Compliance | 15 min read | Last reviewed Apr 2026

SOC 2 Type II Readiness: A 12-Week Checklist

Stefan Efros, CEO & Founder | Reviewed by Daniel Agrici, Chief Security Officer

SOC 2 Type II has become the most common enterprise requirement I see for SaaS companies, fintech platforms, and service providers. Most organizations come to me with the same story: a customer asked for the report, and suddenly they have 12 months to produce one. This is my working 12-week readiness plan, based on having run this exercise enough times to know what actually moves the needle and what's polish that doesn't matter to an auditor. The authoritative reference is the AICPA Trust Services Criteria.

Type I vs Type II

One quick scope reminder before we start, because I see people conflate Type I and Type II constantly. Type I evaluates control design at a point in time. Type II evaluates whether those controls actually operated effectively over 6-12 months. Type II is what enterprise customers want. Type I is a valid stepping stone, not a destination. Most organizations do Type I first to validate design, then enter the observation period for Type II. My 12-week plan gets you to Type I readiness and builds the evidence pipeline you need for the observation period that follows.

Week 1-2: Scoping and Gap Assessment

Week 1-2 is scoping and gap assessment. Pick your Trust Services Criteria. Security is always in. Availability, Confidentiality, Processing Integrity, and Privacy are optional, and I usually recommend Security plus Availability for first-time audits. Add Confidentiality if you have contractual confidentiality obligations. Add Processing Integrity if you process financial or healthcare transactions. Add Privacy only if GDPR or CCPA pushes you there. Every TSC you add expands the audit, the cost, and the ongoing operational burden. Start narrow, widen in year two if needed. Starting broad and narrowing is expensive.

The gap assessment itself means mapping your current controls against the Common Criteria (CC1-CC9) and the TSC points of focus. The gaps I find in most mid-market organizations cluster in the same five places: formal policies don't exist or are stale, access reviews aren't on a regular cadence, change management lacks documented approval workflows, vendor risk assessments aren't captured for critical third parties, and incident response procedures exist on paper but have never been tabletop-tested. The output is a remediation list with effort estimates. That list is your plan for weeks 3-12.

Week 3-4: Policies

Week 3-4 is policy work. SOC 2 requires documented policies covering information security, access control, change management, vendor management, incident response, business continuity, and data classification. Most organizations I work with already have ad-hoc policies, but they're often outdated, contradictory, or missing required elements. Start with a baseline policy set (Vanta and Drata both provide templates, or you can use OpenTrust), tailor to your environment, and get executive signoff. Review and update annually.

One thing I want to emphasize here, because I see it go wrong often: don't over-engineer policies. Auditors test whether policies are in place and followed, not whether they're elegant or comprehensive. A five-page access control policy that your team actually follows is more valuable than a thirty-page one that's ignored. Keep policies specific to what you actually do. Vague language like 'shall implement appropriate access controls' invites auditor follow-up questions that can surface gaps you didn't want found.

Week 5-6: Technical Controls

Week 5-6 is technical controls. The ones auditors actually test: MFA enforced on all administrative access and most user access, role-based access control with least privilege, endpoint encryption on laptops, encryption in transit for all customer data, logging retained for 90+ days with automated alerting on suspicious patterns, monthly vulnerability scanning at minimum, and annual penetration testing. Deploy anything missing now. Your operating effectiveness evidence for Type II starts accumulating from the moment the control is in place, so earlier is better.

Identity and access management deserves extra attention in this phase because it's where I see the most audit findings. Auditors test access reviews rigorously. They want evidence that access rights were reviewed quarterly or at least annually, that reviews identified and remediated inappropriate access, and that terminations triggered same-day access removal across every system with customer data. If your IAM is still spreadsheet-driven, automate it now. SailPoint, Okta Identity Governance, or Microsoft Entra ID Governance all work. Pick based on your existing stack, not on brochures.

Week 7-8: Evidence Pipeline

Week 7-8 is where you build the evidence pipeline. Type II requires operating effectiveness evidence over the entire observation period, which means you have to collect it continuously, not produce it retroactively. The evidence types auditors sample: change tickets with approval, access review results, incident tickets with resolution documentation, vendor assessments, training completion records, vulnerability scan reports, penetration test reports, business continuity test results, backup restoration tests. Centralize in a GRC platform or a structured evidence repository. Manual collection at audit time is the pattern that kills first-time Type II engagements.

Automated evidence is strongly preferred over manual, for two reasons. First, automation scales across the observation period without anyone having to remember to collect. Second, auditors trust automated evidence more than self-reported attestations. GRC platforms like Vanta, Drata, Secureframe, and Hyperproof integrate directly with AWS, Azure, GCP, Okta, GitHub, Jira, and the rest of a modern stack to pull control evidence continuously. Target 70-80% automated evidence coverage. The remaining 20-30% (tabletop exercises, policy signoffs, vendor reviews) will always have some manual component.

Week 9-10: Vendor Risk Management

Week 9-10 is vendor risk management. Your vendors are your risk during the audit too. For every critical vendor, meaning anyone who processes, stores, or transmits customer data or has privileged access to your systems, you need a current SOC 2 or ISO 27001 report under NDA, a completed security assessment questionnaire (CAIQ, SIG Lite, or your own), contractual security terms covering encryption, breach notification, and data handling, and an annual review record. Critical vendors in practice always include your cloud provider, payment processor, email provider, CRM, identity provider, and any analytics or support tool with customer data access.

Week 11: Tabletop and BC Testing

Week 11 is tabletop exercises and business continuity testing. Auditors want evidence that you've actually tested your incident response and business continuity plans, not just documented them. Run a tabletop. That's a facilitated discussion where leadership walks through a realistic scenario (ransomware, cloud provider outage, key-person unavailability), with a scribe capturing decisions, lessons, and action items. Run a backup restoration test. Literally restore a backup and document that it worked. Both artifacts take under a day to produce and satisfy multiple controls in one exercise.

Week 12: Pre-Audit Dry Run

Week 12 is the pre-audit dry run. Engage your auditor for a readiness assessment, or have an internal or consulting team simulate the audit. They'll sample your evidence repository, interview key personnel, and find the gaps. Fix what they surface. In my experience, first-time audits have 3-8 surprises at this stage. Finding them now is the point. Finding them during the real audit is expensive.

During the 6-12 month observation period that follows, the job shifts from building to maintaining. Quarterly access reviews, quarterly risk assessments, quarterly vendor reviews. Monthly vulnerability scans and SOC/NOC reports. Continuous log retention, evidence collection, and incident response operation. Do not let controls lapse. Type II audits surface any operating effectiveness gaps across the entire observation period, and one month of missed access reviews can result in a qualified opinion. Control drift is the enemy. Build the habits that prevent it.

The pitfalls that derail first-time Type II engagements are all avoidable and all common. Trying to achieve Type II without first-time Type I validation, which skips the design-review stage where most organizations find their real gaps. Waiting until month 10 of the observation period to start collecting evidence, which means you're producing evidence retroactively for a period when controls may not have been fully operating. Scope creep, like adding Privacy or Processing Integrity halfway through, which changes the audit scope and invalidates prior evidence. Insufficient engineering ownership, meaning SOC 2 lives in the compliance team while controls actually operate in engineering systems. And relying on policy-as-document without controls-as-code, where a policy says MFA is enforced but nobody has enforced it programmatically.

On cost expectations, because this surprises people. Self-managed with a GRC platform is about $15K-$40K/year for the platform plus $25K-$60K for the audit itself. With a vCISO or managed compliance partner, expect $80K-$150K all-in for the first Type II across readiness, observation, and audit. Second-year Type II is significantly cheaper because controls are operational from day one. The first year pays for the muscle building. Later years pay for maintaining it.

GRC platform selection drives 70% of your evidence automation, so it matters. The four mainstream options in 2026 are Vanta, Drata, Secureframe, and Hyperproof. Vanta has the largest market share, the broadest integration library, and fits cloud-native organizations pursuing first-time SOC 2 well. Drata offers deeper multi-framework coverage (SOC 2, ISO 27001, HIPAA, PCI, GDPR in parallel) and is preferred when you're pursuing multiple certifications at once. Secureframe has strong auditor relationships that compress time-to-audit, useful for aggressive timelines. Hyperproof is enterprise-oriented and fits organizations with complex existing control inventories. Expect $18K-$50K per year depending on employee count and framework breadth. Any of the four will do the job. The right answer depends on your auditor preference, your stack integrations, and your framework roadmap.

The audit surprises I see most often in first-time engagements fall into five patterns, and all of them are pre-emptable. Terminated employees retain access in edge systems that aren't integrated with your identity provider. Auditors sample terminations and test access removal within 24 hours, which is the bar most contracts require. Pre-empt this by running a terminated-user access audit across every system with customer data access every month. Change management tickets lack documented approval, because approval happened in Slack or verbally but wasn't captured in the ticket. Pre-empt this by requiring approval gates in your CI/CD pipeline. Vulnerability scans show criticals past remediation SLA, because the SLA is documented but not enforced. Pre-empt this by making remediation deadlines enforced by tooling, not by human memory. Backup restoration tests weren't performed during the observation period. Pre-empt this with quarterly restoration drills with written sign-off. Incident response tabletop wasn't conducted. Pre-empt this with a documented annual tabletop with executive participation.
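The monthly terminated-user access audit described above, as an added example that is not part of the original article. It reconciles a constructed HR termination feed against constructed per-system account exports and flags accounts that were never disabled or were disabled more than 24 hours after termination.

```python
"""Monthly terminated-user access audit (added example, not from the article).

Constructed inputs: an HR export of terminations and per-system account
exports (systems not integrated with the IdP are the usual offenders).
Flags any account that stayed active, or was removed more than 24 hours
after termination, the bar the article says auditors test against.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=24)  # assumed contractual removal deadline

# Constructed HR feed: employee id -> termination timestamp (UTC).
TERMINATIONS = {
    "e1001": datetime(2026, 3, 2, 17, 0, tzinfo=timezone.utc),
    "e1002": datetime(2026, 3, 10, 9, 30, tzinfo=timezone.utc),
    "e1003": datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc),
}

# Constructed per-system account exports. Each row: employee id,
# account status, and the time the account was disabled (None if never).
SYSTEM_EXPORTS = {
    "okta": [
        ("e1001", "disabled", datetime(2026, 3, 2, 17, 20, tzinfo=timezone.utc)),
        ("e1002", "disabled", datetime(2026, 3, 10, 10, 0, tzinfo=timezone.utc)),
        ("e1003", "disabled", datetime(2026, 3, 20, 13, 0, tzinfo=timezone.utc)),
    ],
    # Legacy support tool holding customer data, not behind the IdP.
    "support-db": [
        ("e1001", "active", None),  # never removed
        ("e1002", "disabled", datetime(2026, 3, 13, 8, 0, tzinfo=timezone.utc)),  # ~3 days late
        ("e1003", "disabled", datetime(2026, 3, 20, 15, 0, tzinfo=timezone.utc)),
    ],
}


def audit_terminations(terminations, exports, sla=SLA):
    """Return findings as (system, employee, issue, lateness) tuples."""
    findings = []
    for system, rows in exports.items():
        for emp, status, disabled_at in rows:
            term_at = terminations.get(emp)
            if term_at is None:
                continue  # still employed; out of scope for this check
            if status != "disabled" or disabled_at is None:
                findings.append((system, emp, "still_active", None))
            elif disabled_at - term_at > sla:
                findings.append((system, emp, "late_removal", disabled_at - term_at))
    return findings
```

Each finding is evidence for the access-removal control; the empty result for the IdP-integrated system is what you want the monthly run to show.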

Vendor SOC 2 report review is a first-party obligation that surprises people during their own audit. For every critical vendor, you need a current SOC 2 Type II report (not Type I, and not expired, because most reports become stale after 18 months from issuance), a review of the report's exceptions and qualifications with documentation of how you addressed relevant ones, and an annual review cadence. Many vendors publish SOC 2 reports on a secure portal now (Trust Center, Drata Trust, Vanta Trust Center), which makes collection easier. Build a vendor management program that tracks SOC 2 expiration, requests renewed reports 30 days before expiration, and flags any vendor that can't produce a current report.

Control operation during the observation period is the single place first-time organizations fail most often. The audit doesn't just look at your final state, it looks at every month of the 6-12 month observation period. Access reviews performed in 11 of 12 quarters is a gap. Vulnerability scans run in 10 of 12 months is a gap. Change management tickets lacking approval in 8% of sampled changes is a gap. The pattern that works: automate continuous controls where possible, define monthly or quarterly operation cadences for manual controls, track attainment in your GRC platform, and run quarterly internal reviews to catch slippage before the auditor does. Consistency over the observation period matters more than any single month's perfection.
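The cadence attainment check described above, as an added example that is not part of the original article. Given each control's required cadence and the dates on which evidence was actually produced, it lists the months or quarters inside a constructed 12-month observation window that have no evidence, which is exactly the slippage a quarterly internal review should catch.

```python
"""Observation-period cadence check (added example, not from the article).

Inputs are constructed; a real run would pull evidence dates from the GRC
platform's repository. Reports the periods with no evidence per control.
"""
from datetime import date

# Constructed 12-month observation window.
OBS_START = date(2025, 4, 1)
OBS_END = date(2026, 3, 31)

# Control name -> required cadence ("monthly" or "quarterly").
CONTROLS = {
    "vulnerability_scan": "monthly",
    "access_review": "quarterly",
}

# Constructed evidence dates: the August scan and the Q4 review are missing.
EVIDENCE = {
    "vulnerability_scan": [date(2025, m, 15) for m in range(4, 13) if m != 8]
                          + [date(2026, m, 15) for m in (1, 2, 3)],
    "access_review": [date(2025, 4, 10), date(2025, 7, 12), date(2026, 1, 20)],
}


def period_key(d, cadence):
    """Bucket a date into its month or calendar-quarter label."""
    if cadence == "monthly":
        return f"{d.year}-{d.month:02d}"
    if cadence == "quarterly":
        return f"{d.year}-Q{(d.month - 1) // 3 + 1}"
    raise ValueError(f"unknown cadence: {cadence}")


def expected_periods(start, end, cadence):
    """All period labels that fall inside the window, in order."""
    keys, y, m = [], start.year, start.month
    while (y, m) <= (end.year, end.month):
        k = period_key(date(y, m, 1), cadence)
        if not keys or keys[-1] != k:
            keys.append(k)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return keys


def missing_periods(controls, evidence, start=OBS_START, end=OBS_END):
    """Return {control: [period labels with no evidence]} for the window."""
    gaps = {}
    for name, cadence in controls.items():
        have = {period_key(d, cadence) for d in evidence.get(name, [])
                if start <= d <= end}
        gaps[name] = [p for p in expected_periods(start, end, cadence) if p not in have]
    return gaps
```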

Scoping decisions have direct cost implications, so decide carefully upfront. A Security-only SOC 2 Type II audit typically costs $25K-$45K. Security plus Availability adds 15-25% to that. Adding Confidentiality adds 10-20%. Processing Integrity and Privacy each add 15-30% because of the breadth of associated controls. Most organizations are best served by Security plus Availability for the first audit. Enterprise customers rarely require more in the initial review. Privacy is the scope addition I see regretted most often, because it triggers data mapping and consumer rights processes that most organizations don't have. Add Privacy in year two or three if the need arises, not in year one when you're already overloaded.

Post-certification operation is what separates organizations for whom SOC 2 was a one-time achievement from organizations for whom it became a sustainable program. The first-year certification usually triggers exhaustion, and everyone wants to move on. Type II requires continuous operation through subsequent annual observation periods, though, and controls that drift become audit findings the following year. Sustainable programs institutionalize the cadence: quarterly access reviews on a calendar, automated vulnerability management with enforced SLAs, continuous evidence collection through GRC tooling, incident response tabletops as a rhythmic quarterly or semi-annual exercise, and vendor management as a procurement gate rather than an annual review spike. Organizations that treat SOC 2 as ongoing operations avoid the compliance tax of re-remediating the same gaps every cycle.

One honest observation from running this process many times. The organizations that do well in SOC 2 Type II aren't the ones with the best tooling. They're the ones where engineering and compliance share ownership. When compliance lives in a silo and engineering views SOC 2 as a tax imposed from outside, the controls operate poorly because the people operating them resent them. When engineering helps design the controls and treats them as part of normal operations, the controls compound as part of engineering discipline. Technical organizations sometimes resist this because SOC 2 feels bureaucratic. The transformation I've seen most often is when a senior engineering leader takes ownership of a few key controls (change management, access, monitoring) and runs them as engineering problems. That's when SOC 2 stops being compliance theater and starts being actual security.

Working with a partner who's built and operated SOC 2 Type II themselves changes the economics significantly. EFROS holds SOC 2 Type II. Our controls, evidence pipeline, and auditor relationships are proven. We embed in your environment, run the 12-week readiness plan, and operate controls through your observation period, with a named vCISO who can sign your management assertion and represent you to auditors and customers. Our typical first-time client engagement closes SOC 2 Type II in 10-12 months end-to-end with zero findings. The predictability matters. First-time SOC 2 is a big company moment. Making it painful is an unforced error.

Frequently Asked Questions

How long does SOC 2 Type II take end-to-end?

Typically 10-18 months for a first-time audit: 6-12 weeks readiness and remediation, 6-12 months observation period, 4-8 weeks audit fieldwork, 2-4 weeks report finalization. Plan for the shorter end (10 months) only if you have mature controls already.

What does a SOC 2 Type II audit actually cost?

Audit fees from a CPA firm: $25K-$80K depending on scope (more TSCs, more audit). GRC platform: $15K-$40K/year. Internal labor or consultant time for readiness: $30K-$100K+ depending on starting maturity. All-in, expect $80K-$200K for the first Type II. Subsequent years are 30-50% cheaper.

Do I need to use a GRC platform like Vanta or Drata?

Not strictly, but it dramatically reduces audit effort. GRC platforms automate evidence collection across AWS, Okta, GitHub, and similar systems — typically covering 70-80% of evidence requirements. Without one, you'll spend 3-5x more time on evidence collection. Well worth the license cost for most organizations pursuing Type II.

Can EFROS operate SOC 2 controls for us?

Yes. Our managed compliance practice operates SOC 2 controls continuously — access reviews, vendor assessments, incident response, evidence collection — with a named vCISO who can sign management assertions. We use GRC platforms (client's choice) and bring our own proven control library. EFROS holds SOC 2 Type II ourselves, so we operate from experience, not theory.

About the author

Stefan Efros

CEO & Founder, EFROS

Stefan founded EFROS in 2009 after 15+ years in enterprise IT and cybersecurity. He sees how the pieces connect before others see the pieces themselves. Focus: security-first architecture, operational rigor, and SLA accountability.

Certifications: CompTIA SecurityX, CompTIA CySA+, CompTIA Security+, CompTIA PenTest+, OSINT, AWS Solutions Architect
