineering simulations
Physical-security build-outs – Door-access systems, CCTV, server-room fit-outs
Legal & contract drafting – Negotiating / red-lining DPAs, MSAs, supplier security clauses
Security Incident Response (beyond best-endeavours support) – Emergency incident response, 24×7 crisis hotline, incident containment
Business Continuity & DR engineering – Designing alternate data centres, hot/hot fail-over, full DR run-books
HR process execution – Carrying out disciplinary actions, conducting background checks
Procurement & licensing – Purchasing SaaS tooling (SIEM, training portals, GRC platforms), CPA firm fees
Travel & on-site expenses – Consultant travel, accommodation, per diem
DPO services – Acting as Data-Protection Officer under GDPR
Custom software / tool development – Building bespoke dashboards, scripts or automations beyond standard Drata integrations
Audit costs – The SOC 2 examination is procured directly from a licensed CPA firm; Oxford Infosec can advise on selection
Assumptions
Executive sponsorship is active and visible – A named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.
Customer provides timely access to people, systems and sites – Interviews, evidence collection and control validation depend on access to SMEs, cloud consoles, logs and (if applicable) premises.
Baseline security controls already exist (e.g. MFA, central logging) – Implementation effort is scoped to refine and evidence controls, not build them from scratch.
Business processes stay materially stable during the audit period – Major reorganisations, M&A activity or product pivots can alter system boundaries and the control environment, potentially impacting fees, timelines and audit scope.
Customer implements remediation actions they own by agreed due dates – Oxford Infosec guides and validates; hands-on engineering work (e.g. enabling S3 encryption) remains a client responsibility.
Third-party vendors will cooperate with security questionnaires / evidence requests – Trust Services Criteria require vendor oversight; delays caused by non-responsive vendors are outside consultant control.
Legal review of policies and contracts is provided by the customer's counsel – Oxford Infosec supplies security language, but final legal vetting sits with the customer.
Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved – Travel costs and lead-times are excluded unless explicitly agreed.
All project communications are in English and within the customer's standard working hours (Europe/London time zone) – Ensures availability for workshops, steering meetings and incident advisory calls.
Security incidents are disclosed promptly – Timely awareness is required to update the risk register, improvement log and Drata evidence.
CPA firm fees and scheduling are the customer's responsibility – Oxford Infosec assists with liaison and readiness but does not contract directly with the auditor.
Customer has identified or will identify a suitable CPA firm – Oxford Infosec can recommend firms experienced in SOC 2 examinations for technology companies.
Term and Review
The implementation (Phase 1) is a fixed fee, while the Maintenance (Phase 2) has a minimum engagement term of twelve months, renewable annually, which begins after the first SOC 2 report is issued.
Scope and fees are reviewed at each renewal to ensure the service continues to meet customer requirements and organisational needs.