SOC 2 Readiness in 90 Days — From Zero to Audit-Ready
Led a 90-day SOC 2 Type II readiness programme for a growing SaaS company with no prior formal security controls. Passed the audit on the first attempt and unlocked $2M+ in enterprise pipeline.
Challenge
A growing SaaS company needed SOC 2 Type II certification to close enterprise deals but had no formal security controls, policies, or audit experience.
Solution
Designed and executed a 90-day readiness programme — gap assessment, policy creation, control implementation, and evidence collection automation.
Result
Passed SOC 2 Type II audit on first attempt, unlocked $2M+ enterprise pipeline that had been blocked pending certification.
The Problem
I was brought in as a programme leader for a Series B SaaS company that had hit a growth wall. Their product was strong, their sales team was active, but three enterprise deals worth a combined $2M+ in annual contract value were stalled — all waiting on SOC 2 Type II certification. The company had never undergone a formal security audit. There were no documented security policies, no formalised access controls, no incident response plan, and no evidence collection processes.
The CEO wanted to be audit-ready in 90 days. The engineering team was sceptical it was possible. The sales team was anxious. I had to build the programme from scratch and make it work on a tight timeline without derailing ongoing product development.
What I Did
I structured the 90 days into three 30-day phases: assess, build, and harden.
In the first phase, I conducted a comprehensive gap assessment against the SOC 2 Trust Service Criteria. I mapped every control requirement to our current state, identified gaps, and prioritised them by audit risk and implementation effort. The gap list was long — 47 controls needed to be established or significantly improved.
In the build phase, I led policy creation for the 12 foundational documents — information security policy, access control policy, incident response plan, change management policy, vendor management policy, and others. I worked directly with engineering to implement technical controls: centralised logging, automated access reviews, verification of encryption at rest and in transit, and vulnerability scanning integration into CI/CD.
A critical decision was automating evidence collection early. I implemented tooling that continuously gathered evidence — access logs, change records, deployment histories, security scan results — rather than relying on manual collection before the audit. This saved an enormous amount of time and reduced the risk of gaps in the evidence trail.
In the harden phase, I ran internal readiness reviews simulating auditor questions. I stress-tested the evidence collection pipeline, identified weak spots, and addressed them. I also prepared the team for the audit itself — who would answer which questions, where evidence was stored, and how to handle auditor requests efficiently.
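As an added illustration of the continuous evidence collection described in the build phase and the pipeline stress-testing in the harden phase (example code written for this page, not tooling from the programme itself): a small Python evidence ledger that hashes each item against the previous one, so an edited, dropped or reordered record is detected on re-verification, plus a coverage check that flags any stretch of the Type II observation window in which a control has no evidence within its expected cadence. A Type II report covers controls operating over a period, so a missed scan or a skipped weekly export is exactly the kind of gap an auditor's sampling finds. The control IDs and their criteria mapping, the cadences, the source names, the date window and every record below are constructed assumptions.

```python
"""
Continuous SOC 2 evidence ledger: tamper-evident collection plus
coverage-gap detection over the Type II observation window.
Illustrative example; control mapping, sources and records are assumed.
"""
import hashlib
import json
from datetime import date, timedelta

GENESIS = "0" * 64

# Assumed mapping of evidence feeds to Trust Services Criteria, with the
# cadence at which evidence is expected. Illustrative, not the page's list.
CONTROLS = {
    "CC6.1-access-review":   {"cadence_days": 30},
    "CC8.1-change-approval": {"cadence_days": 7},
    "CC7.1-vuln-scan":       {"cadence_days": 1},
}

# Assumed observation window for the constructed data.
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2024, 3, 31)


def canonical(body: dict) -> bytes:
    """Deterministic serialisation so a later re-verify reproduces the hash."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class EvidenceLedger:
    """Append-only list of evidence items, each committing to the previous one."""

    def __init__(self):
        self.items = []

    def record(self, control_id: str, source: str, collected_on: date, payload: dict) -> dict:
        if control_id not in CONTROLS:
            raise ValueError(f"unmapped control: {control_id}")
        body = {
            "control_id": control_id,
            "source": source,
            "collected_on": collected_on.isoformat(),
            "payload": payload,
            "prev_hash": self.items[-1]["sha256"] if self.items else GENESIS,
        }
        item = {**body, "sha256": hashlib.sha256(canonical(body)).hexdigest()}
        self.items.append(item)
        return item

    def verify(self) -> bool:
        """Recompute the chain; an edited, deleted or reordered item breaks it."""
        prev = GENESIS
        for item in self.items:
            body = {k: v for k, v in item.items() if k != "sha256"}
            if body["prev_hash"] != prev:
                return False
            if hashlib.sha256(canonical(body)).hexdigest() != item["sha256"]:
                return False
            prev = item["sha256"]
        return True

    def coverage_gaps(self, window_start: date, window_end: date) -> list:
        """Stretches inside the window where a control has no evidence for
        longer than its cadence. Window edges count as checkpoints so a late
        first collection or an early last one is reported too."""
        gaps = []
        for control_id, spec in CONTROLS.items():
            dates = sorted(
                date.fromisoformat(i["collected_on"])
                for i in self.items
                if i["control_id"] == control_id
                and window_start <= date.fromisoformat(i["collected_on"]) <= window_end
            )
            checkpoints = [window_start, *dates, window_end]
            for a, b in zip(checkpoints, checkpoints[1:]):
                if (b - a).days > spec["cadence_days"]:
                    gaps.append((control_id, a.isoformat(), b.isoformat()))
        return gaps


def build_sample_ledger() -> EvidenceLedger:
    """Populate the ledger with constructed feeds. In a real deployment each
    loop is a connector pulling from the IdP, the VCS and the CI system."""
    ledger = EvidenceLedger()
    # Monthly access-review sign-offs (constructed).
    for d in (date(2024, 1, 15), date(2024, 2, 14), date(2024, 3, 15)):
        ledger.record("CC6.1-access-review", "idp", d,
                      {"accounts_reviewed": 42, "removed": 2, "reviewer": "jane"})
    # Weekly change-approval exports (constructed); one week is deliberately missing.
    d = date(2024, 1, 5)
    while d <= WINDOW_END:
        if d != date(2024, 2, 9):
            ledger.record("CC8.1-change-approval", "vcs", d,
                          {"merged_prs": 11, "unapproved": 0})
        d += timedelta(days=7)
    # Daily CI vulnerability scans (constructed); three days are deliberately missing.
    d = WINDOW_START
    while d <= WINDOW_END:
        if not date(2024, 2, 10) <= d <= date(2024, 2, 12):
            ledger.record("CC7.1-vuln-scan", "ci", d,
                          {"critical": 0, "high": 1, "scanner": "example-scanner"})
        d += timedelta(days=1)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    for gap in ledger.coverage_gaps(WINDOW_START, WINDOW_END):
        print("evidence gap:", gap)
```

Run nightly, the gap check turns a missed scan or a skipped export into a ticket on the day it happens rather than a finding months later, and the hash chain lets the team hand the auditor a manifest they can re-verify rather than a folder of screenshots. Storing the ledger somewhere the people who produce the evidence cannot rewrite it (append-only object storage, or a bucket under a separate account) is what makes the chain meaningful.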
The Outcome
We passed the SOC 2 Type II audit on the first attempt with zero critical findings. The three stalled enterprise deals moved forward, representing over $2M in new annual revenue. Beyond the immediate business impact, the programme established a security culture that had not existed before. The policies and controls became living documents, and the automated evidence collection meant subsequent audits required a fraction of the preparation effort. The CEO later noted that the certification became a competitive differentiator in every enterprise sales conversation.