SOC 2 Bridge Letter
SOC 2 Bridge Letter assures controls remain effective between audit reports, providing interim trust and transparency.
Understanding the SOC 2 Bridge Letter
If your company is pursuing SOC 2 compliance or reviewing SOC 2 reports from vendors, you may have come across the term "Bridge Letter."
But what exactly is a SOC 2 Bridge Letter, and why is it used?
In this guide, we’ll explain what a SOC 2 Bridge Letter is, how it works, and when it can help you maintain customer trust between audit cycles.
Why SOC 2 Reports Have a Timing Gap
A SOC 2 Type II report typically covers a specific audit period of three to twelve months.
But audits take time to complete, and once your auditor submits the report, a new audit cycle begins, leaving a gap between the end of the previous report and the start of the next one.
During this gap, your customers or prospects may ask:
"How do I know your controls are still working today, even though your SOC 2 report only covers last quarter?"
That’s where the SOC 2 Bridge Letter comes in.
What Is a SOC 2 Bridge Letter?
A SOC 2 Bridge Letter is a brief, formal letter issued by your company’s management to address the period between the end of your last SOC 2 report’s coverage period and the issuance of your next report.
The letter typically states that:
No significant changes to the control environment have occurred since the last report’s coverage period ended
Controls continue to operate as described in the prior SOC 2 report
Any known exceptions or material changes would be disclosed if applicable
Think of the Bridge Letter as a trust continuity document—it helps assure customers that your controls remain effective even during the reporting gap.
Who Prepares the Bridge Letter?
Unlike the SOC 2 report itself, which an independent auditor prepares, the Bridge Letter is authored by your organization’s executive leadership—usually your CISO, CEO, or General Counsel.
It is not audited, and it is not a substitute for a full SOC 2 report.
Rather, it provides an interim assurance to customers who are reviewing your compliance status between audit periods.
When Should You Use a Bridge Letter?
You should prepare a Bridge Letter whenever there is a gap of more than a few weeks between the coverage end date of your last SOC 2 report and the current date, especially if:
A major prospect is performing a security review
A customer’s procurement team requests updated assurance
A renewal deal hinges on your compliance status
Bridge Letters are familiar and well-understood in the market, particularly in industries where customers expect continuous security validation.
What a Bridge Letter Typically Includes
While the format of a Bridge Letter can vary, it generally contains:
The date range of the gap period being covered
A reference to the prior SOC 2 report
A statement regarding the continued operation of controls
Disclosure of any material exceptions or changes
A signature from executive leadership
For example, a typical statement might read:
"As of the date of this letter, no material changes or known exceptions have occurred in our control environment since the end of the prior SOC 2 report period."
It’s worth noting that frameworks such as HIPAA and ISO 27001 also emphasize the importance of continuous control effectiveness, which is precisely what the Bridge Letter is designed to address.
Common Misconceptions
It’s essential to recognize that a SOC 2 Bridge Letter is not a substitute for an updated SOC 2 report.
It provides interim assurance, but customers should still expect to receive your full SOC 2 report once it is issued.
Additionally, if there have been material changes or incidents affecting your control environment, these must be disclosed in the letter.
Transparency is key—Bridge Letters work best when they reinforce trust rather than attempt to mask gaps.