SOC 2 Readiness Support

SOC 2 isn't a certification. It's a report. We get you ready to earn it.

Type 1 and Type 2 readiness — we take you to the attestation report issued by an independent CPA firm.

SOC 2 readiness support is a structured engagement that prepares your organization for the examination conducted by an independent CPA firm and for obtaining a SOC 2 report aligned with the AICPA's Trust Services Criteria (TSC) 2017 (with revised points of focus in 2022). Factero leads the client-side process: report type selection (Type 1 or Type 2) and criteria selection (Security mandatory, plus Availability, Processing Integrity, Confidentiality, Privacy), gap analysis, control implementation, System Description drafting, internal audit, and support through the CPA examination. We prepare — we don't issue the report. The SOC 2 report is issued exclusively by an independent CPA firm in accordance with AICPA SSAE No. 23 standards. That's what gives it value. Engagement led by a CISA-certified principal associate, with TSC 2017 as the target and NIST-CSF as supporting framework.

Who is it for?

SaaS vendors, cloud platforms, and B2B providers receiving security questionnaires from US or international corporate clients — where SOC 2 has become a standard commercial prerequisite.

Quebec and Canadian technology companies selling into the US market and discovering that SOC 2 is the common language of B2B North America.

Growing organizations preparing a funding round, acquisition, or international expansion — where SOC 2 is an expected maturity signal for investors and acquirers.

Vendors handling sensitive data for clients in financial services, healthcare, or US tech — where the absence of SOC 2 disqualifies you at the questionnaire stage.

Companies that already have a SOC 2 Type 1 and now need to move to Type 2 (controls operating effectively over time, typically 6 to 12 months).

Organizations whose previous SOC 2 report expired or contained exceptions (qualified opinion) and who want to structure the next observation period correctly.

When does it help?

If you recognize yourself in any of these situations, this service is designed for you.
  • A US client requires a recent SOC 2 report (less than 12 months) and you don't have one — or your report is 2 years old.
  • You're completing more and more client security questionnaires and want a process that answers 80% of them once and for all, with a report you can share under NDA.
  • You're hesitating between SOC 2 Type 1 (faster, lighter) and Type 2 (required by most large clients) — and you want an outside perspective to decide.
  • Your CPA firm tells you you're "ready" — but your internal team knows it's not quite true.
  • You received a SOC 2 report with exceptions (qualified) last time and need to ensure the next observation period is clean.
  • You're already compliant with Law 25, ISO 27001, or CAN/DGSI 104 and want to build on that work for SOC 2 without starting over.
  • You're planning a funding round or acquisition within 12 months and know SOC 2 will come up in due diligence.
  • Your organization has grown fast; the informal controls that worked at 10 employees don't hold at 50 — and SOC 2 is the opportunity to structure.

What will you receive?

A clear Type 1 or Type 2 recommendation, justified by your commercial timeline, client contracts, and current maturity — not by commercial preference.

A relevant criteria selection among the 5 Trust Services Criteria: Security (mandatory — also called "common criteria"), plus Availability, Processing Integrity, Confidentiality, Privacy based on your service commitments. We avoid including criteria you don't need — each added criterion increases cost and exception risk.

A complete gap analysis between your current posture and the selected TSC, with a plan prioritized by risk and effort.

The System Description drafted to AICPA standards — a central deliverable of the SOC 2 report, often underestimated and poorly done.

The required policies, procedures, and records, drafted and adapted to your reality — not a pile of generic copy-paste templates.

Implementation of missing technical controls with your product and IT teams: MFA, encryption, logging, access management, periodic reviews, change management, etc.

A preliminary internal audit with an independent external perspective — to identify potential exceptions before the CPA, not during.

An organized evidence file structured to the CPA auditor's expectations: evidence per criterion, samples ready, documentation available without last-minute scramble.

Active support during the CPA examination (walkthrough, sampling, remediation) to translate auditor requests and structure your teams' responses.

An annual continuity plan: for Type 2, controls must operate continuously — we establish the evidence collection cadence that allows the next observation period to run without friction.

Not a good fit?

