Building SOC2 Security Program (High Level) Roadmap

This roadmap assumes you are starting from scratch and covers only the SOC 2 Security Criteria, not the Availability, Confidentiality, Processing Integrity, and Privacy Criteria. It also assumes that you will go for the SOC2 Type 2 Report in 12–18 months.

The Benefits of SOC2

  • Establishing a third-party opinion on which — or all — of the Trust Services Principles apply to your organization.

SOC2 consists of three types of documents:

  • Narratives: Narratives provide an overview of the organization and the compliance environment.

1 Month

SOC2 Type 1 Audit (Only if you have money in the budget for it)

  • This will allow your company to look at your security controls at a point in time.

3 Months

  • Decide on the Scope of the Audit

Based on the gaps identified in the SOC2 Gap Analysis or SOC2 Type 1 Audit

  • Select tools and technologies to close these gaps

6 Months

  • Create a governance program for different security areas like Infrastructure, Application, HR and Personnel Security, and others

Review the contracts of your company's customers, vendors, and partners (ensure contracts are standardized)

  • Review 5 Customers

Develop Narratives

  • Organizational Narratives

7 Months

  • Roll out security awareness training for the company and Engineering teams using a security awareness training tool

9 Months

  • Start gathering evidence

12 Months

  • Successfully Complete SOC2 Type 2 Audit

You can see the ISO 27001 Security program roadmap here.

You can purchase some of my prepared SOC2 documents that are ready for download at


