S2
SOC 2 Certification Directory
Back to Blog
compliance

Getting Started with SOC 2: Your First 90 Days Roadmap

Step-by-step guide to starting your SOC 2 compliance journey. Learn how to prepare, scope your audit, build your team, and achieve certification in your first 90 days.

May 8, 202412 min read

Starting your SOC 2 compliance journey can feel overwhelming. With dozens of controls to implement, policies to write, and evidence to collect, where do you even begin? This guide provides a practical 90-day roadmap to help you start strong, avoid common pitfalls, and build momentum toward achieving your SOC 2 certification.

Before You Start: Understanding SOC 2

What is SOC 2?

SOC 2 (Service Organization Control 2) is an auditing standard developed by the American Institute of Certified Public Accountants (AICPA) that evaluates how service organizations manage and protect customer data. It's based on five Trust Service Criteria:

  1. Security (mandatory): Protection against unauthorized access
  2. Availability (optional): System uptime and accessibility
  3. Processing Integrity (optional): Accurate, complete, timely processing
  4. Confidentiality (optional): Protection of confidential information
  5. Privacy (optional): Personal information handling

SOC 2 Type I vs. Type II

  • Type I: Evaluates the design of controls at a specific point in time
  • Type II: Evaluates both design and operating effectiveness over a period (typically 6-12 months)

Most customers require Type II, which provides stronger assurance.

Why Pursue SOC 2?

  • Customer Requirements: Enterprise customers often require SOC 2 before signing contracts
  • Competitive Advantage: Demonstrates security maturity and commitment to data protection
  • Risk Management: Identifies and addresses security gaps
  • Regulatory Alignment: Supports compliance with various data protection regulations

Is Your Organization Ready?

Before diving into SOC 2, assess your readiness:

Green Light Indicators (Ready to Start):

  • You have at least basic security controls in place (firewalls, access controls, etc.)
  • You have some written policies and procedures
  • You have dedicated resources (even if part-time) to lead the effort
  • You have executive support and budget allocation
  • Your technology environment is reasonably stable

Yellow Light Indicators (Prepare First):

  • Security controls are ad-hoc or inconsistent
  • No documented policies or procedures
  • No clear owner for security and compliance
  • Limited budget or executive buy-in
  • Significant technical debt or ongoing major system changes

Red Light Indicators (Not Yet Ready):

  • No security controls in place
  • Active security incidents or known major vulnerabilities
  • Complete lack of documentation
  • No resources available for the project
  • Imminent major system migrations or acquisitions

If you're in the "yellow" or "red" category, spend 1-3 months building foundational security before pursuing formal SOC 2 compliance.

The 90-Day Roadmap

Days 1-15: Lay the Foundation

Week 1: Assemble Your Team and Get Executive Buy-In

Day 1-2: Secure Executive Sponsorship

  • Schedule meeting with CEO/CFO to discuss SOC 2 goals and business value
  • Present estimated budget (software, consulting, audit fees: typically $50K-150K for first year)
  • Obtain formal approval and budget allocation

Day 3-5: Build Your SOC 2 Team

Identify and assign roles:

  • Project Lead (SOC 2 Manager): Owns the overall program (could be Security Manager, Compliance Manager, or VP of Engineering)
  • Technical Lead: Typically CISO or senior engineer; handles technical control implementation
  • Documentation Lead: Writes policies, procedures, and collects evidence (could be Operations Manager)
  • Executive Sponsor: Provides air cover and resources (typically CEO, CFO, or COO)

Even small companies need at least 1-2 people dedicating 25-50% of their time to SOC 2 for the first 3-6 months.

Day 6-7: Choose Your Approach

Decide whether to:

  1. DIY: Leverage internal resources only (lowest cost, longest timeline, highest risk)
  2. Platform-Assisted: Use compliance automation platform (Vanta, Drata, Secureframe, etc.)
  3. Consultant-Led: Hire SOC 2 consulting firm to guide implementation
  4. Hybrid: Platform + consulting for specific areas

For most organizations, a compliance automation platform provides the best balance of cost, speed, and effectiveness.

Week 2: Scope Your Audit

Day 8-10: Define Audit Scope

Determine what's "in scope" for your audit:

  • Systems: Which applications, infrastructure, and data stores will be audited? (e.g., production environment, customer data, core SaaS platform)
  • Trust Service Criteria: Which criteria beyond Security will you include? (Availability, Processing Integrity, Confidentiality, Privacy)
  • Locations: Which physical offices or data centers?
  • Timeframe: For Type II, what will be your audit period? (6 or 12 months)

Scoping Tip: Start narrow. It's easier to expand scope later than to contract it mid-audit.

Day 11-12: Identify Your Technology Stack

Create an inventory of all in-scope systems:

  • Cloud infrastructure providers (AWS, Azure, GCP)
  • SaaS applications (Google Workspace, Slack, GitHub, etc.)
  • Databases and data stores
  • Development and deployment tools
  • Security tools (firewalls, antivirus, SIEM, etc.)
  • Third-party integrations

This inventory will guide your evidence collection and integration setup.

