
SOC 2 Type I & II — Service Organisation Controls

The de facto security assurance standard for SaaS, cloud, and technology service providers serving US enterprise clients. BALTUM delivers SOC 2 readiness programmes and coordinates Type I and Type II report delivery through independent, licensed CPA firms worldwide (only a CPA firm can issue a SOC 2 report; readiness consultants such as BALTUM prepare the organisation but do not sign the opinion).

Tags: SOC 2 Type I · SOC 2 Type II · AICPA TSC · Trust Services Criteria

What is SOC 2?

SOC 2 (System and Organisation Controls 2) is an attestation framework defined by the American Institute of Certified Public Accountants (AICPA). An independent CPA examines a service organisation's controls against the AICPA Trust Services Criteria (TSC): Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security, whose criteria are the Common Criteria (CC1 to CC9), is included in every SOC 2 report; the remaining four categories are added according to the commitments the organisation makes to its customers. The deliverable is an auditor's opinion report, not a certificate, which is why customers ask to read the report (usually under NDA) rather than to see a badge.

SOC 2 Type I vs Type II

  • Type I — Point-in-time report: the auditor opines on whether controls are suitably designed and implemented as of a specified date. Typical time from readiness kick-off to issued report: 2–3 months. Useful as an interim report while the Type II observation window runs.
  • Type II — Report over an observation period (typically 6–12 months; a shorter initial window is sometimes used for a first report) in which the auditor tests that the controls operated effectively throughout. Expected by most enterprise and Fortune 500 procurement teams; a Type I on its own rarely satisfies them.

Who Needs SOC 2?

  • SaaS and cloud software companies with US enterprise customers
  • Cloud infrastructure, hosting, and data centre providers
  • Managed security and IT service providers
  • HR, payroll, and benefits platform providers
  • Any technology vendor responding to enterprise security questionnaires

Trust Services Criteria — Common Criteria Overview

  • CC1 — Control Environment (governance, accountability)
  • CC2 — Communication and Information
  • CC3 — Risk Assessment
  • CC4 — Monitoring of Controls
  • CC5 — Control Activities (policies and procedures)
  • CC6 — Logical and Physical Access Controls
  • CC7 — System Operations (anomaly detection, incident response)
  • CC8 — Change Management
  • CC9 — Risk Mitigation

BALTUM SOC 2 Engagement

  • Readiness assessment against all applicable Trust Services Criteria
  • Gap register and remediation roadmap
  • Policy and procedure documentation aligned to TSC requirements
  • GRC platform implementation (Vanta, Drata, Sprinto, or similar)
  • CPA firm coordination for Type I and Type II audit delivery
  • Ongoing compliance maintenance and annual audit support

SOC 2 + ISO 27001 Integration

BALTUM's unified evidence framework maps the SOC 2 Trust Services Criteria to ISO 27001:2022 Annex A controls, so a SOC 2 attestation and an ISO 27001 certification can be pursued in parallel with a single policy library, a single risk assessment process, and far less duplicated evidence collection. The two remain separate engagements: the SOC 2 report is issued by a CPA firm, while ISO 27001 certification is granted by an accredited certification body, so each auditor still performs its own testing against the shared evidence set.