Episode 60 · Module 12 · Compliance & Governance

SOC 2, Penetration Testing and Security Certification

19 May 2026 · 8:40 · Security for Legal SaaS

8:40 8:40

You have implemented access controls, encrypted data at rest and in transit, deployed audit logging, and built an incident response plan. Your system is genuinely secure. Now a prospective client — a 200-lawyer firm evaluating your contract management platform — asks a single question: "Can you prove it?" This is where security certifications enter the picture. They are not security controls themselves. They are structured, externally validated evidence that your controls exist and work. For legal SaaS vendors, the right certification at the right time is often the difference between closing an enterprise deal and losing it to a competitor who can produce the paperwork.

Today’s Lesson

Security for Legal SaaS — Episode 60: SOC 2, Penetration Testing and Security Certification

The Proof Problem

This is where security certifications enter the picture. They are not security controls themselves. They are structured, externally validated evidence that your controls exist and work. For legal SaaS vendors, the right certification at the right time is often the difference between closing an enterprise deal and losing it to a competitor who can produce the paperwork.

SOC 2: The Industry Standard for SaaS

SOC 2 (System and Organisation Controls 2) is an auditing framework developed by the American Institute of Certified Public Accountants (AICPA) that evaluates a service organisation's controls over customer data.¹ It is the dominant security certification for B2B SaaS vendors in North America and increasingly globally.

Trust Services Criteria

SOC 2 evaluates controls against five Trust Services Criteria (TSC):

Criterion	Description	Required?
Security (CC series)	Protection against unauthorised access, both physical and logical	Yes — always included
Availability (A series)	System uptime and operational resilience	Optional
Processing Integrity (PI series)	Data processing is complete, valid, accurate, and timely	Optional
Confidentiality (C series)	Protection of information designated as confidential	Optional
Privacy (P series)	Collection, use, retention, and disposal of personal information	Optional

Security is mandatory in every SOC 2 report. The other four criteria are selected based on the commitments you make to your customers. For legal SaaS, Confidentiality and Availability are typically expected alongside Security — law firms need assurance that their client data is protected and that the platform stays accessible.²

Type I vs. Type II

	SOC 2 Type I	SOC 2 Type II
What it proves	Controls are properly designed at a specific point in time	Controls operated effectively over a period (typically 6–12 months)
Audit scope	Design review only	Design + operational effectiveness testing
Time required	Weeks to months of preparation	6–12 month observation window after controls are in place
Enterprise acceptance	Acceptable for early-stage companies	Required by most enterprise procurement teams

Key distinction: Type I says "on the day the auditor looked, our controls were properly designed." Type II says "for six months, someone watched us follow our own rules, and we actually did." Enterprise clients overwhelmingly prefer Type II because it demonstrates sustained discipline, not a one-day performance. According to Metomic, 78% of enterprise clients now require SOC 2 Type II from their service providers.³

Penetration Testing as Evidence

Penetration testing — or pentesting — is a controlled simulation of an attack against your application and infrastructure, conducted by a qualified security professional. While SOC 2 does not explicitly require penetration testing, it has become a de facto expectation.⁴

Why Auditors Want Pentest Results

SOC 2 Trust Services Criteria CC4.1 requires management to use "ongoing and separate evaluations" to assess the effectiveness of controls. Auditors evaluating vulnerability management and access control effectiveness routinely request penetration test evidence as part of this evaluation — it demonstrates that you didn't just build controls, you tested them against real attack techniques.⁵

For ISO 27001, Annex A 8.8 (management of technical vulnerabilities) and Annex A 5.36 (compliance with policies and standards) effectively require security testing, and auditors universally expect penetration testing as evidence.⁶

Pentest Scope and Frequency

Component	Recommended Scope	Frequency
Web application	OWASP Top 10, business logic, authentication, authorisation	Annually + after major releases
API	Authentication, authorisation, injection, rate limiting	Annually + after major releases
Infrastructure	Network segmentation, cloud configuration, credential management	Annually
Social engineering	Phishing simulation, physical security (optional)	Annually

What to Do with Findings

A penetration test that finds nothing is either excellent news or evidence of an inadequate test. What auditors want to see:

Scoped engagement letter — defining what was tested and what was excluded
Detailed findings report — each vulnerability classified by severity (Critical, High, Medium, Low, Informational)
Remediation plan — documented timelines for fixing each finding
Retest evidence — proof that Critical and High findings were fixed and verified
Trend analysis — comparison with prior year's results showing improvement

ISO 27001: The International Standard

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS).⁷ Where SOC 2 evaluates specific controls, ISO 27001 evaluates whether you have a management system — a framework for continuously identifying, assessing, and treating information security risks.

