If you are a UK SaaS or technology company selling to US enterprise customers, you have almost certainly been asked: "Do you have a SOC 2 report?" SOC 2 has become the de facto security assurance standard for US buyers, and it is increasingly expected even from UK-based vendors — not just for direct US sales, but also for contracts with UK subsidiaries of US companies and for global enterprise deals where the US parent sets security procurement policy.

This guide covers what SOC 2 requires, how it differs from ISO 27001, the practical readiness timeline, and the steps UK tech companies should take to prepare for a successful audit.

What Is SOC 2?

SOC 2 (System and Organization Controls 2; the older expansion "Service Organisation Control" is still in common use) is an attestation standard maintained by the American Institute of CPAs (AICPA). Unlike a certification with a pass/fail outcome, SOC 2 produces an auditor's opinion on whether an organisation's controls provide reasonable assurance that the applicable Trust Services Criteria are met. The report is a restricted-use document: it is shared with customers and prospects, normally under NDA, as evidence of security posture, rather than published. The publishable, general-use summary is a separate SOC 3 report.

A SOC 2 report evaluates an organisation's controls against up to five categories of Trust Services Criteria (formally "categories", though most practitioners simply call them the criteria):

  • Security — the system is protected against unauthorised access, use, or modification. The Security criterion is the only one that is always included and is mandatory for every SOC 2 examination.
  • Availability — the system is available for operation and use as committed or agreed. This criterion is relevant for organisations with service-level commitments around uptime.
  • Processing Integrity — system processing is complete, valid, accurate, timely, and authorised. Relevant for organisations where data processing accuracy is critical — payment processors, data analytics platforms.
  • Confidentiality — confidential information is protected as committed or agreed. Relevant for organisations handling client-confidential data such as trade secrets, source code, or business plans.
  • Privacy — personal data is collected, used, retained, disclosed, and disposed of in conformity with the organisation's privacy commitments and applicable privacy regulations.

Most UK tech companies pursue SOC 2 with only the Security criterion (often referred to as a SOC 2 Security report). Security consists of the Common Criteria, CC1 to CC9, which cover the control environment, communication, risk assessment, monitoring, control activities, logical and physical access, system operations, change management and risk mitigation; the other four categories each add their own criteria on top of these. Organisations that need to demonstrate more, for example a SaaS platform with uptime SLAs that adds Availability, can include additional criteria as needed.

SOC 2 Type I vs Type II

Understanding the difference between Type I and Type II reports is essential for planning:

SOC 2 Type I reports on the suitability of the design of controls, and on whether they have been implemented, as of a specific date. The auditor assesses whether the controls are designed appropriately to meet the Trust Services Criteria and are in place on that date, but does not test whether they operated effectively over a period. A Type I report can be produced relatively quickly, typically within 1–2 months of the end of remediation, and is often used as an interim step while working toward a Type II report.

SOC 2 Type II reports on both the design and the operating effectiveness of controls over a review period, typically 3 to 12 months. The AICPA sets no hard minimum, but auditors and enterprise buyers generally expect at least 6 months; a 3-month first period is a common compromise for a first report, followed by a full 12-month period thereafter. The auditor tests that controls not only exist but were consistently applied throughout the period. A Type II report provides significantly higher assurance to customers and is almost always what US enterprise buyers expect.

Most organisations pursue a Type II report. A common approach is to complete a Type I report first (which can serve immediate customer demands) while operating controls through the Type II observation period. The total cost for a first-time SOC 2 Type II engagement typically ranges from £30,000 to £80,000 depending on organisation size, scope complexity, and audit firm, with annual renewal audits costing £15,000 to £35,000.

SOC 2 vs ISO 27001: Which Should You Choose?

The choice between SOC 2 and ISO 27001 depends on your target market, customer expectations, and compliance strategy. Both demonstrate security maturity, but they serve different purposes:

ISO 27001 is a certifiable international standard. An accredited certification body issues a certificate valid for three years (subject to annual surveillance audits). ISO 27001 is widely recognised globally and is often preferred by UK, European, and Asia-Pacific buyers. The standard is more prescriptive than SOC 2: organisations must assess every control in Annex A (93 controls in the 2022 version), record in a Statement of Applicability which apply and justify any exclusions, and demonstrate continuous improvement through the Plan-Do-Check-Act cycle.

SOC 2 is an attestation report. There is no certificate — instead, the auditor provides a report with their opinion. The report is typically reissued annually. SOC 2 is more flexible than ISO 27001: organisations define their own controls to meet the Trust Services Criteria, rather than adopting a prescribed control set. This flexibility makes SOC 2 attractive for technology companies with modern architectures and agile operating models.

Many UK tech companies pursue both ISO 27001 and SOC 2, recognising that they serve different markets. ISO 27001 covers UK/EU/APAC buyer requirements, while SOC 2 addresses US buyer expectations. The controls overlap significantly, so maintaining both is manageable once the initial programme is established.

SOC 2 Readiness Timeline

A typical SOC 2 Type II engagement spans 6–12 months from start to audit report. The key phases are:

  1. Scoping (2–4 weeks) — determine which Trust Services Criteria to include, which systems and services are in scope, and which organisational functions support the in-scope services. A clear scope avoids wasted effort on out-of-scope controls.
  2. Gap assessment (2–4 weeks) — evaluate existing controls against the selected Trust Services Criteria. Identify missing controls and weaknesses in existing controls. This phase produces a remediation roadmap.
  3. Remediation (1–3 months) — implement missing controls, update policies, deploy monitoring tools, and establish evidence collection processes. Common gaps include: incomplete access reviews, lack of formal change management procedures, missing vendor due diligence processes, and inadequate incident response documentation.
  4. Operating period (3–6 months for Type II) — controls must operate for the observation period. During this time, evidence is collected to demonstrate consistent operation: access review records, change approval tickets, vulnerability scan results, incident logs.
  5. Audit (4–8 weeks) — the independent auditor tests controls, reviews evidence, interviews control owners, and issues the SOC 2 report. For a first-time audit, the auditor typically spends 1–2 weeks on-site (or remote) and another 3–4 weeks on report preparation.
  6. Report issued — the SOC 2 Type II report is released. Because it covers a period that has already ended, customers will often ask for a bridge (gap) letter covering the months between the period end and their review. Annual renewal audits still test every in-scope control over the new period; they go faster mainly because evidence collection, policies, and control ownership are already established rather than because the auditor tests less.

Common Readiness Pitfalls for UK Tech Companies

Based on our consultants' experience, the most common issues that delay or jeopardise SOC 2 reports include:

  • Underestimating evidence requirements — SOC 2 auditors require evidence, not assertions. A policy stating "access reviews are conducted quarterly" is insufficient without the actual access review records, each dated within the review period and showing who reviewed what and what action followed. Automated evidence collection platforms are strongly recommended, but a scripted export from your identity provider or cloud IAM, retained with a timestamp and reviewer sign-off, serves the same purpose.
  • Scope creep — ambitious organisations sometimes include too many systems or criteria in their first SOC 2 report, extending the timeline and cost significantly. Start with the Security criterion and one or two additional criteria at most.
  • Insufficient logical access controls — weak password policies, lack of MFA, and unmanaged privileged access are common findings in first-time SOC 2 audits. These are straightforward to remediate but often overlooked.
  • Vendor management gaps — SOC 2 requires oversight of subservice organisations (third parties that process data on your behalf). If you use AWS, Azure, or other cloud infrastructure, your system description will normally carve them out and rely on their own SOC 2 reports; you then need to obtain and review those reports each year, note any exceptions, and document both the complementary subservice organisation controls you rely on and the customer-side controls their reports say you are responsible for (for example, configuring encryption and access on your own accounts).
  • Change management informality — many early-stage tech companies manage changes through Slack messages or informal approvals. The change management criteria (CC8) expect a documented process: a recorded request, review and approval by someone other than the author, testing before release, and separation between development, testing, and production environments. A pull-request workflow with mandatory review and a deployment log usually satisfies this if the records are retained.
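The evidence and logical-access points above come together in the most frequently requested artefact: a dated user access review. The following is an added example, not code from the original article or from any consultancy; it takes a credential-report CSV, flags console users without MFA, credentials unused for longer than a threshold, and privileged accounts needing explicit re-approval, and emits a JSON record suitable for filing as evidence. The CSV is constructed, with columns modelled on the AWS IAM credential report; the 90-day threshold, the privileged-user list, and the control name are assumptions standing in for whatever your own access-control policy specifies.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: columns follow the AWS IAM credential report layout
# (`aws iam get-credential-report`), but every account and timestamp is made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2025-09-15T09:12:00+00:00,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2025-09-28T08:00:00+00:00,true,true,2025-09-29T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,2025-04-02T14:30:00+00:00,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,not_supported,false,true,2025-09-30T01:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,true,no_information,true,true,2025-03-01T00:00:00+00:00
"""

# Assumptions, not SOC 2 requirements: the auditor tests against the thresholds
# and privileged-role inventory that YOUR access-control policy states.
PRIVILEGED_USERS = {"alice", "ci-deploy"}
INACTIVITY_DAYS = 90
REVIEW_DATE = datetime(2025, 10, 1, tzinfo=timezone.utc)  # fixed so output is reproducible


def _parse_ts(value):
    """AWS writes N/A, no_information or not_supported where no timestamp exists."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, review_date=REVIEW_DATE,
                             privileged=PRIVILEGED_USERS, inactivity_days=INACTIVITY_DAYS):
    """Evaluate every principal in the report and return an access-review record."""
    cutoff = review_date - timedelta(days=inactivity_days)
    entries = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        console = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        key_active = row["access_key_1_active"] == "true"
        used = [t for t in (_parse_ts(row["password_last_used"]),
                            _parse_ts(row["access_key_1_last_used_date"])) if t]
        last_used = max(used) if used else None

        findings = []
        if user == "<root_account>":
            # Root should only be touched for root-only tasks; any sign-in inside
            # the review window needs a documented reason.
            if last_used and last_used >= cutoff:
                findings.append("root_used_in_period")
        else:
            if console and not mfa:
                findings.append("console_without_mfa")
            if (console or key_active) and (last_used is None or last_used < cutoff):
                findings.append("inactive_credential")
            if user in privileged:
                findings.append("privileged")  # always re-approved explicitly, never silently kept

        if any(f != "privileged" for f in findings):
            action = "remediate"
        elif findings:
            action = "re-approve"
        else:
            action = "none"
        entries.append({"user": user,
                        "last_used": last_used.isoformat() if last_used else None,
                        "findings": findings, "action": action})

    return {
        "control": "Quarterly user access review",  # name assumed; use your policy's control ID
        "review_date": review_date.isoformat(),
        "inactivity_threshold_days": inactivity_days,
        "entries": entries,
        "remediation_required": sorted(e["user"] for e in entries if e["action"] == "remediate"),
    }


def record_to_json(record):
    """Serialise the record so it can be filed, dated, as evidence for the audit period."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(record_to_json(review_credential_report(SAMPLE_REPORT)))
```

On the sample data the record flags bob (console access, no MFA, unused since April), carol (access key idle for seven months) and a recent root sign-in for remediation, and lists alice and ci-deploy for explicit re-approval. Filing that JSON alongside the reviewer's sign-off and the tickets raised for each remediation is what turns a "we review access quarterly" policy statement into evidence the auditor can test.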

Auditor Selection: A Critical Decision

Choosing the right SOC 2 auditor is as important as the readiness work itself. Not all audit firms are equal in their approach, sector expertise, or report quality. Key considerations when selecting an auditor include:

  • Licensed CPA firm — a SOC 2 examination must be performed under the AICPA's attestation standards by a CPA firm; licensing comes from a US state board of accountancy, and the firm should be enrolled in the AICPA peer review programme. UK companies usually engage either a US firm or a UK firm with a licensed CPA affiliate that signs the opinion. Ensure your chosen auditor holds the relevant licence and has a track record of SOC 2 examinations.
  • Technology sector experience — an auditor that understands SaaS architecture, cloud infrastructure, and DevOps processes will conduct a more informed and efficient examination than one that primarily audits manufacturing or banking firms.
  • Report readability — your SOC 2 report will be shared with prospective customers. Some audit firms produce reports that are clearer and more professional in presentation. Ask for a sample report from each candidate.
  • Timeline and availability — quality audit firms may be booked months in advance. Start the auditor selection process early, ideally right after the gap assessment phase.

How Our Consultants Help with SOC 2 Readiness

Our team provides SOC 2 readiness support tailored to UK technology companies preparing for US market entry. We conduct gap assessments, develop control documentation, advise on evidence collection processes, and prepare your team for the audit. Combined with our fractional vCISO service, we can manage your SOC 2 programme end-to-end — from scoping through remediation and audit — providing consistent security leadership throughout the engagement.

Learn about Pyralink vCISO services →

Free compliance readiness score →