← ALL POSTS
CYBERSECURITY EXPLAINER

SOC 2 prep without the panic

SOC 2 usually arrives as an ultimatum. A big prospect's procurement team asks for your SOC 2 report, you don't have one, and the deal stalls. Then you google it, find quotes ranging from twenty to eighty thousand dollars and timelines measured in a year, and the panic sets in. Take a breath. SOC 2 is a real project, but for a small company with reasonably sane IT, it's a manageable one, and most of the panic comes from not understanding the shape of it.

What SOC 2 actually is

SOC 2 is not a certification you pass. It's an audit report: a licensed CPA firm examines your security controls and writes an opinion on them. Customers ask for it because it saves them from auditing you themselves. The report is built around the Trust Services Criteria, five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Here's the first scope decision, and the first place to save money: only Security is mandatory. Most first-time reports cover Security alone, or Security plus Availability if customers care about uptime. Adding categories adds controls, evidence, and cost. Start narrow. You can expand later.

What's actually in the Security criteria is unsurprising if you've done any of this before: access control and MFA, offboarding, change management, vendor review, risk assessment, monitoring and logging, incident response, backups. SOC 2 doesn't prescribe specific tools. It asks whether you've defined controls that address the criteria and whether you follow them.

Type I vs Type II, in one paragraph

A Type I report says "on this date, the controls were designed properly and in place." A snapshot. A Type II report says "over this period, usually three to twelve months, the controls actually operated," and the auditor tests evidence across that whole window. Type II is what mature procurement teams want, and some will reject a Type I outright. The common path for a first-timer: get audit-ready, optionally do a quick Type I to have paper in hand for the stalled deal, then let the Type II observation window run and deliver the Type II. Ask your actual prospect which they'll accept before deciding. Sometimes a Type I plus a signed security questionnaire unblocks the deal today.

Evidence is the real work

Here's the thing nobody tells you up front: the hard part of SOC 2 isn't having good security. It's proving it, continuously, with artifacts. The auditor doesn't take your word that offboarding happens; they pick three departed employees and ask for the tickets showing access was removed, with dates. Every control needs evidence that it ran: access review spreadsheets with sign-offs, change approvals in pull requests, screenshots of MFA enforcement settings, incident response test records, signed policy acknowledgments from every employee.

This is why compliance automation platforms (Vanta, Drata, Secureframe, and similar) have taken over the small-company SOC 2 market. They connect to your systems (Microsoft 365 or Google Workspace, AWS, GitHub, your device management) and collect much of the evidence automatically, plus give you policy templates and a checklist of gaps. They cost real money, typically five figures a year at small-company scale, but for a team without a compliance person they usually pay for themselves in not-hiring-a-compliance-person. They are not magic: someone still has to own the program, close the gaps, and do the reviews the platform nags about.

A realistic six-month runway

For a small company starting from decent-but-undocumented IT, here's a schedule that actually works:

  1. Month 1: scope and gap assessment. Pick criteria (Security, maybe Availability). Stand up the automation platform or a manual tracker. Run the readiness assessment and get your gap list. Pick your audit firm now too, because good ones book out.
  2. Months 2-3: close the gaps. This is IT work: enforce MFA everywhere, get every laptop into device management with encryption verified, formalize offboarding into a checklist that leaves a record, turn on centralized logging, write and adopt the core policies, set up background checks and security training. Most small companies have 60-70% of this half-done; the project is finishing and documenting it.
  3. Month 3: start the Type II observation window. The clock can't start until controls are actually operating. A three-month window is the common minimum for a first report.
  4. Months 3-6: operate and collect. Do the quarterly access review. Run a tabletop incident response exercise. Approve changes properly. Let the evidence pile up. This stretch is boring on purpose; boring means the controls are running.
  5. Month 6: audit fieldwork. The auditor samples evidence from the window and asks questions. The report follows a few weeks later.

Budget-wise, plan for the audit itself (commonly in the range of ten to twenty thousand for a small-scope Type II from a reputable firm), the platform subscription, and the internal or outsourced hours to close gaps. Cheaper audit quotes exist; procurement teams sometimes recognize the rubber-stamp firms, which defeats the purpose.

How to know you're doing it right

One named person owns the program. Your gap list is shrinking on a schedule, not being rediscovered monthly. Evidence collects itself as work happens instead of being reconstructed the week before fieldwork. And the controls you adopted are ones you'd keep with no auditor watching, because they're just good IT hygiene with receipts. That last part is the honest test. If SOC 2 prep feels like theater, the controls were designed for the auditor instead of the business, and those programs fall apart in year two. Build the boring, real version once and the annual renewal becomes routine.

Stuck on this, or want it done for you? That's the job.

Email us →
RELATED READING
Do you still need a VPN? Explainer
Zero trust, minus the buzzwords Explainer
Dark web monitoring: useful signal or scare tactic? Explainer
The first 24 hours after a breach: what to do, in order Explainer
HIPAA IT compliance: the checklist without the lawyer bill Explainer
NO FORMS. JUST EMAIL.
mason@hurbs.io
or (832) 457-4317, LA and Houston