Last verified 2026-05-13

Buyer questions, answered first.

8 of the questions we hear most from people considering SOC 2. Each page leads with the answer in three to six sentences, sources it, and links to the deeper read if you want it.

Most buyers do not want a 3,000-word article. They want the answer, the source, and a way to verify. That is what these are.

Can customers see my SOC 2 report?

Yes, but not publicly. SOC 2 reports are confidential by industry convention and shared only under a signed NDA. The report contains detailed system descriptions, control procedures, and sometimes specific exceptions: information that would be useful to an attacker or a competitor. The standard process is to share the full report with customers and serious prospects after a mutual NDA, and to post a public trust center page that confirms your report type, audit period, auditor name, and scope without disclosing the report itself. Most GRC platforms include a trust center feature that automates the NDA-gated distribution and logs who has accessed the report.

Can I do SOC 2 without an auditor?

No. You can prepare for SOC 2 on your own, but the final attestation report must be issued by an independent, licensed CPA firm, and this is a non-negotiable requirement under AICPA attestation standards. A self-produced 'SOC 2-style' document carries no weight with informed buyers because the entire value of the report comes from the auditor's independence. What you can do internally is implement controls, write policies, collect evidence, and run a readiness assessment. Doing that preparation work yourself before engaging a CPA firm typically cuts audit fees by 30 to 50 percent compared to handing everything to a full-service consultant.

Do I need a pen test for SOC 2?

SOC 2 does not explicitly mandate penetration testing in its written criteria, but in practice auditors expect it. Under CC4.1 of the AICPA Trust Services Criteria, organizations must demonstrate that controls are present and functioning through a combination of ongoing monitoring and 'separate evaluations,' and penetration testing is the most widely accepted form of evidence for that requirement. Without a credible, scoped, third-party pen test with documented remediation, auditors will ask for it or note the gap. The test must cover all systems in your audit scope, fall within or close to your audit period, and include remediation evidence for any findings, not just the findings themselves.

Do I need SOC 2 if I have ISO 27001?

It depends on which market you sell into, and the two frameworks do not substitute for each other. SOC 2 is a confidential attestation report issued by a licensed CPA firm under AICPA standards. ISO 27001 is a public certification issued by an accredited certification body. US and Canadian enterprise procurement teams typically ask for SOC 2; EU, UK, and APAC customers ask for ISO 27001. If your pipeline spans both geographies, you will likely need both, but start with whichever framework your current largest deal requires. Some firms offer combined engagements that can cut total cost by 20 to 30 percent versus running two separate projects.

Does SOC 2 cover GDPR?

No, SOC 2 does not cover GDPR, though the two frameworks overlap on security controls. SOC 2 is a voluntary attestation focused on how your organization protects data in its systems. GDPR is an EU law focused on individual rights over personal data, and it applies to any company processing EU residents' data regardless of where you are located. A mature SOC 2 program addresses roughly 50 to 60 percent of GDPR's technical and organizational measures, and adding the SOC 2 Privacy criterion raises that to about 70 to 75 percent. The remaining GDPR requirements, covering legal basis for processing, data subject rights (access, deletion, portability), Data Protection Impact Assessments, and potentially a Data Protection Officer, are not addressed by SOC 2 at all.

How long does SOC 2 take for a 10-person startup?

For a 10-person startup starting from scratch, plan on roughly 10 to 14 weeks for a Type 1 report and 8 to 12 months end-to-end for a Type 2. The Type 1 timeline covers readiness assessment, gap remediation, and audit fieldwork. The Type 2 timeline is dominated by the observation period, typically a minimum of three months and more commonly six, during which the auditor samples evidence that controls actually operated as documented. The audit fieldwork itself is the smallest phase; the preparation and observation period are what eat the calendar. Using a compliance automation platform can compress the preparation phase significantly, but it does not shorten the observation period.

Is SOC 2 worth it for pre-seed startups?

Generally no, unless a specific deal requires it. Pre-seed companies are still finding product-market fit, and SOC 2 is a market requirement driven by enterprise buyers, not a legal one. The first-year cost for a startup typically runs $20,000 to $60,000 once you add audit fees, compliance tooling, and internal engineering time. The ROI math only works when there is a deal or procurement process actively blocked by the absence of a report. If no enterprise prospect has asked for it, that money is better spent on product. The calculus changes once you start closing contracts above $50,000 ARR and procurement teams begin sending security questionnaires.

What happens if I fail my SOC 2 audit?

SOC 2 is not pass/fail. The auditor issues one of four opinions: unqualified (clean), qualified (limited issues), adverse (controls broadly failed), or disclaimer (insufficient evidence). A qualified opinion, the most common unfavorable outcome, means the auditor found specific control exceptions but the rest of the report is still valid. Sophisticated procurement teams read the exceptions, not just the opinion type, so a single administrative finding is very different from a pattern of operational failures. The path forward is a written remediation plan, corrected controls, a new observation period, and a subsequent audit. Most qualified opinions are recoverable within 6 to 12 months.

