Getting Started
Quick Start Architecture
AI Agents
MSP Hunter Threat Researcher Tech Support Compliance Agent Account Manager Onboarding Agent
Compliance
HIPAA SOC 2 PCI-DSS NIST
Guides
First 30 Days Scaling
API
Overview Endpoints

SOC 2 Compliance Guide

📋 Compliance 25 min read Updated June 2026

SOC 2 (Service Organization Control 2) is the gold standard certification for SaaS companies and managed service providers. It proves to your clients that you have implemented rigorous controls to protect their data — and that those controls actually work over time. This guide covers everything your MSP needs to know, plus how Gridlock's Compliance Agent compresses a typical 6-month audit prep into 30 days.

Related Reading

See our deep-dive blog post SOC 2 in 30 Days: How MSPs Are Closing Deals Faster with Automated Compliance for real-world MSP case studies and revenue impact data.

What is SOC 2 and Who Needs It?

SOC 2 is a voluntary compliance framework created by the American Institute of Certified Public Accountants (AICPA). It evaluates whether a service organization has effective controls in place to protect the security, availability, processing integrity, confidentiality, and privacy of customer data.

While voluntary, SOC 2 has become a de-facto requirement for any business that stores, processes, or transmits customer data in the cloud. Enterprise procurement teams routinely gate vendor approvals on a current SOC 2 report. For MSPs, a SOC 2 Type II report is increasingly the difference between winning and losing mid-market and enterprise clients.

Organizations that need SOC 2

MSP-Specific Risk

As an MSP, you are a high-value target. You hold privileged access credentials for dozens or hundreds of client environments. A single breach at the MSP level cascades across every client. SOC 2 is not just a sales tool — it is your operating license for the enterprise market.

The 5 Trust Services Criteria

SOC 2 is organized around five Trust Services Criteria (TSC). Security is the only required criterion — the remaining four are selected based on what is relevant to your service commitments and system requirements.

CC — Security

Required

Protection of information and systems from unauthorized access, use, disclosure, modification, or destruction. Covers logical access, change management, risk assessment, monitoring, and incident response.

A — Availability

Optional

Systems are available for operation and use as committed or agreed. Covers uptime monitoring, capacity planning, disaster recovery, and business continuity.

PI — Processing Integrity

Optional

System processing is complete, valid, accurate, timely, and authorized. Most relevant for financial transaction processors and data transformation pipelines.

C — Confidentiality

Optional

Information designated as confidential is protected as committed. Covers encryption, access classification, data minimization, and secure disposal.

P — Privacy

Optional

Personal information is collected, used, retained, disclosed, and disposed of in conformity with commitments in your privacy notice and AICPA Generally Accepted Privacy Principles (GAPP).

Which criteria should MSPs include?

For most MSPs, the recommended scope is Security + Availability + Confidentiality. This covers the three areas that enterprise procurement teams care most about and matches the standard MSP service commitment profile. Processing Integrity is only relevant if you operate financial systems; Privacy becomes relevant when handling personal data subject to GDPR or CCPA.

Criterion Relevant For MSPs Gridlock Coverage
Security (CC) Always — all MSPs Automated
Availability (A) If you provide uptime SLAs or managed infrastructure Automated
Confidentiality (C) If you handle confidential client data Automated
Processing Integrity (PI) Only if you process financial transactions Partial
Privacy (P) If you handle personal data under GDPR/CCPA Partial

Key Security (CC) control domains

The Security criterion is organized into Common Criteria (CC) categories. Understanding these helps you map your existing controls and identify gaps:

Type I vs Type II — Key Differences

There are two varieties of SOC 2 report. Understanding the difference is critical for setting client expectations and planning your audit timeline.

Attribute SOC 2 Type I SOC 2 Type II
What it proves Controls are designed appropriately at a single point in time Controls are designed appropriately and operating effectively over a period of time
Audit period Single day (point-in-time) Minimum 6 months; typically 6–12 months
Time to obtain 2–4 months total 6–14 months total (includes observation period)
Client acceptance Accepted by some; many enterprise buyers require Type II Gold standard; accepted by all enterprise procurement teams
Auditor testing Design evaluation only Design evaluation + operating effectiveness testing with samples
Evidence required Policies, procedures, configuration screenshots All of the above + months of log data, access reviews, change records, incident records
Cost $15,000–$30,000 $30,000–$80,000
Renewal One-time (bridged with Type II) Annual renewal
Recommended Path for MSPs

Start with Type I to unblock deals while your observation period accumulates. Target Type I completion within 60–90 days of engaging an auditor. Begin your Type II observation period immediately after Type I. With Gridlock collecting evidence continuously from day one, your Type II audit prep time is dramatically reduced.

How Gridlock's Compliance Agent Maps to SOC 2 Controls

Gridlock's Compliance Agent was built with SOC 2 Trust Services Criteria as a first-class design target. Every major control category has automated monitoring, evidence collection, and gap alerting.

Automated Compliance Coverage

Gridlock automates evidence collection across all nine Common Criteria control families. What traditionally requires a full-time compliance analyst managing spreadsheets is handled by the Compliance Agent running 24/7 across your entire client portfolio.

SOC 2 Control Category What Gridlock Monitors Evidence Type
CC6 — Access Controls MFA enforcement status, privileged account inventory, access reviews, account deprovisioning timeliness, SSH key management Configuration exports, access logs, review records
CC7 — System Operations Vulnerability scan results, patch deployment status, antimalware coverage, intrusion detection alerts, incident response records Scan reports, patch deployment logs, alert history
CC8 — Change Management Change ticket compliance, deployment authorization records, configuration drift detection, code review completion rates Change records, approval logs, drift reports
CC3 — Risk Assessment Risk register currency, risk scoring trends, third-party vendor risk ratings, emerging threat mapping Risk assessment reports, vendor scorecards
CC4 — Monitoring SIEM alert triage rates, anomaly detection coverage, control effectiveness metrics, exception reporting Monitoring dashboards, exception logs
CC9 — Vendor Management Vendor contract inventory, SOC 2 report currency for subprocessors, vendor risk questionnaire status Vendor inventory, report expiry tracking
A1 — Availability Uptime metrics, SLA compliance, capacity utilization, DR test results, backup verification Uptime reports, DR test records, backup logs
C1 — Confidentiality Encryption at rest and in transit, data classification coverage, secure disposal records, NDA tracking Encryption configuration exports, disposal records

Evidence Collection Automation

The most time-consuming part of a SOC 2 Type II audit is not the audit itself — it is the evidence collection. Auditors request hundreds of pieces of evidence: screenshots, configuration exports, log samples, policy documents, access review records, and more. Without automation, this burden falls on your engineers and compliance team for weeks.

What Gridlock auto-collects

Evidence Category Examples Frequency
Access control evidence MFA enrollment reports, privileged user lists, access review completion logs, terminated employee deprovisioning records Daily
Vulnerability management Scan results with severity breakdowns, patch deployment records, open vulnerability aging reports, remediation timelines Weekly
System configuration Firewall rule exports, encryption settings, logging configuration, endpoint protection coverage maps On change + weekly snapshot
Incident records Security incident log with detection time, response time, resolution, and post-incident review records Continuous
Change management Change request records with approver documentation, emergency change log, deployment records Per-event
Availability metrics Uptime reports per system, SLA breach records, capacity trending, backup success/failure logs Daily
Policy acknowledgments Employee security policy sign-off records, security training completion certificates Annual + on hire
Vendor management Third-party subprocessor inventory, current SOC 2 report links, vendor assessment completion dates Quarterly
Auditor-Ready Evidence Packages

When your auditor sends a fieldwork request list (PBC — Provided By Client), Gridlock generates a structured evidence package mapped to each request. Instead of spending two weeks hunting for screenshots and log exports, you export a package in minutes. Most Gridlock clients report a 70–85% reduction in PBC fulfillment time.

The 30-Day Readiness Timeline

A traditional SOC 2 readiness engagement (before auditor engagement) takes 3–6 months with a consulting firm charging $50,000–$150,000. Gridlock compresses this to 30 days by automating the gap assessment, evidence collection setup, and control mapping.

1
Days 1–3

Connect and Discover

Deploy Gridlock connectors to your environment. The Compliance Agent auto-discovers in-scope systems, data flows, and existing controls. An automated inventory of assets, access points, and data repositories is generated within 24 hours.

2
Days 4–7

Gap Assessment

The Compliance Agent maps your discovered controls against all SOC 2 Trust Services Criteria. A color-coded gap report is generated showing: controls that pass, controls with gaps, and controls that are missing entirely. Severity is ranked by audit risk impact.

3
Days 8–14

Remediate Critical Gaps

Address high-severity gaps identified in the assessment. Gridlock provides remediation playbooks for each finding: exact steps, example policies, configuration templates, and verification tests. Common quick wins: enabling MFA everywhere, formalizing change management, setting up centralized logging.

4
Days 15–21

Policy Library

Generate and finalize required SOC 2 policies. Gridlock includes pre-built policy templates for: Information Security Policy, Access Control Policy, Change Management Policy, Incident Response Policy, Business Continuity Plan, Vendor Management Policy, and Acceptable Use Policy.

5
Days 22–28

Evidence Collection Activation

Activate automated evidence collection across all control families. Verify that evidence is being gathered correctly by reviewing sample evidence packages. Begin building the evidence repository that your auditor will draw from.