Aspect	SOC 2	ISO 27001
Developed by	AICPA (US)	ISO/IEC (International)
Focus	Control effectiveness	Management system maturity
Output	Attestation report (not a certification)	Certification (pass/fail)
Validity	Report covers a specific period	Certificate valid for 3 years (annual surveillance audits)
Geographic preference	North America, increasingly global	Europe, Asia-Pacific, global
Cost	$30K–$150K+ depending on scope and firm	$20K–$100K+ for initial certification

For legal SaaS vendors selling to both US and European law firms, having both SOC 2 Type II and ISO 27001 certification covers the broadest market — SOC 2 for North American enterprise procurement and ISO 27001 for European and Asia-Pacific clients.⁸

Cyber Essentials (UK)

Cyber Essentials is a UK government-backed certification scheme managed by the National Cyber Security Centre (NCSC).⁹ It covers five basic technical controls: firewalls, secure configuration, user access control, malware protection, and security update management. Cyber Essentials Plus adds external vulnerability testing.

For legal SaaS vendors targeting UK law firms, Cyber Essentials is increasingly a minimum requirement — particularly for firms that handle government or public sector work, where Cyber Essentials certification is mandatory for suppliers.

Choosing the Right Certification at the Right Time

Stage	Recommended Certification	Rationale
Pre-revenue / MVP	None — focus on building secure foundations	Premature certification wastes resources
First paying clients	SOC 2 Type I or Cyber Essentials	Demonstrates intent; satisfies initial due diligence
Growth / 10+ clients	SOC 2 Type II	Enterprise procurement teams require it
Enterprise / international	SOC 2 Type II + ISO 27001	Covers global markets; often required in RFPs
UK public sector	Add Cyber Essentials Plus	Mandatory for government suppliers

The enterprise sales inflection point: There is a specific moment in every legal SaaS company's growth where the absence of SOC 2 Type II starts costing deals. It typically arrives when you land your first Am Law 200 firm or Magic Circle prospect. Their procurement team will not proceed without it. Plan your certification timeline 12–18 months ahead of when you expect to need it.

What's Next

Episode 61 covers Customer Trust and Security Reviews — how to handle the security questionnaires, trust centres, and DPA negotiations that come after (or sometimes before) your certification is in place.

Sources & Further Reading

Sources & references

AICPA, SOC 2 — SOC for Service Organizations — Trust Services Criteria framework overview.
Cloud Security Alliance, The 5 SOC 2 Trust Services Criteria Explained — detailed breakdown of each criterion.
Metomic, SOC 2 Type II: A Complete Guide & Checklist — Type I vs. Type II comparison and enterprise requirements.
Blaze InfoSec, SOC 2 Penetration Testing Requirements Explained — when and why pentesting is expected for SOC 2.
Q-Sec, SOC 2 Penetration Testing: What Auditors Actually Expect — auditor expectations and evidence requirements.
Pentest Testing, ISO 27001 Penetration Testing Audit Evidence Guide — ISO 27001 pentest evidence requirements.
ISO, ISO/IEC 27001 — Information Security Management — standard overview.
Bright Defense, SOC 2 Trust Services Criteria: A Practical View — selecting criteria for SaaS compliance.
NCSC, Cyber Essentials — UK government certification scheme.
Cherry Bekaert, SOC 2 Trust Services Criteria Guide — practical audit preparation guide.
Netragard, SOC 2 Penetration Testing Requirements for 2026 — updated pentest requirements and methodology.

Alice: Welcome back to Security for Legal SaaS. I'm Alice.

Dan: And I'm Dan. Episode 60 — security certifications. SOC 2, pen tests, ISO 27001. Alice, we've spent fifty-nine episodes building security controls. This episode is about proving they work to someone who doesn't trust your word for it.

Alice: That's exactly what it is. You can have the most secure platform in the world, but when a 200-lawyer firm evaluates your contract management tool, they're going to ask one question: can you prove it? And "we take security seriously" is not proof. A SOC 2 Type II report is proof. A penetration test report is proof. An ISO 27001 certificate is proof.

Dan: Mm. So let's start with SOC 2, since that seems to be the one everyone asks about. What is it?

Alice: SOC 2 stands for System and Organisation Controls 2. It's an auditing framework developed by the AICPA — the American Institute of Certified Public Accountants. It evaluates whether a service organisation — that's you, the SaaS vendor — has effective controls for protecting customer data. The audit measures you against five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security is always included. The others are optional depending on what commitments you make to your customers.

Dan: Right. For a legal SaaS vendor, which of those five would you typically include?

Alice: Security is mandatory. Beyond that, legal SaaS vendors should almost always include Confidentiality — because you're handling privileged client data — and Availability — because law firms need to know your platform won't go down during a filing deadline. Processing Integrity and Privacy are included less often but may be relevant depending on your product.

