SOC 2 · Preparation Kit

SOC 2 Type I and Type II Readiness

Preparation materials for SOC 2 audit, from Trust Service Criteria mapping to evidence collection. For Vietnamese SaaS targeting US and Canada markets.

Get pTrackly support →

1. Scope & TSC Selection

  • Define service(s) in scope, typically production system
  • Select required TSC: Security (CC) always required
  • Evaluate additional: Availability, Confidentiality, Processing Integrity, Privacy
  • Decide Type I (fast) or Type II (enterprise-grade)

2. Controls Mapping

  • Map existing controls to Common Criteria (CC1-CC9)
  • Identify gaps, controls missing or insufficient
  • Build System Description, describe system and controls
  • Policies must cover: Access Control, Change Management, Risk, Incident

3. Evidence Collection (Type II)

  • Identify evidence type per control (automated vs manual)
  • Observation period: minimum 6 months, start collecting early
  • Evidence examples: access logs, change tickets, incident reports, training records
  • Centralize evidence, easy to share with auditor

4. Select CPA Firm Auditor

  • Auditor must be an AICPA-licensed CPA firm
  • Firms experienced with SaaS/tech: BARR Advisory, Prescient Assurance, A-LIGN, Johanson Group
  • Request proposals from at least 2-3 firms
  • Audit timeline typically: 4-8 weeks from kick-off to report

5. After receiving SOC 2 Report

  • Type I report validity: no expiry but enterprise usually requires recent (< 1 year)
  • Type II: annual renewal audit typically recommended
  • Prepare executive summary to share with prospective customers
  • Trust Center / Security page to publish SOC 2 availability

pTrackly helps you implement SOC 2 faster with ready-made templates and automated evidence collection.

Get Free Demo

Ready to get audit-ready?

Book a 15-minute call. See the platform. Decide if it fits.

Book Free Demo 15 min, no commitment
No credit card required Setup in 24 hours Cancel anytime
Book a Demo