  • SOC 2 is a demanding engagement — especially Type 2, which requires controls to operate effectively over 6 to 12 months. It requires an internal owner (typically the CTO, VP Engineering, or a dedicated compliance lead) with a mandate to integrate controls into day-to-day operations. Without that anchor, even the best external support can't carry through.
  • If your clients aren't asking for SOC 2 and don't intend to — for example a Quebec SME selling to other Quebec SMEs without export ambitions — ISO 27001 or CAN/DGSI 104 will likely be more relevant and less costly. SOC 2 is an American standard: its value comes from the commercial signal it sends to North American clients.
  • If your client is asking for "SOC 2" for a deployment in Quebec's health network, there's confusion — the health network requires TGV certification, not SOC 2. We clarify before you invest in the wrong path.
  • If you're at a very early stage (product in beta, < 10 employees, no significant revenue), SOC 2 may be premature. A Factero audit or CAN/DGSI 104 preparation can be a more cost-effective foundation short-term, before aiming for SOC 2 when the first corporate clients arrive.

How does the process work?

A rigorous and transparent approach, step by step.
Scoping Type 1 or Type 2
We start with the strategic question: which report type, and which criteria. Type 1 attests to the design of controls at a specific point in time — faster, but often insufficient for demanding clients. Type 2 attests that controls operate effectively over an observation period (typically 6 to 12 months) — what most large clients want to see. We review your commercial timeline, signed and in-negotiation contracts, and current maturity to decide. Criteria selection (Security mandatory, plus relevant optional ones) determines examination scope. Deliverable: reasoned recommendation, engagement plan, realistic timeline estimate.
Gap analysis on TSC
We map your environment against applicable Trust Services Criteria 2017, with the revised 2022 points of focus integrating recent technological developments. We identify what's already in place and documentable, what's missing, and what needs adjustment. Deliverable: gap report prioritized by risk and effort.
Controls and System Description
We implement missing controls with your teams — MFA, encryption, logging, access management, change management, monitoring, incident management. Guiding principle: every control must be lived, not just documented. In parallel, we draft the System Description — a central SOC 2 deliverable precisely describing scope, infrastructure, data flows, responsibilities. Poorly done, it invalidates the report. We draft it on your behalf, then validate with your team.
Internal audit before the CPA
We conduct a formal internal audit before the official examination — an independent external perspective identifying potential exceptions while there's still time to fix them. It's the difference between "we hope to pass" and "we know we'll pass." This step is particularly critical for Type 2: an exception identified after the observation period has begun is hard to correct without extending the timeline.
Observation period (Type 2)
For Type 2, controls must operate for a period typically between 3 and 12 months (6 months is the common minimum for a first report, 12 months for renewal reports). During this period, we establish the evidence collection cadence — documented periodic reviews, retained logs, change management tickets, timestamped evidence. Without this discipline, the CPA will find gaps during sampling.
CPA examination support
We support you through the examination conducted by the CPA firm you've chosen. Our role: translate the auditor's requests into concrete actions, prepare walkthroughs, manage any exceptions and remediation plans. Choice of CPA remains yours — we can present several qualified firms, with no commercial tie to any of them. Our Charter of Independence requires this.
Annual renewal
A SOC 2 report covers a specific period. Clients want a recent report (typically less than 12 months). Most organizations issue a report each year — meaning the evidence collection cadence and control discipline must hold over time. We remain available to prepare each annual cycle, without an imposed recurring contract.

