SOC 2 · Preparation Kit
SOC 2 Type I and Type II Readiness
Preparation materials for SOC 2 audit, from Trust Service Criteria mapping to evidence collection. For Vietnamese SaaS targeting US and Canada markets.
Get pTrackly support →1. Scope & TSC Selection
- □ Define service(s) in scope, typically production system
- □ Select required TSC: Security (CC) always required
- □ Evaluate additional: Availability, Confidentiality, Processing Integrity, Privacy
- □ Decide Type I (fast) or Type II (enterprise-grade)
2. Controls Mapping
- □ Map existing controls to Common Criteria (CC1-CC9)
- □ Identify gaps, controls missing or insufficient
- □ Build System Description, describe system and controls
- □ Policies must cover: Access Control, Change Management, Risk, Incident
3. Evidence Collection (Type II)
- □ Identify evidence type per control (automated vs manual)
- □ Observation period: minimum 6 months, start collecting early
- □ Evidence examples: access logs, change tickets, incident reports, training records
- □ Centralize evidence, easy to share with auditor
4. Select CPA Firm Auditor
- □ Auditor must be an AICPA-licensed CPA firm
- □ Firms experienced with SaaS/tech: BARR Advisory, Prescient Assurance, A-LIGN, Johanson Group
- □ Request proposals from at least 2-3 firms
- □ Audit timeline typically: 4-8 weeks from kick-off to report
5. After receiving SOC 2 Report
- □ Type I report validity: no expiry but enterprise usually requires recent (< 1 year)
- □ Type II: annual renewal audit typically recommended
- □ Prepare executive summary to share with prospective customers
- □ Trust Center / Security page to publish SOC 2 availability
pTrackly helps you implement SOC 2 faster with ready-made templates and automated evidence collection.
Get Free DemoReady to get audit-ready?
Book a 15-minute call. See the platform. Decide if it fits.
Book Free Demo 15 min, no commitment No credit card required Setup in 24 hours Cancel anytime