SOC-R: SOC 2 / SOC 3 Readiness
Get audit-ready without surprises. Illumant prepares SaaS and service organizations for SOC 2 and SOC 3 attestation by identifying gaps, designing and documenting controls, and coordinating directly with your CPA firm.
SOC reports — the family
Service Organization Control (SOC) reports are a closely related family of attestation reports — SSAE 18, SAS 70, AT 101, WebTrust, SysTrust. Despite the naming churn, the purpose is constant: an independent CPA's opinion that your controls are designed and operating effectively to protect customer data. SOC reports have become table stakes for selling SaaS upmarket, and enterprise procurement increasingly requires one before signing.
| Report | Standard | Types | Purpose |
|---|---|---|---|
| SOC 1 | SSAE 18 (formerly SAS 70) / AT-C 320 | Type I, Type II | Internal controls relevant to user entities' financial reporting (ICFR). |
| SOC 2 | AT-C 105 + AT-C 205 | Type I, Type II | Controls over Security, Availability, Processing Integrity, Confidentiality, Privacy. Restricted use. |
| SOC 3 | AT-C 105 + AT-C 205 | — | Same trust criteria as SOC 2 but a public-facing summary report (formerly SysTrust / WebTrust). |
| Agreed-Upon Procedures | AT-C 215 | — | Restricted-use report on procedures defined by the client. |
Illumant focuses on SOC 2 and SOC 3. Because both rest on the same Trust Services Criteria, they can be obtained in parallel for an incremental cost over a single report.
The five Trust Services Criteria
- Security: the Common Criteria, required for every SOC 2. Logical and physical access, change management, risk assessment, incident response, monitoring.
- Availability: capacity, environmental controls, backup/restore, business continuity, disaster recovery.
- Processing Integrity: system processing is complete, valid, accurate, timely, and authorized. Especially relevant for transaction processors.
- Confidentiality: information designated as confidential is protected per commitments and requirements (NDA, contractual data, IP).
- Privacy: personal information is collected, used, retained, disclosed, and disposed of per the AICPA's Generally Accepted Privacy Principles.
Our readiness process
1. Scoping and report selection: we help you choose between SOC 1, SOC 2, and SOC 3, and which Trust Services Criteria to include, based on your customers' contractual demands and your service description.
2. Gap analysis: side-by-side comparison of existing controls against the selected criteria. Output: a prioritized gap register with effort estimates.
3. Control design and documentation: design or refine controls, write the system description (the 'Section III' that auditors read first), and document policies and procedures.
4. Evidence collection: build the evidence collection workflow that you'll re-run quarterly: tickets, change records, access reviews, log samples, training records.
5. Audit-ready handoff: draft management's assertion, walk through findings, and coordinate directly with your CPA firm to keep surprises out of the final report.
Highlights
- Selection of appropriate SOC report type and Trust Services Criteria
- Gap analysis vs. SOC 2 / SOC 3 requirements
- Control design and documentation
- Description of the in-scope 'system' or service
- Policies and procedures development
- Evidence collection workflow design
- Draft management's assertion about controls
- Direct auditor communication and coordination
- Type I and Type II preparation
Related security assessments
What we typically pair with a SOC engagement.
- PSA (Perimeter Security Assessment & Penetration Testing): find the weaknesses in your perimeter before hackers do.
- WASA (Web Application Security Assessment): OWASP-aligned testing of the apps your business runs on.
- CloudSA (Cloud Security Assessment): configuration and architecture review for AWS, Azure, and GCP.
- ADSA (Active Directory Security Assessment): AD holds the keys to the kingdom; make sure they're locked.
- PPPA (Policies, Procedures and Practices Assessment): review the documents, and whether anyone follows them.
- RA (Risk Assessment): quantify, prioritize, and govern information-security risk.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.