
SOC 2. The enterprise security standard.
SOC 2 is the security standard demanded by US enterprise clients and increasingly by large UK organisations. A SOC 2 Type II report proves your controls are not just designed correctly but operating effectively over time. IP Four guides you from readiness to report.
SOC 2 Type I or Type II. We support both.
Most businesses start with Type I to satisfy an immediate requirement, then progress to Type II for ongoing enterprise assurance. We plan the most efficient path for your situation.
SOC 2 Type I
A point-in-time assessment confirming that your controls are suitably designed to meet the Trust Services Criteria. Faster to achieve and often used as a stepping stone to Type II.
What We Do
- Scoping and Trust Services Criteria selection
- Gap analysis against selected criteria
- Control design and documentation
- Readiness assessment
- Auditor engagement and Type I report
Best For
Businesses that need to demonstrate security posture quickly to close a deal or satisfy an initial procurement requirement.
SOC 2 Type II
An assessment of control effectiveness over a defined observation period, typically 6 to 12 months. The gold standard for enterprise and US-market clients who require ongoing assurance.
What We Do
- Everything in SOC 2 Type I
- Observation period monitoring
- Evidence collection and management
- Continuous control testing
- Auditor engagement and Type II report
Best For
Businesses selling to enterprise clients, US-market customers, or regulated industries that require independently verified, ongoing assurance.
Five criteria. Security is always required.
SOC 2 is built around five Trust Services Criteria. Security is mandatory. The others are selected based on your business model and what your clients require.
Security
The system is protected against unauthorised access, both physical and logical. Required for all SOC 2 reports.
Availability
The system is available for operation and use as committed or agreed. Relevant for SaaS and cloud service providers.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorised. Relevant for transaction processing systems.
Confidentiality
Information designated as confidential is protected as committed or agreed. Relevant for businesses handling sensitive client data.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in conformity with the commitments in the entity's privacy notice.
Enterprise clients are asking for it. We help you deliver it.
UK SaaS Businesses Targeting the US Market
SOC 2 is the de facto security standard for US enterprise procurement. UK SaaS companies without a SOC 2 report are routinely excluded from US enterprise deals. We help you get compliant and competitive.
Managed Service Providers
MSPs handling client data, infrastructure, or systems are increasingly required by their enterprise clients to hold SOC 2 reports. A SOC 2 report demonstrates that your controls are independently verified, not just self-assessed.
Cloud and Infrastructure Providers
Businesses providing cloud hosting, data processing, or infrastructure services to enterprise clients need to satisfy security questionnaires and procurement requirements. SOC 2 Type II provides the audited evidence they need.
Businesses Handling Sensitive Data
Any organisation processing sensitive personal, financial, or health data for enterprise clients will face SOC 2 requirements. We help you build the controls and get the report that closes the deal.
From gap analysis to SOC 2 report. We handle everything.
SOC 2 is complex and the evidence burden is significant. We have done this many times. We know what auditors look for and how to get you there efficiently.
Scoping and Criteria Selection
We define the scope of your SOC 2 engagement and select the Trust Services Criteria relevant to your business. Getting scope right avoids unnecessary work and cost.
Gap Analysis
We assess your current controls against the selected criteria and produce a prioritised remediation plan with clear effort estimates.
Control Implementation
We implement the required technical and organisational controls, working alongside your team to embed them into day-to-day operations.
Readiness Assessment
Before engaging your auditor, we conduct a readiness assessment to confirm all controls are operating effectively and evidence is in order.
Auditor Support
We manage the auditor relationship, coordinate evidence requests, and attend as technical advisors throughout the audit process.
Ongoing Compliance
SOC 2 Type II requires continuous control operation. We manage your compliance programme on an ongoing basis so you are always audit-ready.
Start with a free SOC 2 readiness assessment. Know exactly where you stand.
Our free SOC 2 readiness assessment tells you which Trust Services Criteria apply to your business, what controls you already have in place, and what you need to build before engaging an auditor.