If you’re like your competitors, it’s time to factor compliance into your 2021 budget. For most tech companies, that means getting and staying SOC 2 compliant. But how much does SOC 2 cost for a business tackling the process for the first time? Taking on SOC 2 can be complicated and expensive unless you plan it correctly.
There are plenty of factors that can shift the cost of getting SOC 2 compliant. These include:
- Number of employees
- Time frame
- Vendor selection and management
TDLR; without managing your SOC 2 process with experts and a software platform, it could cost upwards of $80,000 and last over 18 months.
Scope and Gap Analysis
Before getting into the execution of your SOC 2, a compliance expert will need to evaluate the information security practices already in place. Whether you’re looking to renew your SOC 2 certification or starting from scratch, this is an important step to understanding the scope of work needed.
Time: 1 week
To get an inside look into the process, check out our blog post on our own SOC 2 gap analysis.
After establishing the gaps that need to be addressed and a remediation plan, your compliance team will dive into implementing SOC 2 controls. While you may think the audit is the most important part of SOC 2, implementation is really the main event. You can learn more about implementation from Laika’s SOC 2 certification here.
This cost varies based on the controls needed, how much you outsource versus build internally, and your timeline. If you handle it internally, you’ll need to make a full-time hire or reallocate other employees’ work, losing some organizational efficiency and productivity.
Time: 1 – 6months
This cost as something can be absorbed internally if you have specific hires to manage the process. Otherwise, you’ll likely be losing around 60-100 hours of work from your current employees.
Risk Assessment and Audit Readiness
After all your controls have been implemented, a compliance task force will need to review the evidence you collected, test the operational effectiveness of your controls, and assess your risk. These steps address audit readiness and involve accepting the amount of risk your organization has deemed acceptable.
Time: 2 weeks
SOC 2 Type 1 Audit
A SOC 2 Type 1 audit takes a snapshot of your compliance at a moment in time. The lift for auditors is less than a Type 2 audit because they will not need to test the long-term operational factors of your controls. Organizations starting out with SOC 2 usually start with a Type 1 audit and build up to a Type 2.
The cost and timing of a SOC 2 Type 1 audit are largely dependent on the size of your company. The range listed below encompasses the cost for companies between 5 – 100 employees.
Time: 2 – 3 months
Cost: $12,000 – $27,000
This price excludes legal fees to review your newly-authored information security policies, gathering evidence for auditors, and demonstrating your implemented controls. Because most auditors charge by the hour, the cost can vary based on the amount of time and back-and-forth involved.
SOC 2 Type 2 Audit
SOC 2 Type 2 audits need to be performed annually and, we won’t lie to you, they’re fairly pricey. Not only does it take a significant amount of time for auditors to check the functionality of your controls, but you’ll also likely have more back-and-forth to answer questions and fix mistakes. Depending on the scope of your SOC 2 and the size of your organization, this audit could take up to 9 months to complete.
Like a Type 1 audit, the cost and timing of a SOC 2 Type 1 audit depend on the size of your company. The range listed below encompasses the cost for companies between 5 – 100 employees.
Time: 3 – 9 months
Cost: $15,000 – $100,000+
Again, this price is just for the auditors. It does not factor in legal fees, internal productivity loss, or tools needed to demonstrate your compliance.
Additional SOC 2 Costs
SOC 2 isn’t just a one-and-done task. Many of the costs listed below are recurring or constant tasks that will need to be performed as part of your new security posture.
Control implementation, a risk assessment, and managing an audit requires at least foundational knowledge of SOC 2 compliance. If you opt for a software-only solution to assist on your SOC 2 journey, it’s likely you’ll need to hire a compliance expert consultant to help the process along.
CISO Cost: $550/hr
CISA Cost: $200/hr
Depending on the complexity of your controls and the necessary experience level of your consultant, the cost will vary.
Policy Templates and Writing
If you don’t have in-house counsel or compliance experts, you’ll need to outsource some paperwork to a legal firm. This includes any new policies you’ll need to author, like risk mitigation, privacy policies, formal business continuity plans, etc.
Time: 2 weeks
Depending on which external party handles your audit, you may be able to outsource review of the documents to them as well.
A requirement for SOC 2 is security awareness training for employees. You’ll need to develop the training yourself or outsource; either way, it’ll likely cost time and money to create and execute the training.
Time: 2 weeks
Cost: $1,000/50 employees
The average associated cost depends on the size and maturity of your business, as well as the type of data you handle.
On-going SOC 2 Requirements
A major component for SOC 2 compliance is choosing your vendors, executing due diligence to ensure they are also SOC 2 compliant, or building your own solution to be compliant as needed.
Some of these vendors include endpoint security, logging and monitoring tools, password management, hiring and termination tools and processes, and security awareness training. The cost below is broken down into estimates for each vendor:
Cost: $190 for 5 licenses
Employee background checks
Cost: $20-$100/per hire
SOC 2 compliance can quickly get very expensive. And it can be difficult to calculate your budget when considering multiple factors, from internal productivity loss to audit firms and vendors. However, SOC 2 is only becoming more imperative to do business. Our experts are always here to help; contact the team for advice and to find out more about Laika’s SOC 2 solution.