Back to Blog
SOC 2 7 min read

SOC 2 Project Timeline: 12-Week Roadmap to Type I

A week-by-week 12-week roadmap to SOC 2 Type I readiness: from kickoff through policy writing, control implementation, and auditor engagement.

Key Takeaways
  • 12 weeks from kickoff to Type I readiness is achievable for companies with moderate existing security maturity.
  • Weeks 1–2 are gap analysis; weeks 3–8 are remediation and policy writing; weeks 9–12 are evidence and auditor preparation.
  • Policy writing is the most common schedule risk — assign a single dedicated owner with a hard deadline.
  • Engage your auditor in weeks 2–4, not at the end of preparation — they need lead time to schedule fieldwork.
  • Type I fieldwork typically takes 2–4 weeks after the as-of date.

Weeks 1–2: Kickoff and Gap Analysis

Week 1: Programme kickoff. Assign programme owner. Define scope (Trust Services Criteria to include). Select compliance automation tool. Set up tool integrations (AWS, GitHub, Okta).

Week 2: Gap analysis. Complete the gap analysis against all criteria in scope. Produce a prioritised remediation backlog with owners and target dates. Identify the longest-lead items (penetration test scheduling is typically 6–10 weeks lead time — start immediately).

Weeks 3–4: Auditor Engagement and Policy Sprint

Week 3: Engage your auditor. Request quotes from 2–3 firms. Share your scope and tentative as-of date. Good auditors book 2–3 months in advance — starting this conversation in week 3 is the minimum to avoid scheduling delays.

Week 4: Policy sprint begins. Assign each required policy to a writer. Use templates (AuditPath provides 14 policy templates). Set draft review dates for the following week. Policy approval requires the CTO or CEO — schedule their review time now.

Weeks 5–8: Control Implementation

Week 5–6: Technical controls. Enable GuardDuty in all regions. Activate Security Hub with CIS Benchmark. Enable AWS Config with key rules. Enforce MFA for all users in Okta/Google Workspace. Configure CloudTrail multi-region.

Week 7: Process controls. Conduct first access review (document it thoroughly — this is evidence). Create vendor risk register and collect SOC 2 reports from Tier 1 vendors. Establish change management process in ticketing system.

Week 8: Policy approvals. All policies should be in final draft by now. Obtain executive approval for each policy. Distribute to employees and collect acknowledgements. Record acknowledgements in HR system or compliance tool.

Weeks 9–10: Evidence and Pre-Audit Review

Week 9: Evidence organisation. Map all evidence to controls in your compliance tool. For each control, verify: description is accurate, evidence item exists, evidence owner is assigned. Flag any controls without evidence.

Week 10: Pre-audit review. Walk through every criterion and confirm: control description matches implementation, evidence demonstrates the control, no controls have zero evidence. Complete system description document draft (Section III of your SOC 2 report).

Weeks 11–12: Auditor Fieldwork Preparation

Week 11: Team briefing. Brief all control owners on their specific controls — what the control is, how it works, what evidence supports it. Brief the broader engineering team on the audit process and what to expect if interviewed.

Week 12: Auditor kickoff. Type I fieldwork begins with an auditor kickoff meeting. Confirm the as-of date, system description scope, and criteria covered. Respond to initial evidence requests promptly. Fieldwork for a Type I typically takes 2–4 weeks.

Common Schedule Risks

Policy bottleneck: policies require multiple rounds of review and executive approval. Each policy delayed by one week pushes your readiness back. Mitigate: assign a single policy owner, use templates, set non-negotiable approval deadlines.

Auditor availability: good auditors are booked 2–3 months in advance. If you engage in week 3 but your target as-of date is week 12, you may not be able to get fieldwork scheduled until months later. Engage early.

Penetration test lead time: penetration testing firms typically need 4–6 weeks notice for scheduling. If you wait until week 10 to schedule, the pen test will not be complete before your as-of date. Request quotes in week 2.

MFA rollout resistance: if engineers have MFA exemptions or shared accounts, implementing full MFA enforcement can take longer than expected. Identify exceptions in week 1 and address them immediately.

Frequently Asked Questions

Can we complete SOC 2 Type I preparation in less than 12 weeks?
Yes, with sufficient resources. Companies with existing strong security controls (MFA already enforced, CloudTrail already enabled, existing policies) can complete preparation in 6–8 weeks. The constraint is usually policy writing time and auditor scheduling, not technical controls.
What if we discover major gaps in week 8 that take weeks to fix?
Adjust the as-of date. If significant gaps appear late in preparation, it is better to push your Type I as-of date by 4 weeks than to present the audit with known design gaps. Communicate this to your auditor early and they can adjust their schedule.
How much dedicated time does the programme owner need per week?
During weeks 1–12: 15–25 hours/week during the most intensive phases (gap analysis, policy sprint, pre-audit review). During steady-state observation period: 5–10 hours/week. During audit fieldwork: up to 30 hours/week (responding to evidence requests, coordinating with the team).
Should we do a dry run audit before the actual audit?
Some companies do a readiness assessment with a boutique SOC 2 advisor (not the auditing firm, to avoid independence conflicts). This 1–2 day engagement reviews your evidence and control documentation for gaps before fieldwork. The cost ($2,000–$5,000) can prevent costly exceptions in the actual audit.
What happens after the 12-week Type I preparation?
The Type I as-of date occurs. Auditor fieldwork begins (2–4 weeks). Type I report is delivered (4–8 weeks after fieldwork ends). Simultaneously, your Type II observation period begins — the clock for your first Type II report starts ticking from the day controls are fully operational.

Automate your compliance today

AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.

Start for free