Solutions · SOC 2

SOC 2, audit-ready by design

A SOC 2 report is your service organisation proving, to an independent auditor, that the controls behind the Trust Services Criteria are designed and operating. Acuna runs that programme in one place: the criteria mapped to controls with named owners, evidence collected on a cadence, and audit readiness held as a live state rather than a pre-examination scramble.

Trust Services Criteria on one systemSOC 2 mapped alongside ISO 2700150+ frameworks on one core

In short

SOC 2 is an attestation, defined by the AICPA, in which an independent auditor examines a service organisation’s controls against the Trust Services Criteria (security, and where relevant availability, processing integrity, confidentiality, and privacy). A Type I report assesses the design of controls at a point in time; a Type II report assesses their operating effectiveness over a period. Acuna is a multi-framework GRC platform that maps the criteria once, ties every control to an owner and to evidence collected on a cadence, and keeps you examination-ready.

Turn the examination into a state you hold, not a season you dread

For most service organisations SOC 2 is a sales gate: enterprise customers will not buy without the report. That makes the real cost not the audit fee but the disruption, the weeks your team spends assembling evidence the auditor could have seen all along. The organisations that handle SOC 2 well are the ones where the controls, their owners, and their evidence run continuously, so a Type II period is documented as it happens rather than reconstructed at the end.

One system for the whole SOC 2 programme

SOC 2 is organised around the Trust Services Criteria rather than a fixed control catalogue, so Acuna maps those criteria once across the four core panes, then the access-control depth the criteria demand is carried by the extension your programme needs.

Map the Trust Services Criteria once and crosswalk them to the frameworks you already run, so the security criteria you meet for ISO 27001 carry straight into SOC 2 rather than being rebuilt.

Turn the criteria into controls with named owners, so each Trust Services criterion has an accountable person and a described control, which is what the auditor tests.

Keep the controls operating on a cadence, so a Type II period is evidenced continuously as it runs, not reconstructed the week before the examination.

Give your auditor a live evidence view instead of a shared drive assembled under pressure, so the examination reads what has been running all along.

Framework-specific extension
RBACExtension

The Common Criteria CC6 (logical and physical access controls) are central to every SOC 2 examination. RBAC implements the access restrictions and periodic access reviews CC6 expects, and produces the review records the auditor asks for. See access control for the full capability.

What it unlocks, and what waiting costs

What a running SOC 2 programme unlocks vs What waiting costs
What a running SOC 2 programme unlocksWhat waiting costs
The report your enterprise deals are gated on, produced from a programme that runs continuously.Evidence assembled under deadline, with gaps discovered mid-examination.
A Type II period documented as it happens, so evidence collection is not a quarter-end sprint.The same security control described once for SOC 2 and again for ISO 27001.
Security controls that carry between SOC 2 and ISO 27001 instead of being maintained twice.Access reviews that were meant to happen quarterly and are reconstructed at audit time.
Access reviews that exist as records, not as a promise you scramble to back up.

We are early, so we will not quote a customer count. The mechanism is the argument: a Type II report attests to controls operating over a period. If the controls and their evidence run in one system across that period, the examination reads a record rather than triggering a reconstruction.

The hesitations worth naming

GRC ROI is genuinely hard to prove precisely. Use your own numbers below to build the internal case. These inputs are yours; the output is your estimate, not ours.

Pipeline at risk

Enterprise deal value

typical affected deal, annualised

CHF 200K

CHF 10KCHF 1M

Deals blocked or slowed

per year, your estimate

3 deals

015

Security questionnaires

your team fills out, per month

5 / month

020 / month

Questionnaire overhead

Hours per questionnaire

across all people involved (SIG/CAIQ often run 6–12 hrs)

6 hrs

1 hr40 hrs

All-in hourly cost

fully-loaded: salary + overhead of the person filling it

CHF 125

CHF 25CHF 500
Pipeline at riskCHF 600'000
Questionnaire overhead / year (5×/mo × 6 hrs × CHF 125)CHF 45'000
Total identifiable costCHF 645'000

Acuna starts from

CHF 5'388 / year, all frameworks included

120×

your est. cost

These are your estimates, not ours. GRC ROI is notoriously hard to measure: most of the value is in deals not lost, incidents not escalated, and audits not rebuilt from scratch. Use this to structure the internal conversation, not as a number we stand behind.

Built by people who ran the programmes

Acuna is built and operated by an established Swiss GRC group led by practitioners with decades of combined experience in audit, security, and governance. The platform models how a mature control programme actually runs, which is exactly what a Type II examination rewards.

  1. Trust Services Criteria map once and reuse across ISO 27001 and beyond.

  2. Access reviews produce the CC6 records auditors ask for.

  3. Priced per organisation, so every control owner and auditor is included.

  4. Data hosted in Switzerland and the EU.

SOC 2: common questions.

Get started

Be SOC 2 ready all year, not all-nighter

See how the criteria, controls, and evidence run in one place.