How Much Does SOC 2 Cost?
How much does SOC 2 really cost? TL;DR: See the table below for cost breakdowns of the risk assessment (needed to get ready for your SOC 2), the readiness phase, and the audit phase. Note that the number of Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) that apply to your organization may decrease or increase your total costs.
Full explanation: The total cost of ownership of getting SOC 2 certified can be broken down into two phases if you've already conducted a risk assessment (RA), but technically three if you haven't yet conducted an RA:
1A) Risk assessment: an exercise in identifying potential hazards and analyzing their potential consequences if they were to occur, e.g., a breach of your customers' data. Security certifications like SOC 2 and ISO 27001 require you to conduct a risk assessment before you engage in the readiness phase. Consultants and auditors typically charge $10K for this, but Tugboat Logic will conduct it free of charge for you. The way we see it, our goal is to help future-proof companies' security efforts with a solid jumping-off point for certs they might need, regardless of whether they end up partnering with Tugboat Logic.
1B) Audit readiness (SOC 2 prep): the work of identifying your org's security risks, mapping the corresponding SOC 2 Trust Services Criteria to your org, and implementing security controls tied to those criteria.
If you need outsourced help, reputable vendors (either consultants or SaaS solutions) will do the heavy lifting of writing policies for you and implementing the controls; they'll typically charge $12K - $30K. Of course, the beauty of such a large marketplace is that you can find everything from bargain-basement vendors (with quality of work to match!) to white-glove service providers who will guide you every step of the way – just make sure you comparison shop at least three vendors and do your due diligence.
Or, to put it another way: would you trust any random contractor to work on your house? Hell no! You'd ask for referrals from friends, compare their offerings and pricing, make sure they're licensed, bonded, and have no glaring complaints, and conduct upfront and backchannel reference checks. And as if you needed a true horror story: one of our customers was quoted $90K by a consultant who was going to have them fill out SOC 2 policy and control templates he downloaded off the Internet.
2) The audit: where an independent third-party audit firm (usually a CPA or CPA firm that specializes in compliance) assesses your implementation of security controls; more specifically, the auditor collects a sample of evidence for the controls you've implemented to determine whether you are in compliance (fun fact: the AICPA states that an organization cannot conduct both the readiness and audit portions of SOC 2, but some vendors oddly enough offer both 🤔 a rule is only as good as its enforcement, right?).
Similar to the guidance we provided on the readiness phase, it's best that you do your due diligence and comparison shop – some auditors are more expensive than others, and some are shockingly cheaper. Especially when it comes to auditors, cheaper is not necessarily better. We seriously cannot stress this enough: by comparison shopping you'll not only get the best price, but you'll also have the opportunity to really vet whether an auditor fits your organization's style vs. an auditor trying to fluff and puff you just to win your business.
Reputable vendors typically charge $20K - $30K for conducting the audit, but we've seen firms charge as low as $8K to as high as $70K (the $70K was from the same customer story you read earlier!). "Buyer beware", as the saying goes.