Day 13-15: Select Initial Auditor (Optional but Recommended)

While you don't need your auditor to start implementation, engaging one early provides benefits:

  • Guidance on scope and control design
  • Clarity on evidence requirements
  • Ability to ask questions throughout the process
  • Smoother audit execution

Request proposals from 3-5 CPA firms that specialize in SOC 2 for companies in your industry and size range.

Days 16-45: Implement Core Controls

Week 3-4: Establish Foundational Policies

Critical Policies to Create or Update:

  1. Information Security Policy

    • Overall security program objectives and scope
    • Roles and responsibilities
    • Risk management approach
    • Reference to other security policies

  2. Access Control Policy

    • User provisioning and deprovisioning procedures
    • Password requirements
    • Multi-factor authentication (MFA) requirements
    • Access review frequency

  3. Incident Response Policy

    • Definition of security incident
    • Incident detection and reporting
    • Response and containment procedures
    • Post-incident review requirements

  4. Change Management Policy

    • Change request and approval process
    • Testing requirements
    • Emergency change procedures
    • Change documentation requirements

  5. Acceptable Use Policy

    • Permitted and prohibited uses of company systems
    • BYOD policies
    • Data handling requirements
    • Consequences of policy violations

Documentation Tips:

  • Start with templates (many available free online or from your compliance platform)
  • Keep policies concise (2-5 pages each)
  • Focus on what you actually do, not aspirational practices
  • Have legal review if policies include HR or termination procedures

Week 5-6: Implement Technical Controls

Priority 1: Access Controls

  • Multi-Factor Authentication (MFA): Deploy MFA for all critical systems (production environment, cloud admin consoles, code repositories, email)

    • Tools: Google Authenticator, Okta, Duo, etc.
    • Enforcement: Make MFA mandatory, not optional

  • Single Sign-On (SSO): Centralize authentication where possible

    • Tools: Okta, Azure AD, Google Workspace
    • Benefits: Easier provisioning/deprovisioning, centralized access control

  • Password Management: Enforce strong password policies

    • Minimum length: 12+ characters
    • Complexity requirements
    • Password manager for shared credentials (LastPass, 1Password, etc.)

Priority 2: Endpoint Security

  • Endpoint Protection: Deploy antivirus/EDR on all company devices

    • Tools: CrowdStrike, SentinelOne, Microsoft Defender
    • Enforcement: Prevent devices without protection from accessing corporate resources

  • Disk Encryption: Enable full-disk encryption on all laptops

    • Mac: FileVault
    • Windows: BitLocker
    • Enforcement: MDM-enforced encryption requirement

  • Patch Management: Ensure operating systems and applications are up-to-date

    • Automated patching for critical security updates
    • Monthly patching cycle for non-critical updates

Priority 3: Network Security

  • Firewall: Configure and document firewall rules

    • Principle of least privilege (deny by default)
    • Regular review and justification of rules

  • VPN for Remote Access: If applicable, secure remote access

    • VPN required for access to production systems
    • MFA for VPN access

Priority 4: Logging and Monitoring

  • Centralized Logging: Collect logs from critical systems

    • Cloud infrastructure logs (CloudTrail, Azure Activity Log)
    • Application logs
    • Authentication logs

  • SIEM or Log Analysis: Basic log analysis and alerting

    • Tools: Splunk, Datadog, CloudWatch, etc.
    • Alert on critical events (failed logins, unauthorized access attempts, etc.)

Week 7: Vendor Management

Vendor Risk Assessment:

  • Identify all critical vendors (subservice organizations)
  • Request SOC 2, ISO 27001, or security documentation
  • For vendors without certifications, send security questionnaire
  • Document vendor risk assessment and risk acceptance

Vendor Agreements:

  • Ensure contracts include data protection clauses
  • Business Associate Agreements (BAAs) for healthcare data
  • Data Processing Agreements (DPAs) for personal information

Days 46-75: Operationalize and Document

Week 8-9: Establish Ongoing Processes

Quarterly Access Reviews:

  • Create list of critical systems requiring access review
  • Assign review owners (typically managers)
  • Document review process and evidence collection
  • Conduct first access review

Security Awareness Training:

  • Select or create training content
    • Options: KnowBe4, SANS, custom content
  • Assign training to all employees
  • Track completion
  • Plan for annual refresher training

Vulnerability Management:

  • Schedule regular vulnerability scans (monthly minimum)
  • Define remediation timelines based on severity
    • Critical: 15 days
    • High: 30 days
    • Medium: 60 days
    • Low: 90 days
  • Document exceptions and risk acceptance

Backup and Recovery:

  • Document backup procedures
  • Define Recovery Point Objective (RPO) and Recovery Time Objective (RTO)
  • Test backup restoration (at least annually)
  • Document test results

