FortaRisks

SOC 2: what it takes to pass

October 31, 2025 · 4 min read

Sooner or later, a prospect sends the email: "Can you share your SOC 2 report?" For many B2B software companies, that request is the moment SOC 2 becomes a deal blocker rather than a distant goal.

SOC 2 is not a certification, and there is no badge to display. It is an attestation report, issued by an independent CPA firm under the AICPA framework, that describes your controls and gives an auditor's opinion on them. Customers ask for it because it lets them outsource part of their own due diligence: instead of trusting your word, they trust a licensed auditor's examination. Here is what the report covers, and where first-time audits break down.

The five Trust Services Criteria

SOC 2 is built on five Trust Services Criteria, and you scope in only the ones relevant to your service:

  1. Security. Also called the Common Criteria, this is the foundation and is always in scope. It covers protection of systems and data against unauthorized access, disclosure and damage.
  2. Availability. Whether your systems are available for operation and use as committed. Relevant if you sell on uptime or continuity.
  3. Processing Integrity. Whether system processing is complete, valid, accurate, timely and authorized. Relevant when you process transactions or calculations on customers' behalf.
  4. Confidentiality. Whether information designated as confidential is protected across its lifecycle. Relevant when you handle sensitive business data.
  5. Privacy. Whether personal information is collected, used, retained and disposed of in line with your commitments. Relevant when you handle personal data directly.

Most first audits scope Security alone, or Security plus Availability and Confidentiality. Adding criteria you cannot support only widens the surface an auditor will test.

Type I versus Type II

There are two kinds of report, and the difference matters more than the name suggests.

A Type I report evaluates the design of your controls at a single point in time. It answers one question: are the right controls in place today? It is a useful first milestone, but says nothing about whether those controls actually work day to day.

A Type II report evaluates operating effectiveness over a period, typically 3 to 12 months. The auditor does not just confirm a control exists; they sample evidence across the whole window to confirm it operated consistently. This is what customers usually want, and when someone asks for "your SOC 2," they almost always mean Type II.

The control areas an auditor evaluates

Whatever criteria you scope, the audit examines a consistent set of control areas:

  • Access control. Provisioning, de-provisioning, least privilege, and multi-factor authentication for privileged access.
  • Change management. Code and infrastructure changes are reviewed, tested and approved before production.
  • Risk assessment. A documented, recurring process to identify and treat risks.
  • Monitoring and logging. Systems are logged, alerts are configured, and anomalies are investigated.
  • Vendor management. Third parties with access to your data are assessed and tracked over time.
  • Incident response. A defined process to detect, respond to and learn from security incidents.
  • Control environment. The governance layer: policies, defined ownership, and evidence that leadership actually stands behind the program.

Evidence is the whole game

The single biggest misunderstanding about Type II is timing. It requires evidence collected continuously across the audit window, at the cadence each control claims to run, not reconstructed at the end. An auditor sampling quarterly access reviews across a nine-month window will notice if all of them are dated the week before fieldwork, or if an entire quarter has none. If the evidence was not generated as the control ran, the control effectively did not operate.
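The check an auditor applies by hand can be applied to your own evidence store before fieldwork. The script below is an added example, not code from the original post or from FortaRisks: it takes a list of evidence records for one control, the audit window and the control's stated cadence, and reports which cadence periods have no evidence, how many records fall outside the window, and whether every record is bunched into the last two weeks. The record format, the `access_review` control name, the nine-month window and the dates are all constructed for the example.

```python
"""Evidence coverage check for a SOC 2 Type II audit window (added example).

Given evidence records for one control, confirm the control produced evidence in
every cadence period of the window, and flag evidence that was clearly generated
in a rush at the end. Sample records below are constructed, not real audit data.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Evidence:
    control: str        # hypothetical control identifier, e.g. "access_review"
    performed_on: date  # the date the control actually ran, from the artifact itself


def periods(start: date, end: date, period_days: int):
    """Split the inclusive window [start, end] into consecutive cadence periods."""
    out = []
    cur = start
    while cur <= end:
        nxt = min(cur + timedelta(days=period_days - 1), end)
        out.append((cur, nxt))
        cur = nxt + timedelta(days=1)
    return out


def check_coverage(records, control: str, window_start: date, window_end: date,
                   period_days: int, cluster_days: int = 14) -> dict:
    """Report cadence gaps, out-of-window records and end-of-window clustering.

    A cadence period with no evidence means the control did not operate there.
    Records dated before or after the window cannot support it at all.
    If every record sits inside the final `cluster_days`, the evidence was
    most likely reconstructed just before fieldwork rather than generated as
    the control ran.
    """
    mine = [r for r in records if r.control == control]
    in_window = [r for r in mine if window_start <= r.performed_on <= window_end]
    outside = [r for r in mine if r not in in_window]

    uncovered = [
        (p_start, p_end)
        for p_start, p_end in periods(window_start, window_end, period_days)
        if not any(p_start <= r.performed_on <= p_end for r in in_window)
    ]

    cutoff = window_end - timedelta(days=cluster_days)
    late = [r for r in in_window if r.performed_on > cutoff]
    clustered = len(in_window) > 1 and len(late) == len(in_window)

    return {
        "in_window": len(in_window),
        "outside_window": len(outside),
        "uncovered_periods": uncovered,
        "clustered_at_end": clustered,
    }


# Constructed nine-month window, quarterly (91-day) cadence for access reviews.
WINDOW_START = date(2025, 1, 1)
WINDOW_END = date(2025, 9, 30)
QUARTER_DAYS = 91

# Constructed evidence: reviews spread across the window, as they should be.
GOOD_RECORDS = [
    Evidence("access_review", date(2025, 2, 14)),
    Evidence("access_review", date(2025, 5, 12)),
    Evidence("access_review", date(2025, 8, 20)),
]

# Constructed evidence: one stale record, three done the week before fieldwork.
BAD_RECORDS = [
    Evidence("access_review", date(2024, 12, 15)),
    Evidence("access_review", date(2025, 9, 22)),
    Evidence("access_review", date(2025, 9, 24)),
    Evidence("access_review", date(2025, 9, 26)),
]


def run_demo():
    good = check_coverage(GOOD_RECORDS, "access_review", WINDOW_START, WINDOW_END, QUARTER_DAYS)
    bad = check_coverage(BAD_RECORDS, "access_review", WINDOW_START, WINDOW_END, QUARTER_DAYS)
    return good, bad


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), run_demo()):
        print(label, result)
```

Run it against an export from wherever your evidence actually lives (ticketing system, access-review tool, a folder of signed PDFs), one control at a time, and treat any uncovered period or a `clustered_at_end` result as a gap to fix before you engage the auditor, not a finding to explain during fieldwork.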

Why first audits stall

  • Problem: teams treat SOC 2 as a document exercise and a point-in-time push, when it rests on controls that run continuously and produce their own evidence.
  • Impact: a failed or delayed audit means qualified opinions, blocked enterprise deals, and months of rework, often after budget and timelines were already committed to sales.
  • Action: assign a clear owner, scope only the criteria you can support, and start collecting evidence the day your audit window opens, not the week fieldwork begins.

The gaps that come up most

Four blind spots appear again and again. First, no owner: the program is everyone's job and therefore no one's. Second, paper controls: a policy exists but produces no evidence that anyone follows it. Third, weak vendor management: sub-processors are onboarded and never reviewed again. Fourth, and most costly, starting evidence collection too late, which quietly shortens or invalidates the audit window.

See where you stand

Before you engage an auditor, gauge your starting point. Our free SOC 2 readiness self-assessment walks through the control areas above, computes a readiness score and flags your priorities. No sign-up, no data sent: everything is calculated in your browser.

Once your gaps are visible, the Compliance module turns them into a prioritized plan and collects evidence continuously, so your audit window is backed by real records rather than a scramble.

SOC 2 is not a form you fill in once. It is the ongoing proof that the controls you describe to customers actually run. This self-assessment does not replace an auditor, but it shows you exactly where to start.

See your real risk in a 30-minute demo.

A member of our team walks you through FortaRisks on threats relevant to your sector. No chatbot.