The situation: “We need SOC 2… but we don’t know what buyers really care about”
A Canadian B2B SaaS company (about 120 employees) was trying to land larger customers. Late-stage sales kept repeating the same requests:
- “Send your SOC 2.”
- “Complete our security questionnaire.”
- “How do you protect customer data in Microsoft 365 and the cloud?”
- “What’s your incident response timeline?”
- “Do you review vendors?”
They didn’t have SOC 2 yet. They were “working on it.” But the real blocker was scope confusion:
- too many systems listed “just in case”
- no agreement on what the SOC 2 “system” actually was
- evidence scattered across tickets, email threads, and cloud consoles
- control owners unclear (everything fell on one security lead)
That’s how SOC 2 projects drag out: not because teams don’t care, but because scope and evidence aren’t designed.
The vCISO move: treat the questionnaire as scope intelligence
Instead of starting with a generic SOC 2 checklist, the vCISO asked for:
- the last 5 customer security questionnaires
- one recent procurement security email thread
- the current architecture diagram (even if rough)
- a list of the top 10 vendors
Then every questionnaire question was tagged into one of four buckets:
The 4-bucket method
- In-scope SOC 2 control requirement (must be evidenced)
- System boundary decision (scope clarification)
- Sales narrative / trust asset (needs standardized answer)
- Nice-to-have (not required for first cycle)
This revealed the truth: buyers weren’t asking for “everything.” They were asking for a predictable set of outcomes.
Step-by-step: How the questionnaire became a SOC 2 scope
Step 1: Identify the “buyer-critical” Trust Services Criteria
The questionnaires overwhelmingly focused on access control, logging/monitoring, incident response, vendor management, change management, and retention/deletion.
That mapped cleanly to Security (always) and optionally Confidentiality.
Decision
Start with SOC 2 Security as the base. Add Confidentiality only where commitments were already being made in contracts and onboarding docs.
Step 2: Convert questionnaire answers into a scope boundary
One question showed up repeatedly: “What systems are used to store or process our data?”
The company’s initial scope draft included everything: prod, staging, CRM, marketing site, “everything in AWS.”
That would have made SOC 2 painful.
The tightened scope (buyer-aligned)
- In scope: production application and production infrastructure that stores/processes customer data
- Supporting processes in scope: access management, change management, incident response, vendor management
- Out of scope: marketing site, sales CRM (unless it stores regulated customer data), ad tracking tools, personal devices not used for production administration
Step 3: Build a “question-to-control” matrix (the hidden accelerator)
The vCISO created a simple mapping sheet:
Question → SOC 2 control objective → Evidence source → Owner → Frequency.
It converted questionnaire claims into evidence requirements and assigned ownership so nothing became “someone’s problem later.”
| Question | SOC 2 objective | Evidence source | Owner | Frequency |
|---|---|---|---|---|
| Do you enforce MFA? | Logical access controls | Entra ID/M365 settings export | IT owner | Quarterly review |
| Do you review admin access? | Privileged access governance | Admin role export + sign-off | Security owner | Quarterly |
| Do you have incident response? | IR readiness | IR plan + tabletop record | vCISO | Annual |
| How do you manage vendors? | Vendor risk controls | Vendor register + review pack | Procurement owner | Annual (+ quarterly for critical) |
Step 4: Evidence-first design (to avoid the screenshot scramble)
The biggest SOC 2 time sink is evidence collection after the fact. So the vCISO set up an evidence system:
- control register with owners and evidence frequency
- evidence folder structure by month/quarter
- a naming rule: control + period
- monthly reminders for recurring evidence (log reviews, access reviews)
- an auditor-friendly “pack view”
Result: “Q1 access review evidence” and “March log review sign-off” were findable in minutes, not days.
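The question-to-control matrix from Step 3 and the evidence cadence from Step 4 are easy to turn into a small register that tells you, before the auditor asks, which evidence items are missing for a period and which controls still have no owner. The script below is an added example and not the vCISO’s or the company’s own tooling: the control ids (AC-01, LM-01, ...), the extra monthly log-review row, the sample year and the folder listing are all constructed for the demo, and the vendor control’s “quarterly for critical” exception is simplified to a plain annual cadence.

```python
"""Question-to-control register with evidence cadence checks.

Added example, not part of the original case study: models the
Question -> SOC 2 objective -> Evidence source -> Owner -> Frequency sheet
and the "control + period" evidence naming rule, then reports which
evidence items are missing for a review window and which controls have
no owner. Control ids, dates and file names are constructed for the demo.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    control_id: str        # constructed short id used in evidence file names
    question: str          # the questionnaire question that drove the control
    objective: str         # SOC 2 control objective it maps to
    evidence_source: str   # where the evidence is pulled from
    owner: str             # accountable person/role ("" = unassigned)
    frequency: str         # "monthly", "quarterly" or "annual"


# Constructed register mirroring the four rows of the case study's matrix,
# plus a monthly log-review row (owner deliberately left blank).
REGISTER = [
    Control("AC-01", "Do you enforce MFA?", "Logical access controls",
            "Entra ID/M365 settings export", "IT owner", "quarterly"),
    Control("AC-02", "Do you review admin access?", "Privileged access governance",
            "Admin role export + sign-off", "Security owner", "quarterly"),
    Control("IR-01", "Do you have incident response?", "IR readiness",
            "IR plan + tabletop record", "vCISO", "annual"),
    Control("VM-01", "How do you manage vendors?", "Vendor risk controls",
            "Vendor register + review pack", "Procurement owner", "annual"),
    Control("LM-01", "Do you review logs?", "Logging and monitoring",
            "Monthly log review sign-off", "", "monthly"),
]


def period_label(frequency: str, day: date) -> str:
    """Return the evidence period a given date falls into, per the cadence."""
    if frequency == "monthly":
        return f"{day.year}-{day.month:02d}"
    if frequency == "quarterly":
        return f"{day.year}-Q{(day.month - 1) // 3 + 1}"
    if frequency == "annual":
        return str(day.year)
    raise ValueError(f"unknown frequency: {frequency}")


def evidence_name(control: Control, day: date) -> str:
    """Naming rule from the case study: control + period."""
    return f"{control.control_id}_{period_label(control.frequency, day)}"


def _month_starts(start: date, end: date):
    """Yield the first day of each month from start through end (inclusive)."""
    y, m = start.year, start.month
    while (y, m) <= (end.year, end.month):
        yield date(y, m, 1)
        m += 1
        if m > 12:
            y, m = y + 1, 1


def expected_evidence(register, start: date, end: date) -> set[str]:
    """Every evidence file name that should exist for the window [start, end]."""
    names = set()
    for control in register:
        for first_of_month in _month_starts(start, end):
            names.add(evidence_name(control, first_of_month))
    return names


def find_gaps(register, present: set[str], start: date, end: date) -> list[str]:
    """Evidence names expected in the window but absent from the evidence folder."""
    return sorted(expected_evidence(register, start, end) - present)


def unassigned_controls(register) -> list[str]:
    """Controls that still fall on 'someone later' because no owner is set."""
    return [c.control_id for c in register if not c.owner.strip()]


if __name__ == "__main__":
    # Constructed listing of an evidence folder for Q1 of a sample year;
    # the March log review sign-off has not been filed.
    present = {
        "AC-01_2024-Q1", "AC-02_2024-Q1", "IR-01_2024", "VM-01_2024",
        "LM-01_2024-01", "LM-01_2024-02",
    }
    window = (date(2024, 1, 1), date(2024, 3, 31))
    print("missing evidence:", find_gaps(REGISTER, present, *window))
    print("unowned controls:", unassigned_controls(REGISTER))
```

Run monthly against the real evidence folder listing, the gap list is the reminder from Step 4 and the unowned list is the “everything falls on one security lead” problem made visible; a quarterly control is expected once per quarter no matter how many months the window spans, which is why the period label, not the month, is what goes into the file name.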
Step 5: Questionnaire-driven trust assets (to speed approvals and create leads)
Many questionnaire questions weren’t audit questions. They were trust questions. So the vCISO created three assets sales could send early:
The 3 “send early” assets
- 1-page SOC 2 Trust Package (scope + controls + how to request report under NDA)
- Subprocessor/vendor summary (what vendors touch customer data)
- Retention & deletion statement (clear and factual, including backup disclosure)
What changed (and why they passed faster)
Before
- SOC 2 scope bloated
- evidence unassigned and scattered
- questionnaire answers inconsistent
- audit prep reactive
After
- scope matched buyer concerns
- evidence cadence defined and repeatable
- control owners assigned
- trust assets ready for sales enablement
Outcome: a clean SOC 2 Type I faster than expected, then Type II with an evidence pipeline already running.
Lessons you can copy (even if you’re starting from scratch)
- Your best scoping input is your customers: last 5 questionnaires + buyer objections + sales security emails.
- Don’t scope for ego; scope for evidence: a smaller scope passes faster if it covers buyer needs.
- Convert questionnaire answers into evidence requirements: if you can’t show it, don’t promise it.
- Build trust assets while you build SOC 2: your program should generate leads early.
Want the templates from this case study?
Get the free bundle and build the same accelerator system.
Bundle includes:
- questionnaire-to-control mapping sheet template
- SOC 2 scope boundary worksheet
- 1-page Trust Package template
- evidence folder structure + naming rules
Follow Canadian Cyber