SOC 2 · AICPA Trust Services Criteria

Unlock US enterprise sales with SOC 2

SOC 2 is the trust signal US enterprise buyers look for before signing. Normado generates your Trust Services policies, maps your controls to Security, Availability, and Confidentiality criteria, and tracks evidence continuously — so you arrive at the auditor ready, not anxious.

First 100 customers get all Enterprise features at €49/mo for year one.


Example SOC 2 dashboard (app.normado.io/gap-analysis)

SOC 2 · Live Compliance
  • Trust Services criteria covered: 52 / 59
  • Security controls implemented: 24 / 28
  • Evidence artifacts tracked: 89
  • Months of observation window: 3

What SOC 2 actually requires

Three pillars, plain language

SOC 2 is an AICPA attestation (not a certification). It evaluates your systems against five Trust Services Criteria — but most companies only need Security, and often add Availability and Confidentiality. Here's what it actually involves.

1. Define your scope & criteria

Pick which Trust Services Criteria apply. Security is mandatory; the others are optional. Scope the audit to your production environment, not your whole company. Most SaaS companies start with Security only.

2. Implement & document controls

Write policies covering access control, change management, risk assessment, incident response, and vendor management. Map each policy to the Trust Services Criteria. Operate the controls consistently.

3. Collect evidence continuously

Type I audits a point in time; Type II audits 3-12 months of operation. The difference is evidence: access review logs, change tickets, incident records, training completions, backup tests.

Want the full breakdown? Read our SOC 2 deep-dive.

How Normado covers it

Built end-to-end for SOC 2

  • AI-generated Trust Services policies: Access control, change management, risk assessment, incident response, vendor management, HR security, mapped directly to the Common Criteria.
  • All 59 Trust Services Criteria points pre-loaded: Security (CC1-CC9) plus optional Availability, Confidentiality, Processing Integrity, and Privacy, with plain-language guidance.
  • Evidence management with expiry tracking: Organize access reviews, change tickets, training certificates, vulnerability scans, and backup tests by criterion, with alerts before anything goes stale.
  • ISO 27001 overlap mapping: One control implemented once (e.g. access review) satisfies both Trust Services and Annex A. If you have ISO 27001, you are typically 6-8 weeks from SOC 2 Type I.
  • Auditor-ready reporting: Export by criterion, by control, or by evidence type, structured exactly how the CPA firm asks for it. Less back-and-forth, shorter audit cycle.

Example org compliance: 88% SOC 2
  • Policies: 24 / 25
  • Controls: 22 / 25
  • Risks: 19 / 25
  • Evidence: 23 / 25

A living platform, not a one-off project

What ongoing compliance looks like

Consultants deliver a snapshot in time — then you maintain it yourself, re-engage every year, and answer auditor questions from static Word docs. Normado is the living system underneath: always current, always auditable, owned by your team.

Consultant engagement

€15,000 – €50,000
6 – 12 months per cycle
  • Tailored through months of interviews and workshops
  • Static deliverables you maintain yourself afterward
  • Evidence collection, version control, audit prep on you
  • Re-engage every year for refreshes and new frameworks
  • Expertise leaves when the engagement ends

Normado platform

€49 – €299 / month
Audit-ready in weeks
  • AI-generated policies tailored to your org in minutes
  • Gap analysis, risk register, and controls all in one place
  • Evidence management with expiry tracking built in
  • Always current — new frameworks and requirements rolled out automatically
  • Your team owns the system, always audit-ready

Frequently asked

SOC 2 questions we hear most

Do I need SOC 2 Type I or Type II?
Type I is a point-in-time attestation — fastest to get (4-6 weeks), shows your controls are designed appropriately on a specific date. Type II examines operating effectiveness over a period (typically 3-12 months). US enterprise buyers generally want Type II. Common pattern: get Type I to unblock early sales conversations, transition to Type II with a 3-month window, then renew annually with 12-month windows.
Do EU companies actually need SOC 2?
Only if you sell to US enterprise customers who ask for it in security questionnaires. Many EU enterprise buyers accept ISO 27001 as equivalent. If your pipeline is 80% European, ISO 27001 is usually the right first certification. If US deals justify it, add SOC 2 later — the overlap with ISO 27001 means the marginal cost is modest.
How much does SOC 2 cost?
Typical all-in first-year cost for an EU SaaS company: €25,000 – €60,000. Breakdown: audit fee €10,000 – €30,000 (Type I + first Type II), compliance tooling €0 – €15,000/year, plus 150-300 hours of internal time across engineering, security, and leadership. Renewal Type II audits run €12,000 – €20,000 annually.
Do I need a Big Four auditor?
No — and for a first report, specialist SOC 2 boutique firms deliver the same report at roughly one-third the price of a Big Four firm. The buyer only cares that the auditor is a licensed US CPA firm, not which firm it is. You can upgrade later if enterprise customers specifically require a top-tier name.
Can I combine SOC 2 with ISO 27001?
Yes, and you should. The two frameworks overlap roughly 60-70%. One control (e.g. quarterly access review) satisfies both SOC 2 CC6.3 and ISO 27001 Annex A 5.18. Normado's controls module auto-maps a single control to all applicable frameworks.
Does Normado also cover other frameworks?
Yes — all Normado-supported frameworks are available in Professional and Enterprise tiers. One control implemented once often satisfies multiple frameworks simultaneously.

Start your SOC 2 journey today

Join the waitlist and be the first to get access. First 100 customers get all Enterprise features at €49/mo for year one.

No credit card required. Cancel anytime.