Frequently Asked Questions

Answers to the questions our clients ask before reaching out.
Type 1 or Type 2 — which to choose?
The answer depends on what your clients accept. Type 1 attests to the design of controls at a specific date — faster (3 to 6 months preparation), less expensive, often sufficient for a first demonstration. But more and more corporate clients now accept only Type 2, which attests that controls operate effectively over a period (typically 6 to 12 months). If your clients accept Type 1, it's a smart intermediate step that lets you deliver quickly while preparing Type 2 in the background. If your biggest prospects require Type 2 upfront, we aim directly for Type 2 — it takes longer but avoids paying for two examinations. Factero reviews your current contracts and recently received questionnaires to decide — not by default, not by commercial preference.
How long does it take?
For Type 1, expect 4 to 6 months from engagement start to report receipt. For Type 2, 9 to 15 months is realistic. Type 2 includes an observation period of 3 to 12 months during which controls must operate — you can't short-circuit this period, it's structural. Very short timelines advertised elsewhere ("SOC 2 in 90 days") apply only to Type 1 and only to organizations that already have everything in place. Factero gives a realistic estimate from the gap analysis onward, based on your actual situation — not a marketing range. If your commercial deadline is shorter than what's cleanly achievable, we'll say so and look at alternatives (Type 1 first, letter of intent from the auditor, etc.).
What does it cost — and what's not included?
Factero's engagement covers the full preparation — scoping, gap analysis, control implementation, System Description drafting, internal audit, support through CPA examination. Costs not included and paid directly by you: the CPA firm fees (the examination itself and report issuance), any technical investments identified during the engagement (MFA licenses, logging tools, GRC platforms like Drata/Vanta/Secureframe if relevant), and your internal team's time — always the biggest investment. We provide a full estimate of all three from the gap analysis onward.
Is SOC 2 a certification?
No — and it's important to say so correctly to your clients. SOC 2 is an attestation report issued by an independent CPA (Certified Public Accountant) firm in accordance with AICPA SSAE No. 23 standards. There's no "SOC 2 certificate" nor an accredited certification body like for ISO 27001. The report is a detailed document (often 40-80 pages) describing your system, in-place controls, tests performed by the CPA, and any exceptions. It's confidential — typically shared with clients under NDA. If you want a public version, that's SOC 3 — a SOC 2 summary intended for general distribution, but much less used in practice. Saying "we're SOC 2 certified" is technically incorrect — the accurate phrasing is "we obtained a SOC 2 Type [1/2] report for the period from [date] to [date]." (Source: AICPA, SSAE No. 23.)
Does SOC 2 replace ISO 27001, CAN/DGSI 104, or Law 25?
No — these frameworks aren't interchangeable, but they overlap significantly. SOC 2 is American (AICPA), based on Trust Services Criteria and designed for service organizations processing data on behalf of clients. ISO 27001 is international, focused on the Information Security Management System (ISMS). CAN/DGSI 104 is Canadian, sectoral, based on baseline controls for SMEs. Law 25 is a legal Quebec obligation specific to personal data protection. Technical controls overlap 60-80% across these frameworks — a solid ISO 27001 ISMS provides a strong base for SOC 2. But target audiences differ: SOC 2 is required by US clients, ISO 27001 by international clients, CAN/DGSI 104 by the Canadian federal government, Law 25 by Quebec legislation. Factero can run multiple processes in parallel reusing common documentation — often the right strategy when you target multiple markets.
Which Trust Services Criteria should we choose?
Security (also called "common criteria" or CC1–CC9) is mandatory in every SOC 2 report. The other 4 criteria are optional and selected based on your service commitments: Availability if you commit to uptime SLAs (most SaaS), Processing Integrity if you process critical transactions (payments, records), Confidentiality if you handle sensitive non-personal data (IP, commercial data), Privacy if you process personal information (broadly — names, emails, addresses, etc.). Each added criterion increases examination scope, costs, and exception risk. Factero reviews your client contracts, public policy pages, and SLA commitments to recommend the minimum combination that meets your commercial needs — not the maximum to impress. (Source: AICPA, 2017 Trust Services Criteria, points of focus revised 2022.)
Our MSP already manages our infrastructure. Can they also prepare us for SOC 2?
Your MSP is a key player in technical implementation — but preparing you for SOC 2 is a separate role, and the CPA will pay attention to it. SOC 2 requires documenting roles and responsibilities, including vendors (vendor management). If your MSP manages your infrastructure and drafts your security policies and prepares your System Description, the CPA will raise independence questions. In some cases, the MSP itself must provide a SOC 2 or an assurance letter on the controls they operate for you — and that's where tensions emerge. Factero has no commercial ties to your MSP: we structure the process, document reality, and let your MSP do what they do well — operations. We work with them, not in their place, exactly as in an independent audit.
What's an "exception" in a SOC 2 report and how do we avoid them?
An exception means the CPA found a case where a control didn't operate as intended during the observation period. For example: an admin account created without documented approval, a production change deployed without review, an access not revoked within timelines after a departure. Exceptions aren't necessarily failures — they're documented in the final report, and your clients will see them. A report with exceptions (sometimes called a qualified opinion) is generally acceptable if exceptions are few, minor, and accompanied by remediation plans. But a report with many exceptions loses commercial value. Factero emphasizes exception prevention: evidence collection cadence, documented periodic reviews, internal audit before the CPA. That's where the difference between "we passed SOC 2" and "we're proud to share our report" is decided.
