What Am I Getting Into?
I wildly underestimated the cost of our first SOC 2 Type 1 audit — both in time and expense. I figured an auditor would come in for a few months, offer suggestions on how to improve, and then sign off. The total cost would be a little distraction plus the auditor’s fee. I could not have been more wrong.
A SOC 2 audit is a huge undertaking that involves senior representatives from almost every team, including HR, Legal, Engineering, Sales, Customer Support, and others.
How much does SOC 2 cost?
Taking into account lost productivity, build vs. buy decisions for new tools, and security training, we estimate the cost at $147,000 all-in.
Let’s dig into each of these points to help you understand the costs you may encounter.
How much will an Auditor charge for a SOC 2 Type 1 audit?
Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range.
But the cost of the auditor is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well.
First, assign someone to own the SOC 2 process from start to finish. Expect this to become a full time focus for the duration of the project. This is a hidden SOC 2 cost that may not be obvious to account for. This responsibility is not something that can be delegated to your IT or security team, nor can it be handled by junior staff. The initiative needs to be led by someone who has sufficient familiarity with technical systems to be efficient with the team’s time. That person will also need to be sufficiently senior to successfully cut through the company politics and get things done.
Cost: 50% FTE or consultant, ~$50-75k
Time: 6 months
Next, you will need a readiness assessment. This assessment is designed to educate your team on the audit scope and conduct preliminary investigative and prep work, including: identifying data stores, mapping workflow, and creating an inventory of technical systems. It’s also the right time to give some of your key teams – like legal and HR – a heads up that some of your company’s documentation and policies will need to be changed.
Cost: productivity loss of dedicated team
Time: 2 weeks full time internal team
Review with your attorney all customer agreements, vendor and contractor agreements and employment agreements. These agreements will establish a foundation of responsibility assignment that allow you to make assertions in your policies regarding confidentiality, privacy and security. You may need to revisit these annually with each audit. Anticipate this will be an ongoing SOC 2 cost.
Time: 2 weeks spread out over 3 months
Build vs Buy Decisions
Depending on your existing infrastructure and security posture, you may need to roll out several new tools as you ramp up your SOC 2 program. Tools that can collect asset inventory, generate tickets for capturing compliance tasks, as well as manage security and compliance reporting. You will also need tools for threat and intrusion detection, file integrity monitoring and vulnerability management. You’ll face many build vs buy decisions. If you have time, but not budget, you may choose a DIY approach. In that example, your Access Onboarding & Termination Policy might consist of open source tools and custom scripts. If you need to move faster, you could buy a tool like strongDM to automate onboarding, termination and auditing.
Cost: $5-$50k depending on mix of commercial and DIY
Time: 2 months
Another important cost to consider is security training. You will want to start conducting annual security awareness training, either in house or through a third party, if you don’t already. Someone will need to make sure the entire company attends the training, and that all employees sign off on receiving it. Expect this to incur logistical costs and impact team productivity, which is a lesser known SOC 2 cost.
Time: 1 week
🎉 Have you heard? strongDM offers a free and completely self-paced online SOC 2 Course.
To summarize your SOC 2 compliance checklist, set realistic expectations and anticipate the time and cost you will need to invest in SOC 2. Delegate SOC 2 responsibilities to senior staff members who can own the project from start to finish, involve your legal team in refining agreements and ensure all staff members receive regular security awareness training. Expect the cost and time requirements to equal:
We’ve created an open source SOC 2 templates tool for every single SOC 2 policy. You can download each and customize them to suit your specific business needs. They’re 100% free.
To learn more on how strongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.