Published on Sep 4, 2024
Topic: Compliance
Usually companies aren’t thinking about getting a SOC 2 report until it shows up on a security questionnaire and is blocking a major deal.
You’re trying to sell your product, close a client, and you get slapped with the “hey, can I see your SOC 2 report?” just as you’re about to cross the finish line. We often talk to founders panicking about the quickest way to “obtain SOC 2,” worried that this process is going to stop them from being able to sell into their new potential client.
This article is going to outline not just the fastest way to get a SOC 2 report, but how to avoid some of the most common pitfalls and mistakes, and how to ultimately unblock your sale.
First, what is a SOC 2 report?
The fastest way to not just get a SOC 2 report, but to unblock your sale, is to understand that what your potential user really cares about is your security posture.
When someone asks you for your SOC 2 report, what they are really trying to say is “hey, we care about security, and if you want us to buy from you we need you to prove that you are secure.”
A SOC 2 report is just a list of your security controls that has then been verified for accuracy by a third-party CPA. What this means is that if you can convince your potential user that you are actually secure, you often won’t need a finalized SOC 2 report.
If you can tell them:
I have authentically implemented all of the controls you care about.
I can talk intelligently about these controls.
I have a penetration test done, would you like to see the report?
I have a vCISO through Oneleet.
I’m in the process of obtaining a SOC 2 report.
This has unblocked a LOT of business for our users without them ever having needed that finalized SOC 2 report. It turns a process that can take up to 6 months of waiting for a SOC 2 type 2 attestation into something that can be unblocked in less than a month.
This doesn’t always work, but it is the scrappiest, fastest way to unblock the security questionnaire: by actually being secure, and delivering value on what they actually care about.
How long does it take to implement a SOC 2 program?
The answer to this is going to change depending on the stage of the company and the industry you are operating within, but we see most companies get through implementation of their SOC 2 program in somewhere between 20 and 100+ hours.
For an early-stage pre-seed startup with 2 founders, no employees, and a very small product, it will be on the lighter end. If you are a 100+ person corporation with a giant technical product, it will be on the higher end.
The major categories of work that will cause you to take longer (or shorter) during implementation are:
How secure is your current infrastructure? Some providers like Heroku, Digital Ocean, and Vercel aren’t built from a “security-first” point of view and will sometimes have flaws that require engineering work.
What security controls do you already have in place? Do your employees have company-owned devices? Do you already have an MDM implemented? The more strong security practices you already have in place, the less you will need to implement.
How many people are in your organization? The more humans we need to ensure are following and signing policies, the more work there is to track them all down and make sure everyone is completing what they need to do.
How many vendors are touching production customer data? Needing to ensure controls like data encryption at rest or 2FA are in place for 1 vendor versus 30 can significantly impact the scope of work.
Every company is going to be different depending on what industry they are serving, how far along their product is, and what they are built in. Having strong security expertise on your team will also allow you to drastically speed up or slow down the time it takes to implement the right security controls.
The average amount of time we see companies take to implement their security program is usually between 30 and 60 hours, and they will normally get through this in about 4-6 weeks. You can definitely get through it MUCH faster if you are dedicating the right resources and time to implementing your program.
How quickly can you get a SOC 2 type 1 vs SOC 2 type 2?
After you have implemented your security program, we move onto the next bottleneck when it comes to speed, which is the actual auditing process.
There are two types of audits that are possible within the context of SOC 2: a “type 1” audit and a “type 2” audit.
SOC 2 Type 1 - This is what is referred to as a “point in time” audit. If we say “this door is locked right now,” is that actually true at this moment in time? What this type of audit doesn’t do is determine whether the door remains locked.
SOC 2 Type 2 - This audit type includes the description of controls that is present in the type 1, but also adds a 3-month (or longer) monitoring window to make sure the controls remain in effect over a period of time.
You will normally be able to obtain a SOC 2 type 1 within about a week after you have implemented your security controls. A SOC 2 type 2 audit will generally take at least 3 months.
So you can obtain the type 1 report much faster, however the gold standard within the SOC 2 world is a SOC 2 type 2 report. 95% of the time when someone is asking you for a SOC 2 report they are requesting a SOC 2 type 2 report.
You will also need to pay to have two audits done if you want to complete both types of audits.
Because of this we almost always recommend that clients go straight for the SOC 2 type 2 report. Very rarely will you actually even need the SOC 2 type 1 report.
The reason for this is that if you’re able to tell your potential user “I have an engagement letter with Oneleet, we have implemented strong security controls, we have had a penetration test done, and we’re in the process of obtaining a SOC 2 type 2 report,” this will actually help you get through a LOT of the same security reviews that a type 1 report would help with.
Again, people just want you to be secure. If you can convince them you are secure, that’s what really matters.
So the SOC 2 type 1 report usually exists in the narrow window where explaining what you already have in place wasn’t enough, but the other party will still accept something less than a SOC 2 type 2.
TLDR
The fastest way to convince someone you are secure is to actually be secure and have good controls in place.
Implementation of SOC 2 controls will take between 20 and 100+ hours, with the average being about 40-60. Most companies will get through this in 4-6 weeks, but it can be done much quicker with the right motivation and resources.
A SOC 2 Type 1 audit is a “point in time” audit and can be completed within about a week (although it is usually fairly useless).
A SOC 2 Type 2 audit involves a 3-month monitoring period and will take at least 3 months to complete.
Still have questions about how long it will take to obtain your SOC 2 report, or want to get started ASAP? Request a call! We can run as fast as you want. We know speed is often a major factor when it comes to obtaining a SOC 2 report, and our product and services are built around empowering you to get this done properly as quickly as possible.
Koby Conrad
Head of Growth @ Oneleet
Koby runs Growth at Oneleet, helping startups become secure and obtain compliance across SOC 2, ISO 27001, HIPAA, GDPR, PCI, and more. Full-stack JavaScript developer and cybersecurity enthusiast. Angel investor, YC S19 alumni, wrote the #1 book for Growth Marketing on Amazon.