What methodology do you use?
Factero relies on AICPA's 2017 Trust Services Criteria (with revised points of focus in 2022) as the target, complemented by the NIST Cybersecurity Framework (NIST-CSF) to structure risk assessment and prioritize recommendations. SOC 2 controls are integrated with the COSO 2013 framework — the 17 COSO principles form the backbone of common criteria. The principal associate holds the CISA certification (Certified Information Systems Auditor) from ISACA — the international reference in information systems auditing. The approach is adapted to each organization's size and complexity: we don't build the same setup for a 20-employee SaaS and a 300-employee financial platform. Each control is evaluated on actual applicability and cost/risk ratio.
Should we use a GRC tool like Drata, Vanta, or Secureframe?
They're useful tools, but not shortcuts. GRC platforms (Drata, Vanta, Secureframe, Thoropass, etc.) automate evidence collection by connecting to your systems (AWS, Azure, GitHub, Okta, etc.) and extracting control evidence automatically. They genuinely help manage the Type 2 observation period — fewer manual screenshots, fewer oversights. Factero has no commercial partnership with these vendors: if the tool fits, we support its deployment; otherwise, we document differently. The trap to avoid: these tools are excellent collection automata, but they don't replace thinking about controls, drafting the System Description, or human judgment on an exception. Organizations that succeed at SOC 2 often use a GRC tool; those that fail sometimes think the tool alone is enough.
How do we choose our CPA firm?
Not all CPA firms are equal for SOC 2. A good SOC 2 auditor is a CPA firm (not a consultant) with a regular SOC practice, knowledge of your industry, and capacity to issue reports within reasonable timelines. For a Quebec company, major Canadian firms (Deloitte, KPMG, EY, PwC, Grant Thornton, BDO, Richter, MNP) all offer SOC 2 services. Several specialized North American firms (A-LIGN, Schellman, Prescient Assurance, Johanson Group, Insight Assurance, Barr Advisory, Linford & Co) also target the Canadian market. Criteria that matter: SOC 2 experience with companies of your size and sector, recent readable reports, capacity to issue within your timeline, transparent fees, and human compatibility with your team (you'll interact with them for 3 to 6 months). Factero can present several options with no commercial tie — the Charter of Independence requires it. Final choice is yours.
Is it confidential?
Yes, every support engagement conducted by Factero is governed by a formal confidentiality agreement in favor of the client, signed before any work begins. No information — findings, analyzed documents, drafted policies, internal audit results — is shared with any third party, provider, or partner without your explicit written authorization, in accordance with our privacy protection policy and Law 25 requirements. Materials provided to the CPA firm are shared under your control and with your approval. This standard applies across all our engagements, without exception.
Does this commit us to ongoing work?
No. The engagement ends naturally with the first SOC 2 report issuance. For annual renewals — maintaining the evidence cadence, preparing the next observation period, adjustments if your scope evolves — some organizations prefer to keep us on a light cadence. Others internalize after the first cycle, often with a dedicated compliance lead and a GRC tool. Our Charter of Independence prohibits creating artificial dependency — we never recommend follow-up you don't need. If your team can take over, that's a good outcome.
Why Factero for this engagement — what sets you apart?
Before signing with a support firm, verify a few fundamental elements. A serious firm demonstrates them without hesitation and in writing.
The firm itself is certified
Factero holds the CyberSecure Canada (CAN/DGSI 104:2021 / Rev 1:2024) certification, publicly verifiable through the IAF CertSearch registry and through our Trust Center. We apply to our own organization the same standards we support for our clients. A firm guiding you toward a recognized certification should, by consistency, hold one itself.
Incorporated and established since 2022
Factero Service Conseil is duly incorporated with the Quebec Enterprise Registrar (REQ) since 2022, with no insolvency or bankruptcy proceedings on record. The legal status of any candidate firm can be verified free of charge through the REQ; insolvency and bankruptcy proceedings appear in the registry of the Office of the Superintendent of Bankruptcy Canada (osb-bsf.ic.gc.ca).
Complete team and operational continuity
Factero relies on an interdisciplinary team covering information technology, human resources, and accounting — the three dimensions that intersect in most governance engagements. A certification engagement extends over 6 to 18 months; the firm supporting you must have the team depth to go the distance, not just the availability of a single person.
Professional liability and cyber insurance
Factero maintains active professional liability (E&O) and cyber insurance coverage, adapted to its IT governance and cybersecurity consulting activities. A firm that recommends cyber insurance to you should, by consistency, hold one itself. Ask for the certificate before signing.
Written and public independence
Our engagements are governed by a public Charter of Independence that prohibits commissions, rebates, and commercial arrangements with vendors, brokers, or markets.
Public procurement registration
Factero is registered with the SEAO (Quebec) and the Ontario Tenders Portal — a process that involves regulatory verifications and up-to-date tax attestations.
These criteria are not commercial arguments. They are the minimum conditions to require of any candidate firm. The absence of a clear answer to any of these questions is, in itself, an answer.
Our advice remains independent. See our Charter of Independence.

Need to move forward on this?

Let's discuss your specific situation. No commitment, just expert advice.