SOC 2 Type I in 90 Days: A Practical Playbook
Ninety days is achievable — but only if you start with the right scope, move fast on remediation, and don't underestimate the evidence burden. Here's exactly how to do it.
Type I first. Type II next.
SOC 2 Type I is achievable in 90 days. SOC 2 Type II is not — it requires evidence of controls operating effectively over a period of time, typically 6–12 months. For most organizations, the right strategy is to pursue Type I first to unblock near-term deals, then move directly into the Type II audit period.
The 90-day timeline assumes a focused effort with executive sponsorship, a defined scope, and a security program owner (internal or fractional) who can drive the process. Organizations that treat SOC 2 as a part-time project alongside other priorities routinely take 6–9 months to achieve Type I.
This playbook covers the three phases of a 90-day Type I engagement: Scope & Readiness, Remediation & Controls, and Evidence & Audit. Each phase has specific tasks, a clear milestone, and a watch item — the thing most likely to derail you if you're not paying attention.
About this playbook
Written for CEOs, CTOs, and security leaders preparing for their first SOC 2 audit. Assumes no prior SOC 2 experience and a security program that is partially built but not audit-ready.
Know what you're committing to before you start.
Three phases. One audit report.
Scope & Readiness
Define the audit boundary, select your auditor, and establish a clear picture of where you stand.
The most common reason SOC 2 timelines slip is scope creep — systems added late, evidence gaps discovered during fieldwork, or a scope that was never formally agreed upon. This phase locks all of that down before a single control is implemented.
Scope Definition
- Define the systems, services, and data in scope for the audit
- Identify the Trust Services Criteria (TSC) applicable to your service — Security is mandatory; Availability, Confidentiality, Processing Integrity, and Privacy are optional
- Document the scope boundary in writing and get executive sign-off
- Identify all third-party subservice organizations in scope
Auditor Selection
- Issue RFPs to 3–5 licensed CPA firms with SOC 2 experience
- Evaluate auditors on industry experience, timeline flexibility, and communication style — not just price
- Negotiate the audit window and evidence submission deadlines upfront
- Confirm whether the auditor will conduct a readiness assessment or go straight to Type I
Gap Assessment
- Map current controls to the applicable Trust Services Criteria
- Identify and document all control gaps with severity ratings
- Prioritize gaps by audit risk — gaps that will result in exceptions vs. gaps that are informational
- Build a remediation roadmap with owners and target dates
Remediation & Controls
Close the gaps identified in Phase 1 and implement the controls required for the audit period.
For a Type I audit, you need controls to be in place at a point in time. For Type II, you need evidence that controls operated effectively over the audit period — typically 6–12 months, though some auditors will accept a shorter period for a first-time engagement. This phase implements the controls and starts the evidence clock.
Access Control
- Implement multi-factor authentication for all systems in scope
- Conduct a formal access review and remove all unnecessary access
- Document the access provisioning and de-provisioning process
- Implement privileged access management for production systems
Risk & Policy
- Complete a formal risk assessment and document the results
- Draft or update the Information Security Policy and supporting policies
- Implement a vendor risk assessment process for subservice organizations
- Establish a formal change management process for in-scope systems
Technical Controls
- Implement endpoint detection and response (EDR) on all managed endpoints
- Configure centralized logging for all in-scope systems
- Establish a vulnerability management program with defined remediation SLAs
- Implement encryption at rest and in transit for all in-scope data
Evidence & Audit
Collect and organize evidence, conduct a pre-audit review, and execute the audit.
Evidence collection is where most organizations underestimate the effort. A SOC 2 audit requires documented evidence for every control — not just that the control exists, but that it operated as designed. This phase builds the evidence package and prepares the team for auditor fieldwork.
Evidence Collection
- Build an evidence repository organized by Trust Services Criteria
- Collect evidence for each control: screenshots, exports, policy documents, meeting minutes
- Assign evidence owners and establish a collection cadence
- Conduct an internal evidence review against the auditor's request list
Pre-Audit Review
- Conduct a formal readiness assessment against the applicable TSC
- Identify and remediate any remaining evidence gaps
- Brief all control owners on what to expect during auditor interviews
- Review the System Description with your auditor before fieldwork begins
Audit Execution
- Respond to auditor evidence requests within agreed SLAs
- Manage auditor interviews — ensure control owners are prepared and available
- Track and respond to auditor findings in real time
- Review the draft report before it is finalized
Six findings that appear in nearly every first-time SOC 2 audit.
Incomplete access reviews
Access reviews that were conducted but not documented, or that excluded privileged accounts, are among the most common SOC 2 findings. Document everything.
Vendor risk gaps
Subservice organizations (cloud providers, SaaS tools) that handle in-scope data must be assessed. Many organizations discover mid-audit that critical vendors have never been reviewed.
Undocumented change management
Informal change processes that work fine operationally often fail the documentation test. If it's not in a ticket, it didn't happen — at least not as far as the auditor is concerned.
Stale policies
Policies that haven't been reviewed or updated in over 12 months are a common finding. Establish a review cadence before the audit period begins.
Monitoring gaps
Logging and alerting that covers most systems but misses a few in-scope components is a reliable source of exceptions. Audit your monitoring coverage before the auditor does.
Training completion below threshold
Security awareness training completion rates below 90% are frequently cited. Run training completion reports before the audit and chase down stragglers.
Need to hit a SOC 2 deadline?
Paragon Advisory's Compliance Readiness practice has driven SOC 2 Type I engagements from kickoff to report in under 90 days. We own the process — scope, remediation, evidence, and auditor management — so your team stays focused on the product.
Related Reading
Our Services
Paragon Advisory guides mid-market organizations through SOC 2, ISO 27001, HIPAA, and 25+ other frameworks — from gap assessment through audit.
View Compliance Services