A big sale is on the line. Your customer requires that you achieve a SOC 2 Type 2 certification before they will sign the contract for your service. Their purchasing department is holding up the purchase until they see your SOC 2 report. Panic sets in. How long does it take to get a SOC 2? Is the timing different for a Type 1 or a Type 2? Should we skip Type 1 and go straight into a Type 2? The deal hinges on the ability to get this SOC 2 report, and time is of the essence!
Know the difference between a SOC 2 Type 1 and a Type 2.
To make an informed decision on timing, it is important to understand the difference between a Type 1 and a Type 2 certification. A Type 1 is a point-in-time audit. It can be any point in time and is typically the last day of a month, but it could be any day. For a Type 1, the design of the controls is assessed through a test of one sample (ideally the best-documented one) of each control. The SOC 2 auditor will walk through each control to assess whether all SOC 2 criteria have been met and whether the controls cover all of the security "promises" (i.e., the principal service commitments and system requirements) you have made for your product.
A Type 2 audit builds on the Type 1 and assesses the controls over a "period of time." Wondering how SOC 2 auditors test? They'll select samples and perform tests to determine how well the controls have been operating. The minimum period of time for a Type 2 is three months, but the typical time period is 12 months. The audit repeats every 12 months but doesn't have to be synced to the calendar year. Many organizations choose a quarter-end for their annual cadence.
Buy some time.
Your customer will most likely pressure you to become certified as quickly as possible. If they ask for a SOC 2 and enough revenue is on the line, you are likely to comply with whatever they ask. However, there is no harm in asking your customer contact if you can send them a Type 1 and then commit to a Type 2 later in the year or even next year. This buys you time and they may say OK!
You can also ask if they will accept a comfort letter from your auditor. This is something an auditor can provide as soon as you sign a contract or engagement letter with them. The letter explains that they have been hired and when the audit is planned. It makes no claims about your control environment, though. You may have to fill out a security questionnaire or show the results of a recent penetration test to buy some time. Your auditor can also help you determine the timing of your SOC 2, so bring this up when you go out to find one.
From zero to Type 2
The typical SOC 2 timeline is a readiness assessment to start, a Type 1 three to six months later (depending on how many items there are to fix as a result of the assessment), then a Type 2 at least three to six months after the Type 1.
Need a Type 1 now?
What if you need a Type 1 as soon as possible? The good news is that it is achievable. The bad news is that you may need to sacrifice product development time and it will be a lot of work across the organization. This time frame will likely require all hands on deck.
Straight to a Type 2: the risks of a running start
The minimum time frame necessary to achieve a Type 2 is three months. Going down the path of a Type 2 without first achieving a Type 1 requires exceptional confidence in your control environment. For example, suppose an auditor were to pull 15 random change management tickets from a three-month period. Are you 100% positive that each one will show every control point in your change management process? Will they all have been completed exactly as expected?
If you think you are ready to jump right into a Type 2, this is called a "running start". Be prepared for your auditor to advise against it. Part of the reason is that they will lose the revenue from performing a readiness assessment and then issuing a Type 1. More importantly, an auditor knows better than anyone that this approach is very, very risky.
If the auditor does not think you have enough controls to meet each SOC 2 criterion, you will fail on the design of your control environment. In addition, if the auditor finds any issues in the samples you have provided, you will fail on the "operation" of your controls. Either failure will earn you a qualified opinion or report, and this is not the outcome you want to show your customers. You want a clean, or unqualified, report. A qualified report could jeopardize your relationship with your customer. No one wants to work with an organization that has sloppy security practices.
You may think your organization is ready for the Type 2, but the reality is that without a readiness assessment AND at least three months of perfect test samples, you run the risk of the auditor finding control deficiencies. Can you afford to risk it? That is your call. But if you do attempt a running start, make sure you dedicate an individual (or two!) to herd the cats. The good news is that by following the Strike Graph process, you will quickly have a solid indication of whether your organization is ready to take on the risk of a running start.
How long is a SOC 2 report valid?
A SOC 2 report is valid for 12 months. After that, your customers will want to see a new, fresh report. If you add to the scope of your SOC 2, for example by adding Availability, Processing Integrity, Confidentiality, or Privacy, or if you add a new service, you may want to consider refreshing your report after six months.
Strike Graph can help
Need a SOC 2 report in a short amount of time and ready to dive in? The Strike Graph solution starts with a risk assessment that can be completed in a few hours. From the risk assessment, you will align controls to risks via our audit-ready library of controls: if you see a control that your organization can prove it is doing, you activate it. All activated controls are then aligned, behind the scenes, to the SOC 2 criteria. In as little as a day, you will be able to see exactly where you stand and have the information you need to realistically determine how long the SOC 2 certification may take. You will save on audit fees and have controls identified and assigned, and evidence ready to deliver. As a bonus, you will also have a centralized control repository to facilitate the completion of those pesky security questionnaires.