Josh Ablett

Typical SOC 2 Costs

April 24, 2024

SOC 2 costs are often a mystery to companies. SOC 2 compliance is a critical framework for managing data security based on five trust service principles—security, availability, processing integrity, confidentiality, and privacy. Companies striving for SOC 2 compliance need to meet rigorous standards, which often entail significant organizational and financial commitments.

Companies often ask us what typical costs they might incur (outside of the cost of our Virtual CISO services or the cost of the actual audit) as a result of trying to achieve SOC 2 compliance for the first time.

Here are some typical costs that we see clients incur. It's important to note that these are ONLY license costs. They don't include costs to implement or migrate any of the following, which can be significant one-time costs.

SOC 2 Costs for All Companies

  • Productivity Software. Most companies find they need to upgrade to a higher level of Microsoft 365 or Google Workspace to meet the compliance requirements.
    • For Microsoft, this is typically Business Premium or E3.
    • For Google, this is typically Business Plus or Enterprise.
  • Security Assessments of Cloud/SaaS Software. We offer this as part of our Virtual CISO service.
  • Mobile Device Management. This is typically part of the higher-cost Microsoft 365 or Google Workspace plans, described above, so the costs would be paying someone to set them up and deploy them.
  • Endpoint Protection. Many companies don't have centrally managed antivirus or Endpoint Detection and Response (EDR) tools. The SOC 2 process forces them to put this in place, typically from companies like SentinelOne or Crowdstrike.
    • Prices vary, but a good budget number is $10-20/computer/month.
  • Remote Monitoring and Management (RMM). Many companies don't have a way to centrally manage their computers, and to enforce settings that will be required for SOC 2 (like encryption). While these tools are not very expensive, they're also not trivial to set up and use.
    • Good budget number is $5-10/computer/month.
  • Vulnerability Scanning to find unpatched vulnerabilities on your computers. We offer this as part of our Virtual CISO service.
  • Patch Management to fix the aforementioned vulnerabilities. This one is tricky. RMM tools (mentioned above) do some patching, but none have 100% coverage. There are inexpensive third-party tools ($3-5/computer/month) that fill some of the gaps. But the problem here is that no patching is 100% automated. You will either need an IT service or an IT person to work on these manually each month.
  • Network Security.
    • For companies that still work from the office, you may find yourself purchasing a firewall with stronger security features.
    • For companies that work hybrid or full remote, you may find yourself purchasing a Secure Access Service Edge (SASE) or always-on VPN tool. Good budget number to use is $5-15/user/month.
  • Bring Your Own Device (BYOD). Often the SOC 2 process forces companies to reconsider their position on BYOD. To pass an audit, all computers will need to be configured to company security standards, and managed like company computers. Some employees balk at putting security tools on their computers, which may force you to purchase company-owned computers.
  • Security Awareness Training. Typically monthly videos and quizzes. We offer this as part of our Virtual CISO service.
  • Simulated Phishing Tests. Typically performed monthly. We offer this as part of our Virtual CISO service.
  • Password Management Systems. Typically $5-8/user/month.
  • Background Checking Tools. These are typically $50-100 per person, though you may need to do them for existing staff as well as new staff.
  • Data Destruction Service. If you use a lot of paper, this would be a secure shredding service. If you only have to dispose of electronic media (e.g., hard drives from old computers), you can typically find a service that will shred the drives and provide a certificate of destruction for $150-250 / drive.

Outsource I.T.?

Implementing all of the above is a significant amount of work, and none of these systems are simple to maintain.

At this point in the project, many companies start to think about whether they want to manage these I.T. systems in-house or whether they want to start working with an outsourced I.T. company. This can add a significant cost and delay to the project.

GRC Tools?

In the past few years, Governance Risk and Compliance (GRC) tools have become quite popular for managing the process of achieving SOC 2 compliance. These tools tend to start around $10k/year.

We think they're great products if you're planning to manage the SOC 2 process yourself, in-house, and you have a staff member who is fairly knowledgeable about security.

We don't think they're worth the money, though, if you're working with a service like ours, as they slow us down and don't allow much flexibility. However, we're happy to support them if you prefer using them.

SOC 2 Costs for Software Development Companies

It's tough to provide fixed pricing for any of the following, as the pricing will depend on a few factors:

  • Where your software is hosted (e.g., AWS vs. Azure vs. servers in a colo)
  • What technology you use for your application (e.g., servers vs. containers vs. serverless tools)
  • The strength and knowledge of your team in understanding how to configure and use these tools

The following list covers typical services you'll need to purchase, though your actual list may vary by quite a lot.

  • Cloud Security Posture Management (CSPM). Assuming you're using IaaS services (like AWS, Azure, or Google Cloud Platform), these systems check to make sure that your IaaS account is securely configured. All three of the major IaaS services offer these as part of their package, and if you're a small company it probably makes more financial sense to start with the built-in offerings.
  • Server or Container Hardening. Your servers and/or containers should be configured at load-time to comply with CIS (or similar) hardening standards. You should be able to provision these directly in your IaaS system. While they might not cost more, these hardening standards will often break software, so they should be extensively tested.
  • Server or Container Vulnerability Scanning. These check your servers and/or containers for vulnerabilities. For servers, we offer this as part of our Virtual CISO service. For containers, you may be able to use built-in products in your IaaS tool, or you may need to purchase a third party tool (depending on which IaaS product you use).
  • Backups and Replication. SOC 2 often forces companies to get more rigorous around how often they take backups, how long they store backups, and replicating critical data to multiple regions. The cost for this will obviously depend on your IaaS service, your retention periods, and the size of your environment.
  • Encryption Key Management. Most companies will use the Secrets Management tool provided by their IaaS service, which has an additional (but minimal) cost.
  • Encryption In Transit and At Rest. This is often enabled by default in IaaS. If not, it may have a tiny upcharge.
  • Logging and Alerting. This is one of the more complex areas of SOC 2 compliance. You'll certainly want to make sure you're fully using the logging and alerting capabilities of your IaaS product, but you may also need to make significant changes to your application to make sure you have user-level audit and traceability.
  • Change Control. This is less a product and more a process, but it can be challenging for small teams. The principle is that the person who deploys code can't be the same person who changes the code. So this may require additional hires.
  • Quality Assurance. Similar to change control, the principle here is that the person who changes the code can't be the same person who tests the code. May also require additional hires.
  • Secure Development. For smaller companies, this usually takes two forms:
    • Putting your staff through formal secure development training (e.g., OWASP), AND
    • Implementing code-testing tools (Google the phