A consulting-grade GRC portfolio documenting a full SOC 2 Type I readiness engagement for CloudSync Operations, a B2B workflow automation platform on AWS with 85 employees and three enterprise contracts stalled pending audit completion. SOC 2 TSC (Security · Availability · Confidentiality) · ISO 27001-aligned controls · AICPA Trust Services Criteria — 9 deliverables built as an interconnected readiness system. Every control maps to a Trust Services Criterion. Every policy is tailored to the platform's actual operating environment.
| Field | Detail |
|---|---|
| Client | CloudSync Operations |
| Industry | SaaS — B2B Workflow Automation |
| Engagement Period | March 2026 – April 2026 |
| Frameworks | SOC 2 TSC, AICPA Trust Services Criteria |
| Methodology | SHIELD Framework (designed by Stephanie Uzama) |
| Trust Service Categories | Security, Availability, Confidentiality |
| Common Criteria Assessed | 33 |
| Controls Documented | 47 |
| Policies Developed | 8 |
| Evidence Owners Assigned | 12 |
| Deliverables Produced | 9 |
| Engagement Status | Closed — Audit-ready |
CloudSync Operations is a B2B SaaS company that builds workflow automation tooling for mid-market and enterprise teams. At the time of engagement, the company had 85 employees, a multi-tenant architecture on AWS, and a sales pipeline that included three enterprise contracts in late-stage negotiation. Each of the three deals had a shared blocker: the procurement teams at the target enterprise customers required SOC 2 Type I before they would sign.
One deal had already been lost twelve months prior due to the same issue. The security team had implemented technical controls informally over time, but nothing was documented, tested, or mapped to any compliance framework. The leadership team understood they had roughly 8 to 10 weeks before two of the three pipeline deals would move to a competitor.
The engagement objective was to build a genuine SOC 2 Type I readiness posture: not surface-level documentation, but a real control environment that would pass independent auditor scrutiny.
The most common and costly GRC failure in SaaS startups is not a lack of security controls. It is a lack of documented, evidenced, and mapped controls.
CloudSync had built a functional security environment. Engineers had set up access controls, logging, encryption, and change management processes over several years of product development. The problem was that none of it existed on paper. There was no inventory of controls, no mapping to the Trust Services Criteria, no evidence collection process, and no formal policy that described how the environment was supposed to operate.
From a SOC 2 perspective, an undocumented control is not a control. The auditor tests against documented commitments and criteria. Without documentation, CloudSync had no SOC 2 posture at all, regardless of what was running in the environment.
This is the defining challenge of SOC 2 readiness for engineering-led SaaS companies: closing the gap between what actually exists in the environment and what can be proven to an independent auditor.
| Section | Title | What It Contains |
|---|---|---|
| 01 | Project Overview | Business context, engagement framing, and team structure |
| 02 | Methodology — SHIELD Framework | How SHIELD was applied to a SOC 2 readiness context |
| 03 | Scope and TSC Mapping | Trust Services Categories selected, criteria in scope, exclusions |
| 04 | Gap Analysis | Current-state assessment across all 33 Common Criteria |
| 05 | Control Design and Documentation | 47 controls documented and mapped to TSC |
| 06 | Policy Suite | 8 policies developed for the platform's operating environment |
| 07 | Evidence Framework | Evidence collection guide, owner matrix, retention schedule |
| 08 | Audit Preparation | Pre-audit readiness checklist and testing log |
| 09 | Engagement Closure | Debrief summary, residual gaps, 90-day roadmap |