SOC 2 in 90 Days: What That Timeline Actually Requires

Reviewed by Ali Aleali, CISSP, CCSP · Last reviewed April 10, 2026

Ninety days from kickoff to SOC 2 readiness is achievable. It is not achievable for every company, and the companies that hit it make deliberate tradeoffs to get there. Understanding what those tradeoffs are, and what the week-by-week reality looks like, is the difference between a realistic plan and a timeline that creates pressure without delivering results.

The short version: 90 days works for companies that already have some security foundations in place, are willing to narrow scope, and can dedicate internal resources to the process. It does not work for companies starting from zero, running complex multi-cloud environments, or attempting to cover multiple Trust Services Categories in their first report.


Who Can Realistically Hit 90 Days

The companies that achieve SOC 2 in 90 days share a set of characteristics. Not all of these need to be present, but the more that are missing, the more the timeline extends.

Prerequisites for a 90-Day Timeline

  • MFA enabled across critical systems, cloud provider with native security tooling, some access management in place
  • Cloud-native architecture (AWS, Azure, or GCP with managed services)
  • Team size under 100 employees
  • Single framework, first compliance engagement
  • Dedicated internal resource committing 8 to 12 hours per week

The Week-by-Week Timeline

Weeks 1-2: Scoping and Assessment

The first two weeks set the boundaries for everything that follows.

Scope definition determines what systems, processes, and data are included in the SOC 2 report. For a 90-day timeline, the scope should be as narrow as defensible: a single product line, a defined infrastructure boundary, and the teams that support it. Expanding scope to include every system the company touches extends the timeline.

Trust Services Category selection. Security (Common Criteria) is always in scope. Adding Availability, Processing Integrity, Confidentiality, or Privacy adds controls. For a 90-day timeline, Security-only is the standard approach. Additional categories can be added in the Type 2 examination.

Gap assessment identifies what exists, what needs to be built, and what needs to be documented. A thorough readiness assessment is the foundation for every decision that follows. A company with strong foundations might have 15 to 20 gaps. A company with minimal security practices might have 60 or more, which pushes the timeline beyond 90 days.

Auditor engagement. The auditor should be selected and engaged during the first two weeks. Auditor availability can be a bottleneck. Firms with heavy audit seasons (Q4, early Q1) may not have capacity for an accelerated engagement.

Scoping Drives Everything

Scoping is the most consequential decision in a 90-day engagement. Getting it wrong means building controls for the wrong things, which means rework that extends the timeline past 90 days. Invest the full two weeks here.

Weeks 3-6: Build

This is the intensive phase. The gap register drives the work.

Policy development. Core policies need to be written, reviewed, and approved: information security, access control, acceptable use, incident response, change management, risk management, vendor management. These need to reflect how the company actually operates, not template language with the company name swapped in.

Control implementation. The technical controls that close gaps: enabling audit logging, configuring access reviews, setting up vulnerability scanning schedules, implementing endpoint protection, establishing change management workflows. For cloud-native companies, this is primarily configuration work.

GRC platform configuration. Integrations get connected, evidence collection gets automated, and the control library gets scoped to match the actual engagement. The platform accelerates evidence collection but does not replace the policy and process work.

Evidence collection begins. Even for a Type 1 (point-in-time), auditors want to see that controls are operating, not just designed. Starting evidence collection in week 3 means several weeks of operational evidence by the time the auditor arrives.

Weeks 7-8: Readiness and Remediation

Internal readiness review. Walk through every control in scope. Is it implemented? Is there evidence? Can the team explain how it works and why? Controls that exist on paper but cannot be demonstrated need remediation.

Remediation sprint. Address the gaps found during readiness review. This is where the dedicated internal resource matters most. Remediation tasks often require system access and configuration changes that only internal team members can make.

Auditor pre-engagement review. Share the scope, control matrix, and sample evidence with the auditor before fieldwork begins. This reduces the risk of surprises during the examination.

Weeks 9-12: Examination

Auditor fieldwork. The auditor examines controls against the Trust Services Criteria, reviews evidence, and interviews key personnel. For Type 1, this typically takes 2 to 4 weeks depending on scope complexity and auditor availability.

Finding resolution. If the auditor identifies issues during fieldwork, the company has a window to remediate. Minor findings can often be addressed during the examination period. Material findings may delay the report.

Report issuance. The SOC 2 Type 1 report is issued, typically 2 to 4 weeks after fieldwork concludes.

Timeline Summary

  • Weeks 1-2: Scope and assess.
  • Weeks 3-6: Build policies, implement controls, start evidence collection.
  • Weeks 7-8: Readiness review and remediation sprint.
  • Weeks 9-12: Auditor fieldwork and report issuance.

The Tradeoffs of Speed

A 90-day timeline is not free. The decisions that make it possible have downstream implications.

