Below is a breakdown of every SOC 2 cost, including unexpected expenses and the time required from your staff. While we can’t tell you whether or not it’s right for your organization, we can tell you what you need to know - from both a cost and time perspective - if you decide to pursue it. Here is your SOC 2 compliance checklist.
Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range. But the cost of the audit itself is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well.
First, assign someone to own the SOC 2 process from start to finish. Expect this to become a full time focus for the duration of the project. This is a hidden SOC 2 cost that may not be obvious to account for. This responsibility is not something that can be delegated to your IT or security team, nor can it be handled by junior staff. The initiative needs to be led by someone who has sufficient familiarity with technical systems to be efficient with the team’s time. That person will also need to be sufficiently senior to successfully cut through the company politics and get things done.
Cost: 50% FTE or consultant, ~$50-75k
Time: 6 months
Next, you will need a readiness assessment. This assessment is designed to educate your team on the audit scope and conduct preliminary investigative and prep work, including: identifying data stores, mapping workflow, and creating an inventory of technical systems. It’s also the right time to give some of your key teams - like legal and HR - a heads up that some of your company’s documentation and policies will need to be changed.
Cost: productivity loss of dedicated team
Time: 2 weeks full time internal team
Review with your attorney all customer agreements, vendor and contractor agreements and employment agreements. These agreements will establish a foundation of responsibility assignment that allow you to make assertions in your policies regarding confidentiality, privacy and security. You may need to revisit these annually with each audit. Anticipate this will be an ongoing SOC 2 cost.
Time: 2 weeks spread out over 3 months
Depending on your existing infrastructure and security posture, you may need to roll out several new tools as you ramp up your SOC 2 program. Tools that can collect asset inventory, generate tickets for capturing compliance tasks, as well as manage security and compliance reporting. You will also need tools for threat and intrusion detection, file integrity monitoring and vulnerability management.
Cost: $5-$50k depending on mix of commercial and DIY
Time: 2 months
Another important cost to consider is security training. You will want to start conducting annual security awareness training, either in house or through a third party, if you don’t already. Someone will need to make sure the entire company attends the training, and that all employees sign off on receiving it. Expect this to incur logistical costs and impact team productivity, which is a lesser known SOC 2 cost.
Time: 1 week
To summarize your SOC 2 compliance checklist, set realistic expectations and anticipate the time and cost you will need to invest in SOC 2. Delegate SOC 2 responsibilities to senior staff members who can own the project from start to finish, involve your legal team in refining agreements and ensure all staff members receive regular security awareness training. Expect the cost and time requirements to equal: