Lumina Risk Advisory

SOC 2 Readiness

Pass your SOC 2.
First try.

SOC 2 is the security framework enterprise buyers ask for before they sign. We build the controls, write the policies, organize the evidence, and brief you for the audit — so you pass without the chaos of figuring it out as you go.

Type I or Type II · Auditor-agnostic

Timeline

10–12 weeks

Engagement

Fixed-fee project

Best for

SaaS & tech companies

Output

SOC 2 Type I or II report

The qualifier

Do you actually
need SOC 2?

SOC 2 is worth it if any of these apply to your company right now:

  • An enterprise prospect has sent you a security questionnaire or a vendor trust letter

  • A deal is stalled at the security review stage

  • Your procurement contact has asked when you'll have a SOC 2 report

  • You're building toward an IPO and need a controls baseline

  • A board member or investor has flagged information security as an open risk

  • You handle regulated data (healthcare, financial, government) and need independent attestation

Not sure yet? That's exactly what the free scoping call is for. We'll tell you whether SOC 2 is the right framework, what scope makes sense, and what it'll realistically take.

Book the call

Trust Services Criteria

Five criteria.
One is required.

SOC 2 is built around the AICPA Trust Services Criteria. Security (Common Criteria) is mandatory in every report. The other four are optional — we help you decide which to include based on what your buyers actually ask for.

CC · Required

Security

Logical and physical access controls, system operations, change management, and risk mitigation. Required in every SOC 2 report.

A · Optional

Availability

Uptime, performance monitoring, and incident response. Add this if your customers have SLA-dependent workloads.

CI · Optional

Confidentiality

Encryption, data classification, and destruction policies. Typically added by companies handling sensitive customer data.

PI · Optional

Processing Integrity

Complete, valid, timely processing. Add this for fintech, payments, or data-processing platforms.

P · Optional

Privacy

Personal information collection, use, and disclosure. Relevant if you hold personal data and want GDPR-aligned evidence.

Report types

Type I vs Type II — which do you need?

Type I

Point-in-time report

Covers the design and existence of your controls at a specific date. Answers: "Do your controls exist, and are they designed correctly?"

  • Fastest path to a SOC 2 report
  • No observation period required
  • Unblocks enterprise deals immediately
  • Foundation for Type II the following year
  • Typical timeline: 10–12 weeks from kickoff

Best for: first-time SOC 2, blocking deals, fast timelines

Type II

Gold standard

Operating effectiveness report

Covers the operating effectiveness of your controls over an observation period (6–12 months). Answers: "Did your controls actually work, consistently, over time?"

  • Required by most Fortune 500 procurement teams
  • Requires minimum 6-month observation period
  • Significantly more valuable than Type I
  • Annual renewal keeps the program credible
  • We stay available throughout the observation period

Best for: enterprise sales, regulated sectors, long-term trust

Our process

Six stages.
No guesswork.

Every SOC 2 readiness engagement follows this sequence. You know what happens each week, what you need to provide, and what we deliver. No surprises, no scope creep, no last-minute scramble.

01 Week 1–2

Scoping & gap assessment

We define your system boundary, select the right criteria, and run a full gap assessment. You receive a prioritized remediation roadmap and a fixed-fee proposal for the remaining work.

02 Week 2–4

Control design

We design controls that fit how your team actually operates, not a generic template. Each control is mapped to the TSC, assigned an evidence owner, and written for auditor consumption.

03 Week 4–6

Policy & procedure authoring

We write your policy library from scratch (or redline what exists). 30+ policies, written in plain English, reviewed by your team, and formatted to auditor standards.

04 Week 4–8

Evidence library build

We work alongside engineering, IT, and HR to gather, label, and organize evidence for every control. No last-minute scramble when the auditor arrives.

05 Week 8–10

Internal walkthrough & testing

We conduct an internal walkthrough mimicking the auditor's process, identifying weak evidence, missing controls, and documentation gaps before they become findings.

06 Week 10–12

Auditor readiness & handoff

We brief you on auditor expectations, handle the initial evidence request, and stay available throughout the audit to answer questions and respond to testing notes.

Stages 01–04 run largely in parallel. Total duration: 10–12 weeks to Type I readiness. Type II observation period begins on audit start date.

In practice

What a typical SOC 2
engagement looks like.

Starting point

No controls

Result

SOC 2 Type I

Timeline

11 weeks

A 40-person SaaS company was losing enterprise deals at the security review stage. They had no documented controls, no policy library, and a SOC 2 requirement from three prospects simultaneously.

We ran gap assessment, designed 34 controls, authored the full policy library, built the evidence package, and supported the audit. SOC 2 Type I report issued in eleven weeks. All three deals unblocked.

Sample engagement · CTO, mid-market SaaS · Details anonymized

FAQ

Questions
we hear every time.

How long does SOC 2 readiness take?

Type I can be achieved in 10–12 weeks from a standing start. Type II requires a minimum observation period (typically 6 months) before the auditor can issue a report. Most clients start with Type I to unblock deals immediately, then layer in Type II.

What is the difference between Type I and Type II?

A Type I report covers the design of your controls at a point in time — it answers "do the controls exist and are they designed correctly?" A Type II report covers the operating effectiveness of your controls over an observation period (usually 6–12 months) — it answers "did the controls actually work, consistently, over time?" Enterprise buyers increasingly require Type II.

Who performs the actual audit?

The SOC 2 report is issued by a licensed CPA firm, not by us. We are your readiness advisor. We prepare you so that when the CPA auditor arrives, you pass on the first try. We can recommend auditors and liaise with them throughout the process.

How much does SOC 2 readiness cost?

Our readiness engagements are fixed-fee, scoped after the initial gap assessment. The audit itself (issued by the CPA firm) is a separate cost, typically in the range of $15k–$50k depending on scope and auditor. We will help you select a firm and understand what drives their fees.

Get started

Ready to pass
your SOC 2?

Book a free scoping call. We'll review your current state, scope the right criteria, and send a fixed-fee proposal within 48 hours.

Fixed-fee proposal in 48 h · Auditor-agnostic