A prospect or existing client just told you they need to see your SOC 2 report before they can do business with you. You've heard of SOC 2 but have no idea what's actually involved or how much pain you're signing up for.
Fair reaction. Here's the practical version — no acronym soup, no compliance theater.
What SOC 2 Actually Is
SOC 2 (System and Organization Controls 2) is a framework developed by the American Institute of CPAs (AICPA) that evaluates how a company protects customer data. It's not a certification you pass or fail — it's an audit that results in a report describing your controls and whether they're operating effectively.
The audit is performed by a licensed CPA firm (not a cybersecurity firm, though some firms do both). The auditor evaluates your controls against one or more Trust Service Criteria.
There are two types:
Type I evaluates whether your controls are properly designed at a specific point in time. It's a snapshot: "As of this date, these controls exist and are appropriately designed."
Type II evaluates whether your controls operated effectively over a period of time, typically 6-12 months. It's a movie, not a photograph: "Over this period, these controls were in place and functioning."
Type II is what most clients want. Type I is sometimes used as a stepping stone to demonstrate progress while you build the track record for Type II.
The Trust Service Criteria (Simplified)
SOC 2 is built around five categories. Security is mandatory and must always be included; the other four are optional, and you pick the ones relevant to your business.
Security (required). Protection against unauthorized access. This covers firewalls, access controls, intrusion detection, MFA, encryption, vulnerability management, and incident response. If you only include one criterion, this is it.
Availability. Your systems are operational and accessible as committed. Relevant if you provide SaaS or services with uptime SLAs. Covers monitoring, disaster recovery, capacity planning, and backup procedures.
Processing Integrity. Your systems process data accurately, completely, and on time. Relevant for companies that process transactions, calculations, or data transformations on behalf of clients.
Confidentiality. Sensitive information is protected from unauthorized disclosure. Covers data classification, encryption, access restrictions, and secure disposal.
Privacy. Personal information is collected, used, retained, and disclosed in accordance with your privacy notice. Relevant if you handle consumer personal data extensively.
For most small B2B companies, Security alone or Security + Availability covers what clients are asking about.
What's Actually Required (Technical vs. Policy)
SOC 2 isn't purely a technical exercise. Roughly half the work is policy and process documentation. Here's the split:
Technical Controls
- Multi-factor authentication on all systems in scope
- Encryption at rest and in transit for customer data
- Centralized logging and monitoring
- Vulnerability scanning on a regular schedule
- Endpoint protection (EDR/antivirus)
- Network segmentation and firewall rules
- Automated backup and tested recovery procedures
- Access provisioning and deprovisioning procedures
Policy and Process Requirements
- Information security policy
- Acceptable use policy
- Incident response plan (documented and tested)
- Change management process
- Vendor management / third-party risk program
- Risk assessment (at least annual)
- Security awareness training for all employees
- Business continuity / disaster recovery plan
- Access review process (periodic review of who has access to what)
The Timeline
Be realistic: if you're starting from scratch, expect 6-12 months to get audit-ready for a Type II report. Here's why:
Months 1-2: Readiness assessment. Evaluate your current state against SOC 2 criteria. Identify gaps. This is where a cybersecurity firm adds value — they can assess your technical controls and tell you exactly what needs to change.
Months 2-4: Remediation. Implement missing controls, write policies, deploy monitoring tools, enable MFA everywhere, set up logging. This is the heavy lift.
Months 4-5: Evidence collection begins. Once your controls are in place, you start the audit observation period. For Type II, the auditor needs to see these controls operating over a sustained period.
Months 5-10: Observation period. The auditor (or your compliance platform) collects evidence that your controls are functioning. This is largely passive — you just operate normally while maintaining your controls.
Months 10-12: Audit and report. The CPA firm reviews the evidence, conducts their testing, and issues the SOC 2 report.
You can compress this timeline somewhat with a Type I report first (no observation period required), then transition to Type II. Some clients will accept a Type I as interim evidence while you build toward Type II.
How to Start Without Losing Your Mind
Step 1: Define your scope narrowly. SOC 2 applies to specific systems and services, not your entire company. The narrower your scope, the less work required. If clients only care about your SaaS product, scope the audit to that product's infrastructure.
Step 2: Get a readiness assessment. Before engaging a CPA firm for the audit, have a cybersecurity firm evaluate your current controls against SOC 2 criteria. This shows you exactly where you stand and what you need to fix. It's significantly cheaper than discovering gaps during the actual audit.
Step 3: Pick your tools. Compliance automation platforms (Vanta, Drata, Secureframe, Thoropass) can dramatically reduce the manual evidence collection burden. They integrate with your cloud providers, identity systems, and endpoints to continuously collect and organize audit evidence. Budget $10,000-$25,000/year for the platform.
Step 4: Write policies that reflect reality. Don't download policy templates and submit them unchanged. If your policy says you do quarterly access reviews but you've never done one, the auditor will flag that as a control failure. Write policies that describe what you can actually sustain.
Step 5: Engage the auditor. Select a CPA firm experienced with companies your size. Large firms (Big Four) are expensive and optimized for enterprise clients. Regional CPA firms with SOC 2 practices are often a better fit for small businesses — equally qualified, more responsive, and more affordable.
What It Costs
Ballpark figures for a small business SOC 2 engagement:
- Readiness assessment: $5,000-$15,000
- Compliance automation platform: $10,000-$25,000/year
- Technical remediation: Highly variable — $5,000 if you're close, $50,000+ if you're starting from zero
- CPA audit fees (Type II): $20,000-$50,000
- Total first year: $40,000-$100,000+ depending on your starting point
The Honest Assessment
SOC 2 has real value as a framework for building a security program, but the compliance industry has also turned it into a cottage industry of expensive consulting and checkbox exercises. Stay focused on actual security outcomes, not just audit artifacts.
The controls that make you SOC 2 compliant are the same controls that protect your business. Approach it as building a real security program that happens to produce a SOC 2 report, not the other way around.
Ready to see where you stand? Start with a compliance readiness assessment — we'll map your current controls against SOC 2 criteria and give you a clear roadmap with realistic timelines and costs.