What buyers actually ask, and when

The 8 questions on this page do not all arrive at the same stage of a buyer's SOC 2 process. They cluster into three groups: decisions that come before any audit work starts, operational questions that arise once the program is running, and practical questions about what to do with the report once it exists. Most SOC 2 FAQ pages ignore this structure entirely, which means buyers at different stages have to skim a long list to find what is relevant right now.

Below, we have organized all 8 guides by stage. Each section includes a brief framing of what buyers are really asking under the surface. For cost data and auditor selection, see our SOC 2 audit cost guide and how to choose a SOC 2 auditor.

Pre-audit: am I doing this at all?

Four of the eight questions are really one question in different forms: is this worth the spend, and is now the right time? The answers are not obvious because the compliance industry has strong commercial reasons to make SOC 2 sound urgent and universal. It is neither.

Is SOC 2 worth it for pre-seed startups?

Usually no, unless a specific enterprise deal is blocked on it. The first-year spend for a small team runs $20,000 to $60,000 once audit fees, compliance tooling, and internal engineering time are added up. The ROI math only works when a named prospect has SOC 2 in their security questionnaire and the deal is otherwise advancing. If no one has asked for it, the money belongs on product. Read the full answer at Is SOC 2 worth it for pre-seed startups? It includes a cheaper interim move: a trust center page with documented policies and a roadmap, which many buyers will accept for a 12-month bridge.

Do I need SOC 2 if I have ISO 27001?

The two frameworks do not substitute for each other, even though the underlying security controls overlap substantially. ISO 27001 produces a public certificate. SOC 2 produces a confidential, NDA-gated report with an auditor opinion letter. US enterprise procurement questionnaires ask for the SOC 2 report by name. Answering "we have ISO 27001 instead" rarely closes that question. If your pipeline spans the US and the EU, you will likely need both eventually. Some firms run combined engagements that cut total cost by 20 to 30 percent. "Do I need SOC 2 if I have ISO 27001?" covers the combined-engagement option and the one geography where each framework alone is sufficient. The frameworks reference on this site maps both frameworks side by side.

Can I do SOC 2 without an auditor?

No. The final attestation report must come from a licensed CPA firm under AICPA attestation standards. A self-produced "SOC 2-style" document has no weight with an informed procurement reviewer because the entire value of the report comes from the auditor's independence. What you can do internally (implement controls, write policies, collect evidence, run a readiness assessment) typically cuts audit fees by 30 to 50 percent. The confusion here is partly caused by compliance platforms (Vanta, Drata, and similar) that automate evidence collection and get marketed as SOC 2 solutions. They are readiness tools, not audit firms. The full answer is at "Can I do SOC 2 without an auditor?" Our auditor directory lists 180 licensed CPA firms that conduct SOC 2 examinations.

Does SOC 2 cover GDPR?

No. SOC 2 covers roughly 50 to 60 percent of GDPR's technical and organizational measures. Adding the optional SOC 2 Privacy criterion raises that to about 70 to 75 percent. The remaining gap includes legal basis for processing, data subject rights (access, deletion, portability), Data Protection Impact Assessments, and international transfer mechanisms. None of those are security controls; they are legal and governance obligations that need a separate program. US SaaS teams selling into the EU regularly assume SOC 2 satisfies their GDPR obligations. It does not. "Does SOC 2 cover GDPR?" maps exactly where the overlap is real and where it stops.

In-audit: how does this actually work?

Two questions arrive once the decision to pursue SOC 2 is made and the program is underway. Both reveal the same underlying surprise: SOC 2 is a program with hard calendar constraints and required third-party inputs, not a one-time purchase that can be hurried.

How long does SOC 2 take for a 10-person startup?

Plan on 10 to 14 weeks for a Type 1 and 8 to 12 months end-to-end for a Type 2. The Type 2 timeline is dominated by the observation period, the window during which the auditor samples evidence that controls actually operated as documented, typically a minimum of three months and more commonly six. No compliance platform or extra budget can compress that window. What you can compress is the preparation phase: teams that arrive with mature documentation and tested controls typically spend 6 to 8 weeks preparing instead of 12. A practical sequencing: get the Type 1 in hand for early enterprise prospects, then immediately roll into the Type 2 observation period so both land within 12 months of starting. Full breakdown at How long does SOC 2 take for a 10-person startup?

Do I need a pen test for SOC 2?

SOC 2 does not explicitly require penetration testing in the AICPA's written Trust Services Criteria, but auditors expect one in practice. Under CC4.1, organizations must demonstrate controls through a combination of ongoing monitoring and "separate evaluations." A scoped third-party pen test, with documented remediation of findings, is the most widely accepted form of evidence for that criterion. A vulnerability scan alone is not equivalent: the two are treated as distinct evidence types. The pen test must cover all systems in audit scope, fall within or close to the audit period, and show remediation evidence alongside the findings. Cost typically runs $8,000 to $25,000 for a SaaS product. The full picture is at Do I need a pen test for SOC 2?

Post-audit: how does the report play in the world?

Two questions arrive after the report ships. Both are about what the report actually does in the hands of buyers and what to do when it does not come back clean.

Can customers see my SOC 2 report?

