
Certification Process – Detailed Roadmap

Stage 1 – Scoping & Planning

Timeframe: 2–3 weeks

Work Involved:

  • Define audit scope: services, systems, locations, and people involved.
    • Include AWS production, Signoz observability in GCP, staging environment, and relevant SaaS vendors.
    • Complete any required migrations and the isolation of production from non-production environments and customer data before the observation period begins: controls must be in place from day one, because evidence collection starts at that point.
  • Choose Trust Services Criteria:
    • Security (mandatory) + Availability + Confidentiality recommended for PII-heavy SaaS.
  • Decide observation period length:
    • Minimum 3 months for Type II; most companies do 6–12 months. During this period we collect all the evidence before engaging an external auditor for the actual audit.
  • Select an audit firm (AICPA-accredited CPA).
  • Decide on compliance management approach:
    • In-house, consultant, or automated platform (Vanta/Drata/Secureframe).

Deliverables:

  • Scope document
  • List of in-scope systems & personnel
  • Signed engagement letter with auditor

Stage 2 – Readiness Assessment (Gap Analysis)

Timeframe: 3–6 weeks (may take longer if many fixes are needed)

Work Involved:

  • Compare current practices against SOC 2 requirements.
  • Identify control gaps in:
    • Access control (MFA, least privilege, termination process)
    • Logging/monitoring (AWS CloudTrail, GCP logging, Signoz masking)
    • Policy documentation (security, incident response, change management, vendor management, data retention)
    • Device security (disk encryption, endpoint protection for personal & company laptops)
    • Vendor risk management
  • Develop a remediation plan with clear owners & deadlines.

Deliverables:

  • Gap analysis report
  • Remediation plan with timelines

Stage 3 – Implementation & Remediation

Timeframe: 2–3 months (can be parallel with readiness if fast-tracked)

Work Involved:

  • Write and approve security policies.
  • Implement technical controls:
    • MFA/SSO for AWS, GCP, and SaaS tools
    • Role-based access control
    • Encryption at rest & in transit
    • Data masking in logs
  • Deploy device management solutions for endpoint security.
  • Train employees on security awareness & incident reporting.
  • Update vendor contracts for security & confidentiality clauses.
  • Document backup, DR, and change management processes.
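The "Data masking in logs" control above (and the "Signoz masking" gap in Stage 2) is usually implemented as a filter that runs before a log line leaves the application or the log shipper. The following is an added example written for this page, not code from the original document or from SigNoz, AWS or GCP: it masks emails, phone numbers, Luhn-valid card numbers and bearer tokens in free-text lines, and redacts whole values under sensitive keys in JSON records. The sample log lines and the field names (`token=`, `password`, `authorization`) are constructed for the demo.

```python
"""PII masking filter for application logs, applied before shipping to an observability backend."""
import json
import re
from typing import Any

# Constructed sample log lines for the demo (no real customer data).
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z INFO login ok email=alice@example.com ip=203.0.113.7",
    "2024-05-01T10:00:05Z WARN payment declined card=4111 1111 1111 1111 phone=+1 415-555-0134",
    "2024-05-01T10:00:09Z INFO session token=eyJhbGciOiJIUzI1NiJ9.payload.sig user_id=42",
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits optionally separated by spaces or hyphens; Luhn-checked before masking
# so order ids and timestamps are not masked by accident.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
PHONE_RE = re.compile(r"(?<!\d)\+?\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)")
# Assumed key=value convention for tokens in free-text lines (constructed for the demo).
TOKEN_RE = re.compile(r"(token=)[A-Za-z0-9._\-]+")

# Keys whose values are always dropped in structured records (assumed naming).
SENSITIVE_KEYS = {"password", "token", "authorization", "secret", "ssn"}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _mask_card(m: re.Match) -> str:
    """Replace a candidate number only if it is a plausible card number."""
    digits = re.sub(r"[ -]", "", m.group(0))
    return "[CARD]" if luhn_valid(digits) else m.group(0)


def mask_line(line: str) -> str:
    """Mask PII in a free-text log line.

    Cards are masked before phones so a card number is never partially
    masked as a phone number.
    """
    line = EMAIL_RE.sub("[EMAIL]", line)
    line = CARD_RE.sub(_mask_card, line)
    line = PHONE_RE.sub("[PHONE]", line)
    line = TOKEN_RE.sub(r"\1[REDACTED]", line)
    return line


def mask_record(record: Any) -> Any:
    """Recursively mask a structured log record: drop values under sensitive keys, scan the rest."""
    if isinstance(record, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else mask_record(v)
            for k, v in record.items()
        }
    if isinstance(record, list):
        return [mask_record(v) for v in record]
    if isinstance(record, str):
        return mask_line(record)
    return record


def mask_json_line(line: str) -> str:
    """Mask a JSON-encoded log line; fall back to free-text masking if it is not JSON."""
    try:
        return json.dumps(mask_record(json.loads(line)), sort_keys=True)
    except json.JSONDecodeError:
        return mask_line(line)


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(mask_line(raw))
    print(mask_json_line('{"user": "bob@example.com", "password": "hunter2", "msg": "ok"}'))
```

The Luhn check is what keeps the card pattern from masking every long number in a line; during the observation period the masked output, not the raw line, is what should reach the observability platform and therefore the auditor's evidence package.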

Deliverables:

  • Updated systems & processes
  • Signed & communicated policies
  • Security training records

Stage 4 – Observation Period (Control Operation)

Timeframe: 3–12 months (6 months recommended for first Type II)

Work Involved:

  • Operate all implemented controls consistently.
  • Collect evidence automatically (if using compliance platform) or manually.
  • Perform internal audits/checks to ensure controls are working.
  • Track and resolve incidents, access changes, and policy updates.
  • Maintain change logs for infrastructure & application updates.
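The internal checks in this stage, and the access-control gaps listed in Stage 2 (MFA, least privilege, termination process), can be evidenced with a script that evaluates an access report against the policy thresholds and records findings. The following is an added example written for this page, not code from the original document or from AWS: it parses a constructed report whose column names follow the AWS IAM credential report (a subset of its columns), and flags console users without MFA, active access keys older than 90 days, and accounts unused for more than 90 days. The 90-day thresholds, the user names, and the fixed evaluation date are assumptions made for the demo; the account id is the AWS documentation placeholder.

```python
"""Access-control evidence check over an IAM credential report (constructed sample data)."""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample in the column layout of an AWS IAM credential report (subset of columns).
# Account id 123456789012 is the AWS documentation placeholder; the users are invented.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T09:00:00+00:00,true,2024-04-28T08:12:00+00:00,2024-02-01T00:00:00+00:00,true,true,2024-03-15T00:00:00+00:00,2024-04-29T10:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2023-06-02T09:00:00+00:00,true,2024-04-30T11:00:00+00:00,2023-12-01T00:00:00+00:00,false,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-11-20T09:00:00+00:00,false,no_information,N/A,false,true,2023-09-01T00:00:00+00:00,2024-04-30T02:00:00+00:00
carol,arn:aws:iam::123456789012:user/carol,2023-03-05T09:00:00+00:00,true,2023-11-15T16:00:00+00:00,2023-03-05T09:00:00+00:00,true,false,N/A,N/A
"""

# Fixed evaluation date so the demo is deterministic (assumption for the example).
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90        # assumed policy threshold for access-key rotation
MAX_INACTIVITY_DAYS = 90     # assumed policy threshold for dormant accounts


def parse_ts(value: str) -> Optional[datetime]:
    """Return an aware datetime, or None for the report's non-date markers (N/A, no_information)."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def days_since(ts: datetime, as_of: datetime = AS_OF) -> int:
    return (as_of - ts).days


def check_user(row: Dict[str, str], as_of: datetime = AS_OF) -> List[dict]:
    """Evaluate one report row against the access-control policy and return findings."""
    findings = []
    user = row["user"]

    # Control: every console (password) login must be protected by MFA.
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append({"user": user, "code": "MFA_MISSING",
                         "detail": "console password enabled without MFA"})

    # Control: active access keys are rotated within the policy window.
    if row["access_key_1_active"] == "true":
        rotated = parse_ts(row["access_key_1_last_rotated"])
        if rotated is None or days_since(rotated, as_of) > MAX_KEY_AGE_DAYS:
            age = "unknown" if rotated is None else f"{days_since(rotated, as_of)} days"
            findings.append({"user": user, "code": "KEY_ROTATION_OVERDUE",
                             "detail": f"access key 1 age {age} > {MAX_KEY_AGE_DAYS} days"})

    # Control: dormant accounts are removed (termination / leaver process).
    used = [t for t in (parse_ts(row["password_last_used"]),
                        parse_ts(row["access_key_1_last_used_date"])) if t]
    last_activity = max(used) if used else parse_ts(row["user_creation_time"])
    if last_activity is None or days_since(last_activity, as_of) > MAX_INACTIVITY_DAYS:
        findings.append({"user": user, "code": "STALE_ACCOUNT",
                         "detail": f"no activity in {MAX_INACTIVITY_DAYS} days"})
    return findings


def evaluate_report(report_text: str, as_of: datetime = AS_OF) -> List[dict]:
    """Run check_user over every row of a credential report in CSV form."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        findings.extend(check_user(row, as_of))
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per control code; this is the figure to record as evidence per run."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["code"]] = counts.get(f["code"], 0) + 1
    return counts


if __name__ == "__main__":
    results = evaluate_report(SAMPLE_REPORT)
    for f in results:
        print(f"{f['user']:<10} {f['code']:<22} {f['detail']}")
    print(summarize(results))
```

Running this on a schedule and archiving both the report and the findings gives the auditor a dated trail that the control was operated, not just designed; each finding also maps directly to a remediation owner from the Stage 2 plan.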

Deliverables:

  • Control operation logs
  • Incident reports
  • Change management records

Stage 5 – External Audit Fieldwork

Timeframe: 3–4 weeks

Work Involved:

  • Provide evidence to auditor:
    • Access logs, monitoring alerts, incident reports, change tickets, policy documents
    • Screenshots/configurations from AWS & GCP
    • Vendor risk assessments
  • Participate in interviews with auditor (engineering, security, HR, ops teams).
  • Answer follow-up requests for clarifications.

Deliverables:

  • Evidence package
  • Completed interviews
  • Auditor’s test results (internal feedback before report finalization)

Stage 6 – Report Issuance

Timeframe: 2–4 weeks after fieldwork

Work Involved:

  • Receive draft report, review for factual accuracy.
  • Provide any additional explanations if needed.
  • Final report issued by auditor.

Deliverables:

  • SOC 2 Type II report (PDF, usually 50–100 pages)
  • Executive summary for customer sharing

Stage 7 – Continuous Compliance & Renewal

Timeframe: Ongoing (audit renewal every 12 months)

Work Involved:

  • Continue operating controls.
  • Track any system/process changes that could affect scope.
  • Plan for next observation period and re-audit.

Deliverables:

  • Updated evidence
  • Annual SOC 2 Type II report

Sample Timeline for a 6-Month Observation Period

  Stage                  Duration   Cumulative Time
  Scoping & Planning     3 weeks    Month 0.75
  Readiness Assessment   4 weeks    Month 1.75
  Remediation            2 months   Month 3.75
  Observation Period     6 months   Month 9.75
  Audit Fieldwork        3 weeks    Month 10.5
  Report Issuance        3 weeks    Month 11.25

Total: ~11–12 months from start to report.