<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

We're blowing the whistle on Legacy PAM 🏀 Join us for an Access Madness Webinar on March 28

Search
Close icon
Search bar icon

How Long Does It Take To Complete a SOC 2 Audit

A Timeline To Plan for SOC 2
StrongDM manages and audits access to infrastructure.
  • Role-based, attribute-based, & just-in-time access to infrastructure
  • Connect any person or service to any infrastructure, anywhere
  • Logging like you've never seen

You scheduled your on-site SOC 2 testing. While the initial step is complete, there is still a lot of process and time before you’re past the finish line. This post will help plan and manage time expectations and establish a timeline of deliverables - working backward from your SOC audit start date.

The Purpose of SOC 2 Audits

SOC is a system of service organization controls. SOC stands for “system and organization controls,” and controls are a series of standards designed to help measure how well a given service organization regulates its information, user entities, and sensitive data - particularly customer data. The purpose of SOC standards is to create a level of confidence and trust for organizations when they engage third-party vendors. A SOC-certified organization (hey, that will be you soon!) has been audited by an independent certified public accountant who worked with your organization on a readiness assessment and has determined the firm has the appropriate SOC guardrails, risk management, and attestation standards established by the American Institute of Certified Public Accountants (AICPA).

Quantify Risk

First, during the SOC audit project kick-off, build a financial model to quantify the revenue at risk. Methodologies such as FAIR (Factor Analysis of Information Risk) can help you better understand, analyze and quantify information risk in financial terms. This exercise will also establish how critical your tasks are and build consensus within your company.

Gap Analysis/Readiness Assessment

Next up is the gap analysis, which will take about 2-4 weeks from start to finish. You can work through the analysis internally with your SOC 2 team, but it also makes sense to get help from a third-party service auditor. The auditor will assess your environment in its current state and then compare it to the SOC 2 requirements - specifically the trust services principles: security, availability, processing integrity, confidentiality, and privacy. Some of the SOC audit procedures will need to be performed on-site - such as those involved in environmental or physical security functions - and others can be performed remotely. Coming out of the analysis, you will have identified areas with apparent deficiencies and are ready to move forward with a punch list of items to tackle first. Some examples of items commonly on this list:

  • Lack of core policies, such as an information security policy, to define how your organization is protecting internal data, as well as customer data.
  • Employee background checks need to be conducted consistently.
  • Lack of system password complexity policy (this one should be easy to remedy prior to your test period).
  • Employment agreements that need to be adjusted or are missing altogether.

Key trust services principle missing from the scope - for example, if your organization provides financial/e-commerce services, you will likely want to add processing integrity as a criterion for your audit.

🎉 Have you heard? StrongDM offers a free and completely self-paced online SOC 2 Course.

Remediation periods

After your readiness assessment is complete, your first remediation period begins. It could be as short as two months or as long as nine months. The timing depends on what is uncovered during your gap analysis and how willing management is to dedicate resources to close those gaps. This remediation period is the bulk of the process and is where your teams will feel the impact of the changes required by SOC 2. You may end up bringing on new hires or changing your software development process during your remediation efforts. Afterward, there will likely be a second remediation period that comes after your audit, based on the findings of your auditors.

Receive information request list

In advance of the SOC audit, your audit firm will send a substantially complete manifest of everything you are expected to deliver. The manifest will also reveal everything that is currently missing. Expect that you will have many gaps, and give yourself enough time to address them. Some common gaps include:

  • Your HR documentation might include a procedure for how to evaluate employee performance but probably does not include a meta-document that states when and how that document is distributed to managers.
  • You might have adequate controls and checklists for employee onboarding, but the process for handling an employee’s job function change - or termination - is not fully documented and formalized.
  • You are lacking a full inventory of assets and/or the processes and procedures to keep that inventory accurate and up to date.
  • Your core policies - such as the information security policy - are complete, but you are missing other supporting documentation, such as standard operating procedures.
  • Your customer data are missing key security controls.

There will also be things in the information request list that are not applicable to your business. You can push back on these with your auditor, but be ready to explain why they don’t apply. For example, you will be asked to create tickets for even the most mundane compliance-related tasks. If you do a backup/restore test and you’re the only team member to do it, it should have a ticket - even if it’s self-assigned to demonstrate retroactively that you completed the task.

Documentation coalition

You will need to create a large amount of documentation as part of SOC 2 compliance, so delegate this workload to as many people and teams as possible. Your role will be to assign tasks, track the status and ultimately store responses. For example, HR will need to send you an example of a completed background check for a new hire or an executed employment agreement. Gather all this evidence in a centralized repository as requested by the auditor.

Scheduling SOC 2 is an essential step in achieving compliance. Understanding what the auditor will ask of you ahead of time, as well as the time and effort involved in gathering the requested evidence, will better prepare you for your auditor’s on-site visit.

To learn more about how StrongDM helps companies with SOC 2 compliance, make sure to check out our SOC 2 Compliance Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

ISO 27001 vs SOC 2
ISO 27001 vs. SOC 2: Understanding the Difference
SOC 2 and ISO 27001 both provide companies with strategic frameworks and standards to measure their security controls and systems against. But what’s the difference between SOC 2 vs. ISO 27001? In this article, we’ll provide an ISO 27001 and SOC 2 comparison, including what they are, what they have in common, which one is right for you, and how you can use these certifications to improve your overall cybersecurity posture.
Answering auditor questions in a SOC 2 review
Answering Auditors’ Questions in a SOC 2 Review
We recently completed our own SOC 2 audit, so we thought we’d review how we dogfooded our own product. We’ll share tips and tricks to make the audit process a little easier, whether you’re wrapping up your own or about to dive into the coming year’s audit. Here are the questions auditors asked us during our own SOC 2 audit and the commands and strongDM tooling we used to gather the evidence they requested.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Audit
Everything You Need to Know About SOC 2 Audits
Whether you’re looking to achieve SOC 2 compliance, or just want to learn more about it, your Googling is bound to lead you to a wealth of articles chock full of buzzwords and acronym soup. ‍In this post, we will provide a guide with definitions, links and resources to gain a solid understanding of everything you need to know about SOC 2 audits.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.