Security Attestation Standard

Enterprise buyers require SOC 2 before contracts close. Here is what that takes.

If your company processes, stores, or transmits customer data, enterprise buyers will ask for your SOC 2 Type II report before signing. Use Carbide's free assessment to find exactly where your program stands today.

Categories: 5 Trust Service Categories. Security is required in every audit. The remaining four apply based on your service scope.
Report type: Type I vs Type II. Enterprise buyers almost always require Type II, which covers operating effectiveness over 6–12 months.
Attestation: Licensed CPA firm. SOC 2 reports are issued by a licensed CPA — not self-certified. The auditor reviews your controls directly.

Know your gaps before you engage anyone

Both tools are free. Complete one and you have a gap report you can act on before any other conversation.

SOC 2 Readiness Assessment (free tool, about 10 minutes, covers all 5 TSC categories)
20 questions covering all five Trust Services Criteria. You get an overall readiness score, a per-category breakdown, and a prioritized gap list with remediation guidance — delivered on screen the moment you finish.
Start the SOC 2 Assessment →

ISO 27001 Readiness Assessment (free tool, for companies that also need ISO 27001 certification)
Maps your current posture against ISO 27001:2022 and flags exactly where your gaps are. Use this alongside the SOC 2 assessment if your buyers require both standards.
Start the ISO 27001 Assessment →
Note: SOC 2 and ISO 27001 serve different buyer audiences and have different audit processes. Neither substitutes for the other. If your pipeline requires both, the assessments above give you a complete picture of where each program stands before you engage anyone.

SOC 2 and the AICPA Trust Services Criteria — what the standard actually covers

SOC 2 is an attestation standard developed by the AICPA. Reports are assessed against the Trust Services Criteria (TSC), which set out the criteria your security controls are evaluated against. Here is what each means for your compliance program.

Side by side: SOC 2 (attestation standard) and the AICPA Trust Services Criteria (underlying standard)

Governing body
  SOC 2: AICPA (American Institute of Certified Public Accountants).
  TSC: AICPA. The TSC is the control framework the SOC 2 attestation is assessed against.

What it covers
  SOC 2: An attestation standard for third-party reports on an organization's security controls, issued by a licensed CPA firm.
  TSC: Five categories of control criteria: Common Criteria (Security), required in every audit, plus Availability, Processing Integrity, Confidentiality, and Privacy, included based on service scope.

Who it applies to
  SOC 2: B2B SaaS companies, cloud service providers, and any organization that processes customer data and is asked by enterprise buyers to demonstrate security controls.
  TSC: All companies pursuing SOC 2. The categories included in the report depend on the services your company provides and the commitments made to customers.

Report types
  SOC 2: Type I attests to control design at a point in time. Type II covers operating effectiveness over a 6–12 month minimum observation period. Enterprise buyers almost always require Type II.
  TSC: The five TSC categories apply equally to both report types. Type I and Type II differ in whether operating effectiveness is tested over an observation period, not in which criteria are assessed.

Assessment type
  SOC 2: A licensed CPA firm conducts the audit and issues the attestation report. Companies do not self-certify.
  TSC: The CPA assesses your controls against the TSC. For a Type II report, the evidence collected must cover the full observation period.

Enforcement
  SOC 2: No legal mandate in most jurisdictions. Enterprise procurement teams routinely require a current SOC 2 Type II report as a contract condition before signing.
  TSC: No separate enforcement mechanism; TSC compliance is assessed as part of the SOC 2 report process.

Carbide coverage
  SOC 2: Full. Advisors well versed in SOC 2; the platform handles gap tracking, evidence collection, and auditor coordination from scoping through report issuance.
  TSC: Full. TSC control mapping, policy drafting, and advisor review before any evidence goes to a CPA firm.
Important: SOC 2 Type I reports attest to control design at a single point in time. Most enterprise buyers require Type II, which covers how controls operated over 6 to 12 months. Starting a Type II observation period requires controls to already be in place — gaps cannot be remediated during the observation window. Starting now shortens the time before your report is available.

Four scenarios where SOC 2 requirements are already in play

SOC 2 requirements arrive through enterprise deals, procurement questionnaires, and partner agreements — often before a formal compliance program exists. These are the situations where the timeline is shorter than most companies expect.

