SOC 2 Compliance Software

Your Security, Independently Verified. Every Audit Period.

What is SOC 2?

SOC 2 is the US attestation framework for proving that a service organization handles customer data securely. Developed by the AICPA, it results in an independent auditor's report assessing your controls against five Trust Services Criteria: Security (required in every report), Availability, Processing Integrity, Confidentiality, and Privacy. There are two report types: a Type I report assesses whether controls are suitably designed at a point in time; a Type II report assesses whether they operated effectively over an observation period, typically six to twelve months. Type II is what enterprise buyers expect.

Already ISO 27001 certified? The Security criterion overlaps heavily with controls you already run, so SOC 2 builds on that work instead of repeating it.

Who Needs SOC 2?

Any service organization whose customers demand formal proof of data security. In practice: SaaS companies selling to US enterprises, managed service providers handling customer data, and cloud infrastructure or storage providers. For EU companies, the trigger is almost always the same: a US enterprise deal stalling at security review. A SOC 2 Type II report is what removes that blocker.

100% hosted in the EU

How ISOPlanner™ Supports SOC 2

SOC 2: The Security Framework for US Enterprise Buyers

SOC 2 is the standard US enterprise buyers use to assess the security practices of service providers. ISOPlanner™ structures your SOC 2 program inside Microsoft 365, using your existing environment rather than adding another compliance tool.

Pre-mapped SOC 2 controls

ISOPlanner™ includes a pre-built SOC 2 framework mapped to the Trust Services Criteria. Controls are structured and ready to assign: no gap analysis from scratch, no blank spreadsheet to fill in. You still decide which criteria beyond Security are in scope for your service commitments; the mapping gives you the controls for each, not the scoping decision.


AI-generated tasks

The AI Assistant reads your active SOC 2 controls and generates specific work items for the responsible team members. Control owners receive tasks tied to the requirements they need to fulfil, without manual translation from framework language to operational steps.

Continuous evidence collection

Evidence covering the observation period, which a SOC 2 Type II report requires, is collected and stored in SharePoint continuously rather than assembled at the end. For Microsoft-native controls, such as MFA enforcement status and Secure Score, collection is automated. Evidence is organized by control and available to auditors without last-minute preparation, which matters because Type II auditors sample across the whole period, not just its final weeks.
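As an added example (not ISOPlanner's code) of what automated, Microsoft-native evidence collection looks like in practice, the script below pulls MFA registration status and Secure Score from Microsoft Graph and files each as a timestamped, hashed record. The two Graph endpoints and the permissions named in the docstring are real; the app registration, the GRAPH_TOKEN environment variable, the control labels and the sample data are assumptions for illustration.

```python
"""Snapshot two Microsoft 365 signals commonly used as SOC 2 Type II evidence
(MFA registration coverage and Secure Score) into hashed, timestamped records.

Added example for this page; it is not ISOPlanner code. It assumes an Entra
app registration granted the Graph permissions AuditLog.Read.All,
UserAuthenticationMethod.Read.All and SecurityEvents.Read.All, with an
access token supplied in the GRAPH_TOKEN environment variable. The control
labels are placeholders, not IDs from the Trust Services Criteria."""
import hashlib
import json
import os
import urllib.request
from datetime import datetime, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample responses in the shape Graph returns, so the summary
# functions can be exercised offline.
SAMPLE_REGISTRATIONS = [
    {"userPrincipalName": "alice@example.com", "isMfaRegistered": True, "isAdmin": True},
    {"userPrincipalName": "bob@example.com", "isMfaRegistered": False, "isAdmin": True},
    {"userPrincipalName": "carol@example.com", "isMfaRegistered": True, "isAdmin": False},
    {"userPrincipalName": "dave@example.com", "isMfaRegistered": False, "isAdmin": False},
]
SAMPLE_SCORES = [
    {"createdDateTime": "2025-03-01T00:00:00Z", "currentScore": 58.0, "maxScore": 95.0},
    {"createdDateTime": "2025-03-02T00:00:00Z", "currentScore": 61.0, "maxScore": 95.0},
]


def graph_get(path, token):
    """GET a Graph collection, following @odata.nextLink until exhausted."""
    url = f"{GRAPH}{path}"
    items = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def mfa_coverage(registrations):
    """Summarise userRegistrationDetails: overall MFA registration and,
    separately, any admin accounts without MFA, which auditors flag first."""
    total = len(registrations)
    registered = sum(1 for r in registrations if r.get("isMfaRegistered"))
    admins_without_mfa = sorted(
        r["userPrincipalName"]
        for r in registrations
        if r.get("isAdmin") and not r.get("isMfaRegistered")
    )
    return {
        "users": total,
        "mfa_registered": registered,
        "coverage_pct": round(100.0 * registered / total, 1) if total else 0.0,
        "admins_without_mfa": admins_without_mfa,
    }


def latest_secure_score(scores):
    """Pick the most recent daily Secure Score entry and express it as a percentage."""
    if not scores:
        return None
    latest = max(scores, key=lambda s: s["createdDateTime"])
    return {
        "as_of": latest["createdDateTime"],
        "current": latest["currentScore"],
        "max": latest["maxScore"],
        "pct": round(100.0 * latest["currentScore"] / latest["maxScore"], 1),
    }


def evidence_record(control, payload, collected_at):
    """Wrap a snapshot with its collection time and a SHA-256 digest of the
    canonical JSON, so a file stored per control can later be shown unmodified."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return {
        "control": control,
        "collected_at": collected_at,
        "sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
        "evidence": payload,
    }


def collect(registrations, scores, collected_at=None):
    """Build the two evidence records from already-fetched Graph data."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    return [
        evidence_record("mfa-coverage", mfa_coverage(registrations), collected_at),
        evidence_record("secure-score", latest_secure_score(scores), collected_at),
    ]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")
    if token:  # live run against the tenant
        regs = graph_get("/reports/authenticationMethods/userRegistrationDetails", token)
        scores = graph_get("/security/secureScores?$top=1", token)
    else:  # offline run on the constructed sample
        regs, scores = SAMPLE_REGISTRATIONS, SAMPLE_SCORES
    print(json.dumps(collect(regs, scores), indent=2))
```

Run it on a schedule (daily is typical) and keep every output: the series of records is what demonstrates the observation period, and the digest lets an auditor confirm a record was not edited after collection. The admin-without-MFA list is separated out because a single privileged account without MFA is the kind of exception a Type II report will name.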


Audit planning and audit trail

Schedule your internal readiness assessments and manage auditor access directly within ISOPlanner™. The full audit trail (control assignments, evidence submissions, review records) is maintained in SharePoint.

Trust Services Criteria as an ongoing posture, not a last-minute scramble.

Book a demo

Frequently Asked Questions

01.

What is the difference between a SOC 2 Type I and Type II report?

A SOC 2 Type I report evaluates whether an organisation's controls are suitably designed to meet the selected Trust Services Criteria at a specific point in time. A SOC 2 Type II report goes further: it tests whether those controls operated effectively over an observation period of typically six to twelve months. Type II carries significantly more weight with enterprise customers because it demonstrates sustained operational security, not just a snapshot. ISOPlanner™ structures evidence collection continuously so organisations are always audit-ready for Type II.

02.

What are the five Trust Services Criteria in SOC 2?

SOC 2 is built around five Trust Services Criteria defined by the AICPA. Security is mandatory for all SOC 2 reports and covers access controls, incident response, and risk management. The four additional criteria are: Availability (system uptime and performance), Processing Integrity (accuracy and completeness of processing), Confidentiality (protection of confidential information), and Privacy (handling of personal information). Organisations select the criteria relevant to their service commitments.

03.

How long does a SOC 2 audit typically take?

A SOC 2 Type I audit takes approximately two to four months: readiness assessment, gap remediation, and audit fieldwork. A Type II audit requires an additional observation period of six to twelve months. Organisations pursuing Type II for the first time typically complete the full process in nine to fifteen months from kickoff. ISOPlanner™ accelerates preparation with structured control documentation and automated evidence collection from day one.

04.

Who is qualified to deliver a SOC 2 report?

SOC 2 reports are issued by licensed Certified Public Accountants (CPAs) or CPA firms performing attestation engagements under AICPA standards. Unlike ISO 27001, which is handled by accredited certification bodies, SOC 2 is an attestation: the auditor provides an opinion rather than issuing a certificate. Organisations should select an auditor with specific experience in technology and cloud services, as the work requires deep understanding of security controls in those environments.

05.

How does SOC 2 relate to ISO 27001?

SOC 2 and ISO 27001 are complementary but serve different audiences. ISO 27001 is a certifiable management system standard primarily required by enterprise buyers in Europe. SOC 2 is an attestation report most commonly required by US-based enterprise customers. Many organisations pursue both: ISO 27001 builds the control framework and SOC 2 uses that same evidence to produce a customer-facing trust report. ISOPlanner™ maps SOC 2 Trust Services Criteria to ISO 27001 Annex A controls so evidence collected for one serves the other.

06.

Is a SOC 2 report confidential and who can receive it?

Yes. Unlike ISO 27001 certificates, which are public documents, SOC 2 reports are confidential and intended for restricted distribution. Organisations typically share them with customers and prospects under NDA as part of vendor security reviews. The report contains detailed descriptions of controls and any auditor exceptions, making unrestricted distribution inadvisable. A SOC 3 report is a public summary version that can be shared freely when an organisation wants to demonstrate compliance without disclosing the full report.

07.

What types of evidence are needed for a SOC 2 audit?

SOC 2 auditors require evidence that controls are in place and operating effectively across the observation period. Common evidence types include: access control configurations and user access reviews, vulnerability scan and penetration test results, incident and change management records, background check documentation, vendor risk assessments, system monitoring alerts and logs, and security awareness training completion records. ISOPlanner™ automates evidence collection for each control area, generating an audit-ready pack aligned to the AICPA Trust Services Criteria.