At a Glance
| Aspect | Detail |
|---|---|
| Sector | Technology / Network Infrastructure |
| Starting point | No formal SOC 2 programme, inconsistent control documentation, no continuous evidence collection |
| Timeline | Type I readiness in 8 weeks; Type II clean opinion over 12-month observation period |
| Frameworks | SOC 2 — Security, Availability, Confidentiality, Processing Integrity, Privacy |
| Environment | Multi-data-centre, multiple jurisdictions, Microsoft 365 |
The Challenge
Enterprise customers — particularly in financial services, healthcare, and government-adjacent industries — were requiring SOC 2 Type II before adding the provider to their approved vendor lists. Three significant contracts were stalling because the answer to “can you provide a SOC 2 report?” was “not yet.”
The complicating factor was scale and complexity. This wasn’t a startup with a simple, contained environment. The provider operated across multiple data centres, served clients in several jurisdictions, and had network infrastructure that touched customer environments directly. The Trust Services Criteria weren’t just a documentation exercise — they needed to reflect real operational controls across a complex estate.
The specific gaps at the start of the engagement:
- No formal security programme mapped to TSC — controls existed but weren’t structured against the five Trust Services Categories
- Inconsistent control evidence — some controls were well-documented, others were tribal knowledge with no audit trail
- No continuous monitoring — controls were being operated but not systematically evidenced over time, making a Type II opinion unsupportable
- Availability and processing integrity underdocumented — the two criteria most relevant to a network provider had the weakest evidence
- Vendor management gaps — third-party risk assessments were incomplete or outdated
Three six- and seven-figure contracts were waiting. The cost of “not yet” was measurable and growing.
Our Approach
SOC 2 Type II requires something that Type I doesn’t: evidence of operating effectiveness over time. You can’t sprint to Type II — you have to operate controls consistently across the observation period and capture evidence as you go. The programme was designed around this reality from day one.
1. Type I foundation (weeks 1–8)
Mapped all five Trust Services Criteria to the provider’s existing control environment. Identified gaps, documented control descriptions, and built the evidence collection infrastructure. Type I readiness was achieved at week 8 — confirming that controls were designed and implemented appropriately.
2. Continuous evidence programme (months 2–12)
Built automated evidence collection workflows — monitoring logs, access review exports, change management records, incident tickets, and vendor assessment outputs. The goal was to make evidence a byproduct of normal operations, not a project that happened before an audit.
Key controls formalised and continuously evidenced:
- Security — access controls, MFA enforcement, vulnerability management, penetration testing
- Availability — uptime monitoring, incident response, disaster recovery testing with documented results
- Confidentiality — data classification, encryption in transit and at rest, third-party data handling
- Processing Integrity — change management, quality assurance, error detection and correction
- Privacy — data collection notices, consent management, data subject request handling
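The evidence workflow described above comes down to two properties an auditor needs: each artefact is bound to a TSC-mapped control and a capture time in a way that shows it has not been altered since, and coverage can be checked across every month of the observation period rather than assembled before the audit. The following is an added illustration of that idea and is not the provider's tooling; the control identifiers, source names and sample artefacts are constructed for the example.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical control identifiers mapped to their Trust Services Category
# (constructed for this example, not taken from the case study).
REQUIRED_CONTROLS = {"SEC-MFA": "Security", "AVL-UPTIME": "Availability",
                     "PI-CHANGE": "Processing Integrity"}

@dataclass(frozen=True)
class EvidenceItem:
    control_id: str   # control the artefact evidences
    category: str     # Trust Services Category of that control
    source: str       # system that produced the artefact (export, ticket, log)
    captured_at: str  # ISO-8601 UTC timestamp of capture
    sha256: str       # content hash, so the artefact can be shown unaltered

def record_evidence(control_id: str, source: str, artefact: bytes,
                    captured_at: datetime) -> EvidenceItem:
    """Hash the raw artefact and bind it to its control and capture time."""
    return EvidenceItem(control_id, REQUIRED_CONTROLS[control_id], source,
                        captured_at.astimezone(timezone.utc).isoformat(),
                        hashlib.sha256(artefact).hexdigest())

def artefact_matches(item: EvidenceItem, artefact: bytes) -> bool:
    """True if the artefact presented at audit is the one that was captured."""
    return hashlib.sha256(artefact).hexdigest() == item.sha256

def coverage_gaps(ledger: list, period_months: list) -> dict:
    """Map each required control to the observation months lacking evidence;
    a non-empty result is the gap that makes a Type II opinion unsupportable."""
    months_seen = defaultdict(set)
    for item in ledger:
        months_seen[item.control_id].add(item.captured_at[:7])  # 'YYYY-MM'
    return {cid: missing for cid in REQUIRED_CONTROLS
            if (missing := [m for m in period_months if m not in months_seen[cid]])}

# Constructed sample ledger covering a three-month slice of the observation period.
UTC = timezone.utc
PERIOD = ["2024-01", "2024-02", "2024-03"]
SAMPLE_LEDGER = [
    record_evidence("SEC-MFA", "m365-admin", b"mfa_report_jan", datetime(2024, 1, 31, tzinfo=UTC)),
    record_evidence("SEC-MFA", "m365-admin", b"mfa_report_feb", datetime(2024, 2, 29, tzinfo=UTC)),
    record_evidence("SEC-MFA", "m365-admin", b"mfa_report_mar", datetime(2024, 3, 31, tzinfo=UTC)),
    record_evidence("AVL-UPTIME", "monitoring", b"uptime_jan", datetime(2024, 1, 31, tzinfo=UTC)),
    record_evidence("AVL-UPTIME", "monitoring", b"uptime_mar", datetime(2024, 3, 31, tzinfo=UTC)),
    record_evidence("PI-CHANGE", "ticketing", b"changes_q1", datetime(2024, 3, 31, tzinfo=UTC)),
]
```

Running `coverage_gaps(SAMPLE_LEDGER, PERIOD)` on the sample ledger reports that uptime evidence is missing for February and change records for January and February, which is the kind of gap the continuous programme is designed to surface during the period rather than at audit time.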
3. Vendor and third-party risk
Rebuilt the vendor risk assessment process — prioritised critical vendors, conducted structured assessments, established an annual review cadence. Vendor security evidence was included in the Type II audit pack.
4. Type II audit support
Supported the full Type II audit — evidence presentation, auditor sampling, assessor Q&A, and finding response. The observation period produced clean opinions across all five Trust Services Criteria.
Results
SOC 2 Type II — clean opinions across all Trust Services Criteria. The three stalled enterprise contracts moved forward. Security reviews that previously took weeks now took hours.
The commercial impact was direct and measurable:
- The three contracts that had been stalled on SOC 2 requirements moved forward
- Enterprise procurement reviews that previously required weeks of manual document gathering now took hours — evidence was continuously maintained and instantly accessible
- New enterprise sales cycles shortened materially — security reviews completed in days, not weeks
- The provider now has a reusable, repeatable evidence infrastructure that supports future audits without starting from scratch
The continuous evidence programme also delivered an operational benefit: leadership had real visibility into control performance across the observation period, not just at audit time.
Key Deliverables
- Trust Services Criteria gap assessment and control mapping across all five categories
- Control descriptions and risk assessment documentation (Type I readiness pack)
- Continuous evidence collection infrastructure — automated workflows, monitoring exports, access review cadence
- Vendor risk assessment programme rebuild with annual review process
- Penetration test facilitation and finding remediation tracking
- SOC 2 Type II audit support — evidence presentation, assessor Q&A, finding response
- Post-audit evidence maintenance programme and SOC 2 report management
The Bottom Line
SOC 2 Type II isn’t a project you complete — it’s an operating state you maintain. The difference between organisations that get clean opinions and those that scramble before every audit is whether evidence collection is embedded in operations or bolted on at the last minute.
This provider built it properly from the start, achieved clean opinions on the first Type II report, and now has a compliance infrastructure that supports ongoing enterprise sales without annual disruption.