Last Updated on September 29, 2020
A SOC 2 Type 2 report covers the operation of a company’s internal controls in relation to safeguarding customer data. Sharing a positive SOC 2 Type 2 report with customers and prospects is a great way to prove that you can keep your customer’s sensitive data secure, as well as meet their needs (and those of your regulators) regarding privacy, confidentiality, availability and/or processing integrity, if relevant to your business.
Similar to certification against a globally respected cybersecurity standard like ISO 27001, a positive SOC 2 Type 2 report demands that your organization implement and document robust security/privacy controls and processes. Evaluating your current security posture and mitigating “gaps” where you don’t meet SOC 2’s high standards can often require significant time and expertise.
Total costs for a SOC 2 Type 2 report can vary widely, depending on the scope/complexity of your report and your staffing/consulting needs for controls implementation, assessment and planning, etc. Further, the “cybersecurity talent gap” continues to drive salary/rate increases. These overarching issues make it challenging to predict “average” costs for security attestations in general… but that won’t stop us from giving it a go 🙂
How much does a SOC 2 Type 2 report cost?
These are best-guess estimates that are applicable to 90% of our clients:
- Preparatory costs generally run from $40,000 at the low end to $100,000 on the high end, depending on the complexity of your environment.
- Audit costs range from as low as about $25,000 to $35,000-$40,000 depending on the scope of the report and the size/complexity of the business.
Cost drivers for SOC 2 Type 2 reports
These few critical factors will exert the biggest influence on your cost to attain a positive SOC 2 Type 2 report:
- The scope of your SOC 2 Type 2 report
Which Trust Services Criteria are in scope for your SOC 2 Type 2 audit? Organizations that need an attestation regarding Privacy, Availability, Confidentiality and/or Processing Integrity will likely experience higher preparation and audit costs.
- The complexity of your in-scope environment
Larger companies with multiple locations and/or product/service offerings in scope will have higher costs than an SMB with just a single SaaS solution in scope, for instance.
- Registrar/auditor costs
Registrar/auditor costs for a SOC 2 Type 2 report vary considerably, being closely aligned to the fee structure of the CPA firm involved. For example, a “Big 4” firm like EY or KPMG might charge $60,000, while a leading compliance and attestation firm like Aprio or Schellman & Company would charge $45,000. Other reputable audit partners might charge slightly less; e.g., $32,000 to $37,000.
- Are you leveraging multiple cybersecurity frameworks?
We are seeing more and more companies pursue not just a SOC 2 report or an ISO 27001 certification, but both. If your business is looking to garner the competitive, cost and time benefits of multiple security/privacy attestations, your overall costs for the combined effort will be greater.
How do SOC 2 Type 2 and ISO 27001 attestation costs compare?
We are often asked which costs more, SOC 2 Type 2 or ISO 27001 attestation. The bottom line is that they end up costing about the same across the preparation/consulting, audit and post-audit cycle, with SOC 2 generally costing about 15%-20% more. Overall, cost drivers for the two attestations will be similar.
For example, while SOC 2 doesn’t require you to document an information security management system (ISMS) like ISO 27001 does, the control requirements for SOC 2 are more prescriptive and thus require more time to address and to audit. Greater prescriptivity of controls to ensure SOC 2 readiness and to prepare for the more control-oriented SOC 2 audit can also make costs somewhat higher. This balances out the somewhat higher year-over-year cost of maintaining an ISO 27001 certification versus a single SOC 2 Type 2 report.