SOC 2 · AICPA TRUST SERVICES

SOC 2 Type I & Type II
Readiness, Evidence & Audit Preparation

SOC 2 is the de facto security certification for SaaS companies and service organizations. Lavawall® collects Type II evidence automatically year-round. ThreeShield's CISSP/CISA team guides your readiness program and delivers the gap assessment (typically 200+ findings) that makes your formal audit predictable.

SOC 2 Trust Services Criteria

Security (CC) - Required

The Common Criteria are required for all SOC 2 reports. They cover logical and physical access controls, system operations, change management, and risk mitigation.

Availability (A) - Optional

System availability commitments. Relevant for SaaS companies with uptime SLAs. Requires monitoring, incident response, and disaster recovery documentation.

Confidentiality (C) - Optional

Protection of confidential information. Relevant for B2B companies handling client confidential data - financial projections, business plans, trade secrets.

Processing Integrity (PI) - Optional

System processing is complete, valid, accurate, timely, and authorized. Most relevant for financial processing, healthcare data processing, and payment systems.

Privacy (P) - Optional

Collection, use, retention, disclosure, and disposal of personal information aligns with AICPA's Privacy Management Framework - and PIPEDA/GDPR.

Type I vs Type II

Type I: Point-in-time assessment - are controls designed adequately as of a specific date? Type II: Were controls operating effectively over an observation period (typically 6-12 months)? Enterprise clients almost always require Type II.

The Type II Evidence Problem - and How Lavawall® Solves It

SOC 2 Type II requires evidence that controls operated consistently throughout the observation period. Most organizations scramble to collect this evidence in the weeks before their audit. Lavawall® collects it continuously and automatically - patch logs, MFA status, access reviews, encryption state, backup records - so when your auditor asks, the evidence is already organized and timestamped.

The ThreeShield SOC 2 Readiness Timeline

Week 1-2: Scope & Gap Assessment

Define SOC 2 scope (Trust Services Criteria, system boundary, service commitments). CISSP/CISA gap assessment against all applicable criteria. Lavawall® deployed for continuous evidence collection baseline.

Month 1-3: Remediation

Remediate critical and high findings from gap assessment. Policy and procedure development (15-25 documents typically required). Vendor management documentation. Access control implementation.

Month 3-9: Type II Observation Period

Lavawall® collects evidence continuously. ThreeShield monitors for control exceptions. Quarterly reviews confirm observation period evidence is clean and complete.
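As an added illustration of the observation-period check described above (and of the "evidence organized and timestamped" point in the Type II section), the following Python script is example code, not Lavawall® or ThreeShield's own: it takes timestamped evidence records, discards anything outside the observation window, and reports every stretch longer than a chosen threshold in which a required control has no evidence at all. The record format, the control names, the seven-day threshold and every timestamp are constructed assumptions for the example.

```python
"""Check that collected control evidence covers a SOC 2 Type II observation
period without gaps. Added example; not Lavawall or ThreeShield code.

Assumed record format (constructed): {"control": str, "source": str, "ts": ISO-8601}.
"""
from datetime import datetime, timedelta

# Constructed observation window (a 6-month Type II period).
OBSERVATION_START = datetime(2025, 1, 1)
OBSERVATION_END = datetime(2025, 6, 30)

# Constructed list of controls the audit needs evidence for.
REQUIRED_CONTROLS = ["mfa-status", "patch-log", "backup-record", "access-review"]


def _weekly(control, source, start, weeks, skip=()):
    """Build constructed weekly evidence records; `skip` drops the given
    week numbers to simulate a collector outage."""
    return [
        {"control": control, "source": source,
         "ts": (start + timedelta(weeks=w)).isoformat()}
        for w in range(weeks) if w not in skip
    ]


# Constructed sample evidence with fictional timestamps, modelled on the
# evidence types named on the page (MFA status, patch logs, backup records).
# patch-log is missing weeks 8-13; access-review only has a record from
# before the window, which must not count.
SAMPLE_EVIDENCE = (
    _weekly("mfa-status", "idp", OBSERVATION_START, 26)
    + _weekly("patch-log", "endpoint-agent", OBSERVATION_START, 26, skip=range(8, 14))
    + _weekly("backup-record", "backup-server", OBSERVATION_START, 26)
    + [{"control": "access-review", "source": "ticketing",
        "ts": "2024-12-15T09:00:00"}]
)


def coverage_gaps(records, control, start=OBSERVATION_START,
                  end=OBSERVATION_END, max_gap_days=7):
    """Return a list of (gap_start, gap_end) ISO date strings where no
    evidence for `control` exists for longer than `max_gap_days`
    inside [start, end]. A control with no in-window evidence yields
    the whole window as one gap."""
    stamps = sorted(
        datetime.fromisoformat(r["ts"]) for r in records
        if r["control"] == control
    )
    # Evidence dated outside the observation period does not count for Type II.
    stamps = [t for t in stamps if start <= t <= end]
    gaps, prev = [], start
    for t in stamps + [end]:
        if t - prev > timedelta(days=max_gap_days):
            gaps.append((prev.date().isoformat(), t.date().isoformat()))
        prev = t
    return gaps


def coverage_report(records, controls, **kwargs):
    """Map each required control to its list of evidence gaps."""
    return {c: coverage_gaps(records, c, **kwargs) for c in controls}


def is_audit_ready(report):
    """True only when every required control has continuous evidence."""
    return all(not gaps for gaps in report.values())


if __name__ == "__main__":
    report = coverage_report(SAMPLE_EVIDENCE, REQUIRED_CONTROLS)
    for control, gaps in report.items():
        status = "OK" if not gaps else "GAPS: " + ", ".join(f"{a}..{b}" for a, b in gaps)
        print(f"{control:15s} {status}")
    print("audit-ready:", is_audit_ready(report))
```

Run as a script it prints one line per control; the patch-log outage and the access-review control with no in-window evidence both surface as gaps, which is exactly what a quarterly review of the observation period is meant to catch before the auditor does. The threshold should match the control's stated frequency (daily backups warrant a tighter threshold than a quarterly access review).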

Month 8-9: Pre-Audit Testing

Internal control testing before formal audit. Identify and remediate any remaining gaps. Prepare evidence packages for each Trust Services Criterion.

Month 9-12: Formal Audit

External auditor conducts Type I or Type II assessment. ThreeShield supports the audit process and responds to auditor requests. SOC 2 report issued.

Frequently Asked Questions

Yes - SOC 2 is an attestation engagement that must be performed by a licensed CPA firm. ThreeShield is not a CPA firm and does not issue SOC 2 reports. We prepare you for the audit and make it predictable and efficient - then a qualified CPA auditor performs the formal assessment. We work with several audit firms and can recommend partners.

Audit fees vary by auditor, scope, and organization complexity - typically $15,000-$80,000 for a Type II report from a credible CPA firm. ThreeShield's preparation engagement is separate and typically reduces total cost by making the audit more efficient. Organizations with Lavawall® continuous evidence collection typically see faster and lower-cost audits because evidence is already organized.

Drata and Vanta provide evidence collection for SOC 2, similar to Lavawall®. ThreeShield adds the human expertise layer: CISSP/CISA gap assessment, remediation guidance, policy development, and formal audit support. We can work alongside your existing platform or replace it with Lavawall® GRC. For Canadian-specific frameworks (Alberta HIA, CPA Canada, PIPEDA), Lavawall® provides significantly better coverage than Drata or Vanta.

Three Ways to Engage - DIY to Done-for-You

ThreeShield meets you at your current security maturity. Every level includes Lavawall®.

Self-Serve

DIY via Lavawall®

For lean IT teams and cost-conscious organizations with internal security capacity

  • Lavawall® GRC with SOC 2 control mapping
  • Continuous automated evidence collection
  • Live compliance dashboard and score
  • Policy template library
  • AI-generated compliance status reports

Start with Lavawall®

Recommended for MSPs & Lean IT

Supported

Expert guidance alongside your team - ideal for MSPs and organizations with some internal IT capacity

  • Everything in DIY tier
  • CISSP/CISA gap assessment
  • Prioritized remediation roadmap
  • Policy and procedure development
  • Quarterly compliance review calls
  • MSP white-label available

Get Supported Engagement

Fully Managed

Done-for-You

Full compliance delivery - ThreeShield manages the entire program end to end

  • Everything in Supported tier
  • Full compliance program management
  • CISSP/CISA-executed formal assessment
  • Findings-based methodology (typically 200+ findings)
  • Complete documentation package
  • Annual reassessment included

Book Done-for-You

Ready to Get Compliant?

Choose your engagement model: DIY via Lavawall®, supported by ThreeShield's CISSP/CISA team, or fully done-for-you. Every model includes continuous monitoring so you stay compliant year-round.

Book a Scoping Call

DIY · Supported · Done-for-You · Available globally