SOC 2 Consulting & Readiness Services

Pivot Point Security provides consulting services to help organizations achieve and maintain compliance with the SOC 2 standard. Our team will work together with yours to ensure that all of your security policies, procedures, and practices meet the requirements set forth in the SOC 2 Trust Services Principles and Criteria. We will also provide guidance on how to best address potential risks to data privacy and integrity so that your organization can reach its desired level of security maturity. With Pivot Point Security’s SOC 2 expertise, you can trust us to help ensure that your organization achieves provable security and compliance.

Are your clients requesting (a.k.a. requiring) you to have a SOC 2 attestation? If SOC 2 attestation is holding up a signature on new deal or expanding work with a current client, you are not alone and you came to the right place.

With Pivot Point Security as your trusted partner, achieving and maintaining SOC 2 (Type I or Type II) attestation is a guaranteed reality. Our customers are able to sign new clients as well as keep and grow current customers, all while gaining an expert’s assessment and direction on their information security program.

What is SOC 2?

SOC 2 is a third-party attestation, a report built by an objective third-party (a CPA firm) that outlines the results of their testing against a robust set of information security controls (the Trust Services Criteria). Key types of SOC 2 Assessments include:

SOC 2 Type I (Type 1)

A SOC 2 Type 1 report attests to the design and documentation of a service provider’s controls and procedures as of a specific date. However, the SOC 2 Type 1 report does not cover the actual operation of the controls.

SOC 2 Type II (Type 2)

Like a SOC 2 Type 1 report, a SOC 2 Type 2 report covers the design and documentation of controls. A SOC 2 Type 2 report also provides evidence as to how the organization operated its controls over a period of time (usually six months or more).


Generally speaking, when a SOC2 report is requested, the expectation is for a SOC2 Type 2 report covering a one-year observation period.

Why Choose PPS for SOC 2 Services?

✔ You get the Big 4 experts without the Big 4 price tag – many of our consultants began their careers working for one (or more) of the Big 4 CPA firms. Working with PPS means you get top talent on your projects without paying for the big name.

✔ Our core values – we are honest and transparent; basically, we will hold you accountable. If you want a consultant to say nothing but “yes”, we are not a good fit for you.

✔ Our information security expertise extends to all information security domains – SOC 2 may be your most immediate concern but because we have extensive expertise and experience in other domains including ISO 27001, Privacy, Network Security, App Security, and Third Party Risk Management (TPRM). We bring value beyond your SOC 2 attestation letter.

✔We understand audits and information security – this is key… we know what is a “check the box” need vs what will really provide information security and risk management value.


How SOC 2 Services Work

✔ Scope Determination – Here we determine what portions of your business should be included in the SOC 2 attestation. This is also where we help you determine what trust principles/trust services criteria optimally apply to your business based on the types of clients you serve and information you process.

✔ Gap Assessment– Here we learn about your existing information security controls and determine the gap between your current state and SOC 2 ready.

✔ Risk Assessment– Here, we determine where your organizations information security risks are greater than your risk appetite and develop a Risk Remediation plan to address them.
✔ Readiness Assessment (optional) – Here one of our SOC 2 experts will conduct an internal audit to ensure the controls are working as intended and generating the evidence that you will need for a “clean” SOC 2 external audit and report. Our auditor will be objective and fully independent of the consultative team that worked with you on the SOC 2 implementation.

What You Can Expect

If you decide to partner with Pivot Point Security for CCPA Compliance Services, you can expect to:

✔ Attain and maintain CCPA compliance and the ability to prove it.

✔Have a strategic roadmap to achieve both short- and long-term privacy goals.

✔ Have confidence in your privacy standing.

✔ Gain a competitive advantage to win more business.

✔ Have some laughs, hear some “The Office” references, and get quality, actionable advice from experts who live at the juncture of privacy and security every day.

If you decide to go another direction, we wish you nothing but success! But if you find yourself lost on a winding road, unsure where to turn and in need of a guide… you know where to find us.

What is SOC 2 compliance?

SOC 2 is an auditable information security standard developed by the American Institute for CPAs (AICPA) that provides guidance on critical security processes and practices for managing customer data. SOC 2 compliance is validated during a CPA firms audit against one or more of the five SOC 2 “Trust Services Criteria”: security, availability, processing integrity, confidentiality, and privacy. Firms decide which of the five criteria are relevant to address, based on their products and/or services.

What does SOC 2 stand for?

SOC 2 stands for “Service Organization Control 2.”

What are SOC 2 requirements?

SOC 2 requirements are generally somewhat non-prescriptive and open to interpretation. Each organization seeking a SOC 2 report determines how it can best achieve the goals of those requirements it deems applicable. Of the five SOC 2 Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) only Security is considered applicable to all organizations.

What does achieving SOC 2 attestation cost?

The general cost range for companies to prepare for and undergo a SOC 2 compliance audit and rescieve a SOC 2 Type 2 Service Auditors Report is $40,000 to $140,000. Keep in mind that a SOC 2 report is not a certification, but rather a description of audit findings.

Some of the factors that can impact SOC 2 audit costs include:

  • The scope of the Information Management System that are in scope for the audit
  • The number of locations in scope
  • The number of Trust Services Criteria that are in scope for the audit
  • The size of the organization being audited
  • The “gap” between current controls and policies and what SOC 2 requires
  • Needs for additional security technology, employee training, etc., to close current gaps
  • Needs for consulting and other outsourced services to prepare for the SOC 2 audit
  • The type of SOC 2 audit desired (SOC 2 Type 1 or SOC 2 Type 2)

What is the difference between SOC 2 Type 1 and a SOC 2 Type 2?

There are two types of SOC 2 reports:

  • SOC 2 Type 1 reports on the effectiveness of an organization’s security systems and controls at the point in time in which the SOC 2 audit was conducted.
  • SOC 2 Type 1 reports on the effectiveness of an organization’s security systems and controls at the point in time in which the SOC 2 audit was conducted.