Skip to content
Drevni Solutions
All insights
Cybersecurity & ComplianceMay 28, 20267 min read

SOC 2, explained without the panic: what it actually requires

It usually starts with an email from your largest prospect: "Before we can move forward, can you send over your SOC 2 report?" If your stomach just dropped, you're in good company. SOC 2 sounds like a wall, but it's really a checklist with an auditor attached. Here's what it actually means, without the consulting-speak.

What SOC 2 is (and isn't)

SOC 2 is a report, produced by an independent CPA firm, that attests to how well your company protects customer data. It is not a government regulation and not a one-time certificate you frame on the wall. It's an examination of your controls against a set of criteria defined by the AICPA. The output is a report your customers' security teams can read and trust.

There are two flavors. A Type I report looks at whether your controls are designed correctly at a single point in time. A Type II report, the one most enterprise customers actually want, observes whether those controls operated effectively over a period, typically three to twelve months.

The five trust services criteria

SOC 2 is built on five categories. Only the first is mandatory; you scope in the others based on what you promise customers.

  • Security (required): protecting systems against unauthorized access, the common core every report includes.
  • Availability: your systems are up and reachable as committed in your SLAs.
  • Processing integrity: your systems process data completely, accurately, and on time.
  • Confidentiality: information designated confidential is protected as promised.
  • Privacy: personal information is collected, used, and disposed of appropriately.

What the audit actually involves

In practice, getting to a SOC 2 report comes down to proving you do, consistently, the things good security hygiene already calls for: access is granted by role and removed when people leave, laptops are encrypted and monitored, changes to production are reviewed, vendors are vetted, backups are tested, and someone is watching for incidents. The auditor asks for evidence that these controls ran for real, not just that a policy exists in a binder.

A realistic path to getting there

  • Scope it. Decide which trust criteria you actually need based on what customers are asking for. Don't gold-plate.
  • Run a gap assessment. Compare where you are today against the criteria and get an honest punch list.
  • Remediate. Implement the missing controls: usually identity, endpoint, logging, and vendor management, and write the policies that match what you really do.
  • Collect evidence over time. For a Type II, let the controls run for your observation window while the system quietly captures proof.
  • Engage the auditor. An independent CPA firm performs the examination and issues the report.

How long and how hard?

For a small firm starting from decent-but-informal security, a Type I is often a matter of a couple of months of focused work; a Type II adds the observation window on top. The heavy lifting is rarely the audit itself, it's tightening the day-to-day controls and keeping evidence. That's exactly the part a good IT and security partner handles for you.

Where Drevni fits

To be clear: Drevni is not your auditor, and we don't claim to hold SOC 2 ourselves. What we do is get you ready, assess the gaps, stand up the controls (identity, endpoint protection, monitoring, backup, vendor management), document them, and capture the evidence, so that when the CPA firm runs the examination, you pass without the fire drill. Compliance becomes a service we deliver, not a cliff you climb alone.

If a customer is asking for SOC 2, or you can see it coming, start with our cybersecurity checklist, then let's map the shortest realistic path for your firm.

Want this handled for you?

Grab the matching free checklist, or book a 15-minute consult and we'll map your next step.

Let's make your IT quiet.

One conversation tells you where you stand and what to fix first. No pressure, no jargon.

Prefer to talk now? (415) 692-3380 · sales@reply.drevni.com