SOC 2 (Type 1 and Type 2)
Trust Services Criteria attestation for service organizations.
Overview
What it is, in plain English.
SOC 2 is the de facto trust signal for B2B SaaS, MSPs, and any organization handling customer data. It is an attestation against the AICPA's Trust Services Criteria — proving that your controls over Security (and optionally Availability, Processing Integrity, Confidentiality, and Privacy) are suitably designed at a point in time (Type 1) and operating effectively over an observation period (Type 2). Lyra runs the entire lifecycle: readiness, remediation, evidence collection, and auditor liaison — so your engineering and security teams can keep building.
We support clients through SOC 2 Type 1 and Type 2 readiness, control design, evidence collection, and audit support — across Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria.
Who needs it
Built for organizations that have to get this right.
SaaS and cloud platforms whose enterprise customers ask for a SOC 2 report
Managed service providers, fintech, and healthcare-adjacent vendors
Companies losing deals in security questionnaires because they cannot produce a report
Series A+ startups preparing to move upmarket
Our approach
How we get you audit-ready and keep you there.
We don't drop policy templates and disappear. We design controls, implement them in your environment, prepare every artifact, and walk with you through the audit — then operate the program after certification so you stay compliant year over year.
- 01 Scope & Gap Assessment
We map your environment, business processes, and existing controls against the framework to find every gap, redundancy, and risk.
- 02 Remediation & Control Design
We design and implement the technical and administrative controls — policies, configurations, monitoring, and evidence pipelines.
- 03 Evidence & Documentation
We build the artifact library auditors expect: policies, SSPs, risk registers, control matrices, and continuous evidence collection.
- 04 Audit Support & Continuous Monitoring
We sit with you through the audit, respond to auditor requests, and operate the program after certification so you stay compliant year-round.
Key controls
What's actually in scope.
Logical access controls and least-privilege access reviews
Change management and SDLC governance
Vulnerability management, patching, and endpoint protection
Logging, monitoring, and incident response runbooks
Vendor risk management and continuous third-party monitoring
HR controls — onboarding, offboarding, background checks, training
Deliverables
What you walk away with.
SOC 2 readiness report with prioritized remediation plan
Policy library aligned to Trust Services Criteria
Control matrix with evidence mapping
Auditor liaison and audit-window project management
Type 1 attestation, then Type 2 over a 3–12 month observation window
Timeline
Type 1: 8–12 weeks. Type 2: an additional 3–12 month observation period, depending on the audit window you choose.
Questions we hear
Straight answers to the real questions.
- Should we start with Type 1 or go straight to Type 2?
- If you have a near-term sales deal that requires SOC 2, Type 1 gets you a defensible report fast. If you have runway, going straight to a short-window Type 2 (3–6 months) is more efficient and what most enterprise buyers actually want.
- Do you bring the auditor?
- We are not the auditor — independence rules forbid that. We partner with several CPA firms and can introduce you, or we work seamlessly with the auditor you already have.
- Which Trust Services Criteria should we include?
- Security is required. We help you decide whether Availability, Confidentiality, Processing Integrity, or Privacy are worth adding based on what your customers actually ask for.
Other frameworks we support
ISO 27001
ISO/IEC 27001 ISMS
CMMC
Cybersecurity Maturity Model Certification
NIST 800-171
Protecting CUI in non-federal systems
NIST CSF (including 2.0)
NIST Cybersecurity Framework
HIPAA / HITRUST
Healthcare privacy and security
PCI DSS
Payment Card Industry Data Security Standard