MythBuster: Can You Really Achieve SOC 2 Compliance in 2 Weeks?

Satya Moutairou

8 Sep 2021

TL;DR: Proving once again that any headline that ends in a question mark can be answered by the word “no”: no, you can’t.

You need to close a deal with a customer, and your customer is asking for a SOC 2 report. Or maybe you’ve realized that having a SOC 2 attestation is the best way to build trust with your customers and show your commitment to keeping their data secure.

Regardless of your motivation (and SOC 2 is, after all, the most widely adopted and requested compliance certification in the United States), you’ve started to research SOC 2 compliance. After reading a copious number of blog posts, you find yourself wondering: how fast can I get this done?

And — as if Google and LinkedIn read your mind — you start to see ads promising that you can achieve SOC 2 compliance in just 2 weeks. Isn’t that wonderful!

We know this sounds like music to your ears. But before you send that email to your CEO promising that you can get it done by end-of-quarter with that helpful vendor you found online, slow your roll for a second and let’s see what it takes to be SOC 2 compliant, and answer the question: can you really become compliant in two weeks?

If you need to get ready for, and then complete, a SOC 2 Type II audit, we’re afraid the answer is a resounding ‘hell no!’

Why?

Because here’s just a taste of what a truthful SOC 2 compliance program includes:

Risk Program

  • A risk assessment, and a verifiable process for one to be conducted quarterly.
  • Setting company goals and objectives that address gaps and potential risks.
  • Conducting regular self-assessments, and reporting the results to your Board.

Accurate processes and documentation that reflect how you run your business

  • Documented processes: Not only do you have policies, but you have related procedures that describe how you do things. Think of policies as “what” you do, and procedures as “how” you do it. Policies paint the broad strokes, and procedures fill in the details.
  • A wide variety of documented artifacts and activities including your employee handbook, employee onboarding and termination process, business continuity and disaster recovery procedures, and many others.

Vendor Management

  • A process for conducting thorough due diligence and documenting your research when onboarding a new vendor or third-party service provider.
  • A way to monitor critical vendors to ensure that they are not adding any security risks to your business and technology stack.

Security testing, tracking and awareness

  • Tracking all access requests and security incidents in a ticketing system.
  • Clear definitions for security events and incidents, and a formal process to analyze and remediate them.
  • Having a strategy when it comes to ransomware, and implementing a process to prevent attacks.
  • Conducting penetration testing at least annually. Having a process for analyzing findings and remediating any vulnerabilities found through a formal incident response process.
  • Having a training program in place, not only to provide security awareness training but also to develop the skills of your employees.

Business Operations

  • Documenting all critical meetings, with descriptive agendas and recorded meeting notes.

This list is not comprehensive in the least. The full list is a lot longer.

We wish it really were possible to achieve compliance in two weeks, but the reality is that you’d have to cut so many corners to even get close, you’d be left with a circle. When your customers do their due diligence on your “express” report, they’ll see right through it, and you’ll lose their trust (and their business). Now, do you see why it simply isn’t possible to achieve compliance in two weeks?

In the same way that you wouldn’t click on ads that promise to help you lose 100 lbs in two weeks, don’t be fooled into believing that you’ll be able to create and audit a SOC 2 compliance program in that amount of time. The actual process can take up to a year and comes with a sizable price tag. Our automated platform can, however, help you get ready in just 8 – 12 weeks and a fraction of the cost. Let us show you how. 15 minutes of your time will save you months of work.

If you’d like to continue learning more about the SOC 2 audit process and what you can do to prepare, check out our blog post: “How to Prepare for a SOC 2 Audit”