YOUR US COMPLIANCE-DRIVEN BUYERS WANT YOUR SOC 2 ATTESTATION
What you need to know first:
Where you actually stand today
What gaps need to be closed
How much work is really involved
What it will cost in time, money, and resources.
THE PATH TO YOUR SOC 2 ATTESTATION:
GAP ANALYSIS
Know exactly what you're signing up for.
Timeline: 3-4 business days*
What's included:
✓ Current State Assessment: stakeholder interviews based on your Trust Services Criteria (TSC) scope
Security (mandatory): IT/engineering, access management, incident response
Availability: Infrastructure/DevOps, monitoring, backup/DR
Confidentiality: Data handling, legal/contracts sometimes
Processing Integrity: Engineering, QA
Privacy: Legal, HR
✓ Current State: Applicable Trust Services Criterion mapped to your current state; Implemented / Partially Implemented / Missing / Not Applicable
✓ Type I or Type II: A clear, evidence-based recommendation on which report type fits your timeline and customer requirements, based on what your customers are actually asking for, your current evidence-collection maturity, and how much runway you have before you need the report in hand.
✓ Estimated Roadmap: Realistic timeline based on YOUR starting point, resource requirements, and dependencies. Clear ownership for each action.
✓ Budget Planning: Honest assessment of what the SOC 2 attestation will require.
After the Gap Analysis, you can: - Proceed with our Compliance Lead service - Implement yourself with our roadmap - Use another provider - Make a fully informed decision.
Investment: €4,500
COMPLIANCE LEAD SERVICE: PHASE 1
With you until you are ready.
Timeline: 3-6 months (depending on starting point and Trust Services Categories in scope).
What's included:
✓ Policy Development (if applicable): We write the policies, procedures, and documentation you need: not templates, actual policies tailored to your business
✓ Control Implementation: Guidance, Technical and organizational control deployment. Evidence gathering and documentation.
✓ GRC Platform Setup (if applicable): Drata or Vanta implementation and configuration. Automated evidence collection.
✓ Audit Preparation: Pre-audit readiness assessment. Auditor selection guidance.
✓ Ongoing Support: Weekly status calls, Slack access for questions.
This is hands-on implementation, not outsourced compliance. We do the heavy lifting, but SOC 2 requires a counterpart on your team — whoever owns day-to-day security. For interviews, reviews, and technical control deployment, we can't complete them without your access (cloud configs, HR systems, etc.). Expect 3-5 hours/week from that person during implementation.
Investment: €5,500/month
COMPLIANCE LEAD SERVICE: PHASE 2
With you until you get the report.
Timeline: 3-12 months, depending on your customers' requirements and your auditor's recommendations.
What's included:
✓ Evidence Spot-Checks: Periodic review to confirm controls are operating and evidence is accumulating correctly, catching drift before it becomes an audit finding.
✓ Async Support: Slack access for questions, next-business-day response — no weekly calls required.
✓ Pre-Audit Readiness Check: A final review before your auditor's fieldwork begins.
✓ Auditor Support: Guidance through the CPA firm's audit fieldwork and reporting.
Type I engagements skip this phase, moving straight from implementation to audit. During observation, your team operates the controls we built together: we verify it's on track, not build it again. Expect 1-2 hours/week from your counterpart to keep evidence flowing.
Total Investment:
3-month: €5,000
6-month: €8,000
12-month: €13,000
No hidden costs, no surprises later.
Your Path to SOC 2 Type I
Typical Starting Points:
Gap Analysis +
Compliance Lead =
TOTAL INVESTMENT
Already ISO 27001 certified?
€4,500 +
4-5 months =
Starting from scratch?
€4,500 +
6-8 months =
€26,500 - €32,000
€37,500 - €48,500
FAQs
-
We don't recommend it. For SOC 2 specifically, the Gap Analysis is what determines Type I vs. Type II, which Trust Services Categories apply, and how much of your ISO 27001 work carries over — without it, we'd be pricing and scoping blind.
-
Same engagement, same pricing — we work within your existing platform rather than starting over.
-
Yes, if you choose Type II. Implementation is Phase 1; observation-period support (evidence spot-checks, async Q&A) is Phase 2, priced separately based on your observation window length.
-
Type I is a point-in-time assessment; Type II requires proving your controls operated effectively over a 3-12 month window. Which one you need usually comes down to what your customers are actually asking for; something the Gap Analysis will clarify.
-
Every company's starting point is different. A fixed fee either overcharges companies that are further along, or loses money on companies starting from zero. Monthly retainer aligns our incentives — we get you certified as efficiently as possible.
-
No. And we'd be cautious of anyone who does. Our job is to prepare you thoroughly; the auditor's opinion is theirs to give, not ours to promise.

