Johanson Group's positioning
Johanson Group LLP is a licensed CPA firm specialising in SOC 1, SOC 2, and SOC 3 attestations, ISO 27001 certification (with ISO 27017/27018 extensions), HIPAA, GDPR, CCPA, NIST, and PCI DSS work. The firm operates with a smaller team than mid-tier firms but covers a broader framework catalog than the tightest SOC-focused boutiques, sitting in what would be considered the upper boutique band. The firm was founded in 2014, is headquartered in Colorado Springs, Colorado, and serves customers across the US with a distributed team. The positioning is described on the Johanson Group site at johansonllp.com.
The defensible differentiator within the boutique tier is the dual credential: Johanson Group is an AICPA member firm enrolled in the Peer Review Program and also holds IAS accreditation as an ISO 27001 certification body. Most boutique CPA firms can attest SOC 2 but must hand the ISO 27001 certificate to a separate accredited certification body. Johanson delivering both under one engagement is structurally unusual at boutique pricing and is the right fit for a specific buyer profile: SaaS that needs SOC 2 plus ISO 27001 (commonly for simultaneous US and international enterprise sales) and wants one firm, one evidence cycle, and boutique fees rather than a mid-tier combined engagement.
Pricing by scope, with realistic ranges
Johanson Group SOC 2 audit fees scale on report type, criteria count, and company complexity in the same shape as Linford & Co. The pricing tends to land 5 to 10 percent above Linford on the equivalent scope, reflecting the firm's slightly larger team and broader framework catalog. The table below presents realistic engagement fees triangulated from public buyer disclosures.
| Engagement Scope | Typical Fee Range |
|---|---|
| SOC 2 Type 1, Security only | $8K-$13K |
| SOC 2 Type 2, Security only | $10K-$17K |
| SOC 2 Type 2, Security + 1 add-on criterion | $13K-$20K |
| SOC 2 Type 2, Security + 2 add-on criteria | $15K-$22K |
| SOC 2 Type 2 + ISO 27001 combined | $18K-$30K |
Three concrete engagement scenarios
Scenario A: 30-employee Series A SaaS, SOC 2 Type 2 Security only
A 30-employee Series A SaaS pursuing its first SOC 2 Type 2 on Security only typically receives a Johanson Group quote in the $11,000 to $15,000 range. The Linford & Co quote at the same scope would land $9,000 to $14,000; the small price premium versus Linford reflects the firm's slightly larger engagement-team scale. The Schellman or A-LIGN equivalent would land $20,000 to $30,000.
Scenario B: 75-employee Series A SaaS, SOC 2 plus ISO 27001 in one engagement
A 75-employee Series A SaaS pursuing SOC 2 Type 2 and ISO 27001 together typically receives a Johanson Group quote in the $20,000 to $30,000 range for the combined engagement. This is the scenario where the dual credential pays off: because Johanson is both a licensed CPA firm and an IAS-accredited ISO 27001 certification body, the buyer gets one firm, one evidence-collection cycle, and one engagement timeline where most boutique alternatives would require contracting a separate certification body for the ISO side. The equivalent two-firm boutique combination typically runs $25,000 to $40,000 with two timelines to manage.
Scenario C: 150-employee Series B healthcare SaaS, SOC 2 plus ISO 27001 plus HIPAA
A 150-employee Series B healthcare SaaS pursuing SOC 2 plus ISO 27001 plus a HIPAA attestation in parallel typically receives a Johanson Group quote in the $25,000 to $40,000 range across the three engagements. The multi-framework efficiency at this scope is real because all three sit inside one firm: the SOC 2 and HIPAA work under the CPA licence, the ISO 27001 certificate under the IAS accreditation, with one shared evidence cycle. The total cost is competitive with a Schellman or A-LIGN combined engagement at this scope. Note that Johanson does not offer HITRUST; a healthcare SaaS needing HITRUST CSF certification requires a HITRUST-authorised assessor firm.
Where Johanson Group wins versus Linford & Co
Johanson Group wins versus Linford when the buyer needs ISO 27001 alongside SOC 2 and wants both delivered by one firm under one evidence cycle, or when the buyer wants a broader framework catalog (ISO 27017/27018, HIPAA, GDPR, PCI DSS) than Linford's tighter SOC focus. Linford wins when the buyer is purely commercial SaaS with no federal roadmap and the slight price advantage on the lower end of the boutique range matters, or when the buyer values Linford's specific reputation for clear communication and tight engagement timelines.
Both boutique firms lose to mid-tier alternatives when the buyer's enterprise procurement team specifically requires a mid-tier or Big 4 brand, when the buyer is multi-framework today with a tight one-engagement timeline that boutique two-firm approaches cannot match, or when the buyer is on an IPO track and Big 4 brand value matters more than boutique price advantage.
Negotiation playbook
Discount room at Johanson Group is similar to Linford: 5 to 10 percent on multi-year engagement contracts, with Q2 or Q3 scheduling helping on both pricing and lead time. Bringing a Linford & Co or Prescient Assurance competing quote is the most effective lever within the boutique tier. For SaaS bundling ISO 27001 with SOC 2, a combined-engagement quote from A-LIGN or Schellman as a mid-tier alternative creates additional negotiation room because Johanson is positioning itself as the boutique-priced alternative to those combined engagements.