The timeline, steps, and what’s involved for SOC 2 and other attestations

Audit requirements, steps involved and associated timelines are steps that go hand in hand. We often hear claims in the market that it will take you (insert unrealistic expectation) to achieve SOC 2. This article will provide a realistic overview of how the audit process works in practice.

The timeline for an initial SOC 2 audit

As an illustrative example, we spent 80 hours on our own initial SOC 2 process for our audit management platform, Pillar. That’s not including time spent on related activities that weren’t performed specifically for compliance, e.g., implementing our infrastructure security and employee performance review process. That 80 hours could theoretically be done in a week or two, but there are practical reasons why that’s often not realistic: 

1. Compliance often competes with other top business priorities. When time and resources are scarce, it often can take a back seat behind other initiatives. 
2. It touches lots of different business activities, often with multiple people and lead times involved.
3. The audits require back and forth between the client and auditor. Even with our agile and collaborative audit approach to optimise this process, it requires time and effort for your team to provide the right evidence and clarifications. 
4. Compliance implementation is the best opportunity to get things set up right. You may be able to box-tick for the sake of compliance, but a little extra time goes a long way for real business benefits and ensuring it will actually meet the audit requirements.

We spent 80 hours over 3 months, after some initial planning and “starting” it 3 months earlier. The median timeframe we see for our clients is 3 months, ranging from 3 weeks to 18 months. 

Sure you can do it in a week if you don’t sleep, make it the top priority, and forgo the opportunity to get real benefits from it, but we don’t recommend that!
 
The practical steps to SOC 2 attestation

The below steps were traditionally carried out sequentially during the audit process. In modern compliance, they’re often tackled in parallel. 

That’s the purpose of our agile, collaborative audit process, which gives timely feedback, end-to-end guidance, and a clear view of progress for all stakeholders. The key steps involved are:

1. Planning: Which audit firm will you use? Will you use a compliance platform? What resources are required? What tools will you use to aid the audit process? What timeline will you target? 
2. Readiness Assessment: You can use a compliance platform like Vanta or Drata, or a free tool like our readiness assessment software to see where you do and don’t comply with your chosen standards.
3. Implementation: Undertake the necessary activities to meet the compliance standards (ie. remediate any evidence or control process gaps), and ensure you can prove those to your auditor.
4. Evidence gathering: Collect and provide the evidence of those activities for your auditor to verify independently.
5. Audit: The auditor reviews and provides feedback, asks additional questions, and ultimately signs off on your compliance.
6. Reporting: The attestation report (SOC 2) is issued to share with your customers.
7. Maintenance: You manage your compliance activities in business-as-usual until the next audit or as part of a continuous audit process that follows.

There's more work required initially to achieve compliance, which then becomes much easier to maintain over time. That is why we advise our clients to invest the necessary time up front - the more work done to ensure the initial audit is successful, the less maintenance work that will be required during subsequent periods. As the saying goes, A good start is half the battle!  

What’s involved in SOC 2 attestation audits?

The activities required during a SOC 2 attestation process can vary greatly. That’s a good thing; although it can make it harder to understand compliance and what’s required, it means you can do things in a way that makes sense for your company. This is where some companies opt for the generic strategy to compliance - to keep it simple and take out the guesswork. Compliance activities include the following types:

Systematic controls (10-35%)
Systematically configured functions are tested with automation or screenshots. These include:

• Infrastructure (eg. AWS): encryption, firewalls, system monitoring and logging.
• Enterprise software (eg. Google Workspace): tracking your people, information assets, and enforcing MFA for logins.
• Code repository: restricting access, enforcing peer reviews, and oversight of the code changes for software development.
• Mobile device manager: enforced policies on user devices like operating system updates, anti-virus software, device firewalls and encryption, screen timeout.

Policies, procedures and plans (20-35%)
Documented responsibilities, business requirements and the design of processes and plans that support your compliance requirements.

Event-driven activities (15-30%)
When events occur, they are managed in accordance with defined policies, procedures and plans. For example, when new joiners are onboarded, conducting background checks, employment contracts, and security awareness training. This also includes when incidents occur, changes are released, vulnerabilities are identified, and assets are disposed of, to ensure they are managed effectively.

Periodic meetings and reviews (20-30%)
Board and management meetings, risk assessments and vendor governance reviews are conducted periodically (quarterly, annually) to maintain oversight of the organisation. There are also penetration tests, business continuity and disaster recovery exercises, and other periodic tests to check whether compliance activities are effective.

Other ad-hoc items (~10%)
This category is here for completeness. There are a few things that may not fall into the above, like having a documented architecture diagram, customer contracts or terms of service, and cyber insurance.

Interested in discussing the next steps?

A key step to achieving compliance is having the right audit partner. Get in touch with us below to discuss how we can help you on this journey.