Dan: Mm-hmm. Now, I've heard there's a Type I and a Type II. What's the difference?

Alice: Type I says "on the day the auditor looked, our controls were properly designed." It's a snapshot. Type II says "for the past six to twelve months, an auditor watched us operate, and our controls worked consistently over that entire period." Type II is what enterprise clients want because it proves sustained discipline, not a one-day performance.

Dan: Yeah. So Type I is like passing a driving test, and Type II is like having a clean driving record for a year.

Alice: That's a good analogy. And the numbers back it up — roughly seventy-eight percent of enterprise clients now require SOC 2 Type II from their service providers. If you're selling to large law firms, Type II is the expectation. Type I is acceptable as a stepping stone while you build your observation period, but it's not the destination.

Dan: Hmm. What about penetration testing? Where does that fit?

Alice: <sigh> This is one of the most misunderstood areas. SOC 2 does not technically require a penetration test. It's not in the criteria. But SOC 2 does require that management uses "ongoing and separate evaluations" to assess control effectiveness. In practice, auditors routinely ask for penetration test results as evidence of that evaluation. And enterprise clients absolutely ask. So while it's not a formal requirement, it's a de facto one.

Dan: Mm. What does a good pentest look like?

Alice: A qualified external security firm tests your web application, your APIs, and your infrastructure — trying to break in using the same techniques real attackers would use. They test against the OWASP Top 10, which we covered back in Episode 3, plus business logic flaws, authentication and authorisation weaknesses, and injection vulnerabilities. The test produces a findings report, each vulnerability classified by severity — Critical, High, Medium, Low. What matters after the test is not just the report — it's what you do with it. Auditors want to see a remediation plan with timelines, retest evidence showing critical findings were fixed, and ideally a trend analysis comparing this year's results with last year's.

Dan: Right. A pentest that finds nothing is either great news or a bad test.

Alice: Exactly. Every real application has findings. The question is whether they're minor or severe, and whether you fix them promptly.

Dan: Mm. Now, ISO 27001 — that's the international one. How does it compare to SOC 2?

Alice: ISO 27001 is an international standard for information security management systems — an ISMS. Where SOC 2 asks "do your controls work?" ISO 27001 asks "do you have a system for continuously identifying, assessing, and treating security risks?" SOC 2 produces an attestation report. ISO 27001 produces a certification — pass or fail — valid for three years with annual surveillance audits. Geographically, SOC 2 dominates in North America. ISO 27001 is preferred in Europe and Asia-Pacific. For a legal SaaS vendor selling internationally, having both gives you the broadest coverage.

Dan: Yeah. That sounds expensive though. What does certification actually cost?

Alice: SOC 2 typically ranges from thirty thousand to over a hundred and fifty thousand dollars, depending on the scope and the audit firm. ISO 27001 initial certification runs twenty thousand to a hundred thousand. The hidden cost is preparation time — getting your controls documented, implemented, and evidence-ready before the auditor arrives. For a small team, that preparation can take six to twelve months.

Dan: Mm. So when should a legal SaaS startup start thinking about this?

Alice: There's a clear maturity curve. Before you have paying clients, don't certify — focus on building secure foundations. When you land your first few clients, consider SOC 2 Type I or Cyber Essentials in the UK — it signals intent and handles basic due diligence. Once you have ten or more clients and you're targeting enterprise law firms, SOC 2 Type II becomes the priority. And if you're selling internationally — to European or Asia-Pacific firms — add ISO 27001. The critical thing is to plan twelve to eighteen months ahead of when you expect to need it. If you wait until a prospect asks, you're already too late.

Dan: Right. I want to mention Cyber Essentials briefly — you brought it up. What is that?

Alice: It's a UK government-backed certification managed by the National Cyber Security Centre. It covers five basic technical controls — firewalls, secure configuration, user access control, malware protection, and patch management. Cyber Essentials Plus adds external vulnerability scanning. For legal SaaS vendors targeting UK law firms, especially those handling government or public sector work, Cyber Essentials is often a minimum requirement. It's less rigorous than SOC 2 or ISO 27001, but for UK markets it's expected alongside those certifications, not instead of them.

Dan: Mm-hmm. So the takeaway is: build the security, then prove the security, and time the proof to your sales pipeline.

Alice: That's exactly it. Certification is not a security measure — it's a business measure backed by security evidence. The security controls we've covered over sixty episodes are what the auditor tests. The certification is what your client's procurement team sees.

Dan: Next episode — customer trust and security reviews. How to handle the questionnaires, trust centres, and DPA negotiations that follow the certification.

Alice: Until then, I'm Alice.

Dan: And I'm Dan.

Alice: Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.

Security for Legal SaaS is a series written with AI assistance. Alice and Dan are AI-generated voices — no professional advice here, just education.