SOC 2 Type 1 is a starting line: a small-team field guide

Engineering notes · Black Iris

At some point in the life of a B2B software company, a customer's procurement team asks for "your SOC 2 report" and the calendar suddenly has a hole in it. For most small teams, the right first move is a SOC 2 Type 1, not a Type 2. Here's what that actually involves, what it doesn't, and the path we'd walk a team through.

Type 1 vs Type 2, in plain language

A SOC 2 Type 1 report attests that, on a specific date, your security controls were designed appropriately and in place. It's a snapshot. The audit window is effectively a single day.

A SOC 2 Type 2 report attests that those controls operated effectively over a period — usually three, six, or twelve months. It's a movie. You can't fake a Type 2 by sprinting for a week; the auditor samples evidence across the entire window.

If you've never been audited before, Type 1 is the honest starting point. It forces you to write down your controls, prove they exist on day zero, and gives you a defensible artifact to hand to a buyer while you collect the evidence Type 2 will require later.

What SOC 2 actually is

SOC 2 is an attestation framework defined by the AICPA, based on the five Trust Services Criteria:

  • Security (required for every engagement)
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

You scope your engagement to whichever criteria are relevant. Most first-time reports cover Security only, plus Confidentiality if you process customer data that has nondisclosure obligations attached. Privacy is the heaviest and usually deferred.

The thing first-time teams find most surprising: SOC 2 doesn't tell you what controls to implement. It audits what you say your controls are, against the relevant criteria. The framework gives you the questions; you define the answers; the auditor checks that your answers match what's actually happening. This is empowering and dangerous in equal measure.

"Aligned" vs "audited" — pick your words carefully

A claim worth defending: "Our platform is SOC 2-aligned" means you have designed and operate the controls a Type 1 auditor would expect to see, even if no report has been issued. It's an honest statement when it's true, and a useful one for SMEs who can't yet justify the cost of a formal audit.

"Our platform is SOC 2-certified" or "SOC 2-compliant" is a stronger claim and, importantly, is only honest if you can produce a current report from a CPA firm. Don't blur the line — sophisticated buyers will catch it, and your eventual auditor will not be amused.

The five buckets of work

For a small team aiming at a Type 1 report, the work breaks down into five buckets that almost always need attention:

  • Identity and access. SSO for production systems, MFA enforced, role-based access, a documented joiner/mover/leaver process, and quarterly access reviews. The most common shortfall is not the policy — it's not having the evidence (the access-review email thread, the off-boarding ticket, the SSO config screenshot).
  • Change management. Pull requests with mandatory review, deployment via CI/CD with audit logs, separation between the person who writes code and the person who can push it to production, documented rollback procedures.
  • Monitoring and incident response. Logs from production are collected and retained, alerts route to a named on-call rotation, you have a written incident response procedure, and you've actually run it at least once (a tabletop counts).
  • Vendor management. A list of every third-party SaaS your production system depends on, the data each one receives, and the DPA or equivalent agreement on file.
  • Policies and training. Written policies on security, acceptable use, data handling, incident response, business continuity. Annual security awareness training for the team, with completion evidence.

None of this is exotic. Most of it should already exist in some form. The work is mostly turning informal practice into documented practice, and being able to prove the documented practice with logs, tickets, and screenshots.

A realistic 90-day path

For a small team starting from a reasonable baseline (CI/CD, version control, cloud hosting, SSO in some form), a typical timeline:

  • Weeks 1–2: Choose an auditor and a scope. Pick a compliance automation tool if budget allows (Drata, Vanta, Secureframe — these dramatically reduce the evidence-collection burden, but they don't make you compliant).
  • Weeks 2–6: Draft policies, close obvious control gaps (MFA enforcement, access reviews, vendor DPAs), wire up evidence collection.
  • Weeks 6–10: Pre-audit / readiness assessment, fix anything flagged, finalize the system description.
  • Weeks 10–12: Formal audit, point-in-time evidence collection, report issuance.

Twelve weeks is achievable if leadership is genuinely engaged. Six months is more realistic if the team is also shipping a product. Anything claiming "SOC 2 in 30 days" is selling a tool subscription, not an audit.

What your customers actually want

The under-discussed truth is that many enterprise buyers don't strictly need the SOC 2 report. They need an answer to "are you a serious vendor?" The Type 1 report is a strong, defensible answer; a thorough completed security questionnaire backed by demonstrable controls is often acceptable as a bridge.

Ask the buyer what they actually need. "Type 1 in flight, Type 2 in twelve months" is a credible position for a small vendor. "We don't have anything and we'd rather not talk about it" is not.

The actual takeaway

SOC 2 Type 1 is less about earning a certificate and more about forcing your security practice to become legible — to a buyer, to an auditor, to the engineer who joins next month. The teams that get the most out of the process treat the report as a byproduct of doing the work, not the goal. Do the controls because they're correct; the audit just confirms it.

← More writing from Black Iris