Why SOC 2 lands on your desk

For most small and mid-sized businesses, SOC 2 isn't a strategic choice — it's a sales blocker. A prospect's procurement team asks for the report, the deal stalls, and suddenly compliance is everyone's problem. The good news: the framework is principles-based, so a lean team can pass it.

Pick your Trust Services Criteria

SOC 2 covers five criteria, but only Security (the "common criteria") is mandatory. Add Availability if you sell uptime, Confidentiality if you handle customer secrets, and skip Processing Integrity and Privacy unless a contract demands them. Scoping tightly is the single biggest cost lever.

The 90-day readiness arc

  1. Weeks 1–2: gap assessment. Map your current controls to the common criteria. Most SMBs already do 60% of this informally.
  2. Weeks 3–6: close the gaps. MFA everywhere, centralized logging, a documented access-review cadence, and an incident response plan.
  3. Weeks 7–10: write the policies. Information security, access control, change management, vendor management, and incident response. Keep them short and real.
  4. Weeks 11–12: start the observation window. Type II requires evidence over time (typically 3–12 months), so begin collecting now.

Evidence is the whole game

Auditors don't grade intentions — they sample evidence. Automate collection where you can: access-review exports, ticket trails for changes, and screenshots of MFA enforcement. A control you can't prove is a control you don't have.

The teams that struggle aren't the ones with weak security — they're the ones who can't show their work.

What to avoid

  • Over-scoping criteria you don't need.
  • Writing aspirational policies you don't actually follow; auditors test the gap.
  • Treating readiness as a one-time project rather than a continuous posture.