How to Get SOC 2: Timeline, Cost, and First Steps

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed June 20, 2026

If you've already read SOC 2 Explained: What It Is and Why Enterprises Require It and you're ready to move, this is the operational post for teams of 10 or fewer: the three phases, how long each takes, what a GRC platform does, what it costs, and the sequence that gets a small team to Type 1 fastest.

The Three Phases

SOC 2 readiness follows a consistent structure regardless of company size: Assess, Build, Operate.


Phase 1: Assess

The gap analysis. You map where the program stands today against what SOC 2 requires and identify what's missing. For cloud-native teams with modern infrastructure, this phase is quick, often one to two weeks. Most infrastructure controls are already available in GCP, AWS, or Azure and just need to be enabled. The bigger gaps are almost always on the documentation and process side.

Phase 2: Build

Where most of the work happens. You write and publish policies, configure technical controls, set up your GRC platform, run the initial risk assessment, build out your vendor inventory, and document your incident response process. For a 10-person team treating this as a priority, Build takes eight weeks. In practice, it runs alongside product work, so eight to twelve weeks is the realistic range. The pace is almost always limited by one or two people running this alongside their other responsibilities, not by the complexity of the work itself.

Phase 3: Operate

The ongoing phase. You run the security program according to the policies built in the previous phase, collect evidence as controls execute, and demonstrate that everything is working consistently over time. This is what SOC 2 Type 2 requires: not just that a program was built, but that it ran for a defined period. The observation period begins the moment the program starts operating, which means starting earlier produces a more complete evidence record.

On a team of 10, SOC 2 typically falls on one person

That person is usually the founder, CTO, or a senior engineer with other full-time responsibilities. GRC platforms are designed for exactly this: automated evidence collection means you're not manually pulling logs, and policy templates mean you're editing, not writing from scratch. The work is real but it is manageable alongside a regular workload.

The observation period starts the moment your program starts operating

A team that kicks off today begins building its Type 2 evidence record immediately. A team that waits until a deal forces the issue starts that clock six to twelve months later, and shows up to the security review with a shorter, thinner evidence record.

Cloud-Native Teams Have a Head Start

If infrastructure runs on GCP, AWS, or Azure, the technical layer of SOC 2 is substantially easier than it was for teams running on-premises infrastructure five years ago.

Most of what SOC 2 requires at the technical level, including audit logging, encryption at rest and in transit, multi-factor authentication, and access controls, is already available in these platforms. The work is configuration, not construction. Enable audit logging. Enforce MFA. Verify encryption settings. Review access policies and ensure least-privilege is applied.

For code repositories, GitHub's paid tier covers most of the CI/CD security controls SOC 2 expects: vulnerability scanning, protected branches, dependency review. When a team is already on these platforms, a large portion of the technical control work is enabling and documenting existing features.

Controls that require active work regardless of stack

Vulnerability management, penetration testing, and operational security processes, including access reviews, incident response drills, and risk assessments, cannot be automated by a cloud platform. For a small team, these are manageable, but they need to be designed and run deliberately.

What a GRC Platform Does

A GRC (governance, risk, and compliance) platform manages the evidence collection, policy storage, and auditor access for a compliance program. The major platforms, including Vanta, Drata, Secureframe, and others, do roughly the same things.

They connect to cloud infrastructure and pull configuration data automatically. When GCP or AWS is connected, the platform maps settings to SOC 2 controls and flags failures with remediation instructions. Over time, this continuous sync builds the evidence trail a Type 2 audit requires.
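As an added illustration of the mapping step described above (example code written for this post, not a GRC vendor's product or the original article's own material), the block below runs a handful of control checks over a constructed configuration snapshot of the kind a platform pulls from a cloud account: audit logging, MFA enforcement, encryption at rest, minimum TLS version, and wildcard IAM grants. The control labels (`LOG-01`, `ACCESS-01`, and so on), the field names in `SAMPLE_CONFIG`, and the remediation text are all illustrative assumptions, not official SOC 2 criteria identifiers or real cloud API output.

```python
"""Added example (not from the page or any GRC vendor): a minimal
control-mapping check of the kind a GRC platform runs after it connects to
cloud infrastructure. Everything below is constructed sample data and
illustrative control labels, not real cloud API output or official SOC 2
criteria identifiers."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Finding:
    control: str      # illustrative control label, not a TSC reference
    passed: bool
    detail: str
    remediation: str


# Constructed snapshot of the settings a platform would pull via cloud APIs.
SAMPLE_CONFIG = {
    "audit_logging_enabled": False,
    "mfa_enforced_for_all_users": True,
    "storage_buckets": [
        {"name": "app-assets", "encryption_at_rest": True},
        {"name": "backups", "encryption_at_rest": False},
    ],
    "tls_min_version": "1.1",
    "iam_principals": [
        {"name": "ci-deployer", "permissions": ["deploy"]},
        {"name": "contractor-x", "permissions": ["*"]},
    ],
}


def check_audit_logging(cfg: dict) -> Finding:
    ok = bool(cfg.get("audit_logging_enabled"))
    return Finding("LOG-01", ok,
                   "audit logging enabled" if ok else "audit logging disabled",
                   "Enable account-wide audit logging and retain logs for the observation period.")


def check_mfa(cfg: dict) -> Finding:
    ok = bool(cfg.get("mfa_enforced_for_all_users"))
    return Finding("ACCESS-01", ok,
                   "MFA enforced" if ok else "MFA not enforced for all users",
                   "Enforce MFA at the identity provider for every human account.")


def check_encryption_at_rest(cfg: dict) -> Finding:
    unencrypted = [b["name"] for b in cfg.get("storage_buckets", [])
                   if not b.get("encryption_at_rest")]
    return Finding("CRYPTO-01", not unencrypted,
                   "all buckets encrypted" if not unencrypted
                   else f"unencrypted buckets: {', '.join(unencrypted)}",
                   "Enable default encryption at rest on every storage bucket.")


def check_tls(cfg: dict) -> Finding:
    # Compare as (major, minor) tuples so "1.10" does not sort below "1.2";
    # an unparseable value is treated as failing rather than crashing the run.
    raw = str(cfg.get("tls_min_version", "0"))
    try:
        version = tuple(int(p) for p in raw.split("."))
    except ValueError:
        version = (0,)
    ok = version >= (1, 2)
    return Finding("CRYPTO-02", ok, f"minimum TLS version {raw}",
                   "Set the minimum TLS version to 1.2 or higher on all endpoints.")


def check_least_privilege(cfg: dict) -> Finding:
    wildcard = [p["name"] for p in cfg.get("iam_principals", [])
                if "*" in p.get("permissions", [])]
    return Finding("ACCESS-02", not wildcard,
                   "no wildcard grants" if not wildcard
                   else f"wildcard permissions on: {', '.join(wildcard)}",
                   "Replace wildcard grants with the specific permissions each principal needs.")


CHECKS: list[Callable[[dict], Finding]] = [
    check_audit_logging, check_mfa, check_encryption_at_rest,
    check_tls, check_least_privilege,
]


def evaluate(cfg: dict) -> list[Finding]:
    """Map the configuration snapshot to controls; one Finding per control."""
    return [check(cfg) for check in CHECKS]


def failures(cfg: dict) -> list[Finding]:
    """The gap list a platform would present, each with a remediation step."""
    return [f for f in evaluate(cfg) if not f.passed]


if __name__ == "__main__":
    for f in failures(SAMPLE_CONFIG):
        print(f"FAIL {f.control}: {f.detail} -> {f.remediation}")
```

Run against the sample snapshot, four of the five checks fail (logging, encryption, TLS, least privilege) and MFA passes; re-running after each setting is corrected is the same continuous sync loop the platform performs, and a run with an empty gap list is the evidence the Type 2 period accumulates.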

They also store policies. Templates are provided; you adapt them to the actual environment, publish them, and team members acknowledge them through the platform. Those acknowledgements are timestamped and stored, which is exactly what an auditor looks for.

When the audit happens, the auditor logs into the same platform through a dedicated portal, reviews all collected evidence and policies, and requests any additional documentation through the system. If the program was built and operated correctly, most of what they need is already there.

A detailed comparison of the major GRC platforms covers the meaningful differences in integration depth, pricing, and features like dynamic application security testing. The platforms are more similar than different, but the right choice depends on your stack and how you want to run the program long-term.

What It Costs

Budget roughly $10,000 USD as the minimum baseline for year one:

Cost Item             Typical Range      Notes
GRC platform license  $5,000 USD/year    Most platforms offer startup tiers below 25 employees; confirm pricing with the vendor
Auditor fees          $5,000+ USD        Combined Type 1 and Type 2 from a competitive firm; some bundled offerings include this
Penetration test      Varies by scope    A focused cloud-native test sits at the lower end; some GRC bundles include it in year one

Year two costs less

The program is already built. The platform license continues, but the audit is lighter because you're demonstrating continued operation rather than building from scratch. Most of the first-year cost is setup, not ongoing operations.

The Sequence That Gets You to Type 1 Fastest

For teams that need to show progress in an active procurement conversation, the order matters:

  1. Select and connect a GRC platform. The integration immediately surfaces control gaps. You know exactly what to fix, ranked by impact.
  2. Start policy work in parallel. The platform provides templates. Read each one, adapt it to the actual environment, and publish. This is the most time-consuming part of Build.
  3. Run the initial risk assessment and vendor inventory. Both are required for Type 1 and both take less time than teams expect. If key vendors already have SOC 2 reports, that simplifies the assessment significantly.
  4. Engage an auditor early. Good auditors are booked out. Committing to an audit date early creates a forcing function and surfaces questions before they become blockers.
  5. Start enterprise conversations now. A program in progress with a committed timeline is a legitimate answer to a procurement security review. Lead with the program, not with an apology for not having the report yet.

The observation period for Type 2 starts the moment the program begins operating. A team that starts today and finishes Build in ten weeks begins its Type 2 clock immediately, putting it in a position to deliver a Type 2 report roughly five to fifteen months from now, depending on the observation period it chooses.

SOC 2 Is an Ongoing Program, Not a One-Time Certification

Type 2 reports cover a specific period, with twelve months being most common, and enterprise customers typically expect annual renewal. The annual audit is lighter than the first: the program is already built and you're demonstrating continued operation. But it requires consistent evidence collection throughout the year, which is what the GRC platform handles.

As the company grows, the program scales. More employees means more training to track and more access to review. New enterprise customers may bring new frameworks into scope: ISO 27001 for European buyers, HIPAA for health data, PCI DSS for payment processing. The SOC 2 foundation carries over to these frameworks. They're extensions, not restarts.

The companies that move through enterprise procurement fastest are not the ones that started SOC 2 when a deal required it. They're the ones that built the program before the deal was on the table, and showed up to the security review with evidence already in hand.

For the conceptual foundation on what SOC 2 is, the Trust Services Criteria breakdown, and the Type 1 vs. Type 2 distinction, see SOC 2 Explained: What It Is and Why Enterprises Require It.

Start Your SOC 2 Program

We help security-conscious teams build an effective security program, then run it, so audits are an outcome, not a scramble.

Frequently Asked Questions

How long does SOC 2 take from scratch?

Eight to twelve weeks to complete the Build phase for a small team, then three to twelve months of observation before a Type 2 audit. A Type 1 report can be issued within three to four weeks of completing Build.

What does SOC 2 cost?

Budget $10,000 USD minimum for year one: roughly $5K for the GRC platform license and $5K for auditor fees. Penetration testing adds to that, with cost varying by scope. Annual renewal is less expensive once the program is established.

Do we need a penetration test for SOC 2?

SOC 2 does not mandate penetration testing by name, but vulnerability management, including periodic testing, is expected as part of a mature program. Most auditors will look for evidence of regular vulnerability assessment. A focused pentest satisfies this and is often bundled into first-year compliance packages.

What is a GRC platform and do we need one?

A GRC (governance, risk, and compliance) platform automates evidence collection by connecting to cloud infrastructure, stores and manages policies, and provides the audit portal. Technically, a team could manage SOC 2 manually with spreadsheets and a shared drive. In practice, the time savings and audit readiness that a platform provides make it worth the license cost for almost every team.

When should we start the SOC 2 process?

Before an enterprise deal requires it. The Type 2 observation period starts when the program starts operating. A team that starts today is building evidence that a team that waits six months won't have. Starting early also means having something concrete to say in sales conversations: a program in progress is more credible than a blank answer.

What is the difference between SOC 2 Type 1 and Type 2?

Type 1 is a point-in-time report: it confirms that controls are designed correctly as of a specific date. Type 2 covers a defined period, typically six to twelve months, and confirms that those controls operated effectively throughout. Enterprise procurement teams almost always want Type 2. Type 1 is a useful interim milestone while the Type 2 observation period runs.

Ready to Start Your Compliance Journey?

Get a clear, actionable roadmap with our readiness assessment.


About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
