SOC 2 (Service Organization Control 2) is a reference framework from the AICPA (American Institute of Certified Public Accountants), structured around the Trust Services Criteria (TSC).
For a B2B SaaS selling to enterprise clients in the United States or Fortune 500 / Global 2000 organizations, SOC 2 Type II has become the de facto standard.
Type I vs Type II — the critical difference
Type I is a snapshot: at a given moment, the auditor verifies that controls are designed and in place. Useful as an interim step but rarely valued alone by enterprise procurement teams.
Type II is what enterprise clients actually require: controls are audited over a 6 to 12 month observation period. The auditor verifies not only that controls exist, but that they actually operate as intended throughout the period.
The 5 Trust Services Criteria
- Security (mandatory — Common Criteria CC1 to CC9).
- Availability (optional — recommended for critical SaaS with SLAs).
- Confidentiality (optional — recommended for SaaS handling sensitive data).
- Processing Integrity (optional — rare, for computational/financial SaaS).
- Privacy (optional — based on AICPA Privacy Framework, GDPR-aligned).
Security is always included. The most common SOC 2 scope for B2B SaaS: Security + Availability + Confidentiality.
The 9 Common Criteria of Security
- CC1: Control Environment
- CC2: Communication and Information
- CC3: Risk Assessment
- CC4: Monitoring Activities
- CC5: Control Activities
- CC6: Logical and Physical Access Controls
- CC7: System Operations
- CC8: Change Management
- CC9: Risk Mitigation
Each CC group breaks down into specific controls (typically 80-150 detailed controls depending on scope).
Roadmap to SOC 2 Type II in 9-12 months
Phase 1 — Gap analysis (3 weeks)
Mapping of your situation against the 5 TSC + 9 Common Criteria. Maturity scoring per control, gap identification, prioritization. Choice of scope (Security only or extended to Availability/Confidentiality/Privacy).
Phase 2 — Control implementation (3-5 months)
Documentation: security policy, access management, incident management, change management, supplier management. Operational implementation: MFA everywhere, vulnerability management, monitoring, alerting, backup management, business continuity plan. GRC tooling for evidence collection (Drata, Vanta, Secureframe — based on your choice).
Phase 3 — Observation period (6 months minimum)
All controls operate in real conditions during the observation period. Automatic evidence collection (monthly snapshots of control state). Internal audit at midpoint to identify failing controls.
Phase 4 — AICPA audit (1-2 months)
SOC 2 auditor selection (AICPA-accredited audit firm). Evidence preparation, control walk-through, findings management. SOC 2 Type II report delivery (40-80 pages).
Cost envelope for a B2B SaaS
- Consulting: €35-60K (gap analysis + implementation + internal audit + audit prep).
- AICPA audit: €15-25K (~€5-7K for phase 1, €10-18K for phase 2 and report).
- GRC tooling: €5-15K/year (Drata, Vanta, Secureframe).
- Internal time: 0.3-0.5 FTE during 12 months.
Total initial cycle: €60-120K over 9-12 months.
Annual recurring: €30-50K (mandatory annual audit + tooling + 0.1-0.2 internal FTE for maintenance).
SOC 2 vs ISO 27001 — strategic choice
Both are complementary but address different audiences:
| Criterion | ISO 27001 | SOC 2 Type II |
|---|---|---|
| Origin | International (ISO/IEC) | American (AICPA) |
| Validity | 3 years with annual audits | Report on 6-12 month period |
| Final document | Certificate | Audit report (40-80 pages) |
| Scope | Information security management system | Operational controls per TSC |
| Target audience | Europe + global | United States, multinationals |
| Initial cost | €80-150K | €60-120K |
| Annual recurring | €25-40K | €30-50K (mandatory annual audit) |
Recommended strategy for B2B SaaS: ISO 27001 first (as the ISMS foundation), then SOC 2 Type II about 6 months later, since 70-80% of the controls the report relies on are already in place from ISO 27001. Many European B2B SaaS targeting enterprise clients obtain both.
Bundle ISO 27001 + SOC 2 — 30-40% savings
The smartest approach for a SaaS targeting both markets: a coordinated 18-month program.
- Months 1-9: ISO 27001 implementation + start SOC 2 observation.
- Months 10-12: ISO 27001 certifier audit + completion of SOC 2 observation.
- Months 13-18: SOC 2 Type II AICPA audit and report delivery.
Total cost: €100-180K vs €140-270K separate. Savings: €40-90K. Time: 18 months vs 24-30 months separate.
The "shadow GRC" risk
Many SaaS companies install Drata or Vanta and consider themselves "covered". GRC tools automate evidence collection but do not produce compliance — they accelerate it. The risk: a SaaS that believes it is "SOC 2 ready" because Drata shows green often discovers at audit that fundamental controls are missing or not operating. The tool is necessary but not sufficient.
Frequently asked questions
Why do enterprise clients require SOC 2 Type II?
SOC 2 Type II attests that controls are operated in real conditions over 6-12 months (not a snapshot at a moment in time). Enterprise buyers (Fortune 500, Global 2000) consider SOC 2 Type II the standard proof of operational maturity for a SaaS provider. It is often listed as a requirement from the due diligence questionnaire (DDQ) phase onward for any SaaS handling their data.
How long after starting can SOC 2 Type II be obtained?
9 to 12 months minimum: 3 months of control implementation, 6 months minimum of observation (required Type II duration), 1-2 months of AICPA audit and report drafting. For Type I (snapshot): 4-6 months. Many enterprise clients accept Type I as a transition while Type II is planned.
Which Trust Services Criteria should I choose?
Security is mandatory (Common Criteria CC1-CC9). Beyond that: Availability (recommended for critical SaaS with SLAs), Confidentiality (recommended if you handle sensitive data), Privacy (GDPR-aligned), Processing Integrity (rare, for computational/financial SaaS). Most B2B SaaS choose Security + Availability + Confidentiality.
Should my SaaS do ISO 27001 or SOC 2 first?
For a European B2B SaaS also targeting the US enterprise market, the recommended sequence is ISO 27001 first (9-12 months), then SOC 2 Type II in 6-9 additional months (reusing 70-80% of the ISO 27001 controls). For a SaaS focused only on the US, going directly to SOC 2 Type II makes sense. The decision depends on your target market.
Is a GRC tool required for SOC 2?
Not mandatory, but strongly recommended. SaaS GRC tools such as Drata, Vanta and Secureframe automate evidence collection (monthly snapshots of control state), document management and mapping to controls. They cost €5-15K/year but yield significant savings in internal time (equivalent to 0.1-0.2 FTE). WeeSec helps you choose based on your stack.