Building SOC2 Security Program (High Level) Roadmap

Austin Songer
2 min readAug 3, 2022

This is assuming you are starting from scratch and covering only SOC 2 Security Criteria and not Availability, Confidentiality, Processing Integrity, and Privacy Criterias. This is also assuming that you will go for the SOC2 Type 2 Report in 12–18 Months.

The Benefits of SOC2

  • Establishing a third party opinion on which — or all — of the Trust Services Principles apply to your organization.
  • Identifying security gaps in your organization.
  • Demonstrating to clients that you truly take the confidentiality, integrity, and availability of their information seriously.
  • Differentiating yourself from competing companies who have not achieved SOC

SOC2 consists of three types of documents:

  • Narratives: Narratives provide an overview of the organization and the compliance environment.
  • Policies: Policies govern the behavior of employees and contractors.
  • Procedures: Procedures prescribe specific steps that are taken in response to key events.

1 Month

SOC2 Type 1 Audit (Only if you have money in the budget for it)

  • This will allow your company to look at your security controls at a point in time.
  • Around only 2 weeks.

3 Months

  • Decide on the Scope of the Audit
  • SOC2 Gap Analysis (If you didn’t do the SOC2 Type 1 report)
  • Build a Policy Portal
  • Identify and fill gaps in your cybersecurity program.
  • Create and Edit Policies and Other documentation.

From the gaps from SOC2 Gap Analysis or SOC2 Type 1 Audit

  • Select Tools and Technologies to fulfill these gaps
  • IF NO SECURITY TRAINING TOOL: Create security awareness and educational trainings for the company and specific teams (For the time being)
  • Complete risk assessments of high risk processes and come up with gaps and recommendations

6 Months

  • Create a governance program for different security areas like Infrastructure, Application, HR and Personnel Security, and others
  • Deploy and Integrate GRC Tools across functional teams
  • Review Your Vendor/Partner Onboarding Process

Review the contracts of your company Customers, Vendors, and Partners (Ensure contracts are standardized)

  • Review 5 Customers
  • Review 5 Vendors
  • Review 5 Partners

Develop Narratives

  • Organizational Narratives
  • Product & Services Narratives
  • Control Environment Narrative
  • System Architecture Narrative
  • Research and Select Security Awareness Training Tool for the organization

7 Months

  • Rollout security awareness trainings for the company and Engineering teams using Security Awareness Training tool

9 Months

  • Start gathering evidence
  • Finalize Policies and Procedures

12 Months

  • Successfully Complete SOC2 Type 2 Audit

You can see the ISO 27001 Security program roadmap here.

You can purchase some of my prepared SOC2 documents that are ready for download at



Austin Songer

Trusted Veteran | Compassionate. Aspiring. Resourceful.