Best SOC 2 software for MSPs

Buyer’s guide for MSPs

SOC 2 (System and Organization Controls 2, attested by AICPA-certified auditors) has become table stakes in procurement for SaaS, fintech, and many B2B-services companies. The audit attests an organisation's controls against the AICPA Trust Services Criteria: Security (mandatory), plus any combination of Availability, Processing Integrity, Confidentiality, and Privacy.

For MSPs, SOC 2 shows up in two relationships: the MSP's own SOC 2 audit (essential for serving SOC-2-conscious clients) and SOC 2 readiness delivered as a service to client tenants. Both require continuous evidence collection mapped to the Trust Services Criteria.

What to look for

  1. AICPA Trust Services Criteria mapping. Direct mapping to the Common Criteria (CC1–CC9) and the Additional Criteria (Availability A1, Processing Integrity PI1, Confidentiality C1, Privacy P1–P8).
  2. Multi-tenant for MSP delivery. Per-client isolation, per-client billing, co-branded reports for client-facing audit deliverables.
  3. Continuous endpoint and cloud evidence. Patch state, configuration, MFA enforcement, audit logging, change management: collected continuously from actual endpoints and cloud tenants, so it is ready for auditor sampling rather than assembled by hand before the audit.
  4. Audit-firm collaboration tools. Auditor read-only access scopes, evidence request workflow, sampling support, request-for-evidence tracking.
  5. SOC 2 Type 2 maturity. Type 1 attests to the suitability of control design at a point in time; Type 2 attests to operating effectiveness over a review period. Look for tooling that supports the period-based evidence Type 2 demands.
  6. Bundled with the rest of the MSP stack. Standalone SOC 2 platforms add another invoice. Bundled MSP platforms keep evidence collection contiguous with patching, breach detection, and helpdesk.

Options to evaluate

Lavawall®: Multi-tenant MSP platform with SOC 2 as a first-class framework

Direct AICPA Trust Services Criteria mapping (CC1–CC9, A1, PI1, C1, P1–P8). Continuous evidence from Windows / macOS / Linux endpoints and M365 / Entra / Azure / Google Workspace tenants. Multi-tenant by design. SSP / POA&M generation. Built and used by ThreeShield, an audit firm with CISSP- and CISA-credentialled staff.

Best when: MSPs delivering SOC 2 readiness as a service across multiple client tenants and pursuing SOC 2 for themselves.

Vanta / Drata / Secureframe: Single-tenant SaaS GRC platforms

Polished onboarding for a single SaaS company chasing first SOC 2 attestation. Not designed for MSP multi-tenant delivery to many client orgs.

Best when: A single SaaS company chasing first SOC 2 attestation.

Hyperproof: Enterprise compliance program management

Mature program-management platform with broad framework coverage. Lives downstream of evidence collected by other tools.

Best when: Mid-market enterprises with dedicated GRC teams and existing evidence collection.

SharePoint + audit-firm engagement: Documentation-led approach

The pre-platform approach: SharePoint or Confluence for control documentation, Excel for the control inventory, and the audit firm handles sampling. Works for one-time audits; does not scale to a continuous-evidence operating model.

Best when: Organisations with one-off SOC 2 needs and dedicated internal audit support.

How Lavawall® fits

Lavawall® treats SOC 2 as a first-class framework alongside CMMC 2.0, NIST CSF, CIS, ISO 27001, HIPAA, PCI DSS, and the Canadian privacy bundle. The AICPA Trust Services Criteria map directly to live evidence Lavawall® already collects.

Multi-tenant by design lets an MSP deliver SOC 2 readiness to multiple client tenants from one console. Per-client isolation, per-client billing, and co-branded reports are native concepts.

For MSPs pursuing SOC 2 for themselves, the same platform produces the evidence base for both the MSP's own audit and the client tenants the MSP supports. ThreeShield, the audit firm that built Lavawall®, has direct experience advising on SOC 2 audits.

Frequently asked

Does Lavawall® perform the SOC 2 audit?
No. SOC 2 audits must be performed by an AICPA-certified independent auditor. Lavawall® produces the evidence; the auditor samples and attests. ThreeShield offers CISSP/CISA-led readiness work but is not the SOC 2 auditor of record.
Type 1 or Type 2?
Type 2 is what most enterprise procurement processes expect. Type 1 is sometimes used as an interim deliverable for organisations not yet ready for the period-based evidence Type 2 requires.
Does Lavawall® cover ISO 27001 alongside SOC 2?
Yes. ISO 27001 is one of the 15+ frameworks. The control overlap means a single evidence base supports both audits.