Build trust with SOC 2 in 2024

The internationally recognised standard for demonstrating your commitment
to Security, Availability, Processing Integrity, Confidentiality and Privacy.


Is this the year you grow with SOC 2?

There’s no better standard to baseline your information security and earn trust with a broad customer base.

AssuranceLab is a registered CPA and CA firm ready to help you earn trust with SOC 2 in the US and globally.

We provide end-to-end readiness and audit services, with a cloud-native and agile approach that enables you to work at your own pace.


You’re in great company. We work with hundreds of fast-growing software companies across 13 countries, ranging in size from 2 to 26,000 employees.


We work with more than 500 fast-growing companies across 20+ countries, ranging in size from 2 to 26,000+ employees.


Is this the year you

grow with SOC 2?

SOC 2 reports are independent assessments conducted by certified public accounting firms or other qualified auditors. It indicates to stakeholders your commitment to the security of customer data. 

The SOC 2 framework is based on the Trust Services Criteria (TSC) defined by the AICPA. These include Security, Availability, Confidentiality, Privacy and Processing Integrity.

As a registered CPA and CA firm, we provide complete audit services, with a cloud-native and tech-enabled approach. This means you work at a pace that suits you rather than navigating the traditional complex audit model.

Ready to get started with SOC 2?



Four Steps to SOC 2

left arrow right arrow
SOC 2 Readiness Assessment

SOC 2 Readiness Assessment

Integrating with many compliance platforms, we provide a tailored view of your controls and any gaps to help you prepare for your audit.

SOC 2 Remediation Support

SOC 2 Remediation Support

We guide you as you address gaps and implement fit-for-purpose processes that align with your culture and the SOC 2 criteria. Our flexible and responsive team helps you work through it at your own pace.

SOC 2 Audit Type 1

SOC 2 Type 1 Audit

We conduct the Type 1 audit at your pace to help you minimise disruption and learn through the process. Our iterative reviews and feedback help you stay on track and achieve operational benefits.

SOC 2 Type 2 Audit

SOC 2 Audit Type 2

We conduct the Type 2 audits either at your own pace within a defined timeline or incrementally throughout the year to minimise disruption and increase confidence in your compliance. 

Ready to get started on your compliance journey?


Clear reasons to act


International credibility

A globally recognised attestation
report to build trust at scale


Customer comfort and trust

A detailed report addressing crucial
customer due diligence questions


Minimal business disruption

Agile and flexible audits that help minimise the disruption while meeting client deadlines


Choice of goalposts

Optional criteria for availability,
confidentiality, processing integrity
and privacy


Multi-standard compliance

A strong starting point in meeting
multiple related frameworks,
standards and certifications


Recognition of partial progress

The ability to achieve a SOC 2 report
with known process improvements


Everything you need to know about SOC 2 compliance 

assurancelab soc2 booklet cover Jan2023

We’ve prepared a free guide for business leaders and professionals looking at SOC 2 reporting. Your guide includes:

5 reasons to get accredited

2 pathways for compliance

SOC 2 vs. ISO 27001

Compliance platforms

Costs, timeline and what to expect


Your questions answered

What is SOC 2?

SOC 2 reports are independent assessments conducted by certified public accounting firms or other qualified auditors. These reports assure customers, stakeholders and regulatory bodies that a service organisation has implemented effective controls to protect the confidentiality, integrity and availability of customer data. The SOC 2 framework is based on a set of Trust Services Criteria (TSC) defined by the AICPA. These include Security, Availability, Confidentiality, Privacy and Processing Integrity.

Service organisations undergo a SOC 2 audit to assess the design and operating effectiveness of controls related to the TSC. The audit process involves evaluating the organisation's control environment, conducting testing procedures, and issuing a SOC 2 report that outlines the findings and conclusions.

Is SOC 2 a certification?

No, it is an attestation report. It is commonly treated like a certification and often has accreditation logos, but there are three key differences:

  1. You can achieve a SOC 2 report with exceptions or qualifications, but the report itself is still valid with those disclaimers included.
  2. Instead of a single-page certificate, a SOC 2 report provides details of your compliance scope and processes in a system description. It also includes details of your controls and the auditor’s tests that validated those controls (for Type 2 reports).
  3. There is no prescribed certification period. For SOC 2 you can choose your reporting dates and periods for Type 1 and Type 2 reports as needed.
SOC 2 may also be used by large enterprises as a pass/fail, but by design, it can be used more broadly for due diligence and vendor risk management.

What is the scope of a SOC 2 report?

SOC 2 follows a common industry standard when determining the scope. That is, by looking at which services, systems, data, processes and people are relevant to be secured to protect the customers and other parties that rely on that security.

This scope is formed by starting with a focus on a specific service. That may be one or more Software-as-a-Service offerings, platform infrastructure another function as a service, or professional services. This then cascades down to what systems are used to deliver the service(s), the data that is collected, the people that operate and support it, and the processes to manage the services in a secure manner that covers the SOC 2 Trust Services Criteria.

