Our Guideline of a SOC 2 Timeline: Know What to Expect
By Bernard Gallagher

When you’ve scheduled your SOC 2 testing, you are well on your way to demonstrating the trustworthiness of your company. However, scheduling your on-site test is not the end of your preparation. There are a number of additional steps along the way. Not sure what your timeline is or what to expect? Read on to learn more about each stage of the process:


Quantifying Your Risk

The kickoff of a SOC 2 audit involves quantifying the business revenue that is at risk. There are a number of methodologies that can be used to accurately quantify your financial risk. During the kickoff, you and your audit partner will also establish how critical your preparation tasks are and set up expectations for the rest of your preparation.

Next Up: Gap Analysis

The gap analysis stage typically takes anywhere from two to four weeks. This is a stage where the assistance of a third-party service auditor like I.S. Partners is especially valuable.

During gap analysis, your auditor will assess your current environment and how it compares to SOC 2 requirements. How well does your organization fit SOC’s trust service principles?

  • security
  • availability
  • processing integrity
  • confidentiality
  • privacy

Some SOC audit procedures can be performed remotely. Others will require an on-site appointment. Procedures that fall into the latter group include environmental and physical security functions.

At the end of this analysis, you and your auditor will have identified the areas where you can improve to serve customers’ privacy needs better and to earn SOC certification. Common issues often identified in this phase can include:

  • A need for core policies that define how your organization protects internal and customer data.
  • A need for consistent employee background checks.
  • A need to adjust or create employment agreements that emphasize security needs.
  • A need for a password complexity policy that meets the latest best practice recommendations.

There may also be key trust service principles that are specific to your business and industry. For instance, if you are working in the e-commerce sector, you will need to add processing integrity to your SOC audit.

On to Remediation

Once the gap analysis and readiness assessment are completed, you’ll start your first remediation period. This can last anywhere from two to nine months. The length of remediation will depend on what you discover during the gap analysis and what resources are available to close the gaps.

This is the part of the process where teams will feel the impact of the changes that SOC 2 requires. It is not uncommon to make new hires to meet requirements. You may also change your software development process to align with security needs.

After this remediation period, another assessment will be performed. There may also be a second remediation period based on your auditor’s findings at this time.

The Information Request List

In the time before your SOC audit, you’ll receive a list of all of the documentation you will be expected to deliver as part of the process.

This list will also highlight what you are currently missing. Most enterprises go into the process with a number of gaps. Giving yourself time to address them will ensure a higher level of success. Some of the most common gaps include:

  • A full asset inventory, as well as the process that keeps your inventory updated and accurate.
  • Human resources documentation that includes procedures for evaluating employee performance, as well as a meta-document that outlines how and when these evaluations are distributed to the applicable managers.
  • Controls and checklists for employee onboarding.
  • A formal process for employee termination or change from one position in the company to another.
  • Core policies, including standard operating procedures and an information security policy.
  • Key security controls for your customer data.
Your request list may also include items that do not apply to your specific business. Explain to your auditor which items don’t belong and the reasons why. In some cases, your auditor may not agree with you and will explain why certain items that are not currently in your procedures are important.

Getting Together Your Documentation

This stage involves a large quantity of documentation. Make sure you have someone tasked with coordinating it all so that every relevant department knows what is expected of them and when. All of the information should be pulled together in a central repository so that it is easily available to your auditor.


Summing Up

The process of getting ready for your SOC 2 certification is a long one. It is important to have the right help along the way. By understanding what is required of you, as well as the scope of the time and effort involved, you can make your certification process go more smoothly.

Looking for expert help? I.S. Partners has assisted organizations in a range of industries. Call us at 215-675-1400, or send us a message to learn more!
