SOC 2 timeline: month-by-month spend from start to report.
Month-by-month cost curve, Type 2
| Month | Cash spend | What happens |
|---|---|---|
| Month 1 | £8,000 | Readiness assessment kickoff, platform contract signed, initial gap analysis. Heaviest single-month spend. |
| Month 2 | £3,000 | Remediation begins, policy authoring, evidence-collection rhythm starts. |
| Month 3 | £1,000 | Observation window opens. Operational rhythm. Light platform fee accrual. |
| Months 4 to 5 | £1,000 / month | Mid-window operations. Evidence generated by control activity. No substantive cash spend. |
| Month 6 | £2,000 | Mid-period evidence push. Internal audit, exception review. |
| Months 7 to 8 | £3,000 / month | Pre-audit fieldwork prep. Auditor walkthroughs scheduled. Light remediation sweep. |
| Month 9 | £20,000 | Audit fieldwork. Single largest line item. Report drafted, management response logged. |
| Total | £42,000 | Sum of cash lines. Excludes internal time at £15,000 to £25,000 fully loaded. |
Type 1 timeline
Type 1 compresses to a 3 to 6 month programme. Readiness and remediation in months 1 to 2, walkthroughs and audit fieldwork in month 3, report issued in month 3 or 4. There is no observation window. Cash curve: month 1 (£6,000 readiness), month 2 (£2,000 remediation), month 3 (£12,000 audit), total £20,000.
Concurrent SOC 2 + ISO 27001 timeline
Running both standards concurrently over 12 months: shared readiness in months 1 to 3, observation and Stage 1 audit in months 4 to 9, ISO 27001 Stage 2 in month 10 with SOC 2 audit fieldwork month 11, both reports issued month 12. Combined cash spend lands at roughly 65 to 70 percent of the sum of the two standalone programmes. The single largest cash line is month 11 audit fieldwork covering both attestations.
Acceleration cost
Compressing a 9-month Type 2 programme into 4 to 5 months typically adds 20 to 30 percent to the audit fee. The audit firm uses the surcharge to add a second senior to the team and run walkthroughs in parallel rather than sequentially. Internal burnout cost is harder to quantify but real: a compressed first-time SOC 2 typically costs the team a quarter of senior engineering time at near-100 percent allocation, which is unsustainable for more than 8 weeks.
Decel cost
Stretching a SOC 2 programme beyond 12 months loses the customer it was supposed to win. Most enterprise procurement cycles allow 4 to 6 months of compliance lead time before withdrawing the deal. A SOC 2 programme that slips to 15 months has typically already lost the original customer; the attestation arrives for the next customer, which is a different business case.
Cross-reference
For the Type 1 vs Type 2 cost decision that shapes the timeline, see the Type 1 vs Type 2 page. For the readiness work that dominates months 1 to 3, see the readiness cost page. For the audit fee that lands in month 9, see the audit firm fees page. For the full month-by-month picture with your inputs, see the calculator.