A Customer Sent You a Security Questionnaire and You Have No SOC 2. Now What?
A customer wants assurances you do not have on paper — but a missing SOC 2 report is rarely the dealbreaker it feels like. Here is how to respond credibly.
The short version
- A missing SOC 2 is rarely the real blocker. SOC 2 is a US attestation report, not a UK certification — most UK buyers are looking for evidence you take security seriously, not that one specific document.
- You almost certainly have more than you think. The controls a SOC 2 would describe — access control, backups, encryption, a breach plan — mostly already exist in your business; they have just never been written down in one place.
- UK buyers often accept alternatives. Cyber Essentials, IASME Cyber Assurance, and honest, well-evidenced answers frequently satisfy the same underlying concern.
- Honesty is the credible move. Marking a genuine gap as 'in progress' with a plan beats overstating what you have — and it is what protects you if the truth is ever tested.
You open the email and there it is. A customer you have courted for weeks is ready to move ahead, but their procurement team needs a completed security questionnaire first, and somewhere in it sits the question you have been dreading. “Please attach your current SOC 2 report.” You do not have one. You never have. A deal that felt won suddenly feels at risk over a document you do not possess.
Take a breath. Facing a security questionnaire without SOC 2 is one of the most common situations a growing UK business runs into, and far more workable than it first appears. A missing SOC 2 report is rarely the genuine blocker it seems. This guide walks you through what the buyer is actually asking for, what UK buyers often accept instead, and how to answer honestly. Done right, you can even turn the whole episode into a head-start.
First, do not panic — you have more than you think
A missing SOC 2 report does not mean you have nothing to show. Most of the controls such a report would describe already exist in your business; they have simply never been gathered in one place.
SOC 2 is a report describing how an organisation manages things like access control, system monitoring, encryption, backups, and incident response over time. Read that list again. You almost certainly do several already. You use multi-factor authentication (a second login step beyond a password), you back up your data, you chose reputable cloud providers, and someone responds when something goes wrong. None of that disappears because you lack a particular American report.
The challenge for most small UK suppliers is not an absence of security. It is that their security has never had to be explained. The practices live in different tools, people’s heads, the occasional email thread, and a questionnaire forces one joined-up account of it for the first time. That is a documentation gap, not necessarily a security gap, and a very fixable one. Our walkthrough on how to answer a security questionnaire covers the general method; this article is about the no-certification situation specifically.
What the buyer is really asking for
When a buyer asks for SOC 2, they are usually asking a simpler underlying question: “Can I trust this supplier with my data and systems?” There is more than one credible way to answer it.
Procurement teams often write “SOC 2” into a questionnaire because it is the shorthand they know, or because a template handed it to them. That exact report is rarely the only acceptable answer. What sits beneath the request is a concern about risk: their insurer, their own customers, or their compliance team needs reassurance that working with you will not expose them. That is the question to answer well.
It helps to know what SOC 2 actually is, so you can speak to it confidently rather than apologetically. It is an attestation report produced under the standards of the American Institute of Certified Public Accountants (AICPA), the US accountancy body, in which an independent examiner reports on a service organisation’s controls across criteria such as security, availability, confidentiality, and privacy. It is a US-origin report, not a UK certification, and something a buyer requests and reviews rather than a badge you hold.
SOC 2 IS NOT A UK CERTIFICATION
SOC 2 originates in American assurance practice; the UK has its own recognised schemes. Knowing this lets you answer the SOC 2 question without treating a missing US report as a personal failing. It often simply is not the right yardstick for a UK supplier.
So when the SOC 2 line appears, you are not stuck. You can explain what you do have, offer a recognised alternative where you have one, and answer the substance honestly. For many UK buyers, that is enough.
What UK buyers often accept instead of SOC 2
In the UK, buyers frequently accept Cyber Essentials, IASME Cyber Assurance, or honest and well-evidenced answers in place of a SOC 2 report, though no certification ever guarantees a specific buyer will be satisfied.
Here are the credible alternatives, roughly in order of how readily a UK supplier can reach them.
Cyber Essentials
Cyber Essentials is a UK government-backed certification, developed by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium. It covers five core technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. Between them, those answer many of the same questions a security questionnaire asks. It is achievable for small organisations and recognised across UK supply chains, with annual renewal. It will not satisfy every buyer, but a current certificate is a strong, widely-understood signal that you meet a recognised UK baseline.
