SOC 2 for Vietnamese IT outsourcing companies
When US customers actually require it, what the scope covers for outsourcing, and a realistic roadmap to get started.
When a US customer actually asks for SOC 2
Not every deal raises this question. With small US startups or SMBs, the topic rarely comes up. But with enterprise and fintech, four specific situations arise:
Procurement sends an 80-150 question questionnaire. One of the first items: "Do you have a SOC 2 Type II report?" Answering no does not kill the deal immediately, but the security team escalates and asks for compensating controls.
The customer's Master Service Agreement states: "Service Provider shall maintain SOC 2 Type II compliance and provide an annual report upon request." Signing that MSA means you have committed to the report.
Technical scoping is done, commercial terms are agreed, then the customer's CISO steps in. They request evidence of access controls and incident response. Without a SOC 2 report, you submit individual policy documents. That process takes weeks.
The RFP lists a SOC 2 Type II report as a mandatory requirement. Without the report, the submission is eliminated at qualification before technical evaluation.
If you have not run into any of the above, SOC 2 is not an immediate priority. Once your pipeline starts including US enterprise deals, that is the time to run a gap assessment.
What SOC 2 covers for an outsourcing company
For a software outsourcing or BPO company, SOC 2 scope typically covers the software development environment: access to source code and production systems, employee account management (onboarding, offboarding, least privilege), how client data is handled during development and testing, incident response procedures for breaches or unauthorized access, and logging and monitoring of internal systems. The auditor evaluates whether these controls are properly designed (Type I) or operating effectively over a period of time (Type II). There are no headcount or revenue thresholds: scope is defined by agreement between you and the auditor.
SOC 2 versus ISO 27001 for outsourcing
| Aspect | SOC 2 | ISO 27001 |
|---|---|---|
| Who requires it | US enterprise and fintech | Japan, EU, Singapore, global enterprise |
| Output type | Audit report (not a certificate) | International certificate |
| Control overlap | 60-70% of controls overlap | |
| Time to first credential | Type I: 3-6 months | Certificate: 6-18 months |
| Annual audit cost | Ask 2-3 CPA firms to compare | Varies by CB and company size |
Roadmap: getting SOC 2 as an outsourcing company
Define scope, select Trust Service Criteria (Security is required, Availability and Confidentiality depend on customer requirements). Assess existing controls and document gaps.
Four main control areas to build out: access management (MFA, least privilege, periodic access review), logging and monitoring, incident response procedure with runbook and tested exercises, HR security (onboarding checklist, background check policy, offboarding revocation).
A CPA firm examines the design of controls at a specific point in time. The Type I report shows controls are suitably designed. Some customers accept Type I while waiting for Type II.
Controls must operate consistently for at least 6 months. During this period, collect evidence continuously: access logs, change management records, incident reports, vendor review records. This is the most execution-intensive phase.
The CPA firm evaluates both the design and the operating effectiveness of controls throughout the observation period. The result is the SOC 2 Type II report that US enterprise customers require.
Cost reality: what to know before budgeting
Readiness assessments through consultants in the US market typically fall between $5,000 and $20,000, depending on scope and the number of controls being reviewed. Local Vietnamese consultants may charge substantially different rates.
Actual audit fees vary widely by scope and the CPA firm you select. There is no reliable total cost figure to give here because the range across cases is too broad. The most practical approach is to contact 2-3 AICPA-licensed CPA firms directly, describe your specific scope (number of systems, headcount in scope, selected TSC), and compare quotes before planning your budget.
Frequently asked questions
Do US customers actually require SOC 2?
Not all of them, but US enterprise and fintech buyers frequently require it. The clearest signal is a vendor security questionnaire or Master Service Agreement with a SOC 2 clause. Startups and SMBs rarely require it.
Does a 50-person outsourcing company need SOC 2?
It depends on the customer, not the company size. If a large US customer requires a SOC 2 report, a 50-person shop still needs it to keep the contract. If all customers are startups or SMBs, you likely do not need it.
SOC 2 or ISO 27001 for outsourcing?
ISO 27001 is the better fit if you have customers in Japan, EU, or Singapore. SOC 2 is better if customers are primarily in the US. Many large Vietnamese outsourcing companies do both because they serve both markets.
Ready to get audit-ready?
Book a 15-minute call. See the platform. Decide if it fits.
Book Free Demo 15 min, no commitment