Definition
SOC 2 is governed by the American Institute of Certified Public Accountants (AICPA) and is part of the SOC reporting framework alongside SOC 1 (financial reporting controls) and SOC 3 (general-use summary report). Only AICPA-licensed CPA firms can issue SOC 2 reports.
The audit attests to an organisation's controls against the AICPA Trust Services Criteria. The Common Criteria (CC1–CC9) are mandatory for all SOC 2 reports. The additional categories (Availability A1, Processing Integrity PI1, Confidentiality C1, Privacy P1–P8) are optional and are added based on their relevance to the organisation's commitments to its customers.
There are two report types: Type 1 attests to control design effectiveness at a single point in time; Type 2 attests to design AND operating effectiveness over a period (typically 6–12 months). Most enterprise procurement requires Type 2.
Core components
- Trust Services Criteria (TSC). The AICPA framework against which SOC 2 reports attest. Common Criteria CC1–CC9 mandatory; Availability, Processing Integrity, Confidentiality, and Privacy categories optional.
- CC1–CC9 (Common Criteria). Control environment, communication and information, risk assessment, monitoring activities, control activities, logical and physical access controls, system operations, change management, and risk mitigation.
- Type 1 vs Type 2. Type 1 = design at a point in time; Type 2 = design + operating effectiveness over a period.
- Audit period. For Type 2, typically 6–12 months. The auditor samples evidence across the period.
- Independent CPA firm. Only AICPA-licensed CPA firms can issue SOC 2 reports.
- Report distribution. SOC 2 reports are restricted-use (typically to customers and prospects under NDA). SOC 3 is the general-use summary version.
Why it matters
SOC 2 has become the de facto trust signal for SaaS, fintech, and many B2B-services companies in North America. Enterprise procurement processes increasingly require SOC 2 Type 2 before a vendor is even considered. Without it, deals stall or are lost.
For MSPs, SOC 2 plays two roles. The MSP's own SOC 2 report is an essential credibility signal for serving SOC 2-conscious clients, since the MSP is part of the client's vendor risk assessment. SOC 2 readiness delivered as a service to client tenants is also a billable engagement.
SOC 2 and ISO 27001 overlap substantially. Many organisations pursue both, since SOC 2 is more accepted by North American technology buyers and ISO 27001 is more accepted internationally.
How Lavawall® helps with SOC 2 (System and Organization Controls 2)
Lavawall® treats SOC 2 as a first-class framework. The AICPA Trust Services Criteria map directly to live evidence Lavawall® already collects from Windows / macOS / Linux endpoints and M365 / Entra / Azure / Google Workspace tenants.
Multi-tenant by design supports MSP SOC 2 delivery across many client tenants. Per-client isolation, per-client billing, and co-branded reports are native concepts.
ThreeShield, the audit firm that built Lavawall®, has direct experience advising on SOC 2 audits. The control mappings reflect what AICPA-certified auditors actually examine. SSP, control narrative, and evidence packaging output are designed for assessor consumption.
Frequently asked
- Type 1 or Type 2?
- Type 2 is what most enterprise procurement expects. Type 1 is sometimes used as an interim deliverable for organisations not yet ready for the period-based evidence Type 2 requires.
- How long does a SOC 2 Type 2 audit take?
- The audit period itself is typically 6–12 months of operating-effectiveness evidence. Readiness work before the period begins varies; with continuous evidence collection in place, audit readiness can be achieved in months rather than the year-plus a manual programme requires.
- Can the same evidence support SOC 2 and ISO 27001?
- Substantially yes. The frameworks overlap in control content. Lavawall® maps to both, so a single evidence base supports both audits where the controls overlap.
- Does Lavawall® issue the SOC 2 report?
- No. SOC 2 reports are issued only by AICPA-licensed CPA firms. Lavawall® produces the evidence and the supporting documentation; the auditor samples and attests.