IASME Cyber Assurance
IASME Cyber Assurance is a UK governance standard a step beyond Cyber Essentials. Where Cyber Essentials covers technical controls, it adds the governance wrapper around them: risk management, incident planning, supply chain oversight, staff awareness. For a buyer worried about how you manage security rather than which tools you run, it speaks directly to that concern, without the cost and complexity of a full enterprise standard such as ISO 27001.
Honest, well-evidenced answers
This is the one suppliers most often underrate. Even with no certification at all, a carefully answered questionnaire can be entirely persuasive, as long as each response is backed by a real policy, record, or clear description of what you do. A buyer reading “Yes, all staff use MFA; our access policy is attached; we review access quarterly” is reassured by the substance, certificate or not. Evidence is what assurance ultimately rests on.
A certification is shorthand for trust. But trust can also be earned the long way round, with honest answers and real evidence, and that route is open to you today.
A word of caution: do not promise that any certification guarantees acceptance. These alternatives commonly satisfy UK buyers and demonstrate genuine diligence. But where a buyer truly mandates SOC 2 specifically, ask them directly whether an alternative is acceptable. Often it is.
How to answer honestly when you genuinely lack a control
When you genuinely do not have a control the questionnaire asks about, say so plainly, note what you are doing about it, and never overstate. An inaccurate answer can cost you far more than the gap itself.
Somewhere in the questionnaire you will hit a question where the honest answer is “we do not currently do this.” That is not a moment to bluff. It is a moment to be clear. For each genuine gap, choose the honest framing:
- Not yet in place. You do not do this today. Say so, and where you intend to address it, add a brief note: “Not currently implemented; planned for Q3.” A plan reads very differently from a blank.
- In progress. You have started but not finished. Note where you are and, where the questionnaire allows, a target date.
- Not applicable. The question does not fit your business. Explain why, briefly and factually, rather than leaving it blank.
The reason this matters goes beyond etiquette. An inaccurate answer, claiming a control you do not have, can void a contract, trigger liability clauses, and destroy trust if the truth surfaces later. And it tends to surface, during an audit or after an incident. There is a real difference between saying you are secure and being secure. The first might win today’s deal, but only the second protects your business when something actually goes wrong or an insurer investigates a claim. A buyer almost always respects a candid “not yet, but here is our plan” over a confident answer that does not hold up. If a long questionnaire is genuinely putting a deal at risk, honesty plus a credible plan is what keeps the conversation alive.
Turning this questionnaire into a head-start for the next one
The work you do answering this questionnaire, gathering evidence, documenting controls, closing quick gaps, is reusable, so each future request starts from a far stronger position than this one.
Here is the good news hiding inside the stress. Everything you assemble to answer this questionnaire is an asset you keep: the password policy you finally write down, the access-review process you describe, the evidence your team completed training, the list of where your data lives. None of it has to be rebuilt next time. You can draft many of these documents in a single focused session. The operational habits behind them take longer, but only once.
A practical sequence to leave yourself better off:
- Write down what you already do. Turn the controls in your head into short, plain documents. This is the bulk of the value, and it moves quickly.
- Close the easy gaps. Where a missing control is a quick win, say a written backup process or a documented joiner/leaver routine, do it now and mark it done.
- Consider a recognised baseline. If buyers keep asking, working towards Cyber Essentials gives you a credible, reusable answer to many future questions at once.
- Keep the evidence in one place. A buyer-facing summary of your security posture, sometimes called a trust centre, turns repeated questionnaire pain into a link you can send.
Done this way, the questionnaire stops being a hurdle and becomes the moment your business genuinely levelled up. The next request, whether from a customer, an insurer, or a framework, starts from strength rather than dread.
The organising principle
A buyer asking for SOC 2 is really asking whether they can trust you with their data. You answer that with what you actually do, evidenced honestly, and where it helps, a recognised UK certification. The missing report is rarely the real obstacle. Scattered, undocumented security is.
SecurSentry is launching soon to help UK SMEs answer security questionnaires question by question. It maps each one to the controls your business actually needs, guides you as you close the gaps, and helps you draft honest, evidence-backed answers, so you become genuinely more secure as you respond. Join the waitlist to be first to know when we open.
This article is general information, not legal or compliance advice. If you have specific contractual, regulatory or certification obligations, please seek qualified professional guidance.