SOC 2 certification guide
SOC 2 has become the entry ticket for B2B SaaS companies selling to enterprises. When your prospect's security team asks "Do you have SOC 2?", you need to say yes—or watch the deal slip away to a competitor who can.
This guide covers everything you need to know about SOC 2: what it is, how the audit works, how long it takes, what it costs, and how to get there without derailing your business.
What is SOC 2?
SOC stands for System and Organization Controls. SOC 2 is a reporting framework developed by the American Institute of Certified Public Accountants (AICPA).
A SOC 2 report is an independent auditor's opinion on whether your controls meet the Trust Service Criteria. It's technically an "attestation" rather than a "certification"—but everyone calls it certification anyway.
SOC 1 vs. SOC 2 vs. SOC 3
| Report | Purpose | Audience | Use case |
|---|---|---|---|
| SOC 1 | Financial reporting controls | Auditors of your customers | Your service affects their financials (payroll, accounting) |
| SOC 2 | Security, availability, processing, confidentiality, privacy | Customers, prospects, partners | General security assurance |
| SOC 3 | Same as SOC 2, but public summary | General public | Marketing (not detailed enough for security teams) |
Most SaaS companies need SOC 2. SOC 1 is primarily for financial services. SOC 3 is rarely requested because it lacks detail.
Type I vs. Type II
This is the most important distinction:
| Aspect | Type I | Type II |
|---|---|---|
| What it proves | Controls are designed appropriately | Controls operated effectively over a period |
| Audit scope | Point in time (single date) | Period of time (typically 6-12 months) |
| Customer value | "They have controls" | "Their controls actually work" |
| Time to achieve | 2-4 months | 6-12 months |
| Cost | Lower | Higher |
| Customer acceptance | Some accept, many prefer Type II | Universally accepted |
Recommendation: Start with Type I to demonstrate progress quickly, then pursue Type II. Most enterprise customers want Type II.
The Trust Service Criteria (TSC)
SOC 2 evaluates controls against five Trust Service Criteria:
| Criteria | What it covers | Required? |
|---|---|---|
| Security (Common Criteria) | Protection against unauthorized access | Always required |
| Availability | System uptime and accessibility | Optional |
| Processing Integrity | Processing is complete, accurate, timely | Optional |
| Confidentiality | Information designated confidential is protected | Optional |
| Privacy | Personal information collection, use, retention, disposal | Optional |
For most SaaS companies: Start with Security only. Add Availability if you have SLAs. Add Confidentiality or Privacy based on customer requirements.
Security (Common Criteria) categories:
| Category | Description | Examples |
|---|---|---|
| CC1 | Control environment | Leadership commitment, ethics, oversight |
| CC2 | Communication and information | Policy communication, internal/external |
| CC3 | Risk assessment | Risk identification, fraud risk |
| CC4 | Monitoring activities | Ongoing monitoring, evaluation of issues |
| CC5 | Control activities | Policies, technology controls |
| CC6 | Logical and physical access | Authentication, authorization, physical security |
| CC7 | System operations | Change management, incident management |
| CC8 | Change management | Change control procedures |
| CC9 | Risk mitigation | Vendor management, business continuity |
Who needs SOC 2?
You need SOC 2 if:
- You sell to enterprises
  - Enterprise sales require SOC 2 in 70%+ of deals
  - Security questionnaires take weeks without it
  - Competitors with SOC 2 have an advantage
- You handle customer data
  - SaaS platforms
  - Cloud services
  - Data processing
  - API providers
- You want to scale sales
  - SOC 2 eliminates per-customer security reviews
  - One report satisfies most requirements
  - Reduces sales cycle by 2-4 weeks
- Your customers' auditors ask
  - Banks, healthcare, public companies
  - Their auditors require vendor SOC 2 reports
  - Part of their own compliance
You might not need SOC 2 if:
- You only sell to consumers (B2C)
- You don't handle sensitive data
- Your customers never ask
- You're pre-product or pre-revenue
- Your market is exclusively Europe (ISO 27001 may be more valuable)
SOC 2 vs. ISO 27001 decision matrix
| Your situation | Recommendation |
|---|---|
| US SaaS, selling to US enterprises | SOC 2 first |
| US SaaS, expanding to Europe | SOC 2 first, add ISO 27001 |
| EU SaaS, selling to EU enterprises | ISO 27001 first |
| EU SaaS, expanding to US | ISO 27001 first, add SOC 2 |
| Global enterprise customers | Both (prioritize based on current demand) |
| Regulated industry (healthcare, finance) | Industry-specific + SOC 2 |
How SOC 2 helps business
Direct business value
| Benefit | Impact |
|---|---|
| Win enterprise deals | Often a mandatory requirement |
| Faster sales cycles | Replace 2-week security review with report sharing |
| Competitive differentiation | Stand out among uncertified competitors |
| Reduce questionnaire burden | SOC 2 report answers 80%+ of security questions |
| Insurance discounts | Lower cyber insurance premiums |
Real examples
Before SOC 2:
- Security review with each enterprise prospect: 15-20 hours
- Custom questionnaires: 100-200 questions each
- Security call with their team: 1-2 hours per prospect
- Deal lost due to security concerns: 20% of enterprise pipeline
After SOC 2:
- Share SOC 2 report (plus brief addendum if needed)
- Most customers skip additional questions
- Security call only for specific follow-ups
- Loss due to security concerns: under 5%
Revenue impact: For a company with $5M in enterprise pipeline, reducing loss from 20% to 5% = $750K in additional closed revenue.
The SOC 2 audit process
Phase 1: Scoping (2-4 weeks)
Define what's being audited:
| Scope element | What to include |
|---|---|
| System | Your SaaS platform, supporting infrastructure |
| Services | What you provide to customers |
| Location | Offices, data centers (or cloud regions) |
| People | Teams with access to in-scope systems |
| Time period | Type I: specific date. Type II: 3-12 month window |
| Criteria | Security (required) + any optional criteria |
Scope decisions:
| Decision | Impact |
|---|---|
| Include internal tools? | More work, usually not needed |
| Include all products? | Start with flagship only if resources limited |
| Include contractors? | If they access in-scope systems, yes |
| Include physical office? | Cloud-native companies can often exclude |
Phase 2: Readiness assessment (3-6 weeks)
Before the audit, assess your gaps.
What to evaluate:
For each control area:
- Do policies/procedures exist?
- Are they implemented in practice?
- Can you provide evidence?
- Any known exceptions or gaps?
Common gap areas:
| Area | Typical gaps |
|---|---|
| Access control | No access reviews, orphaned accounts, over-privileged users |
| Change management | Changes not documented, missing approvals |
| Incident response | No formal plan, incidents not logged |
| Vendor management | Vendors not assessed, no security terms in contracts |
| Encryption | Data at rest not encrypted, weak TLS |
| Logging | Incomplete logging, short retention |
| HR processes | No background checks, missing security in onboarding |
Phase 3: Remediation (4-12 weeks)
Fix the gaps identified in readiness assessment.
Prioritization framework:
| Priority | Criteria | Action |
|---|---|---|
| P0 | Will cause audit failure | Fix immediately |
| P1 | Significant exception, affects multiple controls | Fix before audit |
| P2 | Minor exception, manageable | Fix or document exception |
| P3 | Nice to have | Address post-audit |
Typical remediation items:
| Item | Effort | Tools/Approach |
|---|---|---|
| Document policies | 2-4 weeks | Use templates, customize |
| Implement MFA everywhere | 1-2 weeks | IdP enforcement |
| Set up access reviews | 1 week | Quarterly calendar, spreadsheet |
| Configure logging | 1-2 weeks | Cloud-native logging |
| Deploy endpoint protection | 1-2 weeks | EDR solution |
| Background checks for new hires | Process change | HR procedure update |
| Vendor security assessments | 2-4 weeks | Prioritize critical vendors |
| Incident response plan | 1-2 weeks | Template + tabletop |
Phase 4: Evidence collection (ongoing)
SOC 2 is evidence-based. Auditors sample controls and ask for proof.
Types of evidence:
| Evidence type | Examples |
|---|---|
| Documentation | Policies, procedures, network diagrams |
| Screenshots | MFA configuration, access control settings |
| Logs | Access logs, change tickets, incident records |
| Reports | Vulnerability scans, access review summaries |
| Personnel records | Training completion, background check confirmations |
| Contracts | Vendor agreements with security terms |
Evidence collection tips:
- Start early — Don't wait until auditors ask
- Automate — Compliance platforms collect evidence continuously
- Timestamp everything — Evidence must be from the audit period
- Consistent format — Makes auditor's job easier
- Secure storage — Evidence itself contains sensitive info
Phase 5: Audit fieldwork (2-4 weeks)
The auditor examines your controls.
What happens:
- Document request — Auditor sends list of needed evidence
- Walkthrough — Auditor interviews process owners
- Testing — Auditor samples controls (e.g., 25 access reviews from the year)
- Issue identification — Gaps or exceptions documented
- Management response — You respond to findings
Sample sizes:
| Control frequency | Occurrences per year | Typical sample |
|---|---|---|
| Monthly | 12 | 2-5 samples |
| Quarterly | 4 | 2-3 samples |
| Per-occurrence | Varies | 25-40 samples |
| Annual | 1 | 100% |
Exception handling:
If a control failed in some instances, you'll have an exception noted. Options:
- Accept it (minor exceptions are common)
- Show remediation (if fixed during period)
- Provide context (why it happened, impact)
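A pre-audit self-check is the practical counterpart to the three points above: evidence must carry a date inside the audit period, the auditor draws a sample sized by the control's frequency, and any sampled item that fails the control becomes an exception. The script below is an added example, not part of this guide and not an auditor's tool; it uses the sample-size ranges from the table above as a lookup and runs over constructed evidence records (a set of quarterly access reviews and 60 change tickets, all hypothetical). Names such as `check_control` and the `passes` predicate are assumptions of this example.

```python
"""Pre-audit evidence self-check (added example, not from the guide).

Filters evidence records to the audit period, draws a deterministic sample
sized by control frequency, and reports exceptions and evidence gaps.
All records, dates and rules below are constructed for illustration.
"""
import random
from datetime import date

# Typical sample sizes by control frequency, taken from the guide's table.
# "max" is the upper end of the typical range; "expected" is how many
# occurrences the auditor expects to find in a full-year period.
SAMPLE_RULES = {
    "monthly": {"expected": 12, "max": 5},
    "quarterly": {"expected": 4, "max": 3},
    "per-occurrence": {"expected": None, "max": 40},
    "annual": {"expected": 1, "max": 1},
}

# Constructed Type II audit period (hypothetical).
AUDIT_START, AUDIT_END = date(2024, 1, 1), date(2024, 12, 31)

# Constructed quarterly access-review records. One is dated before the
# period (unusable as evidence) and one was never signed off by a reviewer.
ACCESS_REVIEWS = [
    {"id": "AR-2023-Q4", "date": date(2023, 12, 20), "reviewer": "cto"},
    {"id": "AR-2024-Q1", "date": date(2024, 3, 28), "reviewer": "cto"},
    {"id": "AR-2024-Q2", "date": date(2024, 6, 27), "reviewer": ""},
    {"id": "AR-2024-Q3", "date": date(2024, 9, 30), "reviewer": "cto"},
]

# Constructed per-occurrence evidence: 60 change tickets spread over the
# year; ticket CHG-017 is missing its approval (a control failure).
CHANGE_TICKETS = [
    {"id": f"CHG-{n:03d}", "date": date(2024, 1 + n % 12, 1 + n % 27), "approved": n != 17}
    for n in range(60)
]


def in_period(records, start=AUDIT_START, end=AUDIT_END):
    """Keep only records whose date falls inside the audit period."""
    return [r for r in records if start <= r["date"] <= end]


def check_control(name, frequency, records, passes, seed="audit-2024",
                  start=AUDIT_START, end=AUDIT_END):
    """Sample in-period evidence for one control and test each sampled item.

    `passes` is a predicate that returns True when a record shows the control
    operated (e.g. the change was approved). Returns a dict with the sample,
    the exceptions found and any evidence-coverage issues.
    """
    rule = SAMPLE_RULES[frequency]
    population = in_period(records, start, end)
    issues = []
    dropped = len(records) - len(population)
    if dropped:
        issues.append(f"{dropped} record(s) dated outside the audit period; not usable as evidence")
    if rule["expected"] is not None and len(population) < rule["expected"]:
        issues.append(f"expected {rule['expected']} occurrences in period, found {len(population)}")
    # Test the whole population when it is smaller than the sample size.
    size = min(len(population), rule["max"])
    # Seeded per control so the same sample can be reproduced for the auditor.
    rng = random.Random(f"{seed}:{name}")
    sample = sorted(rng.sample(population, size), key=lambda r: r["date"])
    exceptions = [r["id"] for r in sample if not passes(r)]
    return {
        "control": name,
        "frequency": frequency,
        "population": len(population),
        "sample_size": size,
        "sample": [r["id"] for r in sample],
        "exceptions": exceptions,
        "issues": issues,
    }


def run_self_check():
    """Run the check over both constructed evidence sets."""
    return [
        check_control("quarterly access review", "quarterly", ACCESS_REVIEWS,
                      passes=lambda r: bool(r["reviewer"])),
        check_control("change approval", "per-occurrence", CHANGE_TICKETS,
                      passes=lambda r: r["approved"]),
    ]


if __name__ == "__main__":
    for result in run_self_check():
        print(f"{result['control']}: population={result['population']} "
              f"sampled={result['sample_size']} exceptions={result['exceptions']}")
        for issue in result["issues"]:
            print(f"  issue: {issue}")
```

Running it shows the two kinds of problem the guide warns about: the access-review control has only three usable records in the period (one is dated before it) and one unsigned review that would surface as an exception, while the change-approval control has a clean evidence trail but a single unapproved ticket that may or may not land in the 40-item sample, which is exactly why continuous evidence collection beats hoping the auditor misses it.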
Phase 6: Report issuance (2-4 weeks)
After fieldwork:
- Draft report — Auditor writes report
- Your review — Check system description and management assertions
- Final report — Signed by auditor
- Receive report — PDF document for sharing with customers
Report sections:
| Section | Contents |
|---|---|
| I. Auditor's opinion | Their assessment |
| II. Management assertion | Your claims about controls |
| III. System description | How your system works |
| IV. Trust Service Criteria | Mapping of your controls |
| V. Control tests | Tests performed and results |
| Other | Complementary user entity controls (CUECs) |
SOC 2 Type I vs. Type II: the path
Recommended approach
| Phase | Timeline | What happens | Output |
|---|---|---|---|
| Readiness + Remediation | Months 1–2 | Gap analysis, policy creation | Controls in place |
| Type I Audit | Months 3–4 | Auditor reviews controls | Report showing controls exist |
| Controls Operating | Months 5–10 | Collect evidence, demonstrate operation | 6+ months of evidence |
| Type II Audit | Months 11–12 | Auditor reviews evidence period | Report showing controls worked over time |
Type I deliverables
- Report stating controls are suitably designed
- Snapshot as of a specific date
- Valuable for showing progress
- Gets you in the door for deals
Type II deliverables
- Report stating controls operated effectively
- Covers a review period (6-12 months)
- Proves sustained security practices
- What most customers ultimately want
Timeline and costs
Timeline by scenario
| Scenario | Type I | Type II | Total |
|---|---|---|---|
| Starting from zero | 3-4 months | +6-8 months | 10-12 months |
| Some controls exist | 2-3 months | +6-7 months | 8-10 months |
| Mature security program | 1-2 months | +6 months | 7-8 months |
| Using compliance platform | 2-3 months | +6 months | 8-9 months |
Cost breakdown
| Cost category | Small (under 50 employees) | Mid (50-200 employees) | Notes |
|---|---|---|---|
| Readiness assessment | $5-10K | $10-20K | Consultant or internal |
| Remediation | $5-20K | $15-40K | Tools, implementation |
| Compliance platform | $10-20K/yr | $20-40K/yr | Vanta, Drata, etc. |
| Type I audit | $15-25K | $25-40K | CPA firm |
| Type II audit | $20-35K | $35-60K | CPA firm |
| Annual renewal | $25-40K | $40-70K | Audit + platform |
Total first year (Type I + II):
- Small company: $50K-$90K
- Mid-size: $100K-$180K
Annual ongoing:
- Small company: $35K-$60K
- Mid-size: $60K-$110K
Hidden costs to budget
| Hidden cost | Typical amount | Notes |
|---|---|---|
| Employee time | 100-300 hours | Across team members |
| Remediation delays | $10-30K | Things take longer than planned |
| Tool purchases | $5-20K | MDM, logging, training |
| Urgent requests | $5-10K | Rush fees for auditors, consultants |
Choosing an auditor
What to look for
| Criterion | Why it matters |
|---|---|
| CPA firm | Required — only CPAs can issue SOC 2 reports |
| SOC 2 experience | Understands the criteria deeply |
| Industry experience | Knows your technology stack |
| Size match | Big 4 for enterprise, boutique for startups |
| Communication | Responsive, clear expectations |
| Pricing | Transparent, competitive |
CPA firms that do SOC 2
| Type | Examples | Best for |
|---|---|---|
| Big 4 | Deloitte, PwC, EY, KPMG | Large enterprises, brand recognition |
| National firms | BDO, Grant Thornton, RSM | Mid-market companies |
| Specialized boutiques | Schellman, A-LIGN, Coalfire, BARR | Tech companies, startups |
For most startups: Specialized boutiques offer better value and tech understanding.
Auditor selection process
- Get 3+ quotes — Pricing varies significantly
- Check references — Ask for similar-size tech companies
- Understand scope — What's included vs. extra
- Clarify timeline — Availability matters
- Ask about process — How do they communicate? What do they need?
- Evaluate fit — You'll work with them annually
Red flags
- Won't provide references
- Unclear pricing (lots of "it depends")
- No experience with your tech stack
- Slow to respond during sales process
- Pushing unnecessary scope
Preparation roadmap
Month 1-2: Foundation
Week 1-2: Kickoff
- Get executive buy-in
- Assign SOC 2 owner
- Select compliance platform (if using one)
- Define initial scope
Week 3-4: Gap assessment
- Assess current controls against Trust Service Criteria
- Identify documentation gaps
- Identify technical gaps
- Prioritize remediation
Week 5-8: Policy development
- Write/update information security policy
- Document access control procedures
- Document change management process
- Document incident response plan
- Document vendor management process
- Document HR security procedures
Deliverables:
- Gap analysis report
- Prioritized remediation plan
- Core policies and procedures
Month 3: Technical remediation
Week 9-10: Access controls
- Enforce MFA on all systems
- Implement role-based access
- Remove orphaned accounts
- Set up access review process
Week 11-12: Security controls
- Deploy endpoint protection
- Configure logging (centralized)
- Set up vulnerability scanning
- Encrypt data at rest
- Verify TLS configuration
Deliverables:
- MFA enforced everywhere
- Logging configured
- Endpoint protection deployed
Month 4: Process remediation
Week 13-14: Change management
- Implement change approval process
- Set up change tracking
- Document change procedures
Week 15-16: Vendor and HR
- Assess critical vendors
- Update vendor contracts
- Implement background checks
- Update onboarding/offboarding
Deliverables:
- Change management in place
- Vendor assessments started
- HR processes updated
Month 5: Pre-audit
Week 17-18: Evidence collection
- Gather all required documentation
- Collect screenshots of configurations
- Prepare sample access reviews
- Document any exceptions
Week 19-20: Auditor engagement
- Select auditor (should start earlier)
- Schedule Type I audit
- Complete auditor information request
- Conduct internal readiness review
Deliverables:
- Evidence package ready
- Type I audit scheduled
Month 6-7: Type I audit
Week 21-24: Audit
- Host auditor kickoff
- Respond to evidence requests
- Participate in walkthroughs
- Address any questions
- Receive draft report
- Review and finalize
Deliverables:
- SOC 2 Type I report
Month 8-12: Operating period
Ongoing activities:
- Maintain all controls
- Conduct quarterly access reviews
- Log all incidents
- Document all changes
- Collect evidence continuously
Month 12: Type II preparation
- Compile evidence from operating period
- Schedule Type II audit
- Conduct internal review
Month 13-14: Type II audit
Audit activities:
- Submit 6-12 months of evidence
- Support auditor testing
- Address any exceptions
- Receive Type II report
Deliverables:
- SOC 2 Type II report
Common mistakes
Mistake 1: Starting too late
Problem: Customer asks for SOC 2, you promise "soon," but it takes 6+ months.
Solution: Start SOC 2 when you start enterprise sales, not when you close your first deal.
Mistake 2: Over-scoping
Problem: Including every system, every product, every office. More scope = more work = higher cost.
Solution: Start with minimum viable scope: core product, key infrastructure, primary location.
Mistake 3: Ignoring the period
Problem: Preparing for Type II but controls only "working" for 2 months. Auditor needs 6+ months.
Solution: Start controls operating on Day 1 of your Type II period. Get Type I first if needed for customers.
Mistake 4: Documentation fiction
Problem: Beautiful policies that don't reflect reality. Auditors test actual practice.
Solution: Write policies that describe what you actually do (or will do). Then do it.
Mistake 5: Evidence hoarding
Problem: Waiting until audit to collect evidence. Missing key samples.
Solution: Continuous evidence collection. Compliance platforms automate this.
Mistake 6: Underestimating employee time
Problem: "The platform does everything." Reality: lots of human involvement needed.
Solution: Budget 100-300 person-hours across the organization.
Mistake 7: Choosing the wrong auditor
Problem: Cheapest option = inexperienced auditor = painful process.
Solution: Get references, prioritize experience over price.
Real certification stories
Story 1: The 4-month sprint
Company: 30-person SaaS startup, basic security controls in place.
Approach:
- Used Vanta from day 1
- CEO mandated 10% time from engineering
- Outsourced policy writing to consultant
- Started with Security + Availability
Timeline:
- Month 1-2: Remediation
- Month 3: Type I audit
- Month 4: Report received
Cost: $45K total (Vanta + audit + consultant)
Key insight: "Having the compliance platform made all the difference. Evidence collection was 90% automated."
Story 2: The painful first time
Company: 80-person company, minimal security program.
What went wrong:
- Underestimated remediation (planned 4 weeks, took 12)
- No one owned the project full-time
- Auditor found 15 exceptions in Type I
- Had to delay Type II by 3 months
What they learned:
- Assign a dedicated owner
- Start earlier than you think
- Compliance platform is worth the cost
- Type I exceptions aren't the end of the world
Total time: 14 months (vs. planned 10). Total cost: $95K (vs. planned $65K).
Story 3: The annual renewal
Company: 100-person company, second Type II audit.
What changed from Year 1:
- Evidence collection was continuous (platform)
- Controls were mature, fewer changes needed
- Team knew what to expect
- Audit took 2 weeks vs. 4 weeks
Year 2 cost: $50K (down from $90K in Year 1)
Key insight: "The first year is brutal. Year 2 is maintenance. Year 3 is routine."
SOC 2 Bridge Letters
Between annual audits, customers may ask: "Is your SOC 2 still valid?" A bridge letter addresses this gap.
What's a bridge letter?
A formal letter from your company (or auditor) stating:
- Controls described in the SOC 2 report are still in place
- No significant changes have occurred
- No known issues affecting control operation
When you need one
| Scenario | Solution |
|---|---|
| Report is 6+ months old | Bridge letter from management |
| Report is 9+ months old | Bridge letter + consider accelerating next audit |
| Customer specifically requests | Provide bridge letter |
| Significant change occurred | Be transparent, may need auditor involvement |
Bridge letter template
[Company Letterhead]
Date: [Date]
RE: SOC 2 Type II Bridge Letter
To Whom It May Concern:
This letter serves as a bridge between [Company Name]'s most recent
SOC 2 Type II report (dated [Report Date], covering the period
[Start Date] to [End Date]) and the current date.
We confirm that:
1. The controls described in our SOC 2 report continue to operate as described.
2. There have been no significant changes to our control environment, service commitments, or system requirements since the report date.
3. We are not aware of any control deficiencies or incidents that would materially affect the conclusions in our SOC 2 report.
4. Our next SOC 2 Type II audit is scheduled for [Month Year], covering the period [Start Date] to [End Date].
If you have questions, please contact [Name] at [Email].
Sincerely,
[Name]
[Title]
[Company]
What NOT to do
- Don't issue a bridge letter if significant changes occurred
- Don't let auditor sign unless they've done review work
- Don't provide a bridge letter for reports over 12 months old
Sharing your SOC 2 report
You paid for the report. Now how do you share it?
Distribution approaches
| Approach | Pros | Cons |
|---|---|---|
| NDA required | Protects sensitive details | Friction in sales process |
| Trust portal | Self-service, tracked access | Setup effort |
| Upon request | Maximum control | Manual process |
| Public summary (SOC 3) | No friction | Lacks detail customers want |
Recommended approach
- Prospects — Provide upon request, NDA required (most companies accept standard mutual NDA)
- Customers — Include in security documentation, access via portal
- Public — SOC 3 or security page summary
Trust portals
Tools for sharing security documentation:
| Tool | Cost | Features |
|---|---|---|
| SafeBase | $1K+/month | Full trust center |
| Conveyor | $500+/month | Document sharing |
| Whistic | $1K+/month | Vendor network |
| DIY | Free | Google Drive + NDA |
What to redact (if anything)
SOC 2 reports typically don't need redaction. But consider:
- Specific IP addresses or network details
- Names of subprocessors (if confidential)
- Detailed architecture that aids attackers
Most companies share the complete report.
Mapping SOC 2 to ISO 27001
If you have (or want) both, significant overlap exists.
Control overlap
| SOC 2 Criteria | ISO 27001 Equivalent | Overlap |
|---|---|---|
| CC1 (Control Environment) | A.5 (Organizational) | ~80% |
| CC2 (Communication) | A.5.1, A.5.10 | ~70% |
| CC3 (Risk Assessment) | Clause 6.1, A.5.8 | ~90% |
| CC4 (Monitoring) | Clause 9, A.8.16 | ~85% |
| CC5 (Control Activities) | Various A.5-A.8 | ~70% |
| CC6 (Logical/Physical Access) | A.5.15-A.5.18, A.7 | ~90% |
| CC7 (System Operations) | A.8.6, A.8.13-A.8.15 | ~80% |
| CC8 (Change Management) | A.8.32 | ~85% |
| CC9 (Risk Mitigation) | A.5.19-A.5.23, A.5.29-A.5.30 | ~75% |
Overall: ~70-80% overlap. Having one makes the other significantly easier.
Strategy for both
| Your situation | Strategy |
|---|---|
| Need SOC 2 first, ISO later | Implement with ISO mapping in mind |
| Need ISO first, SOC later | ISO covers most SOC 2; add evidence collection |
| Need both simultaneously | Use unified control framework |
Unified audit benefits
Some auditors offer combined audits:
- One audit covers both standards
- Reduced audit fatigue
- Cost savings (typically 20-30% less than separate audits)
- Aligned reporting periods
Common control deficiencies and solutions
Based on auditor observations, these issues appear frequently:
Access control deficiencies
| Deficiency | Impact | Solution |
|---|---|---|
| No periodic access reviews | Users retain unnecessary access | Quarterly reviews, documented |
| Orphaned accounts | Former employees still have access | Automated offboarding via HR integration |
| Shared accounts | Accountability lost | Individual accounts for all users |
| Over-privileged access | Blast radius increased | Least privilege review, just-in-time access |
| No MFA on critical systems | Easy account compromise | Enforce MFA in IdP |
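The first four rows of this table are all caught by the same control: a periodic access review that reconciles the identity provider against the HR roster and a service-account inventory. The script below is an added example, not from this guide or any compliance platform; it runs over a constructed HR roster and IdP export (hypothetical people and groups) and flags orphaned accounts, missing MFA, group membership outside a role's allowed set, and stale logins. The function and field names (`review_access`, `ROLE_ALLOWED_GROUPS`, `SERVICE_ACCOUNTS`) are assumptions of this example; a real deployment would replace the inline data with exports from the IdP and HR system.

```python
"""Quarterly access review reconciliation (added example, not from the guide).

Compares an identity-provider export against the HR roster and flags the
deficiencies listed above: orphaned accounts, accounts without MFA,
over-privileged users and stale logins. All data is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed HR roster (hypothetical): the source of truth for who is employed.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "role": "engineer"},
    "bob@example.com": {"status": "active", "role": "support"},
    "carol@example.com": {"status": "terminated", "role": "engineer"},
}

# Constructed service-account inventory: each non-human account needs a named,
# currently employed owner, otherwise it counts as orphaned.
SERVICE_ACCOUNTS = {"deploy-bot@example.com": "alice@example.com"}

# Constructed IdP export (hypothetical), one row per account.
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "mfa": True, "groups": ["eng"], "last_login": date(2024, 6, 1)},
    {"email": "bob@example.com", "mfa": False, "groups": ["support", "prod-admin"], "last_login": date(2024, 5, 20)},
    {"email": "carol@example.com", "mfa": True, "groups": ["eng"], "last_login": date(2024, 3, 10)},
    {"email": "deploy-bot@example.com", "mfa": False, "groups": ["prod-admin"], "last_login": date(2024, 6, 2)},
]

# Least-privilege baseline: which groups each HR role is allowed to hold.
ROLE_ALLOWED_GROUPS = {"engineer": {"eng", "prod-admin"}, "support": {"support"}}
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 6, 30)  # constructed review date


@dataclass(frozen=True)
class Finding:
    account: str
    deficiency: str  # orphaned | mfa_missing | over_privileged | stale
    detail: str


def _is_active(email, roster):
    person = roster.get(email)
    return person is not None and person["status"] == "active"


def review_access(idp_accounts, roster, service_accounts, role_allowed,
                  review_date, stale_after=STALE_AFTER):
    """Return a list of Finding objects for one access review."""
    findings = []
    for acct in idp_accounts:
        email = acct["email"]
        if email in service_accounts:
            # Service accounts are judged by their owner, not by MFA or role.
            owner = service_accounts[email]
            if not _is_active(owner, roster):
                findings.append(Finding(email, "orphaned", f"service account owner {owner} is not active"))
        elif not _is_active(email, roster):
            status = roster.get(email, {}).get("status", "not in HR roster")
            findings.append(Finding(email, "orphaned", f"HR status: {status}"))
        else:
            # Human account in good standing: check MFA and least privilege.
            if not acct["mfa"]:
                findings.append(Finding(email, "mfa_missing", "no MFA factor enrolled"))
            allowed = role_allowed.get(roster[email]["role"], set())
            extra = sorted(set(acct["groups"]) - allowed)
            if extra:
                findings.append(Finding(email, "over_privileged", f"groups not allowed for role: {extra}"))
        # Stale logins are flagged for every account type.
        if review_date - acct["last_login"] > stale_after:
            findings.append(Finding(email, "stale", f"last login {acct['last_login'].isoformat()}"))
    return findings


def accounts_by_deficiency(findings):
    """Group flagged accounts by deficiency type, e.g. for the review summary."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.deficiency, set()).add(f.account)
    return grouped


def run_review():
    """Run the review over the constructed data with the constructed review date."""
    return review_access(IDP_ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS, ROLE_ALLOWED_GROUPS, REVIEW_DATE)


if __name__ == "__main__":
    for finding in run_review():
        print(f"{finding.deficiency:16} {finding.account:24} {finding.detail}")
```

The review's output, together with the date, the reviewer's name and the remediation taken for each finding, is the artifact the auditor samples; keeping the roster and IdP exports alongside it lets you show the review was performed against real data rather than reconstructed later.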
Change management deficiencies
| Deficiency | Impact | Solution |
|---|---|---|
| Undocumented changes | No audit trail | Require tickets for all changes |
| Missing approvals | No separation of duties | Enforce PR reviews in Git |
| Emergency changes untracked | Gaps in evidence | Post-hoc documentation process |
| No rollback testing | Recovery risk | Include in change process |
Incident management deficiencies
| Deficiency | Impact | Solution |
|---|---|---|
| No incident log | Can't prove incidents handled | Simple log (spreadsheet is fine) |
| Undefined severity levels | Inconsistent handling | Document severity matrix |
| No root cause analysis | Repeated incidents | Require RCA for medium+ |
| Missing notification process | Customers not informed | Document and follow notification SLA |
Vendor management deficiencies
| Deficiency | Impact | Solution |
|---|---|---|
| No vendor inventory | Don't know exposure | Build and maintain list |
| No security assessment | Unknown vendor risk | Tiered assessment program |
| No security in contracts | No recourse if breached | Standard security addendum |
| No ongoing monitoring | Vendor risk changes | Annual reassessment |
HR/people deficiencies
| Deficiency | Impact | Solution |
|---|---|---|
| No background checks | Unknown employee risk | Add to hiring process |
| No security training | Employees make mistakes | Annual training + phishing simulation |
| No security in termination | Access persists after leaving | Offboarding checklist |
| No acceptable use policy | Unclear expectations | Document and have employees sign |
Complementary User Entity Controls (CUECs)
SOC 2 reports include CUECs — controls YOUR customers must implement for your service to be secure.
Common CUECs:
| CUEC | What it means |
|---|---|
| "User entity is responsible for managing user access" | Customer must manage their user accounts properly |
| "User entity is responsible for protecting credentials" | Customer must keep their API keys secure |
| "User entity is responsible for network security" | Customer must secure their own network |
Why this matters:
- Sets expectations with customers
- Limits your liability
- Appears in your SOC 2 report
Tools and resources
Compliance platforms
| Platform | Starting price | Best for |
|---|---|---|
| Vanta | $10-15K/yr | Startups, SOC 2 focus |
| Drata | $10-15K/yr | Multi-framework |
| Secureframe | $10-12K/yr | Fast implementation |
| Sprinto | $8-12K/yr | Cost-conscious |
| Laika | $15-20K/yr | Comprehensive |
Policy templates
| Resource | Cost | Link |
|---|---|---|
| Aptible Comply | Free (basic) | aptible.com |
| Blissfully | Included with platform | blissfully.com |
| SANS Policy Project | Free | sans.org/information-security-policy |
Reading material
| Resource | What it covers |
|---|---|
| AICPA Trust Service Criteria | Official criteria documentation |
| Latacora's SOC 2 Starting 7 | Minimum viable SOC 2 |
| Vanta's SOC 2 Guide | Comprehensive walkthrough |
Workshop: SOC 2 planning
Part 1: Business case (1 hour)
- Count deals requiring SOC 2 in past year
- Estimate revenue delayed or lost
- Calculate time spent on security questionnaires
- Compare to SOC 2 investment
- Build executive presentation
Deliverable: SOC 2 business case
Part 2: Scope definition (1 hour)
- List all products/services
- Identify which must be in scope (customer-facing)
- List supporting systems (cloud, tools)
- Determine locations (if applicable)
- Select Trust Service Criteria
Deliverable: Draft scope statement
Part 3: Gap assessment (2-3 hours)
For each Trust Service Category, assess:
- Policy exists? (Y/N/Partial)
- Implemented? (Y/N/Partial)
- Evidence available? (Y/N/Partial)
- Gap severity (High/Med/Low)
Deliverable: Gap assessment spreadsheet
Part 4: Roadmap (1 hour)
- Prioritize gaps by severity
- Assign owners
- Estimate effort per item
- Build timeline
- Identify resource needs
Deliverable: SOC 2 preparation roadmap
How to explain this to leadership
The pitch:
"SOC 2 is the standard way B2B SaaS companies prove their security to customers. Right now, we spend 15-20 hours per enterprise prospect on security reviews. With SOC 2, we share one report and move on. We're also losing deals to competitors who have it."
The numbers:
"In Q4, we encountered 12 prospects requiring SOC 2. We lost 4 outright and spent 180 hours on security reviews for the other 8. SOC 2 would have saved most of that time and likely won those 4 deals worth $[X]."
The investment:
"Year 1 cost is approximately $60-90K including a compliance platform and audit fees. Ongoing is $40-60K annually. ROI is positive if we win one additional enterprise deal or save 200+ hours annually on security reviews."
The timeline:
"With a compliance platform, we can achieve Type I in 3-4 months and Type II 6 months later. I need [person-hours/week] commitment from engineering, IT, and HR, plus budget for tooling and the audit."
The outcome:
"We'll have a professional report we can share with any customer. Security becomes a sales advantage instead of a delay."
Conclusion
SOC 2 is the entry credential for selling to enterprises. Once you have it, security questionnaires get shorter, procurement gets faster, and the conversations shift from "can we trust you" to "what's your roadmap."
The work to get there is also the work that makes your security program more rigorous. That's not incidental — it's the point.
What's next
Next: building an information security team — when it's time to move beyond a single Security Champion and build a function.