The Pragmatic SOC 2 Timeline

An honest breakdown of what each phase of a SOC 2 actually costs in calendar time and internal effort, for organizations of 25–200 people.

Almost every SOC 2 project we inherit is late, and it’s late for the same reason: someone sold the audit as a software purchase. Buy the compliance platform, connect the integrations, watch the dashboard turn green. The dashboard does turn green, but green controls are not the same as operating controls, and a Type II report attests to controls operating over a window of time, not to a tidy snapshot.

This is the timeline we actually run for organizations between 25 and 200 people. It assumes you are starting close to zero: no formal security program, no dedicated security hire, and a leadership team that needs the report to close deals. We’ll be specific about calendar time and, more importantly, about the internal effort each phase demands, because that is the number that gets underestimated and the reason projects slip.

⏱ The short version

From a standing start, a credible SOC 2 Type II takes 9–12 months: roughly 6–10 weeks of readiness work, then a 3-month minimum observation window (6 months is more common and more credible), then 4–8 weeks of fieldwork and report drafting. A Type I can land in 8–12 weeks because it tests control design at a single point in time; it is useful as a milestone but rarely sufficient on its own for enterprise buyers.

Type I vs. Type II: Decide This First

A Type I report says your controls are designed appropriately as of a single date. A Type II says they operated effectively across a period: three months at the absolute minimum, six or twelve months for most buyers. The distinction matters because it sets your entire calendar.

Our default recommendation: if a specific enterprise deal is gated on the report and the buyer will accept it, lead with a Type I to unblock the deal, then roll straight into a Type II observation window. If there’s no immediate deal pressure, skip Type I and run a single 6-month Type II. Paying for two audits to save a few weeks rarely pencils out unless revenue is genuinely waiting on it.

Phase 1: Scoping (Weeks 1–2)

The single highest-leverage decision in the whole engagement is scope: which Trust Services Criteria you include, and which systems are “in scope.” Everyone includes Security (the common criteria). Whether you add Availability, Confidentiality, Processing Integrity, or Privacy should be driven by what your customers’ contracts and security questionnaires actually ask for, not by ambition.

  • Effort: 8–16 hours from leadership and your eventual control owners.
  • Where it stalls: teams scope in Availability “to be safe,” then discover they have no real change-management or capacity-monitoring evidence and spend two months building it for a criterion no customer requested.

Get a system description down on paper: the product, the infrastructure, the data flows, the subservice organizations (your cloud provider, your auth provider). Pick your auditor now, too; their availability, not yours, often dictates the back half of the calendar.

Phase 2: Readiness & Remediation (Weeks 2–10)

This is the real work, and it’s the phase that compliance-tool marketing pretends doesn’t exist. A readiness assessment maps each in-scope criterion to evidence you can actually produce, and surfaces the gaps. Then you close them.

Typical gaps for an organization at this stage:

  • Identity & access: MFA isn’t universal, offboarding is ad-hoc, there’s no quarterly access review, and admin rights are over-distributed.
  • Change management: code ships without a documented review/approval trail, or infrastructure changes happen by hand with no record.
  • Endpoint & vulnerability management: no managed EDR, no patch cadence you can evidence, no asset inventory.
  • Policy suite: the dozen or so written policies an auditor expects simply don’t exist yet.
  • Vendor management: no list of subprocessors, no review of their SOC 2 reports.
  • Logging & monitoring: logs exist but nobody reviews them and there’s no alerting that maps to an actual response.

⚠ The honesty test

A control you wrote down last week but have never followed will fail a Type II audit, because the auditor samples evidence from across the window. The point of starting the observation window after remediation is so your controls have a real operating history. Backdating is not a strategy; it’s a finding.

  • Effort: this is where the hours live. Budget 0.25–0.5 FTE of internal time for 6–10 weeks across engineering, IT, and an owner who drives the program. With a vCISO running it, your internal load drops substantially, but it never goes to zero, because the controls have to belong to your people.
  • Where it stalls: no single accountable owner. “Compliance is everyone’s job” means it’s nobody’s job. Name a directly-responsible individual and put the milestones in their goals.
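The identity and access gaps listed above (terminated users still active, MFA not universal, admin rights spread wide, no quarterly review) are the ones an auditor samples most often, and the review itself is only a control if it leaves a record. The following is an added example, not code from this page or from any compliance platform: it takes a constructed identity-provider export and a constructed HR roster (the field names are assumptions, not a real vendor's schema), flags each gap category, and emits an evidence record that includes a digest of the data actually reviewed, so the artifact can be tied to a dated snapshot rather than reconstructed from memory during fieldwork.

```python
"""Quarterly access review with an evidence record.

Added example. IDP_ACCOUNTS, HR_ROSTER and DECISIONS are constructed sample data;
their field names are assumptions, not any identity provider's real export format.
"""
import hashlib
import json
from datetime import date

# Constructed IdP export (assumed schema): one row per account.
IDP_ACCOUNTS = [
    {"user": "ana@example.com",    "status": "active", "mfa": True,  "roles": ["admin"],    "last_login": "2024-03-28"},
    {"user": "ben@example.com",    "status": "active", "mfa": False, "roles": ["engineer"], "last_login": "2024-03-30"},
    {"user": "cara@example.com",   "status": "active", "mfa": True,  "roles": ["admin"],    "last_login": "2023-11-02"},
    {"user": "dev@example.com",    "status": "active", "mfa": True,  "roles": ["engineer"], "last_login": "2024-03-29"},
    {"user": "svc-ci@example.com", "status": "active", "mfa": False, "roles": ["admin"],    "last_login": "2024-03-31"},
]

# Constructed HR roster (assumed schema): who should still have access.
HR_ROSTER = {
    "ana@example.com":  {"terminated": None},
    "ben@example.com":  {"terminated": None},
    "cara@example.com": {"terminated": "2024-01-15"},  # left in January; IdP still active
    "dev@example.com":  {"terminated": None},
    # svc-ci@example.com has no HR record: a service account that needs a named owner
}

# Constructed reviewer decisions for this quarter's review.
DECISIONS = {
    "ana@example.com":    {"action": "retain", "note": "admin, MFA enrolled"},
    "ben@example.com":    {"action": "retain", "note": "MFA enrollment ticket opened"},
    "cara@example.com":   {"action": "revoke", "note": "terminated 2024-01-15; offboarding was missed"},
    "dev@example.com":    {"action": "retain", "note": ""},
    "svc-ci@example.com": {"action": "retain", "note": "service account; owner assigned, credential rotated"},
}

REVIEW_DATE = date(2024, 3, 31)
STALE_DAYS = 90


def find_gaps(accounts, roster, as_of, stale_days=STALE_DAYS):
    """Return the findings an access review should surface, keyed by category."""
    gaps = {"offboarding": [], "no_mfa": [], "stale": [], "admins": [], "unowned": []}
    for acct in accounts:
        if acct["status"] != "active":
            continue  # disabled accounts are not an access gap
        user = acct["user"]
        hr = roster.get(user)
        if hr is None:
            gaps["unowned"].append(user)          # no HR record: nobody owns this account
        elif hr["terminated"] is not None:
            gaps["offboarding"].append(user)      # terminated in HR, still active in IdP
        if not acct["mfa"]:
            gaps["no_mfa"].append(user)
        if (as_of - date.fromisoformat(acct["last_login"])).days > stale_days:
            gaps["stale"].append(user)            # unused for longer than the stale threshold
        if "admin" in acct["roles"]:
            gaps["admins"].append(user)           # every admin gets an explicit retain/revoke
    return gaps


def build_review_record(accounts, roster, as_of, reviewer, decisions):
    """Produce the evidence artifact. Refuses incomplete or contradictory reviews."""
    gaps = find_gaps(accounts, roster, as_of)
    active = [a["user"] for a in accounts if a["status"] == "active"]
    missing = [u for u in active if u not in decisions]
    if missing:
        raise ValueError(f"no decision recorded for: {missing}")
    not_revoked = [u for u in gaps["offboarding"] if decisions[u]["action"] != "revoke"]
    if not_revoked:
        raise ValueError(f"terminated users must be revoked: {not_revoked}")
    # Digest of the exact inputs reviewed, so the record is tied to a dated snapshot.
    snapshot = json.dumps({"accounts": accounts, "roster": roster}, sort_keys=True)
    return {
        "control": "quarterly access review",
        "review_date": as_of.isoformat(),
        "reviewer": reviewer,
        "input_digest": hashlib.sha256(snapshot.encode()).hexdigest(),
        "findings": gaps,
        "decisions": decisions,
    }


def run_example():
    """Run the review over the constructed data and return the evidence record."""
    return build_review_record(IDP_ACCOUNTS, HR_ROSTER, REVIEW_DATE, "it-lead@example.com", DECISIONS)


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

Store the JSON the script prints in a ticket or the compliance platform, not in chat; the digest lets an auditor confirm the reviewed export matches what was retained. The two `ValueError` paths are deliberate: a review that skips an active account, or that retains a terminated user, is exactly the kind of hollow control the honesty test above describes.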

Phase 3: The Observation Window (3–12 Months)

Once controls are designed and operating, you “start the clock.” For a Type II, the auditor will sample evidence from across this window: access reviews that actually happened on schedule, tickets that show change approvals, alerts that were triaged, onboarding/offboarding that followed the checklist.

Calendar-wise this is the longest phase, but the internal effort is low if the program is real: you are mostly just operating your controls and letting the evidence accumulate. The teams that struggle here are the ones who treated readiness as a paperwork exercise; their controls quietly stop operating in month two and the gap shows up in fieldwork.

  • Effort: light but continuous, a few hours a week of operating and capturing evidence. This is exactly the kind of run-rate work a managed partner carries for you.
  • Window length: 3 months is the floor. 6 months is the sweet spot for credibility versus speed. 12 months is for mature programs and the most demanding buyers.

Phase 4: Fieldwork & Report (Weeks +4 to +8 after the window closes)

The auditor requests evidence, samples it, interviews control owners, and drafts the report. Expect rounds of follow-up requests; respond fast, because the report can’t be finalized until every sample is satisfied. A clean engagement produces an unqualified opinion with no exceptions; a few exceptions aren’t fatal but they’re worth avoiding through honest readiness.

  • Effort: 20–40 hours concentrated over a few weeks, mostly evidence retrieval and answering auditor questions.
  • Where it stalls: evidence that lives in someone’s head or in a Slack thread. If it isn’t captured in a system, you’ll spend fieldwork reconstructing it.

What It Actually Costs

Four cost lines; the platform and the program are the two that get conflated:

Line item                                       Typical range (25–200 people)
Auditor (CPA firm), Type II                     $12k–$45k depending on scope & criteria
Compliance automation platform (annual)         $7k–$25k
Readiness + program build (advisory / vCISO)    varies; often the difference between 9 and 18 months
Internal time                                   the cost everyone forgets; see the effort notes above

The platform is a useful evidence-collection and monitoring layer. It is not the program. Buying the platform without someone to design and operate the controls is the most common way a SOC 2 ends up six months late.

The Five Things That Actually Move the Date

  1. Name one accountable owner with the authority to make engineering change.
  2. Scope tightly, only the criteria your customers require.
  3. Close access & change-management gaps first; they’re the highest-frequency evidence and the most-sampled.
  4. Start the window only when controls are genuinely operating. An early start with hollow controls costs more than a late one.
  5. Capture evidence in systems, not heads, so fieldwork is retrieval, not archaeology.

How we run this

For most clients we engage as a vCISO to own the program end-to-end: readiness, remediation, control operation through the window, and auditor liaison during fieldwork, while your team keeps shipping product. We’ve taken organizations from zero to SOC 2 Type II with no qualifications in nine months. Talk to us for a worked example.
