What is the difference between Type I and Type II?

Type I attests that controls are designed appropriately at a point in time, a snapshot. Type II attests they operate effectively across an observation period (6 or 12 months). Enterprise buyers strongly prefer Type II; Type I is mostly useful as an interim credential while observation period evidence accumulates.

Which Trust Service Criteria should we include?

Security is mandatory. Availability is essential for any service organisation where uptime matters to customers. Confidentiality is common where customer data is sensitive. Processing Integrity applies to systems that calculate financial or other critical outputs. Privacy is added where PII is processed. We recommend the right scope during initial scoping.

How long is the observation period?

Minimum is 3 months; typical is 6 or 12 months. Enterprise buyers strongly prefer 12-month Type II reports as they cover full annual cycles. We typically recommend 6 months for first audit, transitioning to 12-month cycles thereafter, but the right choice depends on your sales context.

Do you support continuous compliance tooling?

Yes, we work with the major continuous compliance platforms (Drata, Vanta, Secureframe, Tugboat) and can deploy them as part of your SOC 2 programme. These tools reduce audit evidence burden by 60-80% but require careful configuration to produce audit-grade evidence.

How does SOC 2 compare to ISO 27001?

SOC 2 is a US-originating attestation framework strongest in North American markets; ISO 27001 is the international ISMS standard with broader global recognition. Many organisations need both. The good news: controls overlap 70%+, so a well-designed compliance programme produces evidence usable for either.

How much does SOC 2 cost?

Type I audits typically £25,000-£50,000; Type II £40,000-£90,000 depending on TSC scope and environment complexity. Sectoral variants (healthcare, AI, MSP) run higher reflecting additional control work. We provide a fixed-fee quote after scoping.

FedRAMP Advisory & Readiness

Who this is for

This service is a fit if you’re..

Cloud service providers

CSPs targeting U.S. federal agency customers needing an Authority to Operate (ATO).

SaaS scaling to gov

Commercial SaaS expanding into U.S. public sector who need FedRAMP Ready or full authorisation.

Re-authorisation prep

CSPs with existing FedRAMP authorisation preparing for re-authorisation or impact level uplift.

What is FedRAMP

U.S. federal cloud authorisation, without the surprises

The Federal Risk and Authorization Management Program (FedRAMP) is the U.S. government's standardised approach to security assessment and continuous monitoring for cloud products and services. For cloud service providers selling to federal agencies, an Authority to Operate (ATO) is non-negotiable. We help CSPs reach FedRAMP Ready and authorisation efficiently, with a clear-eyed view of effort, cost, and timeline.

How we engage

The four phases of FedRAMP advisory

Gap Assessment

Map your current control environment to NIST 800-53 baseline controls at the target impact level. Identify what's in place, what's partial, and what's missing, including the supply chain controls most CSPs underestimate.

Boundary & Architecture

Define an authorisation boundary that's defensible and minimises ongoing burden. We work with engineering to draw the boundary precisely, so what's in scope is what genuinely needs to be in scope.

SSP & Evidence

Produce the System Security Plan, supporting documentation, and evidence library a 3PAO can audit against. We've seen common 3PAO findings before; we work to eliminate them up front, not after.

3PAO Liaison

Coordinate with your 3PAO during assessment, prepare your team for interviews, manage POA&Ms, and support continuous monitoring activities post-authorisation.

Impact levels

We support all three FedRAMP baselines

Low

FedRAMP Low

For systems where the loss of confidentiality, integrity, or availability would have limited adverse effect. 125 controls.

Moderate

FedRAMP Moderate

The most common baseline. For systems handling sensitive but unclassified federal data. 325 controls.

High

FedRAMP High

For systems handling government data where loss would have severe or catastrophic adverse effect. 421 controls.

Who we work with

For CSPs at any stage of the journey

Whether you're scoping FedRAMP for the first time, working toward FedRAMP Ready, or preparing for re-authorisation, our advisory team brings practical experience with NIST 800-53, cloud-native architectures (AWS GovCloud, Azure Government, GCP Assured Workloads), and the realities of working with 3PAOs. We complement, not compete with, your 3PAO, and we work alongside your engineering, security, and legal teams to keep the programme on track.

Start scoping

Ready to scope a FedRAMP engagement?

A 30-minute scoping call is the fastest way to understand what authorisation will involve for your system and what a realistic timeline looks like.

Book a scoping call

What you receive

Every engagement includes

✓ Scoping call. A 30-minute call to define scope, timeline, and authorisation boundaries.
✓ Test plan. Written test plan covering targets, methodology, and rules of engagement.
✓ Technical report. Detailed findings with reproduction steps, evidence, and remediation guidance.
✓ Executive summary. Board-ready 1-2 page summary with risk ratings and business impact.
✓ Audit-ready evidence. Findings letter formatted for auditors, customers, and supervisory authorities.
✓ Retest letter. Free retest of remediated findings within an agreed window. Confirmation letter included.
✓ Remediation call. A call with our lead tester to walk through findings and remediation strategy.

How we deliver

Our process, end to end

1
Scoping call & fixed-scope quote

A 30-minute call. We define scope, targets, timeline. You get a fixed-scope quote within one working day. No surprise invoices.
2
Test plan & authorisation

Written test plan covering methodology, targets, and rules of engagement. Authorisation letter signed before any testing begins.
3
CREST-aligned execution

Senior tester runs the engagement. Critical findings flagged immediately during testing. Daily updates if you want them.
4
Technical + executive report

Detailed technical findings with reproduction steps. Board-ready executive summary. Delivered within agreed working days.
5
Remediation call & retest

Walkthrough with our lead tester. Retest of remediated findings within the agreed window. Confirmation letter for your auditors.

Engagement scope

What shapes the quote

Small scope

Single app, focused scope, smaller surface. 5-7 working days.

Medium scope

Multi-role platform, several user types, integrations. 8-12 working days.

Enterprise scope

Complex environment, multiple targets, compliance evidence. 12-25 working days.

Fixed-scope quote within 1 working day

No surprise invoices, no scope-creep. We commit to a number before you commit to us.

Why RedSecLabs

Grounded reasons clients choose us

⚑

UK-based team

Testers based in the UK. Data stays within UK/EU jurisdiction for sensitive engagements.

❄

CREST member company

CREST-aligned methodology. Senior testers hold CREST CRT or CCT certifications.

⚙

Manual testing, not scanner-only

Automated scanners catch the obvious. Our human testers find the issues that matter.

✎

Clear executive reporting

Reports your board can read and your developers can act on. No jargon padding.

♚

Compliance-aware delivery

PCI, SOC 2, ISO 27001, DORA, GDPR. We map findings to your compliance framework.

↺

Retest support included

Free retest of remediated findings within agreed window. Confirmation letter for auditors.