SOC 2: Proving Trust to Your Customers

SOC 2 is an attestation standard from the AICPA (American Institute of Certified Public Accountants) for service providers that handle customer data — particularly B2B SaaS and cloud providers. The result is not a certificate but an attestation report you use to demonstrate to customers that your controls are suitably designed and operating effectively. This page explains what SOC 2 is, who it is relevant for (and who not), how Type I and Type II differ, and how to stay continuously audit-ready with Sightadel.

What Is SOC 2?

SOC 2 (System and Organization Controls 2) is a framework under which a licensed CPA assesses a service provider's internal controls. The basis is the Trust Services Criteria (TSC):

  • Security (Common Criteria): the mandatory foundation of every SOC 2 report.
  • Availability: the service is available for operation and use as committed.
  • Processing Integrity: complete and accurate processing.
  • Confidentiality: protection of confidential information.
  • Privacy: handling of personal data.

You choose which criteria, beyond mandatory Security, are included in the report — depending on your service and your customers' expectations. The completed report is typically shared with customers and prospects under a non-disclosure agreement.

Who Is SOC 2 Relevant For — and Who Not?

SOC 2 is relevant for you if …

… you are a service provider that processes or hosts customer data, and your customers expect independent evidence of your security controls. Typical cases:

  • B2B SaaS providers, especially those with US or internationally active customers,
  • cloud and hosting providers,
  • providers for whom SOC 2 regularly appears in procurement and security questionnaires.

In many B2B sales processes, a SOC 2 report is now effectively a prerequisite for even making the shortlist.

SOC 2 is probably not a priority for you if …

… you do not process customer data as a service provider, or your customers do not require the evidence. In purely national contexts where clients instead expect ISO 27001 or the BSI C5, SOC 2 is often secondary.

The caveat: SOC 2 is market-driven, not legally mandated. The question is therefore rarely "Am I obligated?" but "Do my target customers require it — and do I lose deals without the report?"

Type I or Type II — What's the Difference?

  • SOC 2 Type I assesses whether the controls are suitably designed as of a specific date. Faster to achieve, often a first step.
  • SOC 2 Type II additionally assesses whether the controls operated effectively over a period (often 3 to 12 months). Type II is more meaningful and is what most customers ultimately want to see.

The Typical Challenge in SOC 2 Preparation

  • Evidence across the full period. For Type II, effectiveness must be demonstrated continuously — not just on audit day. Organizations that only start collecting evidence shortly before the audit end up with gaps in the period.
  • Fragmented evidence. Access reviews, change tickets, onboarding records, incident logs — spread across many systems.
  • Duplicate work alongside other standards. Organizations already implementing ISO 27001 or NIS2 maintain much of it twice because the evidence is not linked.

How Sightadel Simplifies SOC 2 Preparation

Sightadel is the compliance portal within the Pervigon Security Suite. It represents the Trust Services Criteria as a structured control catalog to which you assign measures, owners, and evidence.

Faster to audit-ready. The Trust Services Criteria are built into the portal. You map existing controls and immediately see what is still missing for the chosen scope (Security plus optional criteria).
Continuous evidence for Type II. Recurring tasks — such as access reviews — are scheduled, reminded, and documented in the portal. This produces the continuous chain of evidence across the assessment period.
Reuse of evidence. A control such as multi-factor authentication is mapped simultaneously to SOC 2, ISO 27001, and NIS2. One piece of evidence, multiple frameworks — instead of parallel maintenance.
No external consultants as a permanent crutch. The mapping logic is built into the portal and supported by the neoAI core. The CPA remains responsible for the audit; the ongoing preparation is handled by your team.
Audit-ready. Every control is linked to an owner, status, evidence, and history — the artifact the auditor wants to see.

SOC 2 with Sightadel in Practice

  1. Define scope. Which Trust Services Criteria beyond Security belong in the report?
  2. Map & close gaps. Map existing controls, run a gap analysis, build a prioritized action plan.
  3. Maintain evidence. Collect evidence continuously across the Type II period — recurring and traceable.
  4. Support the audit. Provide the CPA with the required state in a structured way.

Frequently Asked Questions About SOC 2

Is SOC 2 a certification?

No. SOC 2 is an attestation report from a licensed CPA, not a certificate.

SOC 2 Readiness as a State, Not an Annual Project

A SOC 2 report is a recurring proof over a period. Sightadel keeps your controls and evidence continuously audit-ready — so each new audit period builds on a maintained state rather than a scramble.

See your SOC 2 status in Sightadel.