SOC 2 Type II Prep: The Controls That Actually Matter — G8KEPR Blog
Compliance · 9 min read · April 8, 2026

SOC 2 Type II Prep: The Controls That Actually Matter

After mapping G8KEPR's own controls against the AICPA Trust Services Criteria, we found most teams waste time on low-impact controls while leaving CC6.1 and CC7.2 under-documented. Here is where to focus your first 90 days.

SOC 2 Type II is a six-to-twelve month process. You spend the first few months implementing and documenting controls, then an external auditor observes your controls operating over a minimum 6-month period, then they write the report. Most teams spend the first few months on the wrong things.

Based on our experience mapping G8KEPR's own controls against the AICPA Trust Services Criteria — and talking to security teams who have been through the process — here is a prioritised framework for the first 90 days.

The CC Series: Where Auditors Actually Look

The Common Criteria (CC) series covers security and is the only TSC required in all SOC 2 audits. Everything else (Availability, Confidentiality, Processing Integrity, Privacy) is optional. Most enterprise buyers care most about CC6 (logical access) and CC7 (monitoring). Start there.

CC6.1 — Logical and Physical Access

This is the control auditors look at hardest. They want to see who has access to what, how that access was granted, how it is reviewed, and how it is revoked. Practically: an access matrix, evidence of MFA enrollment for everyone, evidence that leavers are deprovisioned promptly, and evidence of periodic access reviews.

CC7.2 — System Monitoring and Alerting

Auditors want evidence that you are watching your systems and responding to anomalies. This means: a logging setup that captures meaningful events, alerting on those events, and incident records showing that alerts were investigated. You do not need a SOC — you need a documented process and evidence that it was followed.
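What that evidence looks like in code, as an added example that is not G8KEPR's own tooling: a small detector runs over constructed authentication log lines, raises an alert when one account accumulates five failed logins within five minutes, and then checks every alert against an incident register. The log line format (`timestamp user outcome`), the register layout, the alert id scheme and the threshold are all assumptions for illustration; the point is that the output of the last function is the list an auditor will ask about.

```python
"""CC7.2 in miniature: alerts fired, and each one has an investigation record.

Added example, not G8KEPR's code. The log format, incident register layout,
alert id scheme and threshold are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from a real system): "timestamp user outcome".
AUTH_LOG = """\
2026-04-08T09:00:01Z bob FAIL
2026-04-08T09:00:09Z bob FAIL
2026-04-08T09:00:20Z bob FAIL
2026-04-08T09:00:31Z bob FAIL
2026-04-08T09:00:44Z bob FAIL
2026-04-08T09:05:00Z alice OK
2026-04-08T11:30:00Z carol FAIL
2026-04-08T11:31:00Z carol OK
"""

# Constructed incident register: alert id -> investigation record.
INCIDENTS = {
    "AUTH-BRUTE-bob-2026-04-08T09:00:01Z": {"ticket": "INC-1042", "closed": True},
}

FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn log lines into (timestamp, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, outcome))
    return events


def detect_failed_login_bursts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Alert when a single user accumulates `threshold` failures inside `window`."""
    recent_fails = defaultdict(list)
    alerts = []
    for ts, user, outcome in events:
        if outcome != "FAIL":
            continue
        q = recent_fails[user]
        q.append(ts)
        # Discard failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.pop(0)
        if len(q) >= threshold:
            first = q[0].strftime("%Y-%m-%dT%H:%M:%SZ")
            alerts.append({"id": f"AUTH-BRUTE-{user}-{first}", "user": user, "count": len(q)})
            q.clear()  # one alert per burst, not one per additional failure
    return alerts


def evidence_gaps(alerts, incidents):
    """Alert ids with no investigation record: the auditor's follow-up list."""
    return [a["id"] for a in alerts if a["id"] not in incidents]


if __name__ == "__main__":
    fired = detect_failed_login_bursts(parse_log(AUTH_LOG))
    print("alerts:", fired)
    print("uninvestigated:", evidence_gaps(fired, INCIDENTS))
```

Running this on a schedule and archiving both lists gives you the two artifacts the criterion asks for: proof that alerting happened and proof that someone looked at each alert. A non-empty `evidence_gaps` result is itself a finding to fix before fieldwork, not something to explain away during it.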

The Evidence Gap Most Teams Miss

Having a control implemented is not the same as having evidence the control is operating. A SOC 2 Type II audit observes controls operating over time. If you implement MFA in month 1 and have no evidence it was enforced in months 4, 5, and 6 of the observation period, you will have a finding.

The practical fix: automate evidence collection from day one. MFA enforcement reports, access reviews, change management tickets, backup restore test logs — if these are not generated automatically and stored in a retrievable format, you will spend the last month of your audit period scrambling to reconstruct them.
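As an added example of that automation (not G8KEPR's code), the script below builds one CC6.1 evidence record per run from a constructed identity-provider export: it lists active accounts without MFA, lists leavers whose accounts are still active past a deprovisioning SLA, and writes the result with a SHA-256 digest so that each stored record is retrievable and tamper-evident across the observation period. The field names in the export, the five-day SLA and the record layout are assumptions.

```python
"""Automated CC6.1 evidence snapshot: MFA coverage and leaver deprovisioning.

Added example, not G8KEPR's code. Assumes you can export the user directory
(with MFA status) and the leaver list from your IdP or HR system; the field
names, the SLA and the record layout are assumptions for illustration.
"""
import hashlib
import json
from datetime import date, timedelta

# Constructed sample export (not real data).
USERS = [
    {"user": "alice", "mfa_enrolled": True,  "active": True},
    {"user": "bob",   "mfa_enrolled": False, "active": True},
    {"user": "carol", "mfa_enrolled": True,  "active": True},
    {"user": "dave",  "mfa_enrolled": True,  "active": True},   # leaver, still active
]
LEAVERS = [
    {"user": "dave", "last_day": "2026-03-01"},
    {"user": "erin", "last_day": "2026-03-20"},   # already deprovisioned
]

DEPROVISION_SLA_DAYS = 5  # assumed internal SLA


def find_mfa_gaps(users):
    """Active accounts with no MFA enrolment."""
    return sorted(u["user"] for u in users if u["active"] and not u["mfa_enrolled"])


def find_stale_leavers(users, leavers, as_of, sla_days=DEPROVISION_SLA_DAYS):
    """Leavers whose accounts are still active after last_day + SLA."""
    active = {u["user"] for u in users if u["active"]}
    stale = []
    for lv in leavers:
        deadline = date.fromisoformat(lv["last_day"]) + timedelta(days=sla_days)
        if lv["user"] in active and as_of > deadline:
            stale.append(lv["user"])
    return sorted(stale)


def _digest(body):
    # Canonical JSON so the digest does not depend on key order or whitespace.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence_record(users, leavers, as_of_iso):
    """One retrievable evidence artifact per run, carrying its own digest."""
    as_of = date.fromisoformat(as_of_iso)
    body = {
        "control": "CC6.1",
        "as_of": as_of_iso,
        "active_population": sum(1 for u in users if u["active"]),
        "mfa_not_enrolled": find_mfa_gaps(users),
        "stale_leavers": find_stale_leavers(users, leavers, as_of),
    }
    body["passed"] = not body["mfa_not_enrolled"] and not body["stale_leavers"]
    body["sha256"] = _digest(body)
    return body


def verify_evidence_record(record):
    """Recompute the digest to confirm a stored record has not been edited."""
    body = {k: v for k, v in record.items() if k != "sha256"}
    return _digest(body) == record["sha256"]


if __name__ == "__main__":
    rec = build_evidence_record(USERS, LEAVERS, "2026-04-08")
    print(json.dumps(rec, indent=2))
    print("intact:", verify_evidence_record(rec))
```

Schedule it daily, write each record to append-only storage, and the access-review conversation with the auditor becomes "here are 180 records, here are the days that failed and the tickets that fixed them" rather than a reconstruction from memory. The digest matters because a record you could have quietly rewritten after the fact is weaker evidence than one you demonstrably could not.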

Controls You Can Deprioritise in the First 90 Days

  • CC9 (Risk mitigation) — important, but auditors focus more on CC6/7/8 for Type II
  • Physical safeguards — unless you operate your own datacenters, cloud provider certifications cover most of this
  • Vendor risk assessments — required eventually, but not blocking for initial certification
  • Privacy TSC — only needed if you add it to scope, which adds 3+ months to prep

The Timeline That Actually Works

  1. Month 1-2: Gap assessment, access control implementation, logging setup
  2. Month 3: Policies written and ratified, MFA enforced, change management process documented
  3. Month 4-9: Observation period begins — evidence collection runs automatically
  4. Month 10-12: Auditor fieldwork, report drafting, final review