Here’s a five-question Q&A on all things SOC 2. It’s based on our team’s collective 124 years of security and compliance experience, and it’s straight to the point.
Do I really need SOC 2?
Yes, if you have customers and prospective customers asking for it. Or you anticipate them asking for it in 3-6 months. Otherwise, don’t get SOC 2 if you don’t need it – audits are miserable enough already.
What’s the difference between Type 1 and Type 2?
When should I start prepping for SOC 2?
If you’re short on time: Now, especially if clients and prospects are asking for proof of SOC 2 and or it’s holding back your sales deals. Once you start prep, you can confidently tell clients that you’ll get SOC 2 in the near future.
If time is not an issue: Whenever works best. We recommend you go straight to Type 2 so you only prep for and pay for one audit.
How much does SOC 2 cost?
In our experience, we’ve seen total costs ranging from as high as $120K ($90K for prep + $30K for the audit) to as low as $12K total. Reputable vendors typically charge $27K – $30K in total.
Nowadays, you can find everything from bargain basement prices (and quality of work) to the Cadillac of SOC 2 prep – make sure you do due diligence and comparison shop. And use our SOC 2 ROI guide to help you get realistic ballpark prices when you’re comparing vendors and auditors.
Can I just go straight to Type 2?
Yes, especially if you’re not in a rush and want to get all of it done the first time around (check out our EZ SOC 2 program to go straight to Type 2 and save $22,000).