Audit Prep

How to Prepare for Your First SOC 2 Audit in 90 Days

A practical 90-day timeline for seed and Series A startups. What to fix first, which evidence to collect, and how to choose the right auditor.

Clovra Team
Feb 17, 2026 · 12 min read

Most SOC 2 guides are written by consultants who want you to believe the process is complex enough to require their ongoing involvement. It's not. A 5–30 person SaaS startup with reasonable engineering practices can get from zero to Type 1 in 90 days — without a compliance consultant — if they know what to focus on.

Here's the actual playbook.

Days 1–7: Gap Analysis

Before doing anything else, understand where you stand. A gap analysis scans your connected integrations and tells you which controls are passing, which are warnings, and which are failing. This determines your 90-day roadmap.

At minimum, assess:

  • GitHub: branch protection, MFA, secret scanning, public repo exposure
  • AWS: password policy, MFA enforcement, CloudTrail logging, S3 encryption, S3 public access blocks
  • Identity: who has admin access to what, and whether MFA requirements are enforced
  • Policies: which written policies exist, which are missing

The gap analysis is the most valuable step in the entire process. Companies that skip it and go straight to audit preparation consistently overpay and take longer. Run it first.

Days 8–35: Fix Critical Gaps

Focus on FAIL controls first — these are deal breakers in an audit. Typical critical gaps for an early-stage startup:

  • No branch protection on main branch
  • MFA not enforced in GitHub or AWS
  • No CloudTrail logging configured
  • S3 buckets with public access enabled
  • Employees with admin access who don't need it (access creep)
  • No incident response policy
  • No access control policy

Most of these are configuration changes, not engineering projects. Assign an owner for each item with a due date. Block out 2–3 engineering days per week for this sprint.
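The checks in the Days 1–7 list and the FAIL/WARN/PASS triage above can be expressed as a small evaluator. The block below is an added example and not Clovra's code: it takes a snapshot of settings of the kind you would assemble from the GitHub API and the AWS CLI, classifies each control, and counts the results. The snapshot shape, field names, control ids such as `GH-1`, and the rule that every admin grant carries a written justification are assumptions made for the example, not any vendor's schema; the sample data is constructed.

```python
# Added example (not Clovra's code): a minimal SOC 2 gap-analysis evaluator.
# Snapshot shape and field names are assumptions for this example, not a vendor schema.
from typing import Callable

PASS, WARN, FAIL = "PASS", "WARN", "FAIL"
REQUIRED_POLICIES = ("information_security", "access_control", "change_management",
                     "incident_response", "risk_assessment", "vendor_management",
                     "bcdr", "acceptable_use")

def branch_protection(snap: dict) -> str:
    # One unprotected default branch is enough to fail the control.
    return PASS if all(r["default_branch_protected"] for r in snap["github"]["repos"]) else FAIL

def github_mfa(snap: dict) -> str:
    return PASS if snap["github"]["org_requires_2fa"] else FAIL

def public_repos(snap: dict) -> str:
    # A public repo is not a failure by itself, but each one needs a review for leaked secrets.
    return WARN if any(r["visibility"] == "public" for r in snap["github"]["repos"]) else PASS

def cloudtrail(snap: dict) -> str:
    trails = snap["aws"]["cloudtrail_trails"]
    if not trails:
        return FAIL
    # Target state: at least one trail that is logging and covers all regions.
    return PASS if any(t["logging"] and t["multi_region"] for t in trails) else WARN

def s3_public_access(snap: dict) -> str:
    pab = snap["aws"]["s3_public_access_block"]
    keys = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
    return PASS if all(pab.get(k) for k in keys) else FAIL

def aws_mfa(snap: dict) -> str:
    # Any IAM user with a console password and no MFA device fails the control.
    return PASS if all(u["mfa_active"] for u in snap["aws"]["iam_users"] if u["console_access"]) else FAIL

def admin_creep(snap: dict) -> str:
    # Assumption: each admin grant carries a written justification; a missing one is flagged for review.
    admins = [u for u in snap["identity"]["users"] if u["admin"]]
    return WARN if any(not u.get("justification") for u in admins) else PASS

def policies(snap: dict) -> str:
    have = snap["policies"]
    if any(p not in have for p in REQUIRED_POLICIES):
        return FAIL
    # Present but unapproved or undated is a warning; the auditor wants both.
    return PASS if all(have[p].get("approved_on") for p in REQUIRED_POLICIES) else WARN

# (id, description, check) for each control the article names as a minimum.
CONTROLS: list[tuple[str, str, Callable[[dict], str]]] = [
    ("GH-1", "Branch protection on default branches", branch_protection),
    ("GH-2", "MFA enforced on the GitHub org", github_mfa),
    ("GH-3", "No unreviewed public repositories", public_repos),
    ("AWS-1", "CloudTrail logging in all regions", cloudtrail),
    ("AWS-2", "S3 account-level public access block", s3_public_access),
    ("AWS-3", "MFA on IAM users with console access", aws_mfa),
    ("ID-1", "Admin access justified", admin_creep),
    ("POL-1", "Required policies written and approved", policies),
]

def run_gap_analysis(snap: dict) -> dict[str, str]:
    return {cid: check(snap) for cid, _, check in CONTROLS}

def summarize(results: dict[str, str]) -> dict[str, int]:
    return {s: sum(1 for v in results.values() if v == s) for s in (PASS, WARN, FAIL)}

# Constructed snapshot for a fictional startup; every value below is made up.
SAMPLE_SNAPSHOT = {
    "github": {"org_requires_2fa": False, "repos": [
        {"name": "api", "visibility": "private", "default_branch_protected": True},
        {"name": "web", "visibility": "private", "default_branch_protected": False}]},
    "aws": {
        "cloudtrail_trails": [{"name": "main", "logging": True, "multi_region": False}],
        "s3_public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                   "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
        "iam_users": [{"name": "alice", "console_access": True, "mfa_active": True},
                      {"name": "ci-bot", "console_access": False, "mfa_active": False}]},
    "identity": {"users": [{"name": "alice", "admin": True, "justification": "CTO"},
                           {"name": "bob", "admin": True, "justification": ""}]},
    "policies": {"information_security": {"approved_on": "2026-01-15"},
                 "access_control": {"approved_on": None}},
}

if __name__ == "__main__":
    results = run_gap_analysis(SAMPLE_SNAPSHOT)
    for cid, desc, _ in CONTROLS:
        print(f"{results[cid]:<4} {cid:<6} {desc}")  # the FAIL rows are the Days 8-35 work list
    print(summarize(results))  # {'PASS': 3, 'WARN': 2, 'FAIL': 3}
```

Run it and the FAIL rows become the owner-and-due-date list for the next sprint; the WARN rows (a single-region trail, an admin without a recorded reason, a policy awaiting sign-off) are the items to schedule before fieldwork. Replacing the constructed snapshot with real API output is the only change needed to run it against an actual account.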

Days 36–60: Write the Missing Policies

This is the most underestimated part of SOC 2 preparation. Auditors want written, approved, dated policies for every major control area. You need at minimum:

  • Information Security Policy (the master policy)
  • Access Control Policy
  • Change Management Policy
  • Incident Response Policy
  • Risk Assessment Policy
  • Vendor Management Policy
  • Business Continuity & Disaster Recovery Policy
  • Acceptable Use Policy

Each policy should be 1–3 pages, ratified by your CEO or CTO, and stored somewhere with version history. Google Drive with version tracking is fine.

Days 61–75: Build Your Evidence Archive

Start collecting evidence now — before the auditor asks. Organized evidence makes the audit faster and cheaper (auditors bill by the hour).

  • Screenshots of your GitHub branch protection settings
  • Screenshots of MFA enforcement in GitHub and AWS
  • CloudTrail configuration export
  • IAM password policy screenshot
  • List of users and their access levels (export from GitHub + AWS)
  • Any access review documentation (even a simple spreadsheet with dates)
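An evidence archive is only useful if the auditor can tell when each artifact was collected and that it has not changed since. The block below is an added example, not Clovra's code: it copies each artifact into a per-control folder, records a SHA-256 hash and a collection timestamp in a manifest, and re-verifies the archive on demand. Recording hashes goes beyond what the article asks for; the directory layout, control ids and file names are assumptions for the example, and the two artifacts it writes are constructed stand-ins for a real CloudTrail export and user list.

```python
# Added example (not Clovra's code): a dated evidence archive with a SHA-256 manifest.
# Directory layout, control ids and file names are assumptions made for the example.
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def add_evidence(archive: Path, control_id: str, source: Path, note: str) -> dict:
    """Copy one artifact into archive/<control_id>/ and record it in manifest.json."""
    dest_dir = archive / control_id
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / source.name
    shutil.copy2(source, dest)
    entry = {
        "control": control_id,
        "file": dest.relative_to(archive).as_posix(),
        "sha256": sha256_file(dest),
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "note": note,
    }
    manifest = archive / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append(entry)
    manifest.write_text(json.dumps(entries, indent=2))
    return entry

def verify_archive(archive: Path) -> list[str]:
    """Return the files in the manifest that are missing or whose hash no longer matches."""
    entries = json.loads((archive / "manifest.json").read_text())
    bad = []
    for e in entries:
        p = archive / e["file"]
        if not p.exists() or sha256_file(p) != e["sha256"]:
            bad.append(e["file"])
    return bad

def demo(root: Optional[Path] = None) -> tuple[list[str], list[str]]:
    """Collect two constructed artifacts, verify, then show what a post-collection edit looks like."""
    root = root or Path(tempfile.mkdtemp(prefix="soc2-evidence-"))
    raw = root / "raw"
    raw.mkdir(parents=True, exist_ok=True)
    # Constructed sample artifacts standing in for real exports.
    (raw / "cloudtrail-export.json").write_text('{"trail": "main", "logging": true}\n')
    (raw / "iam-users.csv").write_text("user,admin,mfa\nalice,true,true\n")
    archive = root / "evidence"
    add_evidence(archive, "AWS-1", raw / "cloudtrail-export.json", "CloudTrail configuration export")
    add_evidence(archive, "AWS-3", raw / "iam-users.csv", "IAM user list with MFA status")
    clean = verify_archive(archive)
    # Editing an artifact after collection changes its hash; verification reports the file.
    (archive / "AWS-3" / "iam-users.csv").write_text("user,admin,mfa\nalice,true,false\n")
    tampered = verify_archive(archive)
    return clean, tampered

if __name__ == "__main__":
    print(demo())  # ([], ['AWS-3/iam-users.csv'])
```

Keep `manifest.json` alongside the archive you share with the auditor; it answers "when was this collected?" for every screenshot and export without anyone having to remember, and a clean `verify_archive` run before kickoff confirms the evidence is what you collected.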

Days 76–90: Choose an Auditor and Kick Off

By day 76, your critical gaps should be closed and your policies should be written. Now you're ready to engage an auditor without expensive surprises.

How to choose an auditor:

  • Get 3 quotes — prices vary by 2x for the same scope
  • Prefer firms that specialize in SaaS/tech companies (they move faster)
  • Ask specifically about their Type 1 + Type 2 combined engagement process
  • Ask for references from companies at your stage
  • Confirm they can start the Type 2 observation period concurrent with Type 1 work

Share your gap analysis results and evidence archive with prospective auditors as part of your RFP. This signals you're prepared and often results in lower quotes — auditors reduce their estimate when they see organized evidence.

What Happens After You Kick Off

The auditor will send you a document request list (PBC list — Provided By Client). If you've followed this guide, 80% of it is already done. The remaining 20% is usually specific evidence samples from your systems — specific log entries, specific change tickets, etc.

Type 1 fieldwork takes 4–8 weeks. The report is issued 2–4 weeks after fieldwork closes. You'll have your Type 1 report within 90–120 days of audit kickoff — which, if you started preparation at day 1, means your total time from gap analysis to Type 1 report is approximately 6 months.

Ready to see where you stand?

Run a free SOC 2 gap analysis with Clovra
