Our Process

Q: How long does the SOC 2 Advisory process take?

Our five-phase SOC 2 programme takes 10–12 weeks from kick-off to audit-ready — meaning your formal audit can begin in week 10 or 11. For SOC 2 Type 1, your certified report is typically issued 12–16 weeks from engagement start. For Type 2, you begin the 6–12 month observation period after receiving your Type 1 report.

Q: How much time will this take from my engineering team?

Most clients find that SOC 2 requires 3–6 hours per week from their engineering team during the active implementation phase (weeks 3–8). The gap assessment and readiness phases require less — primarily structured interviews and evidence review sessions that we schedule around your sprint cycles. We deliberately minimise engineering burden so your team can stay focused on your product.

Q: What happens after we receive our SOC 2 report?

After your report is issued, we move into ongoing monitoring and annual renewal. We maintain your controls, monitor for changes that affect your SOC 2 scope, and contact you three months before your next audit window to begin the renewal cycle. SOC 2 Type 2 requires a new report every 12 months — we manage the entire renewal process so you are never scrambling in the weeks before your audit date.

100⁺

Companies guided to certification

98^%

First-attempt audit pass rate

10^–12

Weeks average to audit-ready

Handoffs — one advisor throughout

The Five Phases

Every engagement follows the same structure. The copy changes. The commitment doesn't.

Click any phase to see exactly what happens, who does what, and what you receive at the end. Every item below has been refined across 100+ certifications.

Weeks 1–2

Gap Assessment

We audit your existing controls, map your infrastructure, and classify every gap by severity — before a single policy is written or a single control is built. You receive a comprehensive gap report and a prioritised remediation roadmap within two weeks of kick-off.

Kick-off & Scope Confirmation

Structured kick-off call. We confirm your SOC 2 scope — the exact systems, services, and infrastructure in scope — so you do not pay for assessments that will never appear in your report. Day 1–2.

Controls Assessment

We test what is actually in place — not just what is documented. Structured interviews with your technical and operational teams, hands-on review of your infrastructure and tooling. Day 3–6.

Gap Classification

Every finding mapped against the SOC 2 criteria, classified by severity — critical, major, minor. We differentiate gaps that close in days from those that need engineering weeks. Day 7–9.

Report & Roadmap Delivery

A complete, specific gap report with every finding, supporting evidence, prioritised remediation roadmap, resource estimates, and a recommended audit timeline. Not a template — your company's name is the least specific thing in it. Day 10–14.

Deliverable: Gap Assessment Report + Prioritised Remediation Roadmap

Weeks 3–8

Control Implementation

We build the controls, write the policies, and build the evidence collection workflows — alongside your team, not instead of them. We work around your sprint cycles and never require your engineers to stop shipping product to manage a compliance programme.

Policy Writing & Documentation

We write every policy — information security, access control, change management, incident response, business continuity, and more. Written specifically for your company, not adapted from a generic template library.

Technical Control Configuration

We configure the technical controls in your environment — logging, monitoring, encryption, access controls, vulnerability scanning — alongside your engineering team. We provide specifications, your team implements, we verify.

Vendor & Third-Party Risk

We build your vendor review programme, obtain security documentation from critical subprocessors, and produce the vendor assessment records your auditor will request. Often the most overlooked area — and one of the most scrutinised.

Evidence Collection Workflows

We design your evidence collection system — what evidence is collected, how, by whom, and at what frequency. Efficient evidence workflows prevent the last-minute scramble that causes failed audits. Your team collects. We organise.

Deliverable: Complete policy suite · Configured controls · Evidence library

Weeks 9–10

Readiness Testing

Before your auditor arrives, we run the same tests they will run. Every control tested for both design adequacy and operating effectiveness. Every gap found here is closed before fieldwork begins. This is why 98% of our clients pass on the first attempt.

Controls Effectiveness Testing

We test every control in your SOC 2 scope — not just that it exists, but that it is operating as designed. Controls that are documented but not genuinely running are the most common cause of audit findings. We find them before your auditor does.