What are the five Trust Services Criteria categories?

All SOC 2 reports include the Common Criteria for Security: Security, Availability, Processing Integrity, Confidentiality and Privacy. Security is always included, but the subsequent areas can be added optionally.

  • Security: included in all reports, this covers basic system and data security
  • Availability: the reliability and resilience of your systems and services
  • Confidentiality: how data is classified, handled and retained in line with its level of sensitivity
  • Processing Integrity: the objectives of your services and how those are managed to ensure complete and accurate data processing
  • Privacy: managing personally identifiable data in line with individuals’ privacy rights.
Security, Availability, and Confidentiality are commonly included to satisfy most enterprise customers’ expectations with minimal additional work on top of the Common Criteria.

Can you fail SOC 2?

Not as such. SOC 2 reports are not pass/fail. The report can be issued with any number of exceptions and qualifications. Most companies choose to delay their SOC 2 report until it is “clean”. If you are in an annual reporting cycle with customer commitments, you may not have that flexibility, so the report may be issued with disclaimers about any identified exceptions and qualifications.

What’s required for SOC 2?

There are a few things to be aware of for SOC 2 reporting:

  • There are 33 common criteria to satisfy by mapping your controls and implementing a state of compliance. We integrate with several compliance platforms to assist your compliance journey.
  • The controls include documented policies, system configurations, and defined processes. Our PolicyTree solution generates your tailored set of policies that are the foundations of your compliance program.
  • An audit is conducted to verify your compliance, which AssuranceLab performs. We have some flexibility for first-time reports, especially Type 1, that lets you fix things as we work through.
  • A system description is prepared to overview your compliance scope and activities. We add your tailored controls, mapped to the criteria and the results of the audit (Type 2); we then both sign off to issue the final report.

Can we reduce the audit work by using a compliance platform?

Yes is the short answer. Unlike ISO 27001, there are no prescribed audit days, so using automation can help auditors achieve the required level of comfort for their controls. But that relies on an audit firm that’s familiar with the specific platform you’re using. It also only works if the controls and scope of the audit are adaptable to the platform. If you look to have customised controls or diverge from the way the platform works, it can cause additional work. We integrate with many compliance automation platforms to ensure a streamlined approach to your audit.

SOC 1 vs SOC 2: what's the difference?

The service organisation control, sometimes referred to as system and organisational control (SOC) standards has been around for decades. Their earlier use was driven by financial reporting objectives, later termed “SOC 1”. That’s where third parties would rely on IT systems or services, and that would impact their financial statement audits or other financial interests like in asset management or superannuation. 

As reliance on third-party services evolved with the rise in software as a service companies, these reports naturally evolved to being used for assurance over those third-party services even when no direct financial objectives were involved. The Trust Services Criteria were then introduced to better align with the modern needs of third parties that were reliant on security, availability, confidentiality, processing integrity and privacy. This became “SOC 2” to differentiate from the earlier SOC 1 purpose.

What is a SOC 3 report?

A SOC 3 report is a redacted version of a SOC 2 Type 2 report that can be published or more easily shared without the confidential information included in SOC 2 reports. A CPA firm like AssuranceLab issues the SOC 3 report using the relevant information from a SOC 2 Type 2 audit and it is usually issued alongside the SOC 2 Type 2 report.

Type 1 and Type 2 reports: what's the difference? 

A Type 1 report attests to your compliance by design. It’s a snapshot in time that can be achieved by showing you have the right systems and processes in place to satisfy the SOC 1 control objectives. 

A Type 2 report attests to your compliance by both design and operation over a set period of time, usually between 3-12 months, to show your systems and processes have been operating consistently to satisfy the SOC 2 control criteria. 

Usually, a Type 1 report is issued first as baseline compliance. That marks the start of the live and recurring Type 2 audit period for reports issued annually. That is the industry standard but the SOC standards have the flexibility to choose the report dates and periods as desired (usually driven by customers’ expectations that drive the industry-standard approach).


Earn trust with other leading standards


Blended Audits

Combine two or more compliance frameworks into a single blended audit process without duplication to scale trust, not costs and effort.



The de facto global and best practice standard for proving secure handling of electronic protected health information (ePHI).


Custom Frameworks

Manage any compliance obligations from customers, regulators or your own internal risk requirements with custom frameworks.


ISO 27001

An international framework to apply a structured and best practice methodology for managing information security.



A comprehensive, best practice standard for cloud security to achieve Level Two accreditation in the security, trust and risk (STAR) register.


Consumer Data Right

Access consumer data in Australia’s economy-wide open data regime with Consumer Data Right accreditation.


ESG Reporting

A flexible and lightweight framework to report up to 500+ positive impact activities supporting environmental, social and governance (ESG) objectives.



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.



Satisfy publicly listed customers regulated by Sarbanes Oxley and supporting financial reporting requirements.

Get started your way

We’re ready when you are



The global gold-standard for privacy. GDPR is regulated for personal data collected from EU citizens, and an effective framework to satisfy enterprise customers globally.