Pharma & Compliance · May 13, 2026 · 8 min read

SOC 2 readiness in plain English

Five Trust Service Criteria, Security mandatory and the rest optional. Type 1 vs Type 2. The pragmatic 6-month timeline — not the year-long ordeal it’s made out to be.


Most teams approach SOC 2 like a 200-page form they have to fill in. It’s not. SOC 2 is a framework for proving you take security seriously, evaluated by an independent auditor against a fixed set of criteria. The criteria are public. The framework is finite. Done right, the first audit is a 6-month project — not the year-long ordeal it gets characterized as.

Here’s what SOC 2 actually is, in plain English.

Figure: SOC 2 — five Trust Service Criteria pillars, with Security mandatory and the others optional

The five Trust Service Criteria

SOC 2 evaluates you against up to five “Trust Service Criteria”:

  • Security (mandatory). Access controls, encryption, vulnerability management. This is the only one you HAVE to include. Most B2B SaaS companies get SOC 2 with only Security in scope, especially for the first audit.
  • Availability (optional). Uptime SLAs, incident response, business continuity planning. Add this if you sell to customers who care about uptime commitments.
  • Confidentiality (optional). Data classification, NDAs, secure destruction. Add this if you handle customer data marked as confidential.
  • Privacy (optional). PII handling, consent, access requests. Often required for healthcare or consumer-facing apps.
  • Processing Integrity (optional). Data accuracy, completeness, monitoring. Rarely scoped — usually relevant only for financial/regulated domains.

Practical advice: scope just Security for your first audit. Add others when a customer explicitly asks for them. Adding scope adds cost and time.

Type 1 vs Type 2

  • Type 1 — a snapshot. “On June 1, 2026, your controls were in place.” You can get this in 2-3 months.
  • Type 2 — a movie. “Over the past 6-12 months, your controls were in place AND operating effectively.” Real validation; takes longer to earn.

Most customers will accept a Type 1 for the first 6 months while you accumulate a Type 2 audit window. Plan for both: Type 1 quickly, Type 2 the following year.

What the audit actually checks (Security)

  1. Logical access: SSO, MFA, role-based access, periodic access reviews, deprovisioning on termination.
  2. Change management: code reviews, approved deploys, audit trail of who changed what.
  3. Vulnerability management: dependency scanning, regular patching, a documented process for handling discovered vulns.
  4. Risk assessment: a documented risk register, regularly reviewed.
  5. Vendor management: a list of your subprocessors, their SOC 2 status, periodic review.
  6. Incident response: a documented plan, tested at least once, incident log with timestamps.
  7. Encryption: data in transit (TLS), data at rest (database + backup encryption), key management.
  8. Monitoring: logs, alerts, retention policy (typically 90+ days), who reviews them.
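As an added illustration of what evidence for item 1 (periodic access reviews, deprovisioning on termination) looks like in practice, here is a small Python reconciliation of an IdP user export against an HR roster. It is not the article's own tooling; the data is constructed and the field names are assumptions.

```python
from datetime import date

# Constructed sample data, not from the article: an HR roster and an IdP user export.
HR_ROSTER = {
    "alice": {"active": True,  "terminated_on": None},
    "bob":   {"active": False, "terminated_on": date(2026, 4, 30)},
    "carol": {"active": True,  "terminated_on": None},
}
IDP_USERS = [
    {"user": "alice", "enabled": True, "mfa": True,  "last_login": date(2026, 5, 10), "owner": None},
    {"user": "bob",   "enabled": True, "mfa": True,  "last_login": date(2026, 5, 2),  "owner": None},
    {"user": "carol", "enabled": True, "mfa": False, "last_login": date(2026, 1, 3),  "owner": None},
    # Service account: no HR record of its own; accountability goes through its human owner.
    {"user": "svc-deploy", "enabled": True, "mfa": False, "last_login": date(2026, 5, 12), "owner": "bob"},
]


def review_access(hr, idp, today, stale_days=90):
    """Reconcile enabled IdP accounts against HR; return sorted (user, issue) findings."""
    findings = []
    for acct in idp:
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing to review
        name, owner = acct["user"], acct["owner"]
        person = hr.get(owner or name)  # service accounts are judged by their owner
        if person is None:
            findings.append((name, "no HR record for enabled account"))
            continue
        if not person["active"]:
            days = (today - person["terminated_on"]).days
            who = "owner" if owner else "user"
            findings.append((name, f"enabled {days} days after {who} termination"))
            if acct["last_login"] > person["terminated_on"]:
                findings.append((name, "login after termination date"))
        if owner is None and not acct["mfa"]:
            findings.append((name, "MFA not enforced on human account"))
        idle = (today - acct["last_login"]).days
        if idle > stale_days:
            findings.append((name, f"stale: no login in {idle} days"))
    return sorted(findings)


def run_sample():
    """Run the review against the constructed data as of a fixed review date."""
    return review_access(HR_ROSTER, IDP_USERS, date(2026, 5, 13))


if __name__ == "__main__":
    for user, issue in run_sample():
        print(f"{user:12} {issue}")
```

Each finding is exactly the kind of item an auditor expects to see closed (or risk-accepted with a date and approver) in the access review record.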

The pragmatic timeline

  • Month 0-1: pick a compliance platform (Vanta, Drata, Tugboat). Connect integrations.
  • Month 1-3: remediate gaps. Most are policy documents you need to write + a couple of technical changes.
  • Month 3-4: select an auditor. Schedule the audit.
  • Month 4-6: the audit itself. Auditors collect evidence; you answer questions; they issue the report.
  • Month 6-18: the Type 2 observation window. Controls keep operating; evidence accumulates automatically via your compliance platform.

What NOT to do

  • Don’t try to do this without a compliance platform. The platforms automate ~70% of evidence collection.
  • Don’t scope all five criteria for your first audit. Security only.
  • Don’t pick the cheapest auditor. SOC 2 reports vary in rigor; cheap audits get challenged by sophisticated customers.
  • Don’t fake controls. The audit checks evidence, not aspirations. “We have an incident response plan” without an incident response log is a finding.

How we approach this

For clients pursuing SOC 2 via our cybersecurity and security & compliance work, we run the technical remediation in parallel with the policy work. Most customers reach Type 1 within 4 months and Type 2 in the following 12. The total cost (platform + auditor + engineering remediation time) typically lands between $40K and $100K for a small SaaS — not the $500K some procurement teams budget.

Takeaways

  • Scope Security only for the first audit.
  • Type 1 quickly, Type 2 over the next year.
  • Use a compliance platform — Vanta, Drata, Tugboat. Don’t roll your own.
  • The audit checks evidence, not intention.