Is SOC 2 mandatory?
No, a SOC 2 is not legally required by any organization. However, your customer may require you to obtain one in order to do business with you.
Is SOC 2 a certification or an attestation?
There’s no such thing as SOC 2 certification. It is more accurate to call the process of gaining compliance a SOC 2 attestation. This is because SOC 2 audits are conducted by licensed CPAs based on standards set by the AICPA—but there’s no certifying body or official certification. Auditors provide an objective report on your security posture that lacks a pass or fail outcome.
Who needs to comply with SOC 2?
SOC 2 compliance is not legally required for any organization. It’s completely voluntary for businesses to get and there are no fines or penalties for not having a SOC 2. This standard is commonly used by SaaS companies, organizations that provide business intelligence or analytics, and managed IT providers.
Can you fail a SOC 2 audit?
You can’t technically "fail" a SOC 2 audit, as there’s no pass or fail system. Instead, the auditor provides an objective report on your security posture. If your controls or their execution don’t meet the required criteria, the report may include a “qualified opinion,” signaling areas that need improvement.
How much does SOC 2 certification cost?
Taking into account lost productivity, build vs. buy decisions for new tools, and security training, we estimate the cost at $147,000 all-in.
Let’s dig into each of these points to help you understand the costs you may encounter.
How much will an Auditor charge for a SOC 2 Type 1 audit?
Expect the cost of an auditor for SOC 2 Type 1 to be in the $12k-$17k range.
But the cost of the auditor is just the beginning. You will need months of dedicated time from your existing staff or consultants. Once the audit is complete, you will have a laundry list of items to remediate, which may necessitate the purchase of additional tools and training as well.
Lost Productivity
First, assign someone to own the SOC 2 process from start to finish. Expect this to become a full-time focus for the duration of the project. This is a hidden SOC 2 cost that may not be obvious to account for. This responsibility is not something that can be delegated to your IT or security team, nor can it be handled by junior staff. The initiative needs to be led by someone who has sufficient familiarity with technical systems to be efficient with the team’s time. That person will also need to be sufficiently senior to successfully cut through the company politics and get things done.
Cost | Time |
---|---|
50% FTE or Consultant, ~$50-75k | 6 months |
Readiness Assessment
Next, you will need a readiness assessment. This assessment is designed to educate your team on the audit scope and conduct preliminary investigative and prep work, including identifying data stores, mapping workflow, and creating an inventory of technical systems. It’s also the right time to give some of your key teams – like legal and HR – a heads up that some of your company’s documentation and policies will need to be changed.
Cost | Time |
---|---|
Producitivy loss of dedicated team | 2 weeks |
Legal
Review with your attorney all customer agreements, vendor and contractor agreements and employment agreements. These agreements will establish a foundation of responsibility assignment that allows you to make assertions in your policies regarding confidentiality, privacy and security. You may need to revisit these annually with each audit. Anticipate this will be an ongoing SOC 2 cost.
Cost | Time |
---|---|
$10k | 2 weeks spread out over 3 months |
Build vs. Buy Decisions
Depending on your existing infrastructure and security posture, you may need to roll out several new tools as you ramp up your SOC 2 program. Tools that can collect asset inventory, generate tickets for capturing compliance tasks, as well as manage security and compliance reporting. You will also need tools for threat and intrusion detection, file integrity monitoring and vulnerability management. You’ll face many build versus buy decisions. If you have time, but not enough budget, you may choose a DIY approach. In that example, your Access Onboarding & Termination Policy might consist of open-source tools and custom scripts. If you need to move faster, you could buy a tool like Openlane to automate onboarding, termination and auditing.
Cost | Time |
---|---|
$5-$50k depending on the mix of commercial and DIY | 2 months |
Staff Training
Another important cost to consider is security training. You will want to start conducting annual security awareness training, either in-house or through a third party, if you don’t already. Someone will need to make sure the entire company attends the training and that all employees sign off on receiving it. Expect this to incur logistical costs and impact team productivity, which is a lesser-known SOC 2 cost.
Cost | Time |
---|---|
~$5k | 1 Week |
Conclusion
To summarize your SOC 2 compliance checklist, set realistic expectations and anticipate the time and cost you will need to invest in SOC 2. Delegate SOC 2 responsibilities to senior staff members who can own the project from start to finish, involve your legal team in refining agreements and ensure all staff members receive regular security awareness training. Expect the cost and time requirements to equal:
SOC 2 Certification Cost | Cost | Time |
---|---|---|
Auditor | $17,000 | |
Project Lead | $75,000 | 6 months |
Readiness Assessment | 2 weeks | |
Legal Review | $10,000 | 2 weeks |
Tools | $30,000 | 2 months |
Security Training | $5,000 | 1 week |
Total | $147,000 | 6 months |
We’ve created an open-source SOC 2 templates tool for every single SOC 2 policy. You can download each and customize them to suit your specific business needs. They’re 100% free.