6
Days 29–30

Auditor Engagement

Share your readiness report with your selected CPA firm. The report includes your control inventory, gap closure status, policy library, and evidence collection preview. Most auditors can begin fieldwork within 2 weeks of receiving this package.

Traditional Path

3–6 months + $50K–$150K

With Gridlock

30 days + audit fees only

What the SOC 2 Audit Process Looks Like

Understanding the audit mechanics helps you know exactly what to prepare and what your auditor will do. A SOC 2 audit is conducted by an independent CPA firm licensed to perform SOC examinations (not all CPA firms qualify).

Phase 1: Engagement setup (weeks 1–2)

You and the auditor agree on scope (which Trust Services Criteria, which systems), the observation period (for Type II), and the audit timeline. The auditor provides an initial request list — this is where Gridlock's evidence packages save the most time.

Phase 2: Fieldwork (weeks 2–8 for Type I; weeks 2–16 for Type II)

The auditor reviews your documentation, tests your controls, and may conduct interviews with your team. For Type II, the auditor samples evidence from throughout the observation period — for example, reviewing 25 randomly selected change tickets to verify your change management process was followed consistently. Gridlock's continuous evidence collection means every one of those samples is immediately available.

Phase 3: Findings review (weeks 1–2)

The auditor presents draft findings. If exceptions are noted, you have an opportunity to provide management responses — explaining context or compensating controls. Gridlock's exception tracking makes it easy to demonstrate remediation timelines.

Phase 4: Report issuance

The final SOC 2 report is issued. It includes the auditor's opinion, your system description, and (for Type II) the test of controls with any exceptions noted. This report is what you share with clients and prospects under NDA.

Choosing a SOC 2 Auditor

Not all CPA firms are equal for SOC 2. Look for firms with a dedicated technology/cybersecurity practice and proven SOC 2 experience with companies similar to yours. Avoid general accounting firms that offer SOC 2 as a side service — they often lack the technical depth to evaluate modern cloud controls efficiently. Budget $30,000–$80,000 for a Type II audit from a reputable firm.

Common MSP Client SOC 2 Questions

Your clients will have questions. Here are the most common ones, with answers you can use directly.

"Do you have a current SOC 2 Type II report?"

With Gridlock, you can answer: "Yes. Our most recent SOC 2 Type II report covers [period] and is available under NDA upon request. We also maintain continuous compliance monitoring using Gridlock's automated platform, which provides real-time evidence of ongoing control effectiveness between audit periods."

"How do you handle access to our systems?"

"All privileged access is managed through our PAM (Privileged Access Management) solution. Access is granted on least-privilege principles, requires MFA, and every session is logged and reviewed. Gridlock provides continuous access control monitoring with automated alerts on anomalous access patterns. Our access control evidence is available as part of our SOC 2 documentation."

"What happens if there's a security incident affecting our data?"

"We have a documented Incident Response Plan that meets SOC 2 CC7.3–CC7.5 requirements. Incidents are detected by our automated monitoring (Gridlock), triaged within 1 hour, and you are notified within 24 hours of confirmed impact to your data. All incidents are logged with full timeline documentation as part of our ongoing SOC 2 evidence."

"How often are your controls tested?"

"Gridlock performs continuous automated control testing — not just annual point-in-time snapshots. Critical controls like MFA enforcement and encryption status are verified daily. Vulnerability scans run weekly. We also conduct formal quarterly internal reviews and an annual SOC 2 Type II audit by an independent CPA firm."

"What subprocessors do you use, and are they SOC 2 certified?"

"Our subprocessor inventory is maintained in our SOC 2 documentation. We require SOC 2 Type II reports (or equivalent) from all subprocessors that handle client data, and Gridlock tracks the currency of those reports with automated alerts when they expire. Our current subprocessor list is available upon request."

"Is SOC 2 the same as ISO 27001?"

No, but they share significant overlap. SOC 2 is a US-based attestation standard governed by the AICPA; ISO 27001 is an international certification standard. SOC 2 focuses on reporting on controls to customers; ISO 27001 focuses on building and certifying an information security management system (ISMS). Most US enterprise buyers prefer SOC 2; European and multinational buyers often require ISO 27001. Gridlock's control framework maps to both, making dual certification efficient.

SOC 2 Readiness Checklist

Use this checklist to track your SOC 2 readiness. Click each item to mark it complete.

Scope and governance

Policies and documentation

Technical controls

Gridlock automation

You Are Ready to Engage an Auditor When...

All critical-severity gaps are remediated, required policies are in place and acknowledged, technical controls are documented, and Gridlock's evidence collection has been running for at least 30 days. Most MSPs in this state achieve a clean Type I opinion within 6–8 weeks of auditor engagement.