SOC 2 Readiness.

AICPA SSAE 18 attestation for service organizations — Trust Services Criteria applied to cloud platforms

Readiness guide

SOC 2 is an attestation report issued by an independent CPA firm under the AICPA's SSAE 18 standard (Statement on Standards for Attestation Engagements No. 18). It reports on a service organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy: the five categories of the AICPA Trust Services Criteria, usually just called "the five criteria".

Two report types exist. A Type 1 report covers the design and implementation of controls as of a single date. A Type 2 report also covers operating effectiveness over an observation period, commonly 6-12 months; many CPA firms will accept a 3-month window for a first Type 2. Most SaaS buyers ask for Type 2; Type 1 is generally accepted as a stepping stone for first-year applicants.

Critically, SOC 2 is not a certification. There is no "SOC 2 certified" status: the auditor issues an opinion (unqualified, qualified, adverse, or a disclaimer of opinion) on the controls as the service organization describes them in the report. The report is a restricted-use document, distributed to prospective customers under NDA, and it goes stale: buyers generally expect a Type 2 whose period ended within the last 12 months, so the audit cycle repeats annually.

Source: AICPA SSAE 18 · AICPA Trust Services Criteria

SOC 2 applies to service organizations that process customer data — most commonly US-based SaaS companies whose enterprise prospects make SOC 2 a procurement requirement. There is no legal requirement to have a SOC 2 report; the pressure is commercial.

You probably need SOC 2 if: enterprise procurement teams ask for it during sales cycles, your security questionnaire responses repeatedly cite “SOC 2 in progress” as a gap, or you're losing deals to vendors who have one and you don't.

You probably do NOT need SOC 2 yet if: your customer base is consumer or SMB, no enterprise prospect has explicitly requested it, or you're pre-product-market-fit. Most SaaS startups don't need SOC 2 in year one — they need it in year two when enterprise sales unlocks revenue.

Cloud Upload is not a CPA firm. The attestation itself must come from a licensed CPA. We prepare the controls, evidence, and risk analysis that the CPA firm audits against.

SOC 2 readiness is the work that happens BEFORE the auditor arrives. Three concrete outputs:

  • Output A

    Designed and documented control set

    Every Trust Services Criterion you intend to claim has a control mapped to it. Controls are documented in your control matrix with owner, frequency, and evidence type.

  • Output B

    Evidence collection apparatus

    A repeatable mechanism for gathering control evidence: access reviews, change logs, vendor management records, security training completion. Evidence collection is the most common failure mode (see our writeup The SOC 2 evidence tax).

  • Output C

    Audit-ready posture

    Risk assessment current, vendor risk reviewed, security policies signed, incident response runbook tested. The CPA arrives, samples your evidence against your controls, and issues an opinion.
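The access-review evidence named under Output B is the artifact auditors most often find missing, so here is what a minimal, repeatable version of it looks like. This is an added example for this guide, not Cloud Upload's or any vendor's tooling. The IAM listing, HR roster and reviewer decisions are constructed sample data of the shape a directory or cloud-IAM export gives; the 90-day inactivity threshold and the privileged-group names are assumptions.

```python
"""Quarterly access-review evidence (CC6): build the worksheet, capture
decisions, and produce a tamper-evident record an auditor can sample.

Added example for this guide; it is not Cloud Upload's or any vendor's tooling.
The IAM listing and HR roster below are constructed sample data of the shape a
directory or cloud-IAM export gives. The 90-day inactivity threshold and the
privileged-group names are assumptions."""
import hashlib
import json
from datetime import date, timedelta

INACTIVITY_DAYS = 90                                   # assumed review threshold
PRIVILEGED_GROUPS = {"Administrators", "prod-deploy"}  # assumed group names
AS_OF = date(2024, 6, 30)                              # end of the review quarter

# Constructed sample inputs (not real accounts).
IAM_USERS = [
    {"user": "alice", "groups": ["Developers"], "last_activity": "2024-05-30"},
    {"user": "bob", "groups": ["Administrators"], "last_activity": "2024-01-12"},
    {"user": "carol", "groups": ["prod-deploy", "Developers"], "last_activity": "2024-06-01"},
    {"user": "svc-backup", "groups": ["Backups"], "last_activity": None},
    {"user": "dave", "groups": ["Developers"], "last_activity": "2024-04-20"},
]
HR_ROSTER = {"alice", "bob", "carol"}   # dave has left the company
SERVICE_ACCOUNTS = {"svc-backup"}       # non-human; exempt from the roster check only

# Reviewer decisions for this quarter, also constructed. bob's entry has no
# justification on purpose, to show the check catching it.
DECISIONS = {
    "alice": {"action": "keep"},
    "bob": {"action": "keep"},
    "carol": {"action": "keep", "justification": "on-call release engineer"},
    "svc-backup": {"action": "keep", "justification": "nightly backup job; key rotated 2024-06"},
    "dave": {"action": "remove", "justification": "terminated 2024-05-15"},
}


def build_worksheet(users, roster, service_accounts, as_of):
    """One row per account with the flags the reviewer must rule on."""
    cutoff = as_of - timedelta(days=INACTIVITY_DAYS)
    rows = []
    for u in users:
        last = date.fromisoformat(u["last_activity"]) if u["last_activity"] else None
        flags = []
        if u["user"] not in roster and u["user"] not in service_accounts:
            flags.append("not_in_hr_roster")
        if last is None or last < cutoff:
            flags.append("inactive_%dd" % INACTIVITY_DAYS)
        if set(u["groups"]) & PRIVILEGED_GROUPS:
            flags.append("privileged")
        rows.append({"user": u["user"], "groups": sorted(u["groups"]), "flags": flags})
    return rows


def record_review(worksheet, decisions, reviewer, reviewed_on):
    """Attach decisions to the worksheet. Every account needs a decision, and a
    flagged account that is kept needs a written justification; anything else
    lands in `exceptions`, which is what the auditor will ask about."""
    record = {
        "control": "CC6 quarterly access review",
        "reviewer": reviewer,
        "reviewed_on": reviewed_on.isoformat(),
        "rows": [],
        "exceptions": [],
    }
    for row in worksheet:
        decision = decisions.get(row["user"])
        if decision is None:
            record["exceptions"].append("%s: no decision recorded" % row["user"])
            continue
        if row["flags"] and decision["action"] == "keep" and not decision.get("justification"):
            record["exceptions"].append(
                "%s: kept despite %s without justification" % (row["user"], row["flags"]))
        record["rows"].append({**row, **decision})
    # Digest over the canonical JSON so later edits to the stored record show up.
    body = json.dumps(record, sort_keys=True).encode()
    record["sha256"] = hashlib.sha256(body).hexdigest()
    return record


def verify_record(record):
    """Recompute the digest over everything except the stored digest."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return record.get("sha256") == hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()


def run_example():
    worksheet = build_worksheet(IAM_USERS, HR_ROSTER, SERVICE_ACCOUNTS, AS_OF)
    return record_review(worksheet, DECISIONS, reviewer="ciso@example.com", reviewed_on=AS_OF)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The record is the evidence, not the policy: it names the reviewer, the date, every account in scope and what was decided about it. The digest is there so that the copy handed to the auditor months later can be shown to match what was produced at the time; store it somewhere the reviewer cannot quietly edit (a ticket, a signed commit, a write-once bucket). The exceptions list is the part to read before the auditor does.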

Most engagements include only the Security criterion (mandatory). Availability, Processing Integrity, Confidentiality, and Privacy are optional and add scope — Cloud Upload helps you decide which apply to your customer base before you commit.

Most SOC 2 Common Criteria (CC1 through CC9) map cleanly onto specific CloudCheck 360° categories. The rest are policy and process work that runs alongside the audit.

Section   Title                          CC360° category
CC1       Control Environment            Cross-cutting (governance + organizational structure — outside CC360°)
CC2       Communication & Information    §4 Logging & Detection (audit trail + monitoring)
CC3       Risk Assessment                Cross-cutting (annual risk analysis — outside CC360°)
CC4       Monitoring Activities          §4 Logging & Detection · §8 IR Readiness
CC5       Control Activities             Cross-cutting (control design — outside CC360°)
CC6       Logical Access                 §1 IAM (identity boundaries) · §3 Data (encryption + access)
CC7       System Operations              §2 Network · §6 Architecture & Resilience · §7 Workload Security
CC8       Change Management              §7 Workload Security (CI/CD + IaC) · §1 IAM (deploy permissions)
CC9       Risk Mitigation                Cross-cutting (vendor risk + insurance — outside CC360°)

The Common Criteria (CC1 through CC9) are the Security category itself, which is the only mandatory one. The other four categories (Availability, Processing Integrity, Confidentiality, Privacy) are optional, and each adds its own supplemental criteria on top of CC1 through CC9. In CC360° terms, Availability pulls heavily from §6 Architecture & Resilience; Confidentiality from §3 Data; Privacy from §1 IAM and §3 Data; Processing Integrity is mostly application-layer.

A SOC 2 readiness engagement is typically 8 to 14 weeks, depending on starting state and scope.

  1. Weeks 1-2

    Scoping & gap assessment

    Identify which Trust Services Criteria apply, current state vs target state, control matrix design. CloudCheck 360° pass runs in parallel to surface technical gaps.

  2. Weeks 2-6

    Control design & remediation

    Controls documented in matrix. Technical gaps remediated. Policies drafted (Information Security Policy, Access Control Policy, Incident Response Plan, Vendor Management Policy, Business Continuity Plan, etc.). Evidence collection apparatus stood up.

  3. Weeks 6-10

    Evidence collection & risk analysis

    First evidence cycle runs (typically monthly or quarterly per control). Annual risk assessment performed and documented. Vendor risk reviews completed. Security training program launched.

  4. Weeks 10-14

    CPA selection & pre-audit walkthrough

    Cloud Upload introduces 2-3 vetted CPA firms (we are vendor-neutral; pick what fits your timeline and budget). Pre-audit walkthrough with selected CPA. Audit kicks off. Cloud Upload remains available for engineering questions during the audit.

After Type 1: 6-12 month observation period before Type 2. Cloud Upload stays engaged on a quarterly cadence to maintain controls and evidence collection.

  • Access reviews exist but are never performed.

    Quarterly access reviews are a CC6 control most companies claim and few actually run. The control is documented; the evidence is missing. Auditors test for evidence of execution, not just policy existence: a dated record of which accounts were reviewed, by whom, what was decided, and proof that any removals were actually carried out.

  • Change management without change tickets.

    CC8 expects every production change to have a documented approval. Companies that deploy via PR-merge often have implicit approval (the merge is the approval) but no auditor-readable artifact. Fix: enforce branch protection on the production branch (required review, no self-approval), add PR-template fields for risk assessment and approver, and link every PR to a ticket so the population of changes and their approvals can be pulled as a report.

  • Vendor risk reviewed once, never refreshed.

    CC9 requires ongoing vendor risk monitoring. Most companies do an initial vendor review during onboarding and never revisit. Auditors look for annual vendor reassessments, particularly for vendors handling customer data.

  • Risk assessment dated 18 months ago.

    CC3 requires a current risk assessment. “Current” is generally interpreted as updated annually. A risk assessment from your last fundraise is probably stale. The fix is annual cadence with documented review.

  • Policies signed by founders, never re-signed by employees.

    CC1 expects all employees to acknowledge security policies on hire and annually thereafter. Companies that grew fast often have signed policies from founders + first 5 hires, then nothing for the next 50 employees. The fix is HR-system-integrated annual policy acknowledgment.
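The change-management gap above is the easiest of these to close with tooling, because the data already exists in the VCS; what is missing is the report. The following is an added example for this guide, not Cloud Upload's tooling: it takes a period's merged PRs and produces one auditor-readable row per change plus the exceptions. The PR records are constructed to mimic a trimmed pull-request listing; the field names, the Jira-style ticket key format and the PR-template "Risk:" line are assumptions, and a real run would fill the records from the VCS API.

```python
"""Change-management evidence (CC8): does every PR merged to production carry
an auditor-readable approval artifact?

Added example for this guide, not Cloud Upload's tooling. The merged-PR
records are constructed to mimic a trimmed pull-request listing; the field
names, the Jira-style ticket key format and the PR-template "Risk:" line are
assumptions, and a real run would fill the records from the VCS API."""
import re
from dataclasses import dataclass, field

TICKET_RE = re.compile(r"\b[A-Z][A-Z0-9]+-\d+\b")                     # e.g. OPS-412 (assumed)
RISK_RE = re.compile(r"^Risk:\s*(low|medium|high)\s*$", re.I | re.M)  # assumed template line


@dataclass
class MergedPR:
    number: int
    author: str
    title: str
    body: str
    approvals: list = field(default_factory=list)  # logins that left an APPROVED review


# Constructed sample population for one audit period (not real changes).
SAMPLE_PRS = [
    MergedPR(101, "alice", "OPS-412 rotate signing key",
             "Risk: medium\nMoves the release pipeline to the new KMS key.", ["bob"]),
    MergedPR(102, "bob", "hotfix", "", ["bob"]),                    # self-approved, no ticket
    MergedPR(103, "carol", "Fix login redirect", "Closes APP-77\nRisk: low", ["alice"]),
    MergedPR(104, "dave", "Bump deps", "Routine dependency bump", ["alice"]),
]


def evidence_row(pr):
    """One row per merged PR: the approval facts an auditor samples, plus findings."""
    independent = sorted(a for a in pr.approvals if a != pr.author)
    ticket = TICKET_RE.search(pr.title + " " + pr.body)
    risk = RISK_RE.search(pr.body)
    findings = []
    if not independent:
        findings.append("no approval by a reviewer other than the author")
    if ticket is None:
        findings.append("no ticket reference in title or body")
    if risk is None:
        findings.append("risk assessment line missing from PR template")
    return {
        "pr": pr.number,
        "author": pr.author,
        "approvers": independent,
        "ticket": ticket.group(0) if ticket else None,
        "risk": risk.group(1).lower() if risk else None,
        "findings": findings,
    }


def audit_period(prs):
    """Population and exception counts are what the CPA's sampling starts from."""
    rows = [evidence_row(p) for p in prs]
    return {
        "population": len(rows),
        "exceptions": sum(1 for r in rows if r["findings"]),
        "rows": rows,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_period(SAMPLE_PRS), indent=2))
```

Run this monthly against the production branch and keep the output with the period it covers. The auditor will ask for the full population of changes and then pick a sample, so the report must list every merged PR, not only the ones with problems; the exceptions count is what you want to drive to zero before the observation period starts, because branch protection prevents the self-approval case but not a missing ticket or a skipped template field.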

  • Type 1 or Type 2?

    Type 2 is what enterprise buyers want. Type 1 is acceptable as a year-one stepping stone, but most prospects will ask “when is Type 2?” within 6 months. Plan the Type 2 observation period from day one of Type 1 readiness.

  • Which Trust Services Criteria do we need?

    Security is mandatory. Pick others based on what you are claiming to customers. If your contracts mention 99.9% uptime, you probably need Availability. If your contracts commit you to protecting customer data designated confidential (payment data, trade secrets, anything marked confidential), Confidentiality often applies. Privacy is the category that covers personal information specifically, and it is increasingly common for any consumer-facing platform. Processing Integrity is rare except in financial-services SaaS. Cloud Upload helps you scope this in week one.

  • How much does a SOC 2 audit cost?

    Type 1 typically $15,000-$40,000 from a reputable CPA firm depending on scope. Type 2 typically $25,000-$80,000. Readiness work (Cloud Upload + your team time) is separate — usually 8-14 weeks of engagement. Total first-year SOC 2 cost (readiness + Type 1 + first Type 2) is rarely below $50,000 all-in for a small SaaS company.

  • What about Vanta / Drata / Secureframe?

    Compliance automation tools are useful for evidence collection and policy templates. They do not replace consultant judgment on which controls actually apply to your business, how to design controls that fit your engineering culture, or how to negotiate scope with the CPA. We use these tools where they help; we do not pretend they replace the readiness work.

  • Can we use the same SOC 2 report for European customers?

    Sometimes. European enterprise buyers often accept SOC 2 as evidence of security maturity, but ISO/IEC 27001 (an international standard, and the one European procurement teams most often ask for) is the more common requirement there. Many growing SaaS companies eventually need both. The good news: significant overlap in controls means the second framework is faster than the first, typically 60-70% control reuse.

  • When should we start?

    When enterprise procurement is asking for it OR when your sales cycle keeps stalling on the security questionnaire. Premature SOC 2 is expensive without ROI; late SOC 2 is leaving deals on the table. The best signal is “we lost a deal because we did not have SOC 2.”

Primary sources: AICPA SSAE 18 · AICPA Trust Services Criteria · CloudCheck 360° methodology · The SOC 2 evidence tax

Get started

Run a free audit to see your SOC 2 posture.

The patterns in this guide come from real engagements. To see how your environment compares — and which gaps would land in your readiness report — start with a free scan or talk to us about a manual engagement.