SOC 2 checklist: tasks and time estimates

Task | Time estimate
Decide Type 1 vs Type 2 and which Trust Service Criteria to include | 2-4 hr decision + alignment
Scope the audit: systems, people, vendors, locations | 1-2 days
Pick a compliance automation tool (or run manually) | 1-2 days to evaluate, 1 week to onboard
Write the 12 core policies | 3-5 days
Implement core technical controls (SSO, MFA, encryption, logging) | 1-2 weeks
Run quarterly access reviews | Quarterly, ~1 day per cycle
Set up vendor management and risk assessment | 1 week
Implement change management and incident response processes | 1-2 weeks
Pick an auditor and run the readiness assessment | 4-6 weeks (Type 1)
Maintain Type 2 evidence + handle customer security questionnaires | Ongoing, ~1 day/month after initial setup

Control status (sample)

Control | Status
CC1.1: Code of conduct + ethics policy | Drafted. Need legal review + employee acknowledgement.
CC2.1: Risk assessment | Tabletop completed Q1. Document 30+ identified risks + mitigations.
CC6.1: Logical access controls | SSO + MFA enforced. Quarterly access review needed.
CC7.1: Vulnerability scanning | Snyk + Dependabot in CI. Need monthly summary report.

Evidence log (sample entries)

- Q2 access review. 3 dormant accounts removed.
- Snyk vulnerability scan, 0 high/critical.
- Q2 vendor risk review. 12 vendors assessed; 2 flagged for follow-up.
- Penetration test report from external auditor; 0 critical findings.
- SOC 2 Type 1 audit kickoff; auditor onboarded with evidence portal access.
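The quarterly access review behind CC6.1 comes down to one repeatable check: take the identity provider's user export, flag active accounts that have not signed in within the policy window, and record the result as evidence. The script below is an added example written for this checklist, not tooling from the page or from any compliance product; the CSV column layout, the 90-day dormancy threshold, the "prod-admin" group name and the user records are all constructed assumptions.

```python
"""Quarterly access review helper: flag dormant accounts in an IdP user export.

Added example for the CC6.1 / quarterly access review step; not part of the
original checklist. The CSV layout, the 90-day threshold, the privileged group
name and every user record below are assumptions constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 90          # assumed threshold; align with your access-control policy
PRIVILEGED_GROUP = "prod-admin"  # assumed name of the group that warrants priority removal

# Constructed sample export (not real data). last_login is empty when the user
# has never signed in; groups are separated by ';'.
SAMPLE_EXPORT = """\
email,status,created,last_login,groups
alice@example.com,active,2023-01-10,2024-06-20,engineering;prod-admin
bob@example.com,active,2023-03-02,2024-02-01,engineering
carol@example.com,active,2024-01-15,,finance
dave@example.com,suspended,2022-11-05,2024-01-30,engineering;prod-admin
erin@example.com,active,2024-05-30,,support
frank@example.com,active,2022-08-19,2024-03-15,prod-admin
"""


def parse_export(text):
    """Parse the CSV export into dicts with real date objects and a group list."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        users.append({
            "email": row["email"],
            "status": row["status"],
            "created": date.fromisoformat(row["created"]),
            "last_login": date.fromisoformat(row["last_login"]) if row["last_login"] else None,
            "groups": [g for g in row["groups"].split(";") if g],
        })
    return users


def is_dormant(user, review_date, threshold_days=DORMANT_AFTER_DAYS):
    """An active account is dormant when its last sign-in is older than the
    threshold. An account that never signed in is measured from its creation
    date, so freshly provisioned users are not flagged. Suspended accounts are
    already blocked and are left out of the dormant list."""
    if user["status"] != "active":
        return False
    reference = user["last_login"] or user["created"]
    return (review_date - reference) > timedelta(days=threshold_days)


def review(users, review_date_iso, threshold_days=DORMANT_AFTER_DAYS):
    """Run the review as of the given ISO date and return an evidence record:
    how many accounts were reviewed, which are dormant, and which of those
    hold privileged group membership."""
    review_date = date.fromisoformat(review_date_iso)
    dormant = [u for u in users if is_dormant(u, review_date, threshold_days)]
    return {
        "review_date": review_date_iso,
        "reviewed": len(users),
        "dormant": sorted(u["email"] for u in dormant),
        "dormant_privileged": sorted(u["email"] for u in dormant if PRIVILEGED_GROUP in u["groups"]),
    }


def run_sample():
    """Review the constructed export as of an assumed quarter-end date."""
    return review(parse_export(SAMPLE_EXPORT), "2024-06-30")


if __name__ == "__main__":
    result = run_sample()
    print(f"Access review {result['review_date']}: {result['reviewed']} accounts reviewed")
    print("Dormant (remove or justify):", ", ".join(result["dormant"]))
    print("Dormant with privileged access:", ", ".join(result["dormant_privileged"]))
```

The returned record is what goes into the evidence log: the review date, the population size, and the accounts flagged, with privileged ones called out so they are removed first. Keep the threshold and the privileged group list in the access-control policy rather than in the script, so the auditor can trace the check back to the documented control.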