Yes, under NDA, not publicly. SOC 2 reports are confidential by industry convention and shared only after a signed mutual NDA because the system description is effectively a detailed map of your production architecture and control procedures. The standard setup is a public trust center page that confirms your report type, audit period, auditor name, and scope, plus an NDA-gated request flow for the full PDF. Posting the full report publicly on your website is not recommended: most auditors advise against it, and many engagement letters explicitly restrict unrestricted public distribution. The side effect of this NDA convention is that buyers cannot comparison-shop on actual report quality. They see the opinion type and must ask pointed questions to understand what is behind it. Details and a practical trust center setup are at Can customers see my SOC 2 report?

What happens if I fail my SOC 2 audit?

SOC 2 is not pass/fail. The auditor issues one of four opinions: unqualified (clean), qualified (specific exceptions, rest of report still valid), adverse (controls broadly failed), or disclaimer (insufficient evidence to form an opinion). Most unfavorable outcomes land in "qualified," which is recoverable. Sophisticated procurement reviewers read the exceptions section, not just the opinion type. A documented remediation plan for administrative gaps often keeps deals alive. Auditors also have structural incentives not to issue adverse opinions: they typically flag exceptions during fieldwork so organizations can remediate before the report ships. A flat adverse opinion is rare; most organizations get a chance to address findings before the report is finalized. Full recovery from a qualified opinion typically takes 6 to 12 months: remediation, a new observation period, and a subsequent audit. The full breakdown is at What happens if I fail my SOC 2 audit?

Why these questions keep recurring

The questions on this page are basic. They are also questions that a first-time buyer genuinely cannot answer from vendor marketing, because the compliance industry has commercial reasons not to make the answers clear. A few concrete examples:

"SOC 2 certification" does not exist. SOC 2 is an attestation, not a certification. Certifications come from certification bodies and produce a public certificate (ISO 27001 is the most common example). An attestation comes from a CPA firm and produces a confidential report with an auditor opinion. The distinction matters because the deliverables are different, the audiences are different, and the buying motion is different. Marketing copy that says "SOC 2 certified" is technically wrong, but it persists because buyers do not know to push back on it.

"HIPAA certified" also does not exist as a formal designation, yet vendors in the healthcare SaaS space use it regularly. Buyers who hear this term usually mean HITRUST, which is an actual certification program, or they mean HIPAA-compliant as a contractual claim, which is a legal assertion rather than a third-party-verified one. The confusion costs buyers time when they finally talk to a CPA firm and discover the deliverable they thought they were buying does not exist.

Compliance automation platforms are sold as "SOC 2 solutions" but they do not produce a SOC 2 report. They automate evidence collection and readiness tracking. The actual examination and the opinion letter come from a separate, independent CPA firm. Buyers who think the platform is the audit find out at the procurement stage that they still need an auditor. This is not a small misunderstanding: the cost of an audit firm is typically the second-largest line item after the platform, not a minor add-on.

Pen tests are required in practice but not in writing. The AICPA's Trust Services Criteria document (CC4.1) does not use the words "penetration test." Most auditors require one anyway because it is the accepted evidence type for the "separate evaluations" requirement. Buyers who read the criteria carefully and conclude a pen test is optional find themselves arguing with their auditor during fieldwork. The gap between what the standard says and what auditors expect is a recurring source of budget surprises.

The NDA requirement on reports means buyers cannot comparison-shop on report quality. They can see that a vendor has a Type 2 report. They cannot see whether the auditor found 12 exceptions or none without asking pointed questions and reviewing the exceptions section themselves. This opacity benefits auditors and vendors with weaker reports equally. The insights library has longer reads on how to evaluate what you actually receive.

Failing a SOC 2 audit, in the adverse-opinion sense, is rare. Auditors flag exceptions during fieldwork and give organizations a chance to remediate before the report is finalized. The common outcome for a team with genuine control gaps is a qualified opinion, not an adverse one, and qualified opinions are routinely managed through a remediation plan and a subsequent audit. The framing of SOC 2 as binary pass/fail, which many compliance platforms use to sell readiness services, is inaccurate and inflates buyers' anxiety about audit outcomes.

How a question becomes a guide here

We publish a guide when a question arrives more than once in our inbox. That rule keeps the list short and the answers useful: every guide on this page reflects something buyers actually asked, not a keyword we decided to target. The current set of 8 covers the questions that recur most often from people in early conversations with their first auditor or in procurement cycles where a deal is gating on a SOC 2 report.

If you have a question that is not covered here, email hello@soc2auditors.org. If it comes in more than once, it gets a page. If it is specific to your situation and you want a direct answer, the same address works. We read it.

For questions about which auditor to use, the auditor directory lists 180 licensed CPA firms with scope information, and how to choose a SOC 2 auditor walks through the evaluation criteria. For questions about overlapping frameworks, the frameworks reference covers SOC 2, ISO 27001, GDPR, and others side by side.

A question we did not answer?

Email hello@soc2auditors.org. If a question shows up more than once, it gets a guide.

For deeper treatment of any of these topics, browse our insights library or the frameworks reference.