SOC 2 - Type I and II

Will US buyers trust us?

If you're selling into the US market, SOC 2 is increasingly the expected evidence of security maturity. A Type I report gets you in the door; a Type II report keeps you there. Buyers want proof your security posture holds up between audits, not just on the day.

We take small, fast-moving companies through SOC 2 readiness, the Type I attestation, and into ongoing Type II audit readiness, then maintain the controls and evidence so you stay continuously audit-ready.

In short

  • A SOC 2 report, Type I for speed or straight to Type II, achieved on the timeline your deal or investor needs.
  • Evidence ready for US security questionnaires, mapped to the Trust Services Criteria and what buyers ask.
  • Type II readiness that's continuous, not episodic, so the next audit window doesn't turn into a scramble.

What problems we solve

Achieving attestation is only half the job; staying audit-ready is the rest. You're in the right place if any of these sound familiar:

01

US buyers expect a SOC 2 report

In the US market, a SOC 2 attestation is increasingly the price of entry for enterprise deals.

02

We've no dedicated security lead

Implementation stalls and fragments, and exceptions surface during the audit.

03

We can't keep controls current

Evidence gaps open up and the run-up to the audit becomes a scramble.

04

SaaS sprawl, infrastructure keeps moving

Control ownership is unclear and audit trails go missing.

05

Threats and customer demands keep shifting

Controls drift away from how the business actually operates.

06

Procurement and due diligence stall deals

Buyers and investors want independent assurance, and you can't show it quickly.

How SOC 2 compliance works

01 Basis: Fixed fee

Implementation

We scope the Trust Services Criteria and system boundaries, run the risk assessment, write the policies, support the controls, and run a readiness review before the formal examination.

02 Milestone: Type I or Type II

Attestation

We coordinate with your chosen CPA firm, prepare the evidence packages, and take you through the examination, Type I for speed or straight to Type II where the timeline allows.

03 Minimum term: 12-month minimum

Maintenance

Evidence collects as you work and we liaise with the CPA firm, so the annual Type II examination doesn't turn into a scramble.

That's the shape of the engagement. The full service description sets out every activity, assumption, and exclusion.

Read the full service description

Companies we've worked with

Ampere, Beam, Biographica, Chalfen, General Index, Harbr Data, Judge.me, Lightsonic, Responsible Marketing, Syntasso, The Key Group, Zaptic

What we put in place

We focus on what you actually do day-to-day and adjust policies and evidence to fit. If something genuinely doesn't apply (say you don't process payments), we scope the Trust Services Criteria appropriately rather than inventing work.

01 Trust Services Criteria scoping
02 System boundary definition
03 Risk assessment and register
04 Control mapping and gap analysis
05 Core security policies and procedures
06 Access control and MFA
07 Logging and monitoring
08 Change management
09 Incident response
10 Vendor and third-party management
11 Security awareness and training
12 Readiness assessment and CPA liaison

Who it's for

20 to 200 employees: large enough to face US customer demands, small enough that enterprise templates would swamp the business

Selling into the US: SaaS platforms, technology-enabled services, or professional services with US buyers or investors

Handling sensitive customer data: customer data, financial information, or other data where buyers expect independent assurance

Under external pressure: procurement questionnaires, investor due diligence, or contractual attestation requirements

Baseline security in place: SOC 2 refines and evidences controls like MFA and logging, rather than building them from scratch

What's not included

  • Deep technical remediation (re-architecture, code fixes, SIEM build)
  • Penetration testing and red team exercises
  • Other compliance frameworks (ISO 27001, PCI-DSS, HIPAA)
  • Legal drafting of DPAs, MSAs, and contracts
  • CPA examination fees (procured from the auditor directly)

Read the full service description

You work with a named Lead Consultant who holds recognised credentials (ISO 27001 Lead Auditor or Implementer, CIPM, CISSP). They are your single point of accountability, reporting to whoever you nominate as executive sponsor. Where it helps, we pair them with a compliance automation platform such as Drata, connected to your existing tools like AWS, Google Workspace, and GitHub, so evidence is collected continuously and your readiness shows on a live dashboard.

Term and pricing

Phase 1: Implementation

One-off

Fixed fee

Phase 2: Maintenance

12-month minimum

Recurring fee, renewable annually

With ISO 27001, vCISO, or DPO

Optional

Can be combined where it makes sense

Exact figures depend on your size, your starting point, and how much needs putting in place. Use the calculator for an indicative estimate.

Estimate the cost

Common questions

SOC 2 FAQs

See whether SOC 2 is the right move.

A short conversation is usually enough to tell whether SOC 2 is worth pursuing now, or whether a strong set of controls and a well-answered questionnaire would buy you time. If something else suits you better, we'll say so.