SOC 2 Type II in 90 days — the checklist we actually use
You closed your first enterprise prospect call and the buyer said three words that changed your quarter: “send the SOC 2.” You don’t have one. You’ve heard SOC 2 takes nine to eighteen months. The deal closes in six.
We run this play every quarter with Bay Area SaaS clients between 15 and 80 employees. Done well, SOC 2 Type II is roughly a 90-day operation — and most of the work is identity and endpoints, not policy paperwork.
This is the checklist we actually use. No “in today’s threat landscape” filler. No “depending on your unique requirements” hedging.
Scope first. Everything else after.
The single highest-leverage decision is what’s in scope. Inside scope: anything that stores, processes, or transmits customer data. Outside scope: your marketing site, your CRM if it doesn’t touch customer data, the developer’s home Wi-Fi.
A tight scope makes the audit cheaper and the controls actually possible. Sprawling scope is how startups burn nine months.
This week: draw your in-scope system diagram on one whiteboard. Production app, customer database, any service that touches customer data, any identity provider that gates access. If it doesn’t appear on that whiteboard, it’s not in scope.
Identity and access — the 60% of the work
Most SOC 2 findings are identity findings. The Trust Service Criteria you’ll trip on first are CC6.1 (logical access) and CC6.2 (provisioning).
The non-negotiables:
- One identity provider for production access. Okta, Azure AD, or Google Workspace. Pick one.
- SSO for every system in scope. No more local accounts.
- MFA enforced. No exceptions for “the founder’s laptop.”
- Conditional access policies — at minimum block production access from unmanaged devices and from countries you don’t operate in.
- Joiner / Mover / Leaver automation. The most-cited finding in our practice is offboarded staff who still had access weeks later.
This week: pull a CSV of every active account in your identity provider. Match it against your current headcount roster. If the gap is bigger than two, your offboarding is broken.
Endpoints — laptops are the perimeter now
The standard control here is “all production access is from a managed device with full-disk encryption and EDR.”
- MDM on every laptop. Kandji for Mac, Intune for Windows, Jamf if you have both.
- Full-disk encryption on, verified centrally.
- EDR (endpoint detection and response) deployed and reporting to a central console. CrowdStrike, SentinelOne, or Defender for Endpoint. Your insurance underwriter will ask which one.
- Patch posture monitored. You need an answer to “what percentage of your fleet is more than 30 days behind on OS patches?”
Logging and monitoring
Auditors want to see that you can answer two questions: “who accessed production yesterday?” and “if something bad happened, how would you know?”
- Centralized logs from your identity provider, your cloud control plane, and your production application
- Alerting on the obvious things — root logins, MFA failures bursting, identity provider config changes
- Retention of at least 12 months for in-scope logs (this is how Type II is even possible — the auditor samples your operating effectiveness over the audit window)
You don’t need a SIEM at 30 employees. CloudWatch / Cloud Audit Logs / a managed log service like Datadog is enough.
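The three alerts listed above, run over constructed identity-provider log lines, as an added example that is not the author's code or any vendor's format: the JSON field names, event names and the burst threshold (five MFA failures from one user inside five minutes) are assumptions you would map to whatever your log service actually emits.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines in an assumed JSON-lines schema (not a real vendor's),
# in chronological order as a log export would be.
LOG_LINES = """\
{"ts":"2024-05-02T09:00:00Z","event":"mfa.failure","actor":"bob@example.com","src":"203.0.113.7"}
{"ts":"2024-05-02T09:00:20Z","event":"mfa.failure","actor":"bob@example.com","src":"203.0.113.7"}
{"ts":"2024-05-02T09:00:41Z","event":"mfa.failure","actor":"bob@example.com","src":"203.0.113.7"}
{"ts":"2024-05-02T09:01:05Z","event":"mfa.failure","actor":"bob@example.com","src":"203.0.113.7"}
{"ts":"2024-05-02T09:01:30Z","event":"mfa.failure","actor":"bob@example.com","src":"203.0.113.7"}
{"ts":"2024-05-02T09:15:00Z","event":"mfa.failure","actor":"alice@example.com","src":"198.51.100.4"}
{"ts":"2024-05-02T09:16:00Z","event":"login.success","actor":"root","src":"198.51.100.9"}
{"ts":"2024-05-02T10:00:00Z","event":"idp.policy.update","actor":"admin@example.com","target":"mfa_policy"}
{"ts":"2024-05-02T10:30:00Z","event":"mfa.failure","actor":"alice@example.com","src":"198.51.100.4"}
"""

MFA_BURST_COUNT = 5                    # assumed starting threshold, tune to your fleet
MFA_BURST_WINDOW = timedelta(minutes=5)
PRIVILEGED_ACTORS = {"root"}           # root / break-glass accounts that should rarely log in
CONFIG_EVENTS = {"idp.policy.update", "idp.app.update", "idp.admin.role.assign"}

def detect(lines):
    """Return (kind, actor, detail) alerts for the three checklist conditions."""
    alerts = []
    failures = defaultdict(deque)      # per-actor timestamps of recent MFA failures
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ev["event"] == "mfa.failure":
            q = failures[ev["actor"]]
            q.append(ts)
            while q and ts - q[0] > MFA_BURST_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= MFA_BURST_COUNT:
                alerts.append(("mfa_burst", ev["actor"], f"{len(q)} failures within {MFA_BURST_WINDOW}"))
                q.clear()              # one alert per burst, not one per extra failure
        elif ev["event"] == "login.success" and ev["actor"] in PRIVILEGED_ACTORS:
            alerts.append(("privileged_login", ev["actor"], ev.get("src", "")))
        elif ev["event"] in CONFIG_EVENTS:
            alerts.append(("idp_config_change", ev["actor"], ev.get("target", "")))
    return alerts
```

Two isolated failures an hour apart (alice) stay quiet; the five-in-ninety-seconds run (bob), the root login and the MFA policy change each raise one alert, which is the kind of output the auditor wants to see routed somewhere a human reads.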
Backups and recovery testing
The most common finding here isn’t “you don’t have backups.” It’s “you have backups but you’ve never tested restoring from them.”
- 3-2-1-1-0: three copies, two media types, one off-site, one immutable, zero errors at last test
- Quarterly restore test. Document who did it, what they restored, how long it took, what broke. The doc is the artifact your auditor reads.
Vendor management
If you process customer data through a sub-processor, your auditor needs to see that you assessed it.
- Sub-processor list (every SaaS that touches customer data)
- BAAs where applicable (any healthcare data, even if you don’t think of yourself as a healthcare company)
- Annual review of each material sub-processor (their SOC 2 report, their security page, your DPA)
This is paperwork. Allocate a week. Get it done.
Policy library
You need written policies for: access control, change management, incident response, data classification, backup and recovery, vendor management, acceptable use, business continuity, and risk assessment.
Don’t write these from scratch. Vanta, Drata, and Secureframe all ship reasonable starter templates. Customize the four or five that genuinely describe how you operate. The rest can be standard.
Audit prep — what your auditor will actually look at
Three things, in order:
- The list of users with production access, cross-referenced against your HR roster and your identity provider. They’ll pick 5–10 names at random and ask you to show evidence of how each was provisioned and reviewed.
- Change management evidence — pull requests merged to production, approvals, ticket references. They’ll sample.
- Access reviews — quarterly evidence that someone (usually the engineering or IT lead) reviewed who had access to what and either confirmed or revoked.
If those three are real and documented, you’ll pass. If they’re aspirational, you won’t.
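The reconciliation the identity section asks for (IdP account export against headcount roster, gap bigger than two) and the first audit-prep item above are the same check, so here it is once as an added example that is not the author's code. It assumes two constructed CSV exports keyed on work e-mail with the column names shown; real IdP and HRIS exports differ and need mapping first.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data). The column names are assumptions:
# map your own IdP user export and HR roster onto them before running this.
IDP_EXPORT = """\
email,status,last_login
alice@example.com,ACTIVE,2024-05-01
bob@example.com,ACTIVE,2024-03-02
Carol@Example.com,ACTIVE,2024-05-02
dave@example.com,DEPROVISIONED,2024-01-10
svc-deploy@example.com,ACTIVE,2024-05-02
"""
HR_ROSTER = """\
email,employment_status,termination_date
alice@example.com,active,
bob@example.com,terminated,2024-03-04
carol@example.com,active,
erin@example.com,active,
"""

def _norm(email):
    # Case and whitespace differences between systems are the usual false mismatch.
    return email.strip().lower()

def reconcile(idp_csv, hr_csv, as_of, allowed_gap=2):
    """Cross-reference active IdP accounts against the HR roster.

    Returns stale accounts (active in the IdP but terminated or unknown in HR)
    with days since termination, active employees with no account at all, and
    whether the stale count exceeds the checklist's threshold of two."""
    as_of = date.fromisoformat(as_of) if isinstance(as_of, str) else as_of
    hr = {_norm(r["email"]): r for r in csv.DictReader(io.StringIO(hr_csv))}
    active_idp = {_norm(r["email"]) for r in csv.DictReader(io.StringIO(idp_csv))
                  if r["status"].upper() == "ACTIVE"}
    stale = {}
    for email in sorted(active_idp):
        person = hr.get(email)
        if person is not None and person["employment_status"] == "active":
            continue  # matched to a current employee: no finding
        days = None   # None: no HR record at all (service account or orphan)
        if person is not None and person["termination_date"]:
            days = (as_of - date.fromisoformat(person["termination_date"])).days
        stale[email] = days
    missing = sorted(e for e, p in hr.items()
                     if p["employment_status"] == "active" and e not in active_idp)
    return {"stale": stale, "missing": missing,
            "offboarding_broken": len(stale) > allowed_gap}
```

Keep the dated output of each run; a quarterly stack of these is the access-review artifact the auditor samples, and a stale entry with a large day count is exactly the offboarding finding the page warns about.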
The 90-day arc
- Weeks 1–3: scope, identity, endpoints, vendor list. The “make the environment auditable” phase.
- Weeks 4–6: monitoring, logging, policies. The “produce evidence as we run” phase.
- Weeks 7–12: the Type II audit window itself. Operating-effectiveness evidence accumulates.
- Weeks 13+: auditor fieldwork, report delivery.
Most clients pass on the first attempt. The ones who don’t almost always trip on the same thing: stale access for offboarded staff. Fix that this week and you’re halfway there.
If you’d rather skip the checklist and have us run it: book a 30-minute IT review. We’ve passed SOC 2 Type II with Bay Area SaaS clients in as little as 11 weeks, and we run the program as part of how we operate the environment — not as a separate project.