First SOC 2: Enterprise prospect asking for a SOC 2 report you don't have
You have landed an enterprise deal, but the prospect's security team has asked for a current SOC 2 Type II report before signing. Your company has not completed a SOC 2 audit and does not have an observation period on file. The deal is conditional on receiving the report.
A Type II observation period typically runs 6–12 months and cannot be shortened retroactively. Starting the process now reduces how long your deal is on hold. Carbide's advisors scope the audit, establish the observation period, and manage the CPA firm relationship from your first engagement.
Type I to Type II: SOC 2 Type I complete, but enterprise buyers now want Type II
You completed a Type I audit to satisfy an early-stage customer requirement. Your pipeline has grown and enterprise prospects now require Type II, which covers operating effectiveness over a full observation period. Your controls are designed, but you have not yet run an observation window with a CPA firm.
The evidence that supported your Type I report is a starting point. A credentialed advisor review before the Type II window opens identifies which controls need to be strengthened so there are no gaps when the auditor reviews your observation period.
Annual renewal: Renewal window approaching with inconsistent evidence coverage
Your first SOC 2 Type II report is complete, but the annual renewal window is approaching. Evidence collection has been inconsistent — some controls are documented, others are not — and there is no continuous audit trail covering the full observation period. Your team is filling gaps in the weeks before the audit.
Evidence collected after a gap period does not retroactively cover the observation window. Carbide's platform collects evidence continuously so your audit package reflects the full period, not a sprint at the end.
Multi-framework: Pursuing SOC 2 alongside ISO 27001 or HIPAA
Your company is working toward SOC 2 and at least one other framework. You are tracking controls manually across multiple requirement sets, duplicating effort on overlapping controls, and managing separate evidence packages for each audit. The workload is expanding faster than your team can absorb it.
SOC 2 and ISO 27001 share a significant set of underlying controls around access, incident response, and vendor management. Carbide maps both in a single engagement so evidence collected for one standard contributes to the other wherever the requirements overlap.

Not sure which situation applies? The free assessment takes about 10 minutes and tells you exactly where you stand against all five Trust Services Criteria.

SOC 2 and ISO 27001 address overlapping controls. They are not substitutes for each other.

Many B2B companies pursue SOC 2 to satisfy U.S. enterprise buyers and ISO 27001 to satisfy European or global enterprise requirements. The two standards share significant control overlap, but neither replaces the other. Here is where the work transfers and where it does not.

SOC 2 vs ISO 27001:2022
Where the work overlaps — and where it does not

Where they overlap

Access control, incident response, change management, and vendor due diligence appear in both the AICPA TSC and ISO 27001:2022 Annex A
Evidence collected for SOC 2 Common Criteria applies to several ISO 27001 controls — particularly in the organizational and technological themes
Both require documented policies, periodic reviews, and an ongoing evidence trail rather than point-in-time snapshots
Risk assessment is a component of both — though ISO 27001 requires a formal ISMS risk methodology that SOC 2 does not explicitly mandate

Where they diverge

SOC 2 is an attestation report issued by a licensed CPA firm. ISO 27001 is a certification issued by an accredited certification body. Different auditors, different processes, and different outputs — holding one does not satisfy the other.
ISO 27001 requires a formal ISMS with a documented risk assessment methodology aligned to Clause 6.1.2. SOC 2 has no equivalent structural requirement.
U.S. enterprise buyers typically require SOC 2. European and global enterprise buyers often require ISO 27001. Some deals require both — and both must be maintained independently.
Type II observation rules differ from ISO 27001 Stage 2 audit timing. Controls must be operating for the full SOC 2 observation window before the CPA reviews them.
If your company needs both: Carbide handles SOC 2 and ISO 27001 in one engagement. The platform maps your controls against the AICPA TSC and ISO 27001:2022 Annex A simultaneously. Evidence collected once is used wherever it applies across both standards. You do not need two vendors or two compliance programs running in parallel.

One engagement covers SOC 2 end-to-end

Carbide pairs a compliance platform with a credentialed advisory team. The platform handles evidence collection, control mapping, and gap tracking. Your advisor handles scoping, interpretation, and CPA firm coordination from initial gap assessment through your SOC 2 report.

01. Gap assessment before the observation period starts
A Carbide advisor maps your current posture against the AICPA Trust Services Criteria relevant to your service scope — starting with Common Criteria and then the additional categories that apply. You get a clear picture of what is in place, what needs to be built, and what must be addressed before the Type II observation window opens. Remediation must happen before the window starts, not during it.
02. Remediation with clear priorities
The platform generates a gap list ranked by audit risk and time to close. Your advisor works through each item with your team, identifies which gaps require technical controls versus documentation updates, and flags anything that needs to be resolved before it becomes an audit finding. Nothing enters the observation period before it is ready.
03. Continuous evidence collection and organization
The Carbide platform collects evidence throughout the observation period against each TSC control in your audit scope. Every policy, procedure, and audit trail entry is reviewed by your advisor before it goes into the evidence package.
04. Auditor coordination and report delivery
Your advisor manages the relationship with your CPA firm and prepares your team for the controls review. After your SOC 2 report is issued, Carbide keeps your program current through the next observation cycle so your renewal does not require a last-minute evidence scramble.

Tools and reading on SOC 2 compliance

Start with the free assessment. It gives you a gap report before any conversation with Carbide. The articles below address the questions that come up most often.

Start with the free assessment. Talk to an advisor when you're ready.

The free SOC 2 assessment covers all five Trust Services Criteria and delivers your results in about 10 minutes. When you book a readiness call, your advisor uses those results to build a realistic path to your Type II report — with Carbide's advisory team handling scoping, evidence collection, and CPA firm coordination from start to finish.

Take the free SOC 2 Readiness Assessment →
Talk to us →