The gap between “we should get SOC 2” and “we’re ready for the auditor” is mostly organization, not rocket science. Here’s a realistic 12-week plan a small team can run alongside the day job.

Weeks 1–2: Scope and baseline

  • Decide which Trust Services Criteria you’ll include. Security is required; add Availability or Confidentiality only if you commit them to customers.
  • Inventory your systems: cloud accounts, code repos, data stores, laptops, and the SaaS tools that touch customer data.
  • Run a gap analysis against the criteria so you know your starting point. Don’t guess — most teams are further along than they fear in some areas and further behind in others.

Weeks 3–5: Fix access and identity

Access is the heart of SOC 2. This is usually the highest-leverage remediation.

  • Enforce MFA everywhere, especially admin access and your identity provider.
  • Move to unique accounts and least privilege; remove shared logins.
  • Establish joiner/mover/leaver: access granted on hire, changed on role change, removed on exit.
  • Run your first access review — list who has access to what and certify keep/revoke/modify. Keep the record; it’s evidence.
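One way to make that first access review repeatable, applying the joiner/mover/leaver, shared-login and MFA rules to an exported grant list and emitting the dated keep/revoke/modify record that serves as evidence. This is an added example, not code from the original post or from Keel; the directory, inventory and role-to-privilege policy are constructed sample data and all field names are assumptions.

```python
"""Quarterly access review: certify keep / revoke / modify and keep the record."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Constructed HR directory: who is still employed and in what role.
DIRECTORY = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "terminated", "role": "engineer"},   # leaver
    "carol": {"status": "active", "role": "support"},      # mover: was an engineer
}

# Constructed access inventory exported from each system, one row per grant.
INVENTORY = [
    {"system": "aws-prod", "account": "alice", "owner": "alice", "privilege": "admin", "mfa": True},
    {"system": "aws-prod", "account": "bob", "owner": "bob", "privilege": "admin", "mfa": True},
    {"system": "github", "account": "carol", "owner": "carol", "privilege": "write", "mfa": False},
    {"system": "db-prod", "account": "ops-shared", "owner": None, "privilege": "admin", "mfa": False},
]

# Least-privilege expectation per role (assumed policy for the example).
ROLE_ALLOWS = {"engineer": {"admin", "write", "read"}, "support": {"read"}}

@dataclass
class Decision:
    system: str
    account: str
    decision: str   # keep | revoke | modify
    reason: str

def review_grant(grant: dict) -> Decision:
    """Apply the shared-login, leaver, mover and MFA rules to one grant, in that order."""
    owner = grant["owner"]
    if owner is None:
        return Decision(grant["system"], grant["account"], "revoke", "shared login with no single owner")
    person = DIRECTORY.get(owner)
    if person is None or person["status"] != "active":
        return Decision(grant["system"], grant["account"], "revoke", "leaver: owner is no longer active")
    if grant["privilege"] not in ROLE_ALLOWS.get(person["role"], set()):
        return Decision(grant["system"], grant["account"], "modify",
                        f"mover: '{grant['privilege']}' exceeds role '{person['role']}'")
    if not grant["mfa"]:
        return Decision(grant["system"], grant["account"], "modify", "MFA not enforced on this account")
    return Decision(grant["system"], grant["account"], "keep", "owner active, privilege matches role, MFA on")

def run_review(inventory: list, reviewer: str) -> list:
    """Review every grant and return the dated certification record (the audit evidence)."""
    stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [{**asdict(review_grant(g)), "reviewer": reviewer, "reviewed_at": stamp} for g in inventory]

if __name__ == "__main__":
    for row in run_review(INVENTORY, reviewer="security-lead"):
        print(row)
```

Export the returned list as CSV or JSON and file it with the quarter's evidence; the rule order matters because a shared admin login is revoked outright rather than merely flagged for MFA.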

Weeks 4–6: Turn on the technical controls

  • Encryption in transit and at rest.
  • Logging and monitoring with alerting on security-relevant events.
  • Vulnerability management — scanning plus a patching cadence.
  • Backups with a restore you’ve actually tested.

Weeks 5–8: Policies and governance

Auditors expect written, approved policies and evidence they’re followed.

  • Adopt a core policy set: information security, access control, change management, incident response, vendor management, business continuity, and acceptable use.
  • Get them formally approved and dated. A draft policy is not a control.
  • Stand up a risk register: identify risks, rate them, assign owners and treatments.
  • Do a vendor inventory with criticality tiers and a review cadence.

Weeks 6–9: Pick your auditor

  • Get 2–3 quotes from CPA firms that audit companies your size.
  • Decide Type I vs Type II and, for Type II, your observation window (a 3-month window is common for a first report).
  • Confirm scope and timeline in writing. (See our guide on choosing a SOC 2 auditor.)

Weeks 8–12: Evidence and dry run

  • Start collecting evidence continuously — access review records, change tickets, monitoring configs, training completion, vendor reviews.
  • Map each piece of evidence to the criteria it supports so nothing is orphaned.
  • Do an internal dry run: pull the evidence an auditor will ask for and find the gaps before they do.

The mindset shift

The teams that find audits painless treat compliance as an operating routine, not a one-time project: access reviews happen every quarter, evidence is captured as work happens, and readiness is always visible. The teams that suffer try to reconstruct a year of evidence the week before fieldwork.

How Keel helps

Keel turns this plan into a guided workflow: one-click starter controls mapped to the criteria, policy templates you approve and export, access reviews that generate evidence automatically, a risk register and vendor module, and a live readiness view so you always know what’s left. Evidence attaches to controls once and counts toward every framework you’re pursuing.

Start free and turn this checklist into a working program. For the full evidence list, see our SOC 2 evidence checklist.