SOC2 Practice for SMBs

This post is to show how a small or medium sized service company to get into SOC2 readiness.

 

Timelines and Cost

SOC 2 Certification Cost for SMBs with Up to 50 Employees

The approximate SOC 2 compliance cost breakdown for SMBs with up to 50 employees might be around $91,000, as detailed in the table below.

Stage		Duration*	Cost*
Pre-Assessment	Pre-Assessment Supervision	4 months	$36,000
	Software Licenses	1 month	$12,000
	Penetration Test	2 weeks	$8,000
	Awareness Training	3 days	$5,000
External Audit	Audit	3 months	$30,000
Total Cost		7 months	$91,000

* the duration and expenses can vary

SOC 2 Certification Timeline for SMBs with 50-250 Employees

Stage		Duration*	Cost*
Pre-Assessment	Pre-Assessment Supervision	7 months	$62,000
	Software Licenses	1 month	$60,000
	Penetration Test	2 weeks	$25,000
	Awareness Training	3 days	$9,000
External Audit	Audit	3 months	$30,000
Total Cost		10 months	$186,000

From: https://underdefense.com/

Framework Topics

Governance : Leadship Oversight, Policies, Risk Management
Human Resources : Onboarding, Offboarding

Asset management: Asset Inventory, Laptops, Hardware, Software

Access Control: Administrative Access, Least privilege

Physical Security: Facilities

Network Security: Firewalls, Routers, IDS/IPS

Change Control/SDLC : Product development, DevSecOps, Agile, Scrum

Incident Management: Incident Identification, Management, Communications

BCP/DR: Backups and Recovery

Monitoring: Alerts, Logs, and Communication

Effort Estimates

Leadership - 2-4 hours: walkthroughs, gathering evidence
Security / GRC (Governance, Risk, Compliance) - 10-20 hours: walkthroughs, gathering evidence, Coordination
Information Technology - 8-16 hours: walkthroughs, gathering evidence
Engineering - 4-8 hours: walkthroughs, gathering evidence
HR, Legal, Facilities - 5-10 hours: walkthroughs, gathering evidence

References

• https://underdefense.com/blog/how-much-does-soc-2-cost/