Week 10: Risk Assessment

Conduct Formal Risk Assessment:

  1. Identify Threats: Internal and external threats to your systems and data
  2. Identify Vulnerabilities: Weaknesses that could be exploited
  3. Assess Likelihood and Impact: For each risk, estimate probability and potential damage
  4. Prioritize Risks: Create risk register ranked by criticality
  5. Define Risk Treatment: For each high/medium risk, document mitigation plan (or acceptance with justification)

Document Risk Assessment:

  • Risk register with all identified risks
  • Risk scoring methodology
  • Mitigation plans and owners
  • Executive review and approval

Days 76-90: Evidence Collection and Audit Prep

Week 11-12: Gather Evidence

Create Evidence Repository:

  • Organized folder structure (by control or TSC category)
  • Naming conventions for files
  • Access controls on evidence folder

Evidence to Collect:

  • Policies and procedures (all updated and approved)
  • Organizational chart with security roles
  • Background check confirmations for employees in sensitive roles
  • Training completion records
  • Access review reports
  • Vulnerability scan results and remediation evidence
  • Incident response plan and tabletop exercise documentation
  • Change management logs
  • Vendor risk assessments and SOC 2 reports
  • System architecture diagrams
  • Data flow diagrams
  • Backup and recovery test results
  • Risk assessment and risk register

Week 13: Audit Readiness Assessment

Internal Audit Checklist:

  • All required policies created and approved
  • MFA enabled for all critical systems
  • Endpoint protection deployed on all devices
  • Disk encryption enabled on all laptops
  • Centralized logging in place
  • Firewall rules documented and reviewed
  • Quarterly access review completed
  • Security awareness training assigned and tracked
  • Vulnerability scans running and remediation documented
  • Vendor risk assessments completed
  • Risk assessment documented
  • Incident response plan created and tested
  • Change management process documented
  • Backup and recovery tested
  • Evidence organized and accessible

Mock Audit:

  • Assign team member not involved in implementation to review evidence
  • Identify gaps or weak evidence
  • Remediate before engaging auditor

After Day 90: The Audit Process

Audit Kick-off (Month 4):

  • Finalize scope and timeline with auditor
  • Provide system description and evidence repository access
  • Schedule audit fieldwork dates

Audit Fieldwork (Month 5-6):

  • Respond to auditor requests for information (RFIs)
  • Facilitate system walkthroughs
  • Support control testing
  • Address any findings or exceptions

Report Issuance (Month 6-7):

  • Review draft report
  • Remediate any findings
  • Receive final SOC 2 report
  • Communicate success to customers and stakeholders

Common First-Time Mistakes and How to Avoid Them

Mistake 1: Underestimating Time and Effort

Solution: Allocate sufficient resources. Expect 200-400 hours of internal effort for initial implementation.

Mistake 2: Scope Creep

Solution: Start with a narrow, well-defined scope. You can always expand later.

Mistake 3: Policies Don't Match Reality

Solution: Document what you actually do. Don't copy/paste generic policies that don't reflect your environment.

Mistake 4: Poor Evidence Organization

Solution: Create a structured evidence repository from day one. Future you will thank current you.

Mistake 5: Last-Minute Scrambling

Solution: Start evidence collection immediately, not the week before the audit. Continuous monitoring is key.

Mistake 6: Choosing the Wrong Auditor

Solution: Select an auditor with experience in your industry and company size. Get references.

Mistake 7: Not Testing Controls

Solution: Test controls before the auditor does. If they don't work, you won't pass.

Tools and Resources to Accelerate Your Journey

Compliance Automation Platforms

  • Vanta: Best for startups and fast-growing companies
  • Drata: Strong for multi-framework compliance
  • Secureframe: Budget-friendly option
  • Sprinto: Good for international companies

Policy Templates

  • SANS Policy Templates (free)
  • Compliance automation platform templates
  • Industry association templates (e.g., Cloud Security Alliance)

Training Resources

  • AICPA SOC 2 Guide
  • Compliance automation platform documentation
  • Industry blogs and webinars
  • Peer networks and communities

Conclusion

The first 90 days of your SOC 2 journey set the tone for success. By following this roadmap—securing buy-in, defining scope, implementing core controls, and organizing evidence—you'll build a strong foundation that not only helps you pass your audit but genuinely improves your security posture.

Remember: SOC 2 is a marathon, not a sprint. Pace yourself, celebrate milestones, and view it as an ongoing commitment to security excellence rather than a one-time checkbox exercise. With the right approach, achieving SOC 2 compliance becomes a strategic advantage that builds customer trust and strengthens your organization.

Ready to Start Your SOC 2 Journey?

Our platform connects you with experienced SOC 2 auditors and automation tools that can help you navigate these challenges successfully. Get quotes from vetted providers who understand the pitfalls and know how to avoid them.

Find Experienced SOC 2 Partners