YOUR US COMPLIANCE-DRIVEN BUYERS WANT YOUR SOC 2 ATTESTATION

What you need to know first:

  • Where you actually stand today

  • What gaps need to be closed

  • How much work is really involved

  • What it will cost in time, money, and resources.

THE PATH TO YOUR SOC 2 ATTESTATION:

GAP ANALYSIS

Know exactly what you're signing up for.

Timeline: 3-4 business days*

What's included:

Current State Assessment: stakeholder interviews based on your Trust Services Criteria (TSC) scope

  • Security (mandatory): IT/engineering, access management, incident response

  • Availability: Infrastructure/DevOps, monitoring, backup/DR

  • Confidentiality: Data handling, legal/contracts sometimes

  • Processing Integrity: Engineering, QA

  • Privacy: Legal, HR

Current State: Applicable Trust Services Criterion mapped to your current state; Implemented / Partially Implemented / Missing / Not Applicable

Type I or Type II: A clear, evidence-based recommendation on which report type fits your timeline and customer requirements, based on what your customers are actually asking for, your current evidence-collection maturity, and how much runway you have before you need the report in hand.

Estimated Roadmap: Realistic timeline based on YOUR starting point, resource requirements, and dependencies. Clear ownership for each action.

Budget Planning: Honest assessment of what the SOC 2 attestation will require.

After the Gap Analysis, you can: - Proceed with our Compliance Lead service - Implement yourself with our roadmap - Use another provider - Make a fully informed decision.

Investment: €4,500

COMPLIANCE LEAD SERVICE: PHASE 1

With you until you are ready.

Timeline: 3-6 months (depending on starting point and Trust Services Categories in scope).

What's included:

✓ Policy Development (if applicable): We write the policies, procedures, and documentation you need: not templates, actual policies tailored to your business

✓ Control Implementation: Guidance, Technical and organizational control deployment. Evidence gathering and documentation.

✓ GRC Platform Setup (if applicable): Drata or Vanta implementation and configuration. Automated evidence collection.

✓ Audit Preparation: Pre-audit readiness assessment. Auditor selection guidance.

✓ Ongoing Support: Weekly status calls, Slack access for questions.

This is hands-on implementation, not outsourced compliance. We do the heavy lifting, but SOC 2 requires a counterpart on your team — whoever owns day-to-day security. For interviews, reviews, and technical control deployment, we can't complete them without your access (cloud configs, HR systems, etc.). Expect 3-5 hours/week from that person during implementation.

Investment: €5,500/month

COMPLIANCE LEAD SERVICE: PHASE 2

With you until you get the report.

Timeline: 3-12 months, depending on your customers' requirements and your auditor's recommendations.

What's included:

Evidence Spot-Checks: Periodic review to confirm controls are operating and evidence is accumulating correctly, catching drift before it becomes an audit finding.

Async Support: Slack access for questions, next-business-day response — no weekly calls required.

Pre-Audit Readiness Check: A final review before your auditor's fieldwork begins.

Auditor Support: Guidance through the CPA firm's audit fieldwork and reporting.

Type I engagements skip this phase, moving straight from implementation to audit. During observation, your team operates the controls we built together: we verify it's on track, not build it again. Expect 1-2 hours/week from your counterpart to keep evidence flowing.

Total Investment:

3-month: €5,000

6-month: €8,000

12-month: €13,000

No hidden costs, no surprises later.

Your Path to SOC 2 Type I

Typical Starting Points:

Gap Analysis +

Compliance Lead =

TOTAL INVESTMENT


Already ISO 27001 certified?

€4,500 +

4-5 months =

Starting from scratch?

€4,500 +

6-8 months =

€26,500 - €32,000


€37,500 - €48,500

FAQs

READY TO UNDERSTAND HOW TO GET THERE?

Book a 30-minute discovery call to discuss your situation.