
When customers ask for SOC 2 and what they really mean
Dennis van de Wiel
"Do you have a SOC 2 report?" Eight times out of ten, that's not the real question. The buyer sending it often doesn't know exactly what they want to see when you hand over the report. That might sound cynical, but it's an important insight. The question is a proxy. And once you understand what it's a proxy for, you'll have a very different conversation than if you panic and try to pass an audit within three months.
In this article: the situations in which the question comes up, what customers usually really mean by it, and what you can say when you don't have a report but don't want to lose the deal.
The question rarely comes out of nowhere
We see three patterns in which SOC 2 comes up:
Pattern 1: the American procurement questionnaire. A Dutch SaaS company is doing business with an American enterprise. The sales conversation is going well, pricing is being discussed, and then a 73-question PDF arrives. Under question 41: "Please attach your SOC 2 Type II report." Sometimes that's negotiable, sometimes it isn't. A founder told me that in this situation he lost six weeks because his ISO 27001 certificate had to be manually mapped to SOC 2 controls question by question.
Pattern 2: an existing customer runs a vendor review. You already have a contract and have been delivering for two years. Suddenly the procurement department asks for a recent report for their annual supplier assessment. This happens more often than founders expect, and it's more dangerous than a sales process, because you already have revenue that depends on the answer.
Pattern 3: an investor or acquisition candidate. During due diligence, SOC 2 comes up as an indicator of operational maturity. Here it's less about security and more about signal: a company with no formal compliance in place is perceived as less mature.
In all three cases: the later in the process the question arrives, the more expensive it becomes to address.
What they're really asking
SOC 2 is not a law. It's a framework from the American Institute of CPAs, aimed at service providers that process customer data in the cloud. Five Trust Service Criteria, of which only Security is mandatory (the other four -- Availability, Processing Integrity, Confidentiality, and Privacy -- are added at the customer's request). An audit by a certified accountant, with a report as the outcome.
But when the buyer on the other end asks for SOC 2, they're usually asking for something else. They want to know that you're not the weakest link in their attack surface. They want to be able to demonstrate internally that they've done due diligence. They don't want to have to explain to the board three months later why they approved a vendor without proof of security.
That explains why an ISO 27001 certificate is often an acceptable alternative, and why a detailed security questionnaire sometimes is too. The buyer needs documentation they can share internally. The report is packaging for that need, not a goal in itself.
The numbers back this up. Industry data from 2024 shows that SOC 2 adoption grew by around 40% that year, and that more than a third of organisations have already lost deals due to a missing security certificate. It's estimated that the average IT decision-maker spends around 6.5 hours per week on vendor risk assessments. A report cuts that time in half. That's a legitimate reason they ask for it.
Type I vs. Type II: what they actually care about
A Type I report says your controls were well designed at a specific point in time. A Type II report says they demonstrably worked for at least six months. Enterprise customers almost always want Type II. Type I is rarely accepted on its own, but it is tolerated as a bridge when you show that the Type II audit is planned.
What many founders don't realise: the observation period is not an administrative formality. Your controls need to work throughout those six to twelve months, and evidence has to be collected continuously. If you only start setting things up when the first customer request comes in, you're looking at a minimum of nine to fifteen months before you have a report in hand. For a six-week sales process, that's too late.
What to say when you don't have a report
Three scenarios that work in practice.
Scenario A: you have ISO 27001, no SOC 2. ISO 27001 is broader and stricter than SOC 2 in several respects. Send a short mapping showing which SOC 2 controls you already cover through your ISMS. For European customers, this is usually sufficient. For American customers, you can say: "We hold ISO 27001 certification, an international standard that substantially overlaps with the Trust Service Criteria. Our controls have been independently audited by an accredited certification body. Here's the mapping. If you require SOC 2 in addition, we can work towards that."
Scenario B: you have nothing. Be explicit about what you do have. A security policy, a Trust Center, mandatory MFA, encryption at rest and in transit, an incident response plan that was tested last quarter. Write that up on one page, with dates and owners. Add your timeline. An honest answer with a concrete plan lands in 70% of cases; a vague answer lands in 0%.
Scenario C: you're already working on SOC 2. Share your gap analysis and your planned audit date. Many buyers will accept a Type I report plus a commitment to Type II as a bridge. Some will even accept just a Letter of Engagement from your auditor.
The mistake founders almost always make
Waiting. A Dutch founder I spoke to recently (B2B SaaS, 18 employees, two American logos landed in 2025) told me: "We thought we'd only need SOC 2 when someone asked for it. Then they asked, and we were stuck in four months of procurement negotiations while our auditor was just getting started."
The solution isn't to plan a SOC 2 audit at the moment you incorporate. It is to set up controls in a way that fits both frameworks, ISO 27001 and SOC 2. Access management, encryption, change management, incident response, vendor management: these are nearly identical across both frameworks. Anyone who builds them in a platform that tracks the mapping can move towards audit within three to six months as soon as a customer asks.
That's exactly what Tidal Control is built for. Pre-built controls with mapping across ISO 27001, SOC 2, NIS2 and GDPR, automated tests via integrations with AWS, Azure, GitHub and Jira, and continuous evidence collection that builds up the Type II observation period without manual effort.
Want to know where your company stands?
Before you decide whether SOC 2, ISO 27001, or a combination is the right path, you'll want to know where you stand today. Which controls do you already have implicitly in place? What documentation is missing? How far are you from a first audit?
Take the free Quickscan in 3 minutes and get a first picture of your compliance position, along with logical next steps. No sales call, no obligations.
Frequently asked questions
Why do customers specifically ask for SOC 2 and not ISO 27001?
In North America, SOC 2 is the common language for vendor security. ISO 27001 is known among larger enterprises but is often seen as more relevant outside North America, Europe in particular. The preference for SOC 2 is partly a market convention, not always a substantive requirement.
Do customers always expect Type II?
For enterprise customers: yes. Type I is sometimes accepted as a bridge in an early stage, or for smaller deals. For a lasting place on a Fortune 1000 company's vendor list, Type II is the standard.
What do I do if a customer only accepts SOC 2 and we don't have it?
Send a Letter of Intent from your auditor along with a timeline. Add a Type I report as a bridge if that's possible. In roughly a third of these situations, a commercial extension is granted on the basis of a concrete plan.
How long does it really take to get a Type II report?
Between nine and fifteen months from scratch. Three to six months to set up controls, then a six-to-twelve-month observation period, followed by the audit itself, which takes at least seven days depending on headcount (FTE).
Is SOC 2 still relevant if you have ISO 27001?
In Europe: usually not. In North America or with international customers: yes, because of the market convention. An integrated platform that serves both frameworks prevents duplicate work.