SOC 2 Type II in 90 Days: What Actually Has to Be True
Compliance
'We need SOC 2 by Q3' is a phrase we hear once a quarter. The 90-day timeline only works if you start with the right scope, run a real audit period, and skip the right shortcuts. Here's what we actually do.
By Arjun Raghavan, Security & Systems Lead, BIPI · May 8, 2025 · 8 min read
'We need SOC 2 by Q3' is a phrase we hear once a quarter, usually from a SaaS founder whose enterprise prospect just asked for the report. It is achievable for most teams. The path is narrower than the consultancies make it sound, and the 90-day timeline only works if you start with the right scope, run a real audit period, and skip the right shortcuts.
What 90 days actually means
SOC 2 Type II measures controls operating effectively over a period, not at a single point in time. The AICPA does not prescribe a minimum observation period; in practice auditors accept three months for a first-time Type II, recommend six to twelve, and expect each subsequent report to cover a full year. (A bridge letter is a different thing: a short management letter covering the gap between the end of one report period and the issue of the next.) 90 days is the floor, not the target.
The 90 days is the audit window. The work to get ready (designing controls, writing policies, deploying tools, training the team) happens before the window opens, because a control that starts operating partway through the window is only tested from the date it started. So 'SOC 2 in 90 days' means: 30 days of preparation, then 90 days of audit period, then 30 days of fieldwork and report drafting. Realistically that is a five-month calendar.
The five trust-service criteria, ranked by effort
SOC 2 is built on the AICPA Trust Services Criteria, which have five categories. Security (the Common Criteria) is mandatory; the other four are optional. Picking the right scope is the most important decision you will make.
- Security (mandatory). Access controls, change management, encryption, vulnerability management, incident response. The bulk of the work.
- Availability (optional). SLA monitoring, backups, DR testing, capacity planning. Worth including for SaaS that contracts on uptime.
- Confidentiality (optional). Data classification and handling. Light lift if you already have data tags. Heavy lift if you do not.
- Processing Integrity (optional). System processes data completely, accurately, timely, with authorised input. Hard for ML systems; rarely worth including unless customers demand it.
- Privacy (optional). Notice, choice, consent, collection, retention, disposal. Skip unless you specifically handle PII at scale and your customers ask for this. GDPR/DPDPA compliance is a separate exercise.
The right first scope for most SaaS startups is Security plus Availability. That covers what most enterprise procurement teams actually check. Adding the other categories later as a scope expansion is straightforward; descoping after the fact is awkward and invites questions.
Continuous monitoring vs point-in-time
Type II tests evidence over the audit period. Point-in-time evidence (a screenshot taken once) does not satisfy it. The auditor wants to see that the control operated continuously, and will sample across the window.
This is what makes Type II hard. Every control needs continuous evidence. Background check policy: did every new hire actually get a check before joining, evidenced by HR records dated before their start date? Access review: did the quarterly review actually run, with documented sign-off? Vulnerability scan: did it run weekly, with high findings tracked to closure?
The teams that pass cleanly are the ones that automate evidence generation. Cron jobs that produce dated artifacts. CI pipelines that produce build logs with timestamps. Calendar invites for quarterly reviews with attendance lists. Evidence is generated by the system, not assembled by the team in panic the week before fieldwork.
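What 'evidence generated by the system' looks like in practice, as an added example that is not BIPI tooling or anything the original post ships: each control run appends a dated record to a hash-chained ledger, so an auditor (or you, the week before fieldwork) can check both that nothing was edited after the fact and that the control actually ran at the required cadence. The control ID, scanner name, host counts and run dates below are constructed sample data; the weekly scan deliberately skips one week so the gap check has something to find.

```python
"""Hash-chained evidence ledger for Type II artifacts.

Added example, not BIPI's own tooling. Control IDs, scanner name,
host counts and run dates are constructed sample data.
"""
import copy
import hashlib
import json
from datetime import date

GENESIS = "0" * 64  # prev_hash of the first record in a ledger


def canonical(obj):
    """Deterministic JSON bytes so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(body):
    return hashlib.sha256(canonical(body)).hexdigest()


def append_record(ledger, control_id, generated_at, payload):
    """Append one evidence record; its hash covers the previous record's hash."""
    body = {
        "control_id": control_id,
        "generated_at": generated_at,  # ISO date the artifact was produced
        "payload": payload,            # the evidence itself (scan summary, sign-off, ...)
        "prev_hash": ledger[-1]["hash"] if ledger else GENESIS,
    }
    rec = {**body, "hash": record_hash(body)}
    ledger.append(rec)
    return rec


def verify_ledger(ledger):
    """Return (True, None) if intact, else (False, index of the first bad record)."""
    expected_prev = GENESIS
    for i, rec in enumerate(ledger):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != expected_prev or record_hash(body) != rec["hash"]:
            return False, i
        expected_prev = rec["hash"]
    return True, None


def coverage_gaps(ledger, control_id, period_start, period_end, max_gap_days):
    """Stretches of the audit period where the control ran less often than required.

    Returns (from_date, to_date) ISO pairs whose spacing exceeds max_gap_days,
    including the run-up from period_start and the tail out to period_end.
    """
    runs = sorted(date.fromisoformat(r["generated_at"])
                  for r in ledger if r["control_id"] == control_id)
    points = [date.fromisoformat(period_start)] + runs + [date.fromisoformat(period_end)]
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(points, points[1:]) if (b - a).days > max_gap_days]


def build_sample_ledger():
    """Constructed sample: a weekly scanner that silently skipped the week of 10 Feb."""
    run_dates = ["2025-01-06", "2025-01-13", "2025-01-20", "2025-01-27", "2025-02-03",
                 "2025-02-17", "2025-02-24", "2025-03-03", "2025-03-10", "2025-03-17",
                 "2025-03-24", "2025-03-31"]
    ledger = []
    for i, d in enumerate(run_dates):
        # Two highs open in the first fortnight, then tracked to closure.
        payload = {"scanner": "example-scanner", "hosts_scanned": 42, "high_open": 2 if i < 2 else 0}
        append_record(ledger, "VULN-SCAN-WEEKLY", d, payload)
    return ledger


def tamper(ledger, index, rehash=False):
    """Simulate editing an old record after the fact (returns a copy).

    With rehash=True the editor also recomputes that record's own hash, which is
    what a naive 'fix-up' looks like; the chain still catches it at the next record.
    """
    forged = copy.deepcopy(ledger)
    forged[index]["payload"]["high_open"] = 0
    if rehash:
        body = {k: v for k, v in forged[index].items() if k != "hash"}
        forged[index]["hash"] = record_hash(body)
    return forged


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", verify_ledger(ledger))
    print("gaps:", coverage_gaps(ledger, "VULN-SCAN-WEEKLY", "2025-01-01", "2025-03-31", 8))
    print("edited in place:", verify_ledger(tamper(ledger, 1)))
    print("edited and rehashed:", verify_ledger(tamper(ledger, 1, rehash=True)))
```

Persist the ledger as one JSON line per record in a versioned bucket or a git repository; the chain makes any edit to history visible, and the gap check answers the question the auditor will actually ask, which is not 'did the scan run' but 'did it run every week of the window'.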
Auditor selection
The auditor is not the same as the audit. Different firms apply the criteria with very different rigour. Talk to three. Ask them: what is your typical first-time engagement timeline? What evidence do you accept for control X? Will you accept controls tailored to our environment rather than a fixed checklist? What is your fee structure for fieldwork that overruns?
Tier-1 firms (Big Four) are slow and expensive but have the strongest market recognition. Mid-market firms specialised in SaaS (BARR Advisory, A-LIGN, Insight Assurance, Schellman) are faster, cheaper, and audit against the same AICPA Trust Services Criteria. The report follows the same attestation standard in either case; the firm name is what enterprise buyers anchor on, so ask your largest prospect whether they have a preference before you sign.
What to skip
Three categories of advice we hear that we ignore.
- GRC platform mandatory. Vanta, Drata, Secureframe, Sprinto, Tugboat are useful but not required. A small team with disciplined evidence collection (a versioned S3 bucket with Object Lock enabled, plus git history for policies and configuration) can pass without one. Save the budget for the auditor.
- Pentest mandatory. SOC 2 does not require an annual pentest. It requires that vulnerabilities are identified and remediated. A continuous vulnerability scanning program with documented remediation is sufficient for the audit. Expect enterprise security questionnaires to ask for a pentest anyway; that is a sales requirement, not an audit one, and a defensible add for high-value targets rather than a checkbox.
- Every employee needs security training every quarter. The criteria do not set a frequency; annual training with completion records is the control nearly every auditor accepts. Quarterly training is admirable but not required. Save the calendar.
Closing
SOC 2 Type II in 90 days is a real timeline if your scope is tight, your evidence is automated, and your auditor is selected for speed. The teams that miss are usually the ones that scope all five categories, hand-collect evidence, and pick a firm whose default timeline is six months. Get those three right and the report shows up on schedule, with the artifact your sales team was asking for.
Read more field notes, explore our services, or get in touch at info@bipi.in.