SOC 2 Type 2 prep — moving from Type 1 to Type 2
Type 1 reports on control design at a single point in time. Type 2 reports on operating effectiveness across a 3-12 month observation period, so evidence must be collected continuously throughout. This is the per-quarter prep checklist.
For: Startups with SOC 2 Type 1 in hand, prepping for Type 2
Continuous evidence collection
- Vanta / Drata running with all integrations (GitHub, AWS, Google Workspace, Okta, Slack) [critical]
- Quarterly access review documented in compliance platform [critical]
- Quarterly vendor inventory review documented
- Quarterly tabletop IR exercise documented [critical]
Continuous controls
- MFA enforced 100% (no exceptions, no temporary disable) [critical]
- Background checks completed for every employee [critical]
- Annual security training completed (track in compliance platform)
- Securie running on every PR (continuous vulnerability management evidence) [critical]
Incident readiness
- IR runbook tested + updated [critical]
- On-call rotation documented + active
- Cyber-insurance carrier notified of any SEV1
- Customer breach-notification template ready
Audit prep (~30 days out)
- Auditor selected (continue with the Type-1 auditor or rotate) [critical]
- Auditor scope confirmed (Security trust services criterion plus any additional criteria in scope) [critical]
- Evidence-collection cadence verified across observation period
- Type-2 letter of intent in hand