Real World SOC2

Practical guidance for SOC2 compliance

Security Programs Jul 2023 (edited Dec 2025)

Getting Started

Type I vs Type II

  • Type I: Point-in-time assessment of whether controls are suitably designed and in place as of a specified date
  • Type II: Assessment of whether controls operated effectively over a review period, typically 3-12 months

Start with Type I, move to Type II for ongoing compliance.

Trust Service Criteria

  1. Security (required; the common criteria included in every report)
  2. Availability
  3. Processing Integrity
  4. Confidentiality
  5. Privacy

Most startups start with Security only.

Automation Platforms

Timeline

  • Preparation: 2-4 months
  • Type I audit: 1-2 weeks
  • Type II observation period: 3-12 months
  • Type II audit: 2-4 weeks