Building SOC2 Security Program (High Level) Roadmap

Building SOC2 Security Program (High Level) Roadmap
This is assuming you are starting from scratch and covering only SOC 2 Security Criteria and not Availability, Confidentiality, Processing Integrity, and Privacy Criterias. This is also assuming that you will go for the SOC2 Type 2 Report in 12-18 Months.

The Benefits of SOC2

  • Establishing a third party opinion on which — or all — of the Trust Services Principles apply to your organization.
  • Identifying security gaps in your organization.
  • Demonstrating to clients that you truly take the confidentiality, integrity, and availability of their information seriously.
  • Differentiating yourself from competing companies who have not achieved SOC

SOC2 consists of three types of documents:

  • Narratives: Narratives provide an overview of the organization and the compliance environment.
  • Policies: Policies govern the behavior of employees and contractors.
  • Procedures: Procedures prescribe specific steps that are taken in response to key events.

1 Month

SOC2 Type 1 Audit  (Only if you have money in the budget for it)

  • This will allow your company to look at your security controls at a point in time.
  • Around only 2 weeks.

3 Months

  • Decide on the Scope of the Audit
  • SOC2 Gap Analysis (If you didn’t do the SOC2 Type 1 report)
  • Build a Policy Portal
  • Identify and fill gaps in your cybersecurity program.
  • Create and Edit Policies and Other documentation.

From the gaps from SOC2 Gap Analysis or SOC2 Type 1 Audit

  • Select Tools and Technologies to fulfill these gaps
  • IF NO SECURITY TRAINING TOOL: Create security awareness and educational trainings for the company and specific teams (For the time being)
  • Complete risk assessments of high risk processes and come up with gaps and recommendations

6 Months

  • Create a governance program for different security areas like Infrastructure, Application, HR and Personnel Security, and others
  • Deploy and Integrate GRC Tools across functional teams
  • Review Your Vendor/Partner Onboarding Process

Review the contracts of your company Customers, Vendors, and Partners  (Ensure contracts are standardized)

  • Review 5 Customers
  • Review 5 Vendors
  • Review 5 Partners

Develop Narratives

  • Organizational Narratives
  • Product & Services Narratives
  • Control Environment Narrative
  • System Architecture Narrative
  • Research and Select Security Awareness Training Tool for the organization

7  Months

  • Rollout security awareness trainings for the company and Engineering teams using Security Awareness Training tool

9 Months

  • Start gathering evidence
  • Finalize Policies and Procedures

12 Months

  • Successfully Complete SOC2 Type 2 Audit

You can see the ISO 27001 Security program roadmap here.

You can purchase some of my prepared SOC2 documents that are ready for download at

Share Tweet Send
You've successfully subscribed to Songer Tech
Great! Next, complete checkout for full access to Songer Tech
Welcome back! You've successfully signed in
Success! Your account is fully activated, you now have access to all content.