How Should a Company Prepare for a SOC 2 Audit?
On This Page
- Step 1: Define scope and select your tools
- Step 2: Write policies that reflect reality
- Step 3: Lock down access control
- Step 4: Implement change management controls
- Step 5: Set up monitoring and logging
- Step 6: Protect your data
- Step 7: Manage your vendors
- Step 8: Complete training and prepare incident response
- Step 9: Run a pre-audit readiness assessment
- The SOC 2 readiness checklist
- The readiness timeline
- Five gaps auditors find most often in startups
- Frequently Asked Questions
Step 1: Define scope and select your tools
Getting these two decisions right at the start shapes the cost and timeline for everything that follows.
- Security (Common Criteria) — required in every SOC 2 report; the right starting point for nearly all companies
- Availability — adds uptime and resilience commitments; relevant when customers depend on your system around the clock
- Processing Integrity — covers whether your system delivers complete, accurate, and timely results; relevant for financial and data processing platforms
- Confidentiality — covers how sensitive information is protected; relevant when you handle confidential business data
- Privacy — covers collection, use, retention, and disposal of personal information; relevant for consumer-facing products
For your auditor, look for a firm with experience at your stage and in your industry. Large national accounting firms carry larger price tags; boutique firms that specialize in SOC 2 for software companies often move faster and communicate more clearly with technical teams. For your compliance automation platform, look for one that integrates with your existing infrastructure — your cloud provider, identity provider, and code repository — to pull evidence automatically rather than requiring your team to gather it manually.
Step 2: Write policies that reflect reality
The core policy set for a SOC 2 scoped to the Security criteria typically includes:
- Information security policy — the governing document that sets overall security commitments and assigns accountability
- Access control policy — how access is granted, reviewed, and revoked
- Change management policy — how changes to production systems are reviewed and approved
- Incident response policy — how security incidents are identified, escalated, and resolved
- Data classification policy — how data is categorized and what handling rules apply to each tier
- Acceptable use policy — how employees may use company systems and data
- Vendor management policy — how third-party service providers are evaluated and monitored
- Risk assessment policy — how the company identifies and addresses security risks
Each policy should be written in plain language, assigned a named owner, and linked to the specific controls that implement it. Auditors will check that the policies you have documented are the ones your team actually follows.
Step 3: Lock down access control
The controls auditors look for most consistently are:
- Multifactor authentication — enforce it everywhere it is available: cloud infrastructure, source code repositories, identity providers, and administrative consoles
- Least-privilege access — provision access by role, not by individual preference, and avoid standing administrative access to production systems
- Quarterly access reviews — schedule formal reviews of who has access to what, and document the outcome; ad hoc reviews do not satisfy this control
- Offboarding procedures — access should be removed on the day of departure or before; document the process and keep evidence of completion
Before your audit, pull a full list of users with access to each key system. If you cannot generate that list quickly, that is itself a gap worth addressing.
Step 4: Implement change management controls
What auditors test in change management:
- Peer review before merge — code review should be required, not optional, and enforced through your source control platform rather than relying on team norms
- Separate environments — development, staging, and production should be isolated; developers should not have standing write access to production
- Documented change records — your issue tracker, pull requests, and deployment logs together create the audit trail; make sure they are linked and retained
- Rollback capability — auditors will want to see that production changes can be reversed if a problem is detected
Step 5: Set up monitoring and logging
The monitoring program auditors expect to see:
- Centralized log collection — aggregate logs from your cloud infrastructure, identity provider, and production systems into a single destination
- Alerts on meaningful events — define and configure alerts for events like failed authentication spikes, privilege escalation, and unusual access patterns; document what each alert means and who responds
- Defined retention periods — know how long logs are retained and make sure that period covers your audit window
- Evidence of review — auditors may ask for documentation showing that alerts have been reviewed and acted on during the audit period
Step 6: Protect your data
Data protection controls to have in place before the audit:
- Encryption in transit — enforce HTTPS/TLS for all external communications and for internal service-to-service communication where sensitive data moves
- Encryption at rest — encrypt databases, object storage, and backups; document which encryption standard is in use
- Sensitive data inventory — maintain a current map of where sensitive data is stored, processed, and transmitted; auditors will test this against your actual architecture
- Tested backup restoration — run and document a backup restoration test before the audit; a successful restore test is the only evidence that your backup program works
Step 7: Manage your vendors
Vendor management controls auditors test:
- Current subprocessor list — maintain a list of third-party services that process customer data; review it at least annually and update it when vendors change
- Vendor security review — document how you evaluate a vendor's security posture before onboarding; a review of their SOC 2 report or security questionnaire qualifies
- Data protection agreements — confirm that data processing agreements or business associate agreements are in place with applicable vendors; keep copies
Many startups manage vendors informally through individual relationships. If your subprocessor list lives in someone's head rather than a document, start there.
