What Is SOC 2?
SOC 2 (System and Organization Controls 2) is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA). It evaluates how organizations manage customer data based on five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Unlike prescriptive standards like PCI DSS that tell you exactly what to implement, SOC 2 is principles-based. You define the controls that make sense for your organization, then an independent auditor evaluates whether those controls are properly designed and operating effectively.
The Security criterion (also called Common Criteria) is required for every SOC 2 audit. The other four criteria are optional and chosen based on what your customers and business require.
Who Needs SOC 2?
Any organization that stores, processes, or transmits customer data should consider SOC 2 certification. In practice, these are the most common drivers:
Enterprise sales requirements: Larger companies increasingly require SOC 2 reports from their vendors before signing contracts. If you sell B2B SaaS, a prospect's security team will likely ask for your SOC 2 report during due diligence.
Customer trust: A SOC 2 report demonstrates to customers that you take data security seriously. It is particularly important for SaaS companies, cloud service providers, and managed service providers.
Competitive advantage: In crowded markets, SOC 2 certification differentiates you from competitors who cannot demonstrate the same level of security maturity.
Regulatory alignment: While SOC 2 is not a legal requirement, many industry regulations (HIPAA, GDPR, state privacy laws) share overlapping controls. SOC 2 compliance often satisfies a significant portion of these requirements — particularly for healthtech companies navigating HIPAA and fintech companies in regulated markets.
The Five Trust Services Criteria
Security (Common Criteria): Required for all SOC 2 audits. Covers logical and physical access controls, system operations, change management, and risk mitigation. Key criteria include CC6.1 (logical access security), CC6.2 (user access provisioning), CC7.2 (monitoring for anomalies), and CC8.1 (change management).
Availability: Evaluates whether systems are available for operation as committed. Important for SaaS products with uptime SLAs. Covers capacity planning, disaster recovery, and incident response.
Processing Integrity: Ensures system processing is complete, valid, accurate, and timely. Critical for financial services, payment processing, and data analytics platforms.
Confidentiality: Addresses how confidential information is identified, protected, and disposed of. Relevant when handling trade secrets, intellectual property, or business-sensitive data beyond personal information.
Privacy: Covers the collection, use, retention, disclosure, and disposal of personal information in accordance with your privacy notice. Most relevant for companies handling significant personal data.
The SOC 2 Audit Process
The SOC 2 audit process typically follows these stages:
Readiness assessment: Before engaging an auditor, conduct an internal review of your controls. Identify gaps between your current security practices and SOC 2 requirements. This is where tools like SimpleAudit help you understand where you stand.
Gap remediation: Address the gaps identified during readiness. This typically involves writing policies (information security, access control, incident response, etc.), implementing technical controls, and establishing monitoring procedures.
Auditor selection: Choose a CPA firm licensed to perform SOC 2 audits. Look for firms experienced with companies your size and in your industry. Fees typically range from $7,000 to $36,000 for companies under 300 employees, depending on scope and how many Trust Services Criteria you include.
Audit execution: The auditor reviews your controls against the Trust Services Criteria. For Type 1, they evaluate design at a point in time. For Type 2, they test operating effectiveness over a period (typically 3-12 months).
Report delivery: The auditor issues a SOC 2 report containing their opinion, a description of your system, the applicable criteria, and the results of their testing. This report is what you share with customers and prospects.
SOC 2 Timeline: How Long Does It Take?
The total timeline depends on your starting point, but here are typical ranges:
Readiness assessment: about 1–2 weeks to understand where you stand and what gaps remain.
Build and remediation: typically 4–10 weeks, driven mostly by your starting maturity. Teams with no controls yet should budget around 8–10 weeks; teams with partial controls 6–8 weeks; teams already operating most controls 4–6 weeks. AI-generated policies and guided remediation are what compress this phase from the traditional several months down to weeks. Larger teams add coordination time (roughly +2 to +6 weeks).
Type 1 audit: 4–8 weeks. The auditor evaluates control design at a single point in time. This is the faster path to your first SOC 2 report.
Type 2 observation period: 3–12 months. After Type 1, you need to demonstrate that controls operate effectively over time. Most companies start with a 3-month or 6-month observation window.
Type 2 audit: 4–8 weeks after the observation period. The auditor tests a sample of control activities from the observation period.
Total: Most startups can get their first Type 1 report in 3–6 months and their first Type 2 report in 9–18 months from starting.
How Much Does SOC 2 Cost?
SOC 2 costs are larger and more varied than the audit fee alone. The main buckets:
Audit fees: $7,000-$25,000 for a security-only Type 2 at a seed or small company (a boutique CPA firm can come in near $7,000 for the smallest teams); $25,000-$36,000 for mid-size companies up to ~300 employees.
Annual penetration test and incident response testing: roughly $7,000-$10,000 and $8,000-$10,000 respectively. Auditors typically expect both, and both recur every year; they are also easy to leave out of a first budget.
Security and monitoring tooling: $3,000-$12,000/year for a small team (SSO, device management, endpoint protection, log management, vulnerability management, and more). Vulnerability management in particular carries recurring time, not just a subscription.
Compliance platform: $0-$50,000/year depending on the platform. Enterprise tools like Vanta and Drata charge $10,000-$50,000/year; SimpleAudit starts at $199/mo billed annually.
Internal effort: the hidden cost. Someone on your team owns the program, typically an engineering lead or operations manager spending 15-25% of their time during preparation and 5-10% ongoing.
Total first-year cost for a lean seed or small team: roughly $37,000-$84,000 all-in; mid-size companies run $95,000-$185,000. Year-two costs fall about 20-35% because the one-time policy and control work is done, though the audit and annual testing recur. See the full cost breakdown for line-by-line detail by company size.
Getting Started with SOC 2
If you are starting your SOC 2 journey, here is a practical roadmap. The right starting point depends on your stage — B2B SaaS companies typically need Security + Availability at minimum, while earlier-stage companies can often start with Security alone.
Step 1: Understand your scope. Which Trust Services Criteria do your customers require? Start with Security (required) and add others based on customer contracts and your business model.
Step 2: Assess your current state. Review your existing security policies, access controls, monitoring, and incident response procedures. Identify what exists and what needs to be created.
Step 3: Write your policies. You need approximately 19 core policies covering information security, access control, change management, incident response, risk management, vendor management, data classification, and more.
Step 4: Implement controls. Ensure your policies are backed by actual technical and operational controls. Enable MFA, configure logging, set up access reviews, implement encryption, and establish change management processes.
Step 5: Collect evidence. Start documenting your control activities. Save screenshots, export logs, and maintain records that demonstrate your controls are operating as designed.
Step 6: Engage an auditor. Select a CPA firm and schedule your Type 1 audit. Use the readiness period to address any remaining gaps.
SimpleAudit helps with steps 2-5 by using AI to generate policies, identify risks, and track your readiness across all compliance areas.