Tradeoff              What You Give Up                          What You Gain
Narrower scope        Coverage of all systems and products      Achievable timeline, focused engagement
Security-only TSC     Availability, Confidentiality coverage    Fewer controls, faster build phase
Skip multi-framework  Harmonized SOC 2 + ISO 27001 program      SOC 2 done first, ISO mapped later
Type 1 (not Type 2)   Demonstrated operating track record       Immediate report, deal unblocked

Each of these tradeoffs is manageable. Narrower scope can be expanded in the Type 2. Security-only TSC satisfies most procurement requirements. Multi-framework alignment happens as a second phase. The key is making these decisions deliberately rather than discovering mid-engagement that the timeline does not accommodate the original plan. Understanding what the full engagement actually costs helps set expectations before the clock starts.

When 90 Days Is Not Realistic

  • Greenfield security (no MFA, no endpoint protection, no documentation): plan for 4 to 6 months.
  • Complex infrastructure (on-prem, hybrid cloud, multi-region): scoping alone may exceed 2 weeks.
  • Multi-framework requirements: control harmonization adds design time.
  • No internal bandwidth: tasks back up regardless of consultant support.
  • Auditor unavailable in week 9: the timeline extends by their booking window.

The Strategic Move: Type 1 Now, Type 2 Immediately

The companies that execute this well treat the 90-day Type 1 as the first phase of a continuous program, not as the finish line.

The Type 1 report satisfies the immediate procurement requirement. The observation period for Type 2 starts the day the Type 1 controls are in place. If the program is designed to operate from day one, the Type 2 examination can happen 6 to 12 months later without a separate build phase.

This is where the build-to-operate distinction matters. A 90-day sprint that ends with a Type 1 report and a team that has no plan for ongoing operations is a sprint that will need to be repeated. A 90-day sprint that transitions into an operating cadence, with someone running the program continuously, produces both the Type 1 report and the foundation for Type 2.

The Operate Phase Is Where Programs Prove Themselves

The programs that stall are the ones where the team exhausts their energy getting to readiness and then assumes the hard part is over. Evidence needs to be collected continuously. Access reviews need to happen on schedule. Incidents need to be managed through the documented process. Without someone owning that cadence, the program drifts, and the Type 2 audit reveals the gaps. Planning for the operate phase from day one changes how the team thinks about the engagement: it stops being a project and starts being a system.

Negotiating Type 1 with the Buyer

When an enterprise buyer requires SOC 2 and the timeline is tight, most companies assume they need a Type 2 report because that is what the RFP says. The conversation worth having: will the buyer accept a Type 1 now with a contractual commitment to Type 2 within twelve months?

This ask works more often than companies expect. The buyer's concern is whether the vendor has a security program. A Type 1 report demonstrates that controls are designed and in place. A written commitment to Type 2 with a defined timeline demonstrates that the vendor takes compliance seriously enough to invest in ongoing operations. Most procurement teams view this as a reasonable bridge, particularly when the alternative is waiting 12 to 18 months for a Type 2 from scratch.

The companies that do not ask this question end up in one of two scenarios: they attempt to compress a Type 2 timeline (which requires an observation period that cannot be compressed), or they lose the deal while waiting for the observation period to pass. Neither is necessary if the Type 1 conversation happens early.


Ready to Start the 90-Day Clock?


Ninety days to SOC 2 Type 1 is a realistic timeline for companies with security foundations in place and the willingness to narrow scope for speed. The companies that succeed treat it as the start of a continuous program, not a one-time project. The Type 1 unblocks the deal. The operating cadence that follows is what makes the program sustainable.


Frequently Asked Questions

Can you get SOC 2 Type 1 in less than 90 days?

It is possible for companies with strong existing security practices and a narrow scope. Companies that already have MFA, access management, documented policies, and endpoint protection in place can sometimes reach Type 1 readiness in 6 to 8 weeks. The constraint is typically auditor availability and fieldwork scheduling, not the readiness work itself.

What is the difference between SOC 2 Type 1 and Type 2?

Type 1 attests that controls are designed and in place at a specific point in time. Type 2 attests that controls operated effectively over an observation period, typically 6 to 12 months. Type 1 is faster to achieve and sufficient for many procurement requirements. Type 2 provides stronger assurance and is increasingly expected by enterprise buyers.

How much does a 90-day SOC 2 engagement cost?

Total costs include the GRC platform subscription ($5K to $15K annually), auditor fees ($15K to $40K depending on scope), and consultant fees if external support is engaged. The total investment for a 90-day Type 1 with consultant support typically ranges from $30K to $70K depending on scope complexity and existing program maturity.

What happens if the audit finds issues during a 90-day timeline?

Minor findings can often be remediated during the examination period without extending the timeline. Material findings, particularly gaps in control design or missing evidence, may delay the report. The readiness review in weeks 7-8 is designed to surface these issues before the auditor arrives. Companies that skip the readiness review face higher risk of audit delays.

Should we hire a consultant for a 90-day SOC 2 or do it ourselves?

The 90-day timeline leaves minimal room for the learning curve that a first-time team experiences. Companies with no prior compliance experience benefit from consultant support for scoping, control design, and auditor management. The SOC 2 consultant evaluation checklist covers what to look for. Companies with an internal team member who has SOC 2 experience can execute the build internally with a GRC platform. The decision depends on internal expertise and risk tolerance for timeline delays.

About the Author

Former security architect for Bank of Canada and Payments Canada. 20+ years building compliance programs for critical infrastructure.
