Why SOC 2 lands on your desk
For most small and mid-sized businesses, SOC 2 isn't a strategic choice — it's a sales blocker. A prospect's procurement team asks for the report, the deal stalls, and suddenly compliance is everyone's problem. The good news: the framework is principles-based, so a lean team can pass it.
Pick your Trust Services Criteria
SOC 2 covers five criteria, but only Security (the "common criteria") is mandatory. Add Availability if you sell uptime, Confidentiality if you handle customer secrets, and skip Processing Integrity and Privacy unless a contract demands them. Scoping tightly is the single biggest cost lever.
The 90-day readiness arc
- Weeks 1–2: gap assessment. Map your current controls to the common criteria. Most SMBs already do 60% of this informally.
- Weeks 3–6: close the gaps. MFA everywhere, centralized logging, a documented access-review cadence, and an incident response plan.
- Weeks 7–10: write the policies. Information security, access control, change management, vendor management, and incident response. Keep them short and real.
- Weeks 11–12: start the observation window. Type II requires evidence over time (typically 3–12 months), so begin collecting now.
Evidence is the whole game
Auditors don't grade intentions — they sample evidence. Automate collection where you can: access-review exports, ticket trails for changes, and screenshots of MFA enforcement. A control you can't prove is a control you don't have.
The teams that struggle aren't the ones with weak security — they're the ones who can't show their work.
What to avoid
- Over-scoping criteria you don't need.
- Writing aspirational policies you don't actually follow; auditors test the gap.
- Treating readiness as a one-time project rather than a continuous posture.