Updated: Feb 16
What's the timeline for obtaining a SOC 2 report? What are the key milestones and activities? What's the best way to communicate your plans to customers?
The main difference between clients that take three (3) months and those that take a year or longer is the level of commitment from senior management. The current level of process maturity also plays a role.
The total amount of work required to become SOC 2 compliant is roughly proportional to company size, with more work for larger organisations. However, larger organisations generally have a higher level of process maturity, which can offset the additional work.
Our infographic provides an overview of the steps involved. The timing is primarily dependent on you, the service organisation.
What's the best way to communicate your plans to customers?
When it comes to communicating your plans to your customers, it's always best to add a buffer. It's easy to overcommit while trying to win business or build the relationship, but managing expectations will save you in the long run.
A timeline may allow:
One (1) month for the readiness review;
Six (6) months for remediation of the control gaps identified;
The period of time you choose for the Type 2 Report (3-12 months), during which the controls must operate;
Two (2) months for the audit and reporting after the compliance date (Type 1) or period end (Type 2).
That means roughly 9 months to issue a Type 1 Report, and 12-21 months to issue a Type 2 Report (12 months with a 3-month period, 21 months with a 12-month period).
That seems like an unreasonably long timeframe, right?
Well, what's important about SOC 2 is the journey, not the outcome. In contrast to other certifications where you can tick the box with template policies and the "design" of best-practice processes, SOC 2 is more about embedding and operating those processes and controls. This improves process maturity and demonstrates the operating effectiveness of the internal controls. During the period leading up to the issuance of the reports, you can provide progress updates, which usually keeps customers satisfied while they wait for the reports.