Step 8: Complete training and prepare incident response
Training and incident response requirements:
- Security awareness training — all employees should complete training at least annually; record completion dates and keep evidence; include coverage of phishing, acceptable use, and data handling
- Acceptable use acknowledgment — collect signed or electronically recorded acknowledgments of your acceptable use policy from all staff
- Incident response plan with defined roles — the plan should name who is responsible for detection, containment, communication, and recovery; generic documents without named roles do not satisfy this control
- Tabletop exercise — test the plan with a structured tabletop exercise before the audit; document the scenario, participants, findings, and any improvements made
Step 9: Run a pre-audit readiness assessment
A readiness assessment typically produces a prioritized gap report organized by Trust Services Criteria, a remediation roadmap with time estimates, and documentation guidance for controls that are operationally in place but not yet written down. The output gives you a clear picture of what remains before you are audit-ready and how long each item will take.
Running the assessment 8 to 10 weeks before your planned audit start date leaves enough time to close most gaps without rushing.
The SOC 2 readiness checklist
The table below summarizes the key controls in each domain and what auditors look for. Use it as a self-assessment before engaging an auditor or readiness partner.
| Domain | Key controls | What auditors look for |
|---|---|---|
| Scope & governance | Criteria selected; auditor and platform chosen; risk assessment completed | Defined system boundaries; documented risk register with owner |
| Policies | Core policy set documented; named owners; annual review dates | Policies match actual practices; evidence of review |
| Access control | MFA enforced; least-privilege provisioning; quarterly access reviews; offboarding process | Evidence of review completion; no orphaned accounts; MFA active on key systems |
| Change management | Peer review enforced; separate environments; documented change records | Pull request history; no direct production pushes without review |
| Monitoring & logging | Centralized log collection; configured alerts; defined retention | Logs from key systems; evidence alerts were reviewed and acted on |
| Data protection | Encryption in transit and at rest; sensitive data inventory; tested backups | Encryption in place; documented restore test with results |
| Vendor management | Current subprocessor list; vendor security reviews; data protection agreements | Evidence of review; agreements on file; list current |
| Training & incident response | Training completion records; IR plan with named roles; tabletop exercise completed | Training records for all staff; tabletop documentation |
The SOC 2 readiness timeline
| Phase | Typical duration | Key activities |
|---|---|---|
| Scope and kick-off | Week 1 to 2 | Select criteria, define system boundary, choose auditor and platform |
| Gap assessment | Week 2 to 4 | Map current controls against criteria, identify gaps, prioritize remediation |
| Remediation | Week 4 to 10 | Write policies, implement controls, complete training, run tabletop |
| Evidence collection | Week 8 to 12 | Gather and organize evidence; finalize documentation |
| Type I audit | Shortly after readiness | Point-in-time examination; auditor issues report |
| Type II observation window | Three to six months | Controls operate and evidence accumulates |
| Type II fieldwork and report | A few weeks | Auditor tests and issues the Type II report |
Starting readiness before a buyer demands it is the clearest advantage you can give yourself. Companies that begin the process in response to a live deal negotiation are almost always working against an artificial deadline.
Five gaps auditors find most often in startups
| Gap | Why it happens | How to close it |
|---|---|---|
| MFA not enforced on key systems | MFA was enabled but not required; exceptions accumulated over time | Audit current MFA enforcement; remove exceptions; enforce via identity provider policy |
| Access reviews skipped | Access reviews were scheduled but not completed or not documented | Complete a formal access review before the audit window; document results and any access removed |
| Backups never tested | Backups run automatically and were assumed to work | Run and document a restore test; schedule quarterly tests going forward |
| Incident response plan untested | A plan was written but never exercised | Run a tabletop exercise with leadership and document the outcome before the audit |
| Policies misaligned with practice | Policies were copied from templates without being adapted to how the company actually works | Review each policy against current operations; update to match reality, then maintain with annual reviews |
Frequently Asked Questions
Where to go from here
If you are ready to start, the most useful first step is understanding where your controls stand today. Read our guides on what SOC 2 is and the difference between Type I and Type II and how much a SOC 2 audit costs and how long it takes. If you are comparing frameworks, see our explainer on choosing between SOC 2 and ISO 27001. For a broader view of compliance as a growth asset, see investor-ready compliance for tech startups.