Updated: Feb 16
What's the timeline for obtaining a SOC 2 report? What are the key milestones and activities? What's the best way to communicate your plans to customers?
The main difference between clients that take weeks to a few months and those that take a year or longer is the level of commitment from senior management. The current level of process maturity also plays a role.
The total amount of work required to become SOC 2 compliant is roughly proportional to company size, with more work for larger organisations. However, larger organisations also tend to have a higher level of process maturity, which can offset that by reducing the number of new compliance activities, policies and procedures that need to be implemented.
Our infographic provides an overview of the steps involved. The timing is primarily dependent on you, the service organisation.
Note: This was prepared in 2020. We've seen these steps condense and run more in parallel since then, but the same activities still apply, and the infographic shows the logical connection between them.
What's the best way to communicate your plans to customers?
When it comes to communicating your plans to your customers, it's always best to add a buffer. It's easy to overcommit while trying to win business or build the relationship, but managing the expectation will save you in the long run.
A timeline may allow:
One (1) month for the readiness review;
Three to six (3-6) months for remediation of the control gaps identified;
The review period you choose for the Type 2 Report (3-12 months);
One to two (1-2) months for the audit and reporting after the compliance date (Type 1) or period end (Type 2).
That means allowing roughly 9 months to issue a Type 1 Report and 12-24 months to issue a Type 2 Report. Of course you can do it more quickly, but it is better to under-promise and over-deliver!
That seems like an unreasonably long timeframe, right?
Well, what's important about SOC 2 is the journey, not the outcome. In contrast to certifications where you can tick the box with template policies and the "design" of best-practice processes, SOC 2 (an attestation report rather than a certification) is more about embedding and operating those processes and controls. This improves process maturity and, in a Type 2 Report, demonstrates the operating effectiveness of the internal controls over the review period rather than only their design at a single point in time. During the period leading up to the issuance of the reports, progress updates can be provided to customers, which usually keeps them satisfied while they wait for the reports.