What Am I Getting Into?
Before our first SOC 2 Type 1 audit, I assumed you pay an auditor, they come in make a few suggestion on how to improve and sign-off. It might take a few months, but the total cost would be some distraction plus the auditor’s fee.
That could not be farther from the truth. If you want to skip ahead to the hard numbers, our estimate is $147,000 all-in (download the breakdown here). To learn more about the breakdown, it takes into account:
- Lost Productivity
- Build vs Buy Decisions for New Tools
- Security Training
It’s a huge undertaking that involves senior representatives from almost every team, including HR, Legal, Engineering, Sales, Customer Support and more. If you try to carry the entire burden yourself without involving other teams, you’re wasting your time and will fail the audit. No one person can complete SOC 2 certification. They won’t have the domain expertise to figure out what is appropriate to include in each policy nor will they have enough hours in the day.
So let’s dig into each cost center to understand where the unexpected costs are.
How much will an Auditor charge for a SOC 2 Type 1 audit?
Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range.
But the cost of the auditor is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well.
First, assign someone to own the SOC 2 process from start to finish. Expect this to become a full time focus for the duration of the project. This is a hidden SOC 2 cost that may not be obvious to account for. This responsibility is not something that can be delegated to your IT or security team, nor can it be handled by junior staff. The initiative needs to be led by someone who has sufficient familiarity with technical systems to be efficient with the team’s time. That person will also need to be sufficiently senior to successfully cut through the company politics and get things done.
Cost: 50% FTE or consultant, ~$50-75k
Time: 6 months
Next, you will need a readiness assessment. This assessment is designed to educate your team on the audit scope and conduct preliminary investigative and prep work, including: identifying data stores, mapping workflow, and creating an inventory of technical systems. It’s also the right time to give some of your key teams – like legal and HR – a heads up that some of your company’s documentation and policies will need to be changed.
Cost: productivity loss of dedicated team
Time: 2 weeks full time internal team
Review with your attorney all customer agreements, vendor and contractor agreements and employment agreements. These agreements will establish a foundation of responsibility assignment that allow you to make assertions in your policies regarding confidentiality, privacy and security. You may need to revisit these annually with each audit. Anticipate this will be an ongoing SOC 2 cost.
Time: 2 weeks spread out over 3 months
Build vs Buy Decisions
Depending on your existing infrastructure and security posture, you may need to roll out several new tools as you ramp up your SOC 2 program. Tools that can collect asset inventory, generate tickets for capturing compliance tasks, as well as manage security and compliance reporting. You will also need tools for threat and intrusion detection, file integrity monitoring and vulnerability management. You’ll face many build vs buy decisions. If you have time, but not budget, you may choose a DIY approach. In that example, your Access Onboarding & Termination Policy might consist of open source tools and custom scripts. If you need to move faster, you could buy a tool like strongDM to automate onboarding, termination and auditing.
Cost: $5-$50k depending on mix of commercial and DIY
Time: 2 months
Another important cost to consider is security training. You will want to start conducting annual security awareness training, either in house or through a third party, if you don’t already. Someone will need to make sure the entire company attends the training, and that all employees sign off on receiving it. Expect this to incur logistical costs and impact team productivity, which is a lesser known SOC 2 cost.
Time: 1 week
To summarize your SOC 2 compliance checklist, set realistic expectations and anticipate the time and cost you will need to invest in SOC 2. Delegate SOC 2 responsibilities to senior staff members who can own the project from start to finish, involve your legal team in refining agreements and ensure all staff members receive regular security awareness training. Expect the cost and time requirements to equal:
What To Read Next
Here are four practices to consider when creating your IT vendor management policy: 1. Evaluate vendors IT services vendors are generally very good at assuring…
HIPAA. NIST. ISO. FedRAMP. FISMA. SOC 2. These are just a few of the acronyms for compliance frameworks that your customers may be asking you…
There are several different levels of SOC (Service Organization Control) reports and types, so it is easy to get them confused. A SOC 2 Type…