DIY SOC 2: cost, time, and where it actually breaks down.
What DIY actually costs
The DIY budget shape for a 25- to 50-employee SaaS company pursuing a first-time SOC 2 Type 2 with Security and Confidentiality in scope, no GRC platform, and a mid-tier CPA audit firm:
| Line item | Cost | Notes |
|---|---|---|
| Audit firm fee (boutique or mid-tier CPA) | £18,000 – £35,000 | Same fee as platform-led path. Some firms offer modest discounts where evidence is well-organised. |
| GRC platform fee | £0 | By definition. Zero platform line. |
| Internal time (300 to 500 hours at £75) | £22,500 – £37,500 | Concentrated on a senior security or engineering lead at roughly 30 to 40 percent time across 6 to 9 months. |
| Light advisory (5 to 10 days) | £4,000 – £12,000 | Many DIY teams hire a consultant for 5 to 10 days at the readiness stage to avoid scope mistakes. |
| Year-1 total | £44,500 – £84,500 | Comparable to platform-led path. Lower cash spend, higher FTE concentration. |
The DIY total is broadly comparable to the platform-led path because the audit fee dominates either way. The difference is distributional: DIY shifts cost from cash (platform fee) to internal time (FTE hours).
What DIY needs to work
A senior security or engineering lead with 30 to 40 percent of their time available across 6 to 9 months. Without that, DIY breaks within the first month. The lead role is non-delegable: the lead is the person who owns control design, the evidence-collection rhythm, audit-firm liaison, and exception management.
A lightweight evidence-collection system. Most DIY SOC 2 programmes use a shared drive (one folder per control), plus a ticketing-system tag convention (one tag per control), plus a monthly 30-minute evidence-review meeting with the control owner. The whole system can be set up in two days. It does not need to be elegant.
Existing reasonable security hygiene. DIY does not work on top of a mess. If access management is ad hoc, change management is informal, and vendor reviews have never happened, the readiness gap is too large for the lead to close in 6 months.
Where DIY breaks down
| Scenario | Why DIY breaks | What works instead |
|---|---|---|
| Multi-framework programme (SOC 2 + ISO 27001 + GDPR) | Single source of truth for evidence becomes painful across three control sets. Evidence drift between frameworks generates audit-fee inflation. | Platform path. Multi-framework is the canonical case where platforms earn their fee. |
| Distributed engineering team (20+ engineers across regions) | Calendar coordination on evidence collection scales poorly. Automated collection is the only practical answer. | Platform path or a hybrid (entry-tier platform for evidence, internal lead for policy). |
| Privacy criterion in scope | DSAR handling, processor inventories, and data-flow mapping get heavy fast. Manual coordination costs more than the platform fee. | Platform path with a Privacy module, or a hybrid. |
| First-time SOC 2 with no senior security FTE | Lead role unfilled, readiness stalls, audit slips a quarter. | Boutique consultant for readiness, then DIY through the audit cycle once the lead role is permanently filled. |
The hybrid pattern
Many teams DIY the policy and process work and use a £6,000 to £9,000 entry-tier platform purely for evidence automation. Total year-one cost lands around £40,000 to £55,000, which splits the difference between full DIY and full platform. The advantages are real: the policy work captures the organisation's actual practice instead of the platform's template defaults, and the platform handles the part that DIY does worst (cross-region evidence collection at scale).
Cross-reference
For the platform path with break-even calculator, see the GRC platforms page. For the readiness work that DIY teams handle in-house, see the readiness cost page. For the audit-firm fee that is identical on either path, see the audit firm fees page. For the scale-up bracket where DIY breaks down, see the scale-up cost page.