Q&A Friday: SOC 2 Timeline

3 months ago
How long does it take to get SOC 2 compliance?

TL;DR Answer:

With preparation time, SOC 2 Type I takes a minimum of 1.5 months and SOC 2 Type II takes a minimum of 5.5 months.

SOC 2 Timeline:

There are three phases for pursuing SOC 2 certification.

Preparation (completion time: 4-6 weeks)

The audit preparation period takes 4-6 weeks, during which you define controls that map to your selected Trust Services Criteria. During this time you’ll be drafting policies for your control areas and selecting how you’re going to prove your compliance (e.g. screenshots, logs).

SOC 2 Type I (2-3 weeks to complete)

SOC 2 Type I has an audit period of one day, because it is a point-in-time test of your controls. It takes an additional 2-3 weeks for certification once you submit your evidence.

SOC 2 Type II (4-15 months to complete)

SOC 2 Type II has an audit period of 3-12 months as you test the effectiveness of your controls over your selected audit period and gather evidence.

Once you’ve submitted your evidence, the auditor review and certification takes a minimum of a month, for a total time to completion of 4-15 months. Completion time is greatly affected by how easily you can document your controls and gather evidence, and by your auditor.

For more information, check out our SOC 2 page.

