SOC2 Type II without the security theatre
We got SOC2 Type II in ten weeks with three engineers and no outside consultants. Here’s what we actually did.
Week 1: read the AICPA TSC reference. Map every Trust Service Criterion to either (a) something we already do, (b) something we need to add, or (c) something we’ll get a carve-out for.
Weeks 2-5: implement (b). The big ones for us were: centralized log aggregation, formal access-review cadence (quarterly), encryption-at-rest audit, BCP/DR runbook with an actual game-day.
Weeks 6-8: 30-day observation window with the auditor. No code freeze — that's a myth. Just make sure your controls are running.
Weeks 9-10: report.
The control we changed *afterward* was access reviews. We made them monthly instead of quarterly, because the auditor flagged that two months was too long between someone changing teams and losing the old team’s permissions. SOC2 didn’t require it. Common sense did.
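The gap the auditor flagged is detectable between reviews: compare each user's current team (from the HR roster) against the team that owns each access group they still hold. The check below is an added example, not tooling from the original post; the roster, group ownership table and membership export are constructed sample data, and the group and team names are hypothetical.

```python
# Flag access-group memberships that belong to a user's former team, and
# show which of them already exceed a given review cadence.
from datetime import date

# Hypothetical: which team owns each access group (None = company-wide).
GROUP_OWNER = {
    "payments-prod-admin": "payments",
    "payments-db-ro": "payments",
    "platform-k8s-admin": "platform",
    "all-hands-wiki": None,
}

# Constructed HR roster: user -> (current team, date the move took effect).
ROSTER = {
    "alice": ("platform", date(2024, 1, 15)),   # moved here from payments
    "bob": ("payments", date(2023, 6, 1)),
}

# Constructed group-membership export: user -> groups currently held.
MEMBERSHIPS = {
    "alice": {"payments-prod-admin", "platform-k8s-admin", "all-hands-wiki"},
    "bob": {"payments-db-ro", "all-hands-wiki"},
    "carol": {"platform-k8s-admin"},             # no HR record at all
}

AS_OF = date(2024, 4, 1)  # constructed "today" for the sample run


def stale_memberships(roster, memberships, group_owner, today):
    """Return [(user, group, days_since_team_change)] for every membership
    whose owning team is not the user's current team. Accounts missing from
    the roster are reported for every group they hold, with days=None."""
    findings = []
    for user, groups in memberships.items():
        if user not in roster:
            findings.extend((user, g, None) for g in sorted(groups))
            continue
        team, since = roster[user]
        for g in sorted(groups):
            owner = group_owner.get(g)
            if owner is not None and owner != team:
                findings.append((user, g, (today - since).days))
    return findings


def past_review_window(findings, cadence_days):
    """Findings that have already outlived the review cadence (90 = quarterly,
    30 = monthly). Unknown accounts (days=None) are always included."""
    return [f for f in findings if f[2] is None or f[2] > cadence_days]


if __name__ == "__main__":
    found = stale_memberships(ROSTER, MEMBERSHIPS, GROUP_OWNER, AS_OF)
    for user, group, days in found:
        print(f"{user}: still in {group} ({days} days after team change)")
    print("past a monthly window:", past_review_window(found, 30))
```

Run against a real roster and IdP group export, the same comparison gives the access review a worklist instead of a spreadsheet of every membership.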