The questions we hear most — about SOC 2, ISO 27001, HIPAA, and how engagements with Infinite Nerds actually work. Don't see your question? Ask us directly.
Most teams underestimate this. From the day you decide to pursue SOC 2 to the day you have a signed report in hand, plan on 6–12 months — broken roughly into: 2–6 weeks of readiness work, 3–6 months of evidence collection (the audit period), then 4–8 weeks of fieldwork and report finalization. Through the Managed Program, the audit period feels like business-as-usual because evidence is already being captured continuously.
Type I is a point-in-time snapshot — auditors verify that your controls are designed correctly on a specific date. Type II verifies that those controls actually operated effectively over a period (usually 3–12 months). Most enterprise buyers want to see Type II. We typically recommend going straight to Type II unless you have a hard deadline and need the Type I as an interim deliverable.
Security is required for every SOC 2. Beyond that, the choice depends on what you do and what your customers ask for. Availability for SaaS uptime commitments. Confidentiality for customer data protection beyond access control. Processing Integrity for financial or transactional systems. Privacy for PII handling. Most SaaS companies start with Security + Availability + Confidentiality.
Usually yes, if your buyers are US-based and ask for SOC 2 in their procurement process. The two reports overlap significantly on controls (we map them once in Adalace), but they're not interchangeable. ISO 27001 is the better story for European buyers and regulated industries; SOC 2 is the default for US SaaS procurement. Many of our clients carry both — and we run both programs continuously instead of treating each as an annual scramble.
The audit itself runs roughly $15K–$60K depending on scope, auditor firm, and Trust Services Criteria included. Readiness work — implementing controls, building evidence, training the team — can be the bigger line item, often $30K–$150K+ if you start from scratch. Through the Managed Program, readiness is folded into the ongoing engagement so you're not paying for it as a separate project every year.
Yes — we have working relationships with several CPA firms that audit SOC 2 reports and can introduce you to ones that fit your size, sector, and timeline. We don't take referral fees from auditors, so the introduction is for fit, not commission. If you already have an auditor selected, we work with whoever you bring to the table.
Plan on 9–14 months from kickoff to certification. The process: Stage 1 audit (documentation review), 3+ months of operating the ISMS, then Stage 2 audit (operational effectiveness). Certifications are good for 3 years with annual surveillance audits. We've shortened this for clients who already have mature security programs — but most teams need the full timeline to build the management system correctly.
Yes. The 2022 revision reorganized the controls (Annex A went from 114 to 93) and added new ones for cloud, threat intelligence, and data masking. All new certifications use 2022, and certifications under 2013 must transition by October 2025. If you're starting today, you're on 2022 — and Adalace's mappings are already built around it.
Yes — the SoA is mandatory for ISO 27001. It documents which Annex A controls you've implemented, which you've excluded, and why. Auditors read this first. We generate the SoA from your live program data in Adalace, so it stays current as your controls evolve — no more reconstructing a stale Word document the week before the audit.
An Information Security Management System is the documented framework — policies, procedures, risk assessments, control objectives, and operating cadences — that runs your security program. For ISO 27001, yes, you absolutely need one; the certification is for the ISMS itself, not just individual controls. The good news: you probably already have most of the components, just scattered. We consolidate them in Adalace and align them to the standard.
On the auditor side, usually 1–3 people for small-to-mid-size organizations. On your side, expect to dedicate part-time effort from your CISO/security lead, IT, HR (for training records), and a designated point-of-contact for evidence requests. With a Managed Program in place, the time burden on your internal team during the audit is dramatically reduced because we handle the evidence requests directly.
No. HIPAA is a regulation, not a certification scheme — there's no government-issued HIPAA certificate. What exists are HIPAA compliance attestations from third-party assessors (like HITRUST) and self-attestations backed by documented risk analysis, policies, and controls. Many of our clients pursue HITRUST for the credibility, or layer HIPAA controls into their SOC 2 (using the HIPAA-aligned Trust Services Criteria) for efficiency.
