Why SOC 2 Is Now Table Stakes for B2B SaaS
Enterprise customers aren't asking if you have SOC 2 anymore; they're requiring it before procurement. If you're selling to companies with 500+ employees, legal or IT security will block your deal without a report.
SOC 2 Type II reports cover security controls over a 6–12 month observation period. Type I reports (point-in-time) are losing acceptance; most enterprise procurement teams now require Type II.
Here's the practical checklist: what you need, what auditors check, and how to scope your first audit without overspending.
The Trust Services Criteria: What You're Being Audited On
SOC 2 uses the AICPA Trust Services Criteria (TSC). You choose which criteria to include:
| Criterion | What It Covers | Required? |
|-----------|----------------|-----------|
| Security (CC) | Access controls, monitoring, change management | Always required |
| Availability (A) | Uptime, performance, incident response | Common for SaaS |
| Processing Integrity (PI) | Accurate, complete data processing | For fintech/data |
| Confidentiality (C) | Data classification, protection of confidential info | Increasingly required |
| Privacy (P) | Personal data handling per AICPA Privacy Principles | If you process PII |
Startup recommendation: Start with Security only. Availability is often added in Year 2. Privacy is worth adding if you process significant personal data.
The SOC 2 Readiness Checklist
Access Controls (CC6): the Largest Category
Identity and access management:
- [ ] MFA required for all production systems, cloud consoles, and email
- [ ] Role-based access control (RBAC) documented and enforced
- [ ] Quarterly access reviews; terminated users removed within 24 hours
- [ ] Privileged access inventory: who has admin/root access and why
- [ ] No shared credentials; service accounts documented with owners
- [ ] Password policy enforced via SSO (Okta, Google Workspace, etc.)
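The access-review items above are the ones auditors most often ask for evidence of, and the evidence is easiest to produce when the review itself is scripted. The following is an added example, not code from the original page or any compliance platform: it joins a constructed IdP export against a constructed HR termination list and a privileged-access register, and reports terminated accounts still active past the 24-hour SLA, active accounts without MFA, and admin accounts with no documented justification. All field names (`status`, `mfa`, `admin`), the sample users and the timestamps are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed IdP export (one record per account), in the shape an SSO
# provider's user export typically gives you. Not real data.
IDP_USERS = [
    {"user": "alice",      "status": "ACTIVE",        "mfa": True,  "admin": True},
    {"user": "bob",        "status": "ACTIVE",        "mfa": False, "admin": False},
    {"user": "carol",      "status": "ACTIVE",        "mfa": True,  "admin": True},
    {"user": "dave",       "status": "ACTIVE",        "mfa": True,  "admin": False},
    {"user": "erin",       "status": "DEPROVISIONED", "mfa": True,  "admin": False},
    {"user": "frank",      "status": "ACTIVE",        "mfa": True,  "admin": False},
    {"user": "svc-backup", "status": "ACTIVE",        "mfa": False, "admin": True},
]

# Constructed HR roster: UTC timestamps of terminations.
HR_TERMINATIONS = {
    "dave":  datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc),    # left days ago, still active
    "erin":  datetime(2024, 2, 20, 17, 0, tzinfo=timezone.utc),  # correctly deprovisioned
    "frank": datetime(2024, 3, 5, 2, 0, tzinfo=timezone.utc),    # left 10h ago, inside the SLA
}

# Constructed privileged-access register: admin holders and the documented reason.
PRIVILEGED_REGISTER = {
    "alice": "Platform lead; owns the production cloud account",
    "svc-backup": "Nightly backup job; owner: alice",
}

# Constructed time at which the review is run.
REVIEW_TIME = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)


def overdue_terminations(idp_users, hr_terminations, now, sla_hours=24):
    """Accounts still ACTIVE more than sla_hours after their HR termination time."""
    overdue = []
    for u in idp_users:
        terminated_at = hr_terminations.get(u["user"])
        if terminated_at is None or u["status"] != "ACTIVE":
            continue
        if now - terminated_at > timedelta(hours=sla_hours):
            overdue.append(u["user"])
    return sorted(overdue)


def mfa_gaps(idp_users):
    """Active accounts (human or service) without MFA enrolled."""
    return sorted(u["user"] for u in idp_users
                  if u["status"] == "ACTIVE" and not u["mfa"])


def undocumented_admins(idp_users, register):
    """Active admin accounts that have no entry in the privileged-access register."""
    return sorted(u["user"] for u in idp_users
                  if u["status"] == "ACTIVE" and u["admin"] and u["user"] not in register)


def access_review(idp_users, hr_terminations, register, now):
    """Run all three checks; the returned dict is the evidence artifact for the review."""
    return {
        "overdue_terminations": overdue_terminations(idp_users, hr_terminations, now),
        "mfa_gaps": mfa_gaps(idp_users),
        "undocumented_admins": undocumented_admins(idp_users, register),
    }


if __name__ == "__main__":
    findings = access_review(IDP_USERS, HR_TERMINATIONS, PRIVILEGED_REGISTER, REVIEW_TIME)
    for check, users in findings.items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

Running the review quarterly and keeping the output (with the date and the reviewer who signed off) is exactly the kind of recurring, dated evidence a Type II observation period needs; an empty finding list is evidence too, as long as it is retained.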
Network security:
- [ ] Production environment isolated from development
- [ ] Firewall/security group rules documented with business justification
- [ ] VPN required for internal system access
- [ ] Web application firewall (WAF) on public endpoints
Risk Assessment (CC3)
- [ ] Annual risk assessment documented (threats, vulnerabilities, likelihood, impact)
- [ ] Risk register maintained and reviewed quarterly
- [ ] Vendor risk assessments for critical third parties
Change Management (CC8)
- [ ] All code changes go through pull request review before merge to main
- [ ] Production deployments logged with who deployed, what, and when
- [ ] Rollback procedures documented and tested
- [ ] Vulnerability scanning integrated into CI/CD pipeline
Monitoring and Logging (CC7)
- [ ] Centralized logging for all production systems (CloudWatch, Datadog, etc.)
- [ ] Log retention minimum 90 days, 1 year recommended
- [ ] Alerting on failed login attempts, privilege escalation, and anomalous access
- [ ] Security incident response plan documented and tested annually
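The CC7 alerting item (failed login attempts, privilege escalation, anomalous access) is usually satisfied with rules in your SIEM, but the logic is simple enough to show directly. The following is an added example, not code from the original page or from any of the logging products it names: it parses constructed key=value authentication log lines and raises three alert types, a burst of failed logins for one user and source inside a sliding window, any privilege-escalation event, and a successful login from outside the trusted (VPN) network. The log format, the event names, the threshold, the window and the trusted range are all assumptions for the illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (RFC 5737 documentation addresses, fictional hosts and users).
SAMPLE_LOG = """\
2024-03-05T10:00:01Z host=prod-api-1 user=bob event=login_failed src=203.0.113.5
2024-03-05T10:00:09Z host=prod-api-1 user=bob event=login_failed src=203.0.113.5
2024-03-05T10:00:15Z host=prod-api-1 user=bob event=login_failed src=203.0.113.5
2024-03-05T10:00:22Z host=prod-api-1 user=bob event=login_failed src=203.0.113.5
2024-03-05T10:00:31Z host=prod-api-1 user=bob event=login_failed src=203.0.113.5
2024-03-05T10:02:00Z host=prod-api-1 user=alice event=login_success src=10.20.0.14
2024-03-05T10:03:10Z host=prod-db-1 user=alice event=sudo command=/bin/bash
2024-03-05T10:05:00Z host=prod-api-1 user=carol event=login_failed src=198.51.100.9
2024-03-05T10:45:00Z host=prod-api-1 user=carol event=login_failed src=198.51.100.9
2024-03-05T11:00:00Z host=prod-api-1 user=dave event=login_success src=203.0.113.77
"""

# Assumed tuning: interactive logins are expected only from the VPN range.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
ESCALATION_EVENTS = {"sudo", "su", "role_grant"}   # assumed event names


def parse_line(line):
    """Turn '<ISO timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(log_text):
    """Return a list of (alert_type, user, detail) tuples in log order."""
    alerts = []
    # (user, src) -> timestamps of failures inside the current window
    recent_failures = defaultdict(deque)

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")

        if event == "login_failed":
            key = (rec["user"], rec["src"])
            window = recent_failures[key]
            window.append(rec["ts"])
            # Drop failures older than the window; a slow trickle does not alert.
            while window and rec["ts"] - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()
            # Fire once, when the threshold is first reached, not on every later failure.
            if len(window) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", rec["user"], rec["src"]))

        elif event == "login_success":
            src = ipaddress.ip_address(rec["src"])
            if not any(src in net for net in TRUSTED_NETWORKS):
                alerts.append(("login_from_untrusted_network", rec["user"], rec["src"]))

        elif event in ESCALATION_EVENTS:
            alerts.append(("privilege_escalation", rec["user"], rec["host"]))

    return alerts


if __name__ == "__main__":
    for alert_type, user, detail in detect(SAMPLE_LOG):
        print(f"{alert_type}: user={user} detail={detail}")
```

The point for the audit is not the rule set itself but that it runs continuously on centralized logs, that each alert lands in a ticket or channel someone owns, and that you can show a sample of alerts and their dispositions from the observation period.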
Vendor Management (CC9)
- [ ] Inventory of all SaaS vendors with access to customer data
- [ ] Security review (questionnaire or SOC 2 review) for critical vendors
- [ ] Data processing agreements (DPAs) signed with all vendors handling personal data
HR Controls (CC1)
- [ ] Background checks for employees with access to production systems
- [ ] Security awareness training completed during onboarding and annually
- [ ] Acceptable use policy signed by all employees
- [ ] Termination checklist that includes revoking all access within 24 hours
What Auditors Actually Check (vs. What People Think)
Common misconceptions:
"We need to be perfectly secure."
No. SOC 2 tests whether your controls are designed and operating effectively for your stated scope. You need to show evidence that controls exist and are followed consistently, not that you've never had an issue.
"Every finding means a qualified opinion."
No. Minor gaps during the observation period may result in an "exception" noted in the report rather than a failed audit. Auditors expect startups to have some control gaps; they're evaluating your overall control environment.
"We need to build everything from scratch."
No. If you're using AWS, GCP, or Azure, their SOC 2 reports cover significant infrastructure controls. You scope out what your cloud provider covers and focus your controls on the application layer.
Scoping Your First SOC 2 Audit: Avoid the $150K Surprise
Audit costs range from $15,000 to $150,000+ depending on scope. Here's how to keep costs reasonable:
Narrow your system scope. Only include the systems that store, process, or transmit customer data. If your billing system, analytics platform, or internal HR tools aren't part of your product's data flow, exclude them.
Use a compliance platform. Vanta, Drata, and Secureframe automate evidence collection and run continuous control monitoring. For a first audit, these platforms typically pay for themselves by reducing auditor time.
Get a readiness assessment before your audit. Identify and fix gaps before the observation period starts. Starting your observation period with known control failures is expensive: you'll either fail or have to explain them in your report.
Choose a 6-month observation period for your first Type II. Some startups try to start with a 3-month period to move faster. Most auditors won't accept less than 6 months for a meaningful Type II.
The Timeline: From Zero to SOC 2 Type II
| Phase | Duration | Activities |
|-------|----------|------------|
| Readiness assessment | 2–4 weeks | Gap analysis, scope definition |
| Remediation | 4–12 weeks | Implement missing controls |
| Observation period | 6–12 months | Controls operate and evidence is collected |
| Audit fieldwork | 4–8 weeks | Auditor reviews evidence, conducts interviews |
| Report issuance | 2–4 weeks | Review and finalize |
Total realistic timeline: 9–18 months from start to report
Tools That Make SOC 2 Easier
- Compliance automation: Vanta ($15K–25K/yr), Drata ($20K–35K/yr), Secureframe ($15K–25K/yr)
- Identity/SSO: Okta, Google Workspace, JumpCloud
- Endpoint management: Jamf (Mac), Microsoft Intune
- SIEM/Logging: Datadog, Splunk, AWS CloudWatch
- Vulnerability scanning: Qualys, Tenable, or free tools like OpenVAS for smaller scope
Start With Your Security Posture Score
Before engaging an auditor or compliance platform, run a baseline security assessment. It maps your current controls to SOC 2 criteria and shows you exactly where the gaps are.
Our free assessment covers access controls, logging, incident response, vendor management, and training, the core of what SOC 2 auditors check.
Related Research
For a deeper look at the compliance landscape, the SOC 2 Compliance Guide for SMBs covers the full timeline, cost breakdown, and 10 core controls you need to implement, including a Type I vs Type II comparison. For broader context on why compliance matters now, the SMB Cybersecurity Report 2026 has the breach data that enterprise procurement teams are using to justify SOC 2 requirements.
Take our free cybersecurity risk assessment
Score your security posture in 5 minutes, then get your personalized Cyber Pulse brief with live threats and compliance deadlines for your industry.