Evidence Completeness Review

Every evidence item reviewed for completeness, coverage period, and accessibility. An auditor will request evidence at short notice. We verify every item can be produced within 24 hours — in a format that actually answers the question.

Auditor Simulation

We run a structured walk-through using the same format a CPA firm uses for fieldwork — asking your team the questions an auditor will ask, in the same order, with the same evidence requests. For most teams, this is the first time they have been through an audit process. Better to rehearse it with us.

Gap Closure Before Audit

Every gap found during readiness testing is closed before we confirm you are audit-ready. We do not issue readiness confirmation with outstanding items. Your audit starts from a position of genuine readiness — not optimistic readiness.

Deliverable: Readiness Assessment Report · Audit-ready confirmation

Audit Period

Audit Support

We manage the audit so you do not have to. Every auditor request goes through us — we triage it, review the evidence before it is submitted, and make sure your team is never blindsided by a question no one prepared them for. You focus on the business.

Auditor Request Triage

We receive every auditor evidence request, assess exactly what is being tested, organise the correct evidence, add the context the auditor needs, and manage the submission. Your team answers our questions. We manage the auditor.

Evidence Review Before Submission

Nothing goes to your auditor without our review. We check completeness, coverage period, formatting, and whether the submission closes the question or opens new ones. This step alone prevents a significant proportion of the findings that arise in unsupported audits.

Finding Response Management

When an auditor raises a finding, the response matters as much as the finding. We draft every management response — root cause, remediation evidence, context. A well-managed finding response has turned what would have been a qualified opinion into a clean report.

Draft Report Review

Before your report is issued, we review the complete draft — verifying control descriptions, finding classifications, scope language, and management responses. Errors caught at this stage are correctable. Errors discovered by your customers after issuance are not.

Deliverable: Managed audit process · Certified SOC 2 report

Ongoing

Annual Renewal & Monitoring

SOC 2 certification is not a one-time event. Enterprise buyers expect a new report every 12 months. We stay engaged through every annual renewal cycle — monitoring controls, updating evidence, and ensuring you are never scrambling in the weeks before your next audit date.

Continuous Control Monitoring

We monitor your control environment through the year — flagging changes that affect your SOC 2 scope, ensuring evidence collection continues correctly, and identifying any control deterioration before it becomes a finding in your next audit.

Evidence Library Maintenance

Your Type 2 audit requires evidence covering the full 12-month observation period. We maintain your evidence library through the year — systematic, organised, and audit-ready on day one of your next fieldwork window.

Policy & Scope Updates

As your product evolves, your SOC 2 scope and policies must evolve with it. New products, new infrastructure, new vendors, new team members — we update your programme documentation to reflect your current state, so your policies describe what you actually do.

Annual Renewal Cycle

We contact you three months before your next audit window to begin your renewal cycle. By the time your auditor arrives, your programme is already current, your evidence is complete, and your team is prepared. No scramble. Same outcome every year.

Deliverable: Annual SOC 2 report · Continuous compliance programme

Timeline View

How the weeks map out across a full SOC 2 programme.

Type 1 certification typically issues at week 12–14. Type 2 observation begins simultaneously and concludes at month 9–12.

01 Gap Assessment

WEEKS 1–2

02 Implementation

WEEKS 3–8

03 Readiness Testing

WEEKS 9–10

04 Audit Fieldwork

AUDIT PERIOD

Report Issued

TYPE 1

05 Type 2 Observation

BEGINS W3 · RUNS 6–12 MONTHS →

Why It Works

The same process. Every client. That is the point.

98% first-pass rate is not a coincidence. It is what happens when the same structured programme — refined across 100+ engagements — is applied by the same senior advisors, every time, without shortcuts.

One senior advisor throughout

The advisor who scopes your programme is the one who answers your auditor's questions on the last day of fieldwork. No handoffs. No junior running your engagement while a partner collects the fee. The same experienced practitioner, every step.