The Security Rule requires Administrative, Physical, and Technical safeguards — split across Required implementation specifications (you must do these) and Addressable ones (you must consider these and document your decision). Required items include things like a security management process, workforce training, audit controls, and transmission security. Addressable items get tailored to your environment. We map every requirement to a tracked control in Adalace.
BAAs (Business Associate Agreements) make the legal relationship clear with vendors who touch PHI, but they don't cover your own internal compliance. You still need the full Security Rule implementation, an active risk analysis, breach notification procedures, and the documentation to prove it all. We track BAAs as part of the vendor management cadence in Adalace, so renewal dates and scope changes don't fall through the cracks.
HIPAA requires notification within 60 days for breaches affecting fewer than 500 individuals, or without unreasonable delay (and to HHS and the media) for larger breaches. The clock starts when you discover the breach or should have discovered it. The response — investigation, notification letters, HHS reporting, mitigation — is intense and must happen alongside ongoing operations. We help clients build incident response runbooks that map directly to HIPAA breach notification requirements, so the response is rehearsed rather than improvised.
Possibly. HIPAA applies to covered entities (providers, plans, clearinghouses) and business associates (any vendor that handles PHI on behalf of a covered entity). If you're a SaaS company whose product touches PHI — patient data, claims data, ePHI of any kind — you're likely a business associate and need to comply. If you're not sure, the right starting point is mapping your data flows; we do this as part of the Posture Scan.
Most security consultancies sell hours and deliverables — reports, gap assessments, roadmaps. We sell a continuously operated program backed by Adalace, the platform our team runs on your behalf. The output isn't a report you read once; it's a live dashboard, evidence captured as it happens, and a board-ready summary generated from real program data. We're operators, not auditors.
Adalace is how we operate efficiently and how we keep evidence continuous. If you have existing tools — Vanta, Drata, ServiceNow, JIRA, GRC platforms — we can integrate with them, but we won't operate on a tool we can't trust. Most clients find that consolidating to Adalace simplifies the program rather than adding to it. Our Consulting engagements (fCISO, vCIO) can operate on your existing stack if Adalace isn't the right fit.
A Posture Scan is a fixed-fee, two-week baseline assessment across 10 control domains, mapped to whichever frameworks apply to you (SOC 2, ISO, HIPAA, NIST, PCI, etc.). You walk away with an executive report, a remediation roadmap, and a 30-minute readout call. Most clients use it as a no-commitment starting point — see where they actually stand, then decide whether to engage the Managed Program. More on engagement tiers →
fCISO (Fractional CISO) is executive leadership for your security and compliance program — board reporting, risk strategy, audit accountability. vCIO (Virtual CIO) is broader: technology roadmap, vendor selection, IT operations, budget planning. The two overlap (a CISO touches IT; a CIO touches security), but the buying motivation differs. Most clients engage one or the other; some engage both. More on Consulting engagements →
Posture Scans typically kick off within a week of contract signature. Managed Program engagements take 2–4 weeks to fully onboard (data integration, evidence baseline, team introductions). Consulting engagements (fCISO/vCIO) can start as quickly as the next board meeting if there's a hard deadline. The fastest way to find out is to book a walkthrough.
Most of our clients are mid-market organizations (50–500 employees) — large enough to have real compliance obligations and customer-facing risk, small enough that a full-time CISO/CIO isn't yet the right hire. We also work with later-stage startups preparing for their first audit, and with larger organizations who want a specialist team running a specific framework alongside their internal program.
A working guide to what SOC 2 Type II actually requires, how to plan your timeline, and where most programs quietly go wrong — from a team that's been on both sides of the auditor's table. No fluff, no marketing filler.
The fastest way to get a real answer is a 30-minute working call. No slide deck, no pitch — just your situation and our take.
Book a Walkthrough →