The SOC 2 questionnaire: what buyers are really asking, and how to respond.
"SOC 2 questionnaire" gets used for two different documents, and knowing which one you're holding changes everything about how to respond. This guide untangles the terms, lists what buyers actually request, and shows how to answer credibly — including when you don't have a SOC 2 report yet.
SOC 2 report vs SOC 2 questionnaire — they are not the same thing
A SOC 2 report is an independent audit: a CPA firm examines your controls against the Trust Services Criteria and writes an opinion. Type I covers a point in time; Type II covers a period (usually 6–12 months of evidence).
A SOC 2 questionnaire — what buyers usually mean — is one of:
- A security questionnaire organized around SOC 2 domains, sent because the buyer's risk process is anchored to the Trust Services Criteria.
- A SOC 2 evidence request: "send your report, bridge letter, pen test, and proof of these specific controls."
- A readiness checklist from a buyer assessing whether you're on a credible path to certification.
The first move is always the same: identify which of the three you've received, because the right response to each is different — and only one of them strictly requires a report.
What buyers typically request
- The report itself (under NDA), plus a bridge letter if the audit period has lapsed.
- Penetration test summary — recent, scoped to the product they're buying.
- Control evidence — access review cadence, encryption at rest and in transit, incident response process, backup and recovery testing, vendor management.
- Policies — information security, acceptable use, business continuity; sometimes verbatim, sometimes summarized.
- Subprocessor list — who else touches their data through you.
Responding without a SOC 2 report
Not having the report is common and survivable — smaller vendors win enterprise deals on evidenced answers all the time. What works:
- Answer the underlying question, not the missing document. The buyer wants assurance about access control, not the PDF for its own sake. Describe the control you run and cite the evidence.
- Be specific where you're strong. Named tools, dated reviews, real cadences. Specificity is what substitutes for the auditor's signature.
- Structure the gaps. "Not yet — compensating control today, certification roadmap with timeline." Buyers accept roadmaps; they reject vagueness.
- Never imply a report exists when it doesn't. That one gets discovered in procurement follow-up, and it costs the whole answer set its credibility.
If you do have the report
Lead with it — many buyers will accept it for entire questionnaire domains and only ask deltas. Attach the bridge letter proactively if your period has lapsed, and keep a one-page summary of scope and exceptions ready; it pre-answers the follow-up call.
Turning it around in days
SOC 2 evidence requests stall for the same reason all questionnaires stall: the answers live in five heads and nobody owns the response. ThinSky's Questionnaire Rescue takes the request end-to-end — truthful answers cited to your actual controls, a gap map before you commit anything to writing, and a reusable answer library — in about 3 days, introductory fixed price of $750.
Common questions
Is a SOC 2 report the same as a security questionnaire?
No. A SOC 2 report is an independent auditor's opinion on your controls over a period. A security questionnaire is the buyer asking you directly. Having a SOC 2 report shortens questionnaires — many buyers accept the report for whole domains — but it rarely eliminates them.
Can we answer a security questionnaire without a SOC 2 report?
Yes. Answer to the controls you actually run and cite them specifically. Many buyers accept strong, evidenced answers plus a roadmap in place of a report — especially from smaller vendors. What they won't accept is a vague 'we take security seriously.'
What do buyers ask in a SOC 2 evidence request?
Typically: your most recent SOC 2 report, bridge letter if the report period has lapsed, penetration test summary, proof of specific controls (access reviews, encryption, incident response, vendor management), and sometimes policies themselves. Each item maps to a Trust Services Criteria domain.
How fast can a SOC 2 evidence request be turned around?
If your documentation exists and someone owns the response, days. ThinSky completes SOC 2 evidence requests and security questionnaires as a done-for-you service in about 3 days, citing your real controls — introductory fixed price of $750.