Stages

Ideation & Awareness

  • Understand product security
  • Discussion: GD (business impact), Nilesh (feasibility).

Certification Analysis

SOC 2 Analysis

Scope & Requirements

Cost & ROI Assessment

Vendor Evaluation

Vendor Demos & Selection (~2-4w)

  • At least 3 demos → compare features, support, cost, integrations
  • Discussion: Leadership.
  • Decision: Final vendor.

Internal Prep (draft work) (~2w)

  • Assign internal SOC 2 roles (owner for security, infra, HR, backend, etc.).
  • Collect basic infra details (AWS architecture, flow diagrams, access control lists, security setups).
  • Identify basic policies.
  • Identify existing policies (even if only drafts), e.g. Access Control, Incident Response, Disaster Recovery, Business Continuity.
  • Discuss and decide on the draft policies internally with leadership.
  • Doc: https://bookstack.bynry.com/books/soc-ii/page/general-policies

Evidence Pre-Collection (~2w)

  • Start gathering docs we'll definitely need:
    • Employee handbook, HR policies.
    • List of SaaS tools + vendors (Workday, Slack, GitHub, etc.).
    • Access logs, MFA screenshots, AWS IAM setup.
    • Third-party vendor background checks policy.

Quick Wins (Pre-Control Fixes) (~1-2w)

  • Enable MFA everywhere.
  • Ensure logging/monitoring in AWS.
  • Set up vulnerability scanning for CVEs wherever possible.
  • Check password policies & SSO setup.
  • Start drafting Acceptable Use, Access Control, Change Mgmt policies.
  • Follow the principle of least privilege.

Stakeholder Alignment

  • Conduct a kickoff-like meeting internally before the vendor joins: overview of existing work.
  • Discussion: Leadership → who will own what.

Vendor Onboarding

  • In parallel with vendor onboarding, start reaching out to SOC 2 audit firms (only if the vendor doesn't bring one in; generally they are partnered with audit firms, so this step might be skipped).
  • The vendor usually helps, but early prep saves time.

Communication Plan

  • Prepare “We are pursuing SOC 2” comms for the internal team → builds awareness (short onboarding on what we're doing).
  • Draft external messaging for customers once audit starts.

Initial Gap Analysis: Current Security Posture

  • Initial analysis of the current posture.
  • Vendor rolls out policy update suggestions and process refinements as per SOC 2 guidelines.
  • Gap analysis report received.

Observation Phase [min 3 Months]

  • Address the gap analysis findings.
  • Enter the observation phase.
  • Need a clean observation window of 3 months; keep track of everything throughout.

Implementation & Evidence Collection

  • Roll out policies, tools, controls.
  • Automate via vendor (if chosen).

Internal Reviews & Mock Audit

  • Dry run before final.
  • Discussion: Nilesh + Security team.

SOC 2 Audit Engagement

  • Select CPA firm (AICPA-accredited).
  • Conduct readiness → Type I/II audit.

Final Report & Communication

  • Receive SOC 2 report.
  • First thing: notify our marketing team to add the badges wherever possible, share with customers, update sales collateral.
  • ROI realized (trust + faster deals).