
How to Prepare for a SOC 2 Audit in 90 Days

SecuritComply · June 17, 2026

90 Days Is Enough — For Type I

If a customer is holding a contract until you produce a SOC 2 report, 90 days is a realistic runway for a Type I report (controls suitably designed at a point in time). A Type II report requires an observation period — typically 3 to 12 months — so you can't compress that. The winning move: get Type I done in 90 days to close the deal, and start your Type II observation window on day one so the longer report follows naturally.

This plan assumes Security-only scope (the most common starting point) and a small-to-mid engineering org.

Days 1–15: Scope, Auditor, and Reality Check

Define your scope. Decide which product, systems, and Trust Services Criteria are in. Start with Security (the Common Criteria) unless a customer explicitly demands Availability, Confidentiality, Processing Integrity, or Privacy. A tight scope is faster and cheaper.

Pick your auditor early. SOC 2 reports can only be issued by a licensed CPA firm. Good auditors book out weeks ahead, so engage now. Ask about Type I + Type II bundling and Canadian client experience.

Run a gap analysis. Compare where you are against the Common Criteria (CC1–CC9). Be honest. The output is your punch list for the next 75 days: missing policies, no formal access reviews, unencrypted backups, no incident response plan, ad-hoc onboarding/offboarding, and so on.

Assign an owner. One person must own the program day-to-day. SOC 2 prep dies when it's "everyone's" job.

Days 16–40: Policies and Foundations

Auditors expect documented, approved, and followed policies. Draft and ratify the core set:

  • Information Security Policy
  • Access Control Policy
  • Change Management Policy
  • Risk Assessment and Management
  • Incident Response Plan
  • Vendor / Third-Party Risk Management
  • Business Continuity and Disaster Recovery
  • Acceptable Use Policy
  • Data Classification and Retention Policy

Two rules: policies must be approved by leadership, and your actual practice must match what they say. An auditor will compare the policy to reality. A modest policy you follow beats an ambitious one you ignore.

In parallel, stand up the foundations:

  • Risk assessment — a real, documented one, with treatment decisions.
  • Security awareness training — assign it to all staff and capture completion.
  • Centralized identity — SSO and MFA everywhere you can.

Days 41–70: Implement and Operate Controls

This is the heart of the work — turning policy into operating controls and generating evidence:

Access management

  • Unique accounts, MFA, least privilege
  • A documented access review (run at least one before the audit)
  • Formal onboarding/offboarding checklists with evidence

Change management

  • Code changes go through pull requests with review and approval
  • CI/CD with traceability; production access is restricted and logged

Monitoring and logging

  • Centralized logs, alerting, and retention
  • Vulnerability scanning and a patching cadence

Data protection

  • Encryption in transit and at rest
  • Tested backups and a documented recovery process

Vendor risk

  • An inventory of sub-processors with risk ratings and reviews (collect their SOC 2 / ISO reports)

Incident response

  • The plan exists and you've done a tabletop exercise you can point to

For Type I, the auditor checks that each control is designed and in place as of the report date. For Type II, they'll test that it operated consistently across the window — which is why clean, continuous evidence from day one matters.

Days 71–85: Evidence and Dry Run

SOC 2 is won or lost on evidence. For every control, you need an artifact: a screenshot, an export, a ticket, a signed policy, a training record, an access-review log. Pull it together now, not during the audit.

Then run an internal readiness review — your own dry run against the auditor's likely request list. Where evidence is thin, fix it while there's still time. Common last-minute gaps: no completed access review, missing offboarding proof, untested backups, and policies that were written but never formally approved.
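One way to produce the access-review and offboarding evidence called for under Days 41–70, and to catch the "no completed access review / missing offboarding proof" gaps named above, as an added example that is not from the post or the SecuritComply product: cross-check an identity-provider account export against the HR roster and emit a dated evidence record. The IdP and HR export shapes, account names and the 90-day staleness threshold are constructed assumptions.

```python
import json
from datetime import datetime

# Constructed sample data (assumed shapes, not a real IdP or HRIS export format).
IDP_ACCOUNTS = [
    {"user": "alice@example.com", "mfa": True,  "last_login": "2026-06-10", "roles": ["admin"]},
    {"user": "bob@example.com",   "mfa": False, "last_login": "2026-06-12", "roles": ["dev"]},
    {"user": "carol@example.com", "mfa": True,  "last_login": "2026-01-03", "roles": ["dev"]},
    {"user": "dave@example.com",  "mfa": True,  "last_login": "2026-06-15", "roles": ["dev"]},
]
HR_ROSTER = {  # employee email -> HRIS employment status
    "alice@example.com": "active",
    "bob@example.com": "active",
    "carol@example.com": "terminated",  # offboarded, but the IdP account still exists
    "dave@example.com": "active",
}
REVIEW_DATE = datetime(2026, 6, 17)


def review_access(accounts, roster, as_of, stale_days=90):
    """Cross-check IdP accounts against HR and return the exceptions found."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if roster.get(user) != "active":  # unknown to HR, or terminated
            findings.append({"user": user, "issue": "account without active employee (offboarding gap)"})
        if not acct["mfa"]:
            findings.append({"user": user, "issue": "MFA not enrolled"})
        last_login = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if (as_of - last_login).days > stale_days:
            findings.append({"user": user, "issue": f"no login in more than {stale_days} days"})
    return findings


def evidence_record(accounts, roster, as_of, reviewer):
    """Build the artifact you hand the auditor: what was reviewed, by whom, and what was found."""
    findings = review_access(accounts, roster, as_of)
    privileged = [a["user"] for a in accounts if "admin" in a["roles"]]
    return {
        "control": "Periodic user access review",
        "as_of": as_of.strftime("%Y-%m-%d"),
        "reviewer": reviewer,
        "accounts_reviewed": len(accounts),
        "privileged_accounts_recertified": privileged,  # system owner signs off on each
        "findings": findings,
        "result": "exceptions noted" if findings else "no exceptions",
    }


if __name__ == "__main__":
    print(json.dumps(evidence_record(IDP_ACCOUNTS, HR_ROSTER, REVIEW_DATE, "reviewer@example.com"), indent=2))
```

Each finding then becomes a ticket (disable the account, enrol MFA, confirm the stale account), and the ticket plus this record is the evidence pair the auditor asks for.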

Days 86–90: The Audit

For a Type I, the auditor reviews your control design and evidence as of the report date, interviews owners, and may request live walkthroughs. Be responsive — a tidy evidence repository turns a stressful audit into a quick one. Address any exceptions, and you'll have your report.

Then keep operating the controls. Your Type II observation period — which you started on day one — continues, and 3–6 months later you can produce the report most enterprise buyers ultimately want.

What Derails a 90-Day Timeline

  • Scope creep — adding extra criteria "while we're at it." Don't.
  • No single owner — the fastest way to lose two weeks.
  • Policies without practice — auditors test the gap between the two.
  • Evidence archaeology — scrambling to reconstruct proof at the end. Capture as you go.
  • Booking the auditor late — their calendar, not yours, sets the end date.

Bottom Line

Ninety days is enough to walk into a Type I audit genuinely prepared — if you scope tightly, assign one owner, write policies you actually follow, and treat evidence as a daily habit rather than a final scramble. Start the Type II clock immediately and the bigger report takes care of itself.

SecuritComply gives you the SOC 2 Common Criteria pre-loaded, a guided readiness wizard, policy templates, and one place to collect and track evidence — with all data kept in Canada. Start free or see the 3-minute demo.