We close before we confirm

We do not issue readiness confirmation with open items. We do not start the audit clock until every gap from the readiness assessment is closed. This is not caution — it is the only reason our pass rate is 98% rather than something lower.

Fixed fee. Complete scope. No surprises.

Your total investment is agreed before we start. The gap assessment, implementation support, readiness testing, and audit management are all included. There is no billable hour that increases when you need us most — at 11pm the night before a report deadline.

We have done this. As operators.

Every advisor on our team built compliance programmes in-house before advising on them. We know what it is like to defend a control to an auditor with a two-person engineering team. The programme we built for you is the one we would have wanted when we were on the inside.

Annual renewal is built in

Most firms deliver the report and disappear. We built Phase 5 into our programme specifically because SOC 2 is not a one-time event. Your enterprise customers expect a fresh report every year. We are already managing that for you before the first one is issued.

3–6 hours from your engineering team

We are managing your compliance programme. Your engineering team's job is to answer our questions — not run a compliance project. 3–6 hours per week during implementation. Targeted, scheduled, never a surprise. Your roadmap stays on track.

How long does the full process take?

Our five-phase programme takes 10–12 weeks from kick-off to audit-ready — meaning your formal audit can begin at week 10 or 11. For SOC 2 Type 1, your certified report is typically issued 12–16 weeks from engagement start. For Type 2, you begin the 6–12 month observation period simultaneously with your Type 1 programme and receive your Type 2 report roughly 9–12 months from kick-off.

Who will actually work on my engagement?

A senior advisor is assigned to your engagement from day one and stays through every phase — gap assessment, implementation, readiness testing, audit support, and annual renewal. There are no handoffs to junior staff and no change of personnel between your first conversation and your certified report. The person who scopes your programme is the one who answers your auditor's questions on the last day of fieldwork.

How much time will this take from my engineering team?

Most clients find SOC 2 requires 3–6 hours per week from their engineering team during the active implementation phase (weeks 3–8). The gap assessment and readiness phases require less — primarily structured interviews and evidence review sessions we schedule around your sprint cycles. We deliberately minimise engineering burden so your team can stay focused on your product. The compliance work is our job. We ask your team questions. We do not ask them to run a compliance programme.

What happens after we receive our report?

After your report is issued, we move into Phase 5 — ongoing monitoring and annual renewal. We maintain your controls, monitor for changes that affect your SOC 2 scope, and contact you three months before your next audit window to begin the renewal cycle. SOC 2 Type 2 requires a new report every 12 months. We manage the entire renewal process so you are never scrambling in the weeks before your next audit date.

Get Started

Ready to start your
compliance programme?

Book a free 30-minute consultation. A senior advisor will review your situation, confirm the right scope for your business, and give you a realistic timeline and cost estimate — before you commit to anything.

Response within one business day

You speak directly with a senior advisor

Fixed-fee engagements — agreed before work begins

// Book your free consultation

From gap assessment
to certified — in a
straight line.

Every engagement follows the same structure. The copy changes. The commitment doesn't.

Gap Assessment

Control Implementation

Readiness Testing

Audit Support

Annual Renewal & Monitoring

How the weeks map out across a full SOC 2 programme.

The same process. Every client. That is the point.

One senior advisor throughout

We close before we confirm

Fixed fee. Complete scope. No surprises.

We have done this. As operators.

Annual renewal is built in

3–6 hours from your engineering team

Common questions about our process.

Ready to start your
compliance programme?

Every engagement follows the same structure. The copy changes. The commitment doesn't.

Gap Assessment

Control Implementation

Readiness Testing

Audit Support

Annual Renewal & Monitoring

How the weeks map out across a full SOC 2 programme.

The same process. Every client. That is the point.

One senior advisor throughout

We close before we confirm

Fixed fee. Complete scope. No surprises.

We have done this. As operators.

Annual renewal is built in

3–6 hours from your engineering team

Common questions about our process.

Ready to start yourcompliance programme?

Ready to start your
compliance programme?