To get straight to the answer of how long it takes to reach SOC 2 compliance – in general, you can expect 6 months to acquire SOC 1 Type 1 and 12 months for the SOC 2 Type 2 report. However, this will vary per size of the organisation and readiness level. It seems like a long project timeline to reach compliance, right? Well, no. If you consider that SOC 2 compliance is a journey and not just a tick box certification. SOC 2 will enable you to embed processes and controls to improve security maturity – demonstrating the operating effectiveness of these controls.
If your organisation is certified to ISO 27001 then you can expect your timeline to be a bit shorter as you should already have measures in place to minimise security threats and now you will need to provide evidence that those security systems are in scope with SOC 2 Trust Criteria. Read more about the difference between ISO 27001 and SOC in our blog.
Other factors to consider for the time it will take your organisation include:
- The number of systems you’re running
- If you have multiple locations
- The sensitivity of your customer data
- Level of commitment from senior management
Once you understand these factors, you can now look at each stage of the timeline and make educated estimates of the time length needed to achieve SOC 2. So, let’s now dive into what to expect at each stage in a typical 12-month project – again bearing in mind that SOC 2 is a journey to security and not just a tick box for compliance.
TIP: AICPA’s, Section 801 reads “A type 2 report that covers a period that is less than six months is unlikely to be useful to user entities and their auditors” when performing SOC 2 audits. Therefore, you should schedule your SOC 2 audit at regular 6 to 12-month intervals — to ensure regular and thorough compliance.
Month 1: Getting approval from the board & shortlisting auditors
The board will want to see the ROI from achieving SOC reports. Let’s face it – it will be easy to get approval if you have a customer tender requiring SOC 2. If this is not the case, there are many benefits to compliance such as increasing your security posture to gain a competitive advantage that you can present to the board/
The next step is to find auditors to shortlist. SOC 2 should be audited by a licensed CPA firm. Do note there are unlicensed firms that can perform the security audit, but it may not be recognised globally and could be unacceptable to your potential and current client requirement.
TIP: In this first month, it is advisable to form a small risk and compliance team to oversee the project with at least one highly technical and an operational focused member. The team can help champion the project and ensure no business functions are disrupted during the compliance timeline.
Month 2: Choose your auditor & scoping
Take your time. It’s worth taking a month or two to find the right auditor as your partner to achieve compliance and it will make the journey a lot smoother process.
We recommend finding companies that have several SOC reports under their belts. If you are a new tech-focused company – it’s good to find an auditor that understands the specific needs of start-ups. For instance, if you can find an auditor who generally understands the impact of cloud-based information data storage and other compliance considerations unique to your organisation then this will help keep your timeline on track. An auditor who does not have tech expertise could still be considered but this may slow down the audit process.
TIP: If this is your organisation’s first time achieving SOC 2 don’t expect the auditor to hold your hand throughout the process. It’s advisable to employ a consultant to help with your readiness for the audit.
Once the auditor is selected, it’s time to confirm the scope. Depending on the reason for the SOC 2 report, the scope may cover the controls in one or all five of the Trust Service Criteria (TSC). If all five are not included, then this will cut down your timeline as well.
TIP: Consider any legal, contractual, or compliance requirements you may have to help identify specific TSC requirements. For example, if you are in Europe and under the GDPR, data privacy will be crucial, and you may need more focus more time on the privacy TSC.
Month 3: Confirm schedules, acquire a checklist & begin control mapping
The auditor should provide you with tools such as the audit checklist and a purposed work schedule.
Now you that know what the auditor will expect, you can begin mapping controls. Depicting the relationship between policies and testing will provide clear evidence that SOC 2 TSCs can be met. Connecting the dots in this way simplifies and streamlines the Auditor’s work providing the essential data needed for the report.
If controls are insufficient or not present to demonstrate compliance to a selected TSC will need remedial actions to demonstrate compliance. Now that you have identified your gaps, you should be able to now see the larger picture of what the practical final timeline will be.
TIP: The gap analysis stage may take between 2-4 weeks. However, SOC fieldwork and auditing can be performed remotely to speed things up without on-site visits.
Month 4, 5 and 6: Remediation and readiness audit
In these three months, remediation will take place. Depending on your organisation’s needed remediations and the resources available to fix the gaps, this length of time may be shorter or longer. Once again, this is where employing an outside consultant can come in handy to speed remediation along. A readiness audit should be performed before the auditor begins verification in the next month.
Month 7: Verification and fieldwork to achieve the SOC 2 Type 1 Report
The auditor will begin to verify fieldwork, which may involve them coming on-site. You should receive a list from them of all documentation that will be expected to deliver as part of the process. This could include organisational charts, change management information, asset inventories, and on-boarding and off-boarding processes.
TIP: Designate someone to coordinate what tasks and documentation are needed by all so that every relevant department knows what is expected of them and when it is due.
Once the fieldwork is complete, it could take the auditor a month to complete the SOC 2 Type 1 report. Which now puts you at the end of month 7 to receive the report.
Month 8 through finish date: SOC 2 Type 2 auditing begins
Now that you’ve done all the hard leg work, it’s time to put it into practice and demonstrate evidence of compliance. The audit should take place over 6-12 months. Some organisations that are gaining SOC 2 compliance to satisfy a customer requirement may need to speed up this timeframe. It’s advised that if this is the case, you should plan for a full 12-month audit period on your annual compliance renewal. However long your project takes to reach SOC 2 compliance, it will be well worth it.
TIP: Ask your auditor if they can issue a ‘Bridge Letter’ that can function as transitional validation, which will allow the Sales team to use for leveraging customer conversations that show your organisation is dedicated to achieving SOC 2 and is committed to security diligence.
SOC 2 Target Month: SOC 2 Type 2 report issued
Congratulations. Your auditor will now provide you with your SOC 2 Type 2 report. You can show off your organisation’s commitment to compliance by adding the applicable AICPA-approved logos to your website.
TIP: You should be proud of your SOC 2 certification. Your organisation’s security maturity is improving and demonstrates the operating effectiveness of the internal controls.
Of course, your project does not end here. Your organisation will continue to embrace and adjust new policies and procedures as needed. Just like other certifications such as ISO 27001, SOC 2 will require an annual renewal to show that your service organsation is committed to upholding the Trust Services Criteria.
Get helpful SOC 2 advice and resources
To get started on your journey to achieving a SOC 2 Type 2 report, we’ve created a typical timeline and checklist. Our crew, Risk Crew, is here for you. If you would like to ask a few SOC 2 questions or schedule a consultation, feel free to contact us directly.
Get Started with a Timeline & Checklist Book a Consultation