Compliance 2026-05-19 7 min read

A 6-month SOC 2 roadmap for first-time founders

What to actually do, week by week, to go from no compliance program to a Type I report in six months. Budget £30-40k year one, including the auditor.

SOC 2 is not technically difficult. It is administratively voluminous. The mistake first-time founders make is confusing the auditor's evidence pack with the work itself — the auditor needs the artefacts; you need the underlying controls to actually exist.

Here is the order that has worked across the engagements we have run, compressed into a 6-month plan you can drop straight into a roadmap.

Month 1 — scope and policies

  1. Pick the trust services criteria. Almost always: Security + Confidentiality. Defer Availability, Processing Integrity, Privacy unless a customer has explicitly asked.
  2. Adopt a baseline 12-policy library (Information Security, Access Control, Change Management, Incident Response, BCP, Vendor Risk, Data Classification, AUP, Cryptography, Logging, Backup, Risk Management). Raize ships these as templates.
  3. Get the founder to actually read them, then countersign. An auditor will ask.
  4. Set up an internal risk register with 8-12 entries. Do not start with 80. You will not maintain it.

Month 2 — evidence plumbing

  1. Connect your cloud (AWS / GCP / Azure). Drift findings will be ugly. Good. Fix the high-severity ones first.
  2. Connect your identity provider (Okta / Google Workspace / Azure AD), so the quarterly access review template is ready to run from a live user export.
  3. Connect your code repo (GitHub / GitLab) so you have a clean change-management audit trail.
  4. Stand up MFA enforcement org-wide. This is the single biggest day-1 evidence ask, and the most common reason a Type I gets delayed.

Month 3 — operations layer

  1. Write 5-7 standard operating procedures: code review checklist, quarterly access review, quarterly DR test, key rotation, joiner-mover-leaver, incident post-mortem template.
  2. Run one of each so you have a dated record. Auditors care about evidence of operation, not evidence of writing.
  3. Order DBS / background checks for every employee with production access (£23 in the UK; budget two weeks).
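
The quarterly access review that Month 2 connects and Month 3 runs for the first time is, at its core, a reconciliation of the identity provider's user list against HR's roster: who still works here, who has MFA, who has not signed in for a quarter, and which of those accounts hold privileged roles. The script below is an added example, not Raize code or any auditor's template. It assumes the IdP export (Okta, Google Workspace or Entra ID) has been reduced to the fields on the `Account` class, that HR supplies a set of current employee emails, and that the role names `admin` and `prod-deploy` are the privileged ones; the accounts, roster and dates are constructed sample data.

```python
"""Quarterly access review run over a constructed identity-provider export.

Added example, not Raize code. Assumes the IdP export has been reduced to
the fields on Account, and that HR supplies the roster of current staff.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_DAYS = 90                              # no sign-in for a quarter
PRIVILEGED_ROLES = {"admin", "prod-deploy"}  # hypothetical role names


@dataclass(frozen=True)
class Account:
    email: str
    mfa_enrolled: bool
    last_login: Optional[date]               # None: never signed in
    roles: frozenset


AS_OF = date(2026, 3, 31)                    # constructed quarter-end date

# Constructed sample export; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", True,  AS_OF - timedelta(days=3),   frozenset({"admin"})),
    Account("bob@example.com",   False, AS_OF - timedelta(days=10),  frozenset({"engineer"})),
    Account("carol@example.com", True,  AS_OF - timedelta(days=120), frozenset({"engineer"})),
    Account("dave@example.com",  True,  AS_OF - timedelta(days=2),   frozenset({"prod-deploy"})),
    Account("svc-ci@example.com", False, None,                       frozenset({"prod-deploy"})),
]
SAMPLE_HR_ROSTER = {"alice@example.com", "bob@example.com", "carol@example.com"}
SAMPLE_SERVICE_ACCOUNTS = {"svc-ci@example.com"}


def review_access(accounts, hr_roster, as_of, service_accounts=frozenset(),
                  stale_days=STALE_DAYS):
    """Return (severity, email, issue) findings for a quarterly access review.

    Severity is "high" for anything touching a privileged role or an account
    HR does not recognise; everything else is "medium".
    """
    findings = []
    for acct in accounts:
        privileged = bool(acct.roles & PRIVILEGED_ROLES)
        is_service = acct.email in service_accounts
        base = "high" if privileged else "medium"

        # Joiner-mover-leaver check: a human account HR no longer lists is a
        # leaver whose access was not removed, or an orphan nobody owns.
        if not is_service and acct.email not in hr_roster:
            findings.append(("high", acct.email,
                             "not on HR roster: leaver or orphaned account"))

        # MFA is the day-1 evidence ask; service accounts authenticate with
        # keys rather than interactively, so only human accounts are checked.
        if not is_service and not acct.mfa_enrolled:
            findings.append((base, acct.email, "MFA not enrolled"))

        # Dormant accounts get recertified or removed, service accounts included.
        if acct.last_login is None:
            findings.append((base, acct.email, "never signed in"))
        elif (as_of - acct.last_login).days > stale_days:
            findings.append((base, acct.email, f"no sign-in in {stale_days} days"))
    return sorted(findings)


def mfa_coverage(accounts, service_accounts=frozenset()):
    """Fraction of human accounts with MFA enrolled (1.0 means org-wide)."""
    humans = [a for a in accounts if a.email not in service_accounts]
    return sum(a.mfa_enrolled for a in humans) / len(humans) if humans else 1.0


def render_review(findings, as_of):
    """Dated, plain-text record of the review, suitable for the evidence pack."""
    lines = [f"Quarterly access review as of {as_of.isoformat()}",
             f"{len(findings)} finding(s)"]
    lines += [f"[{sev.upper()}] {email}: {issue}" for sev, email, issue in findings]
    return "\n".join(lines)


if __name__ == "__main__":
    results = review_access(SAMPLE_ACCOUNTS, SAMPLE_HR_ROSTER, AS_OF,
                            SAMPLE_SERVICE_ACCOUNTS)
    print(render_review(results, AS_OF))
    cov = mfa_coverage(SAMPLE_ACCOUNTS, SAMPLE_SERVICE_ACCOUNTS)
    print(f"MFA coverage (human accounts): {cov:.0%}")
```

On the sample data this flags the leaver still holding `prod-deploy`, the CI service account that has never signed in, the engineer without MFA and the dormant engineer, and reports 75% MFA coverage, which is the number an auditor will compare against the "enforced org-wide" claim. The rendered text, dated and kept alongside the sign-off, is the "evidence of operation" the Month 3 step asks for; service accounts are exempted from the roster and MFA checks deliberately, because they are the most common false positive in a first review and the most common place for a real orphan to hide, so listing them explicitly is part of the control.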

Month 4 — external attestation

  1. Commission a penetration test (£8-12k, ~4 weeks lead). Pen Test Partners and Cure53 are both solid for SaaS.
  2. Request quotes from two auditors. A-LIGN and Prescient Assurance are the most common at small-SaaS scale. Expect £15-25k for a Type I.
  3. Fix anything in the high-severity column of the pen test report before the auditor starts.

Month 5 — auditor onboarding

  1. Day-1 evidence pack: readiness self-assessment, architecture + data-flow + trust boundary diagrams, asset register, risk register, sub-processor list with DPAs, 12 policies as PDFs, org chart, change log, incident log, access review log, code review SOP plus a 10-PR sample, DBS certificate, pen test report, vendor risk assessments, BCP with RTO/RPO, DR test results.
  2. Most auditors run on a portal. Mirror the evidence in your own filesystem so you control the source of truth.

Month 6 — fieldwork and report

Fieldwork takes 2-3 weeks. Expect a list of management responses to draft. The report itself lands ~4 weeks after fieldwork closes. Then you start the Type II observation window, which is typically 6-12 months of "keep doing what you said you do".

Want to see the platform?

10-day trial at /pricing. All 13 connectors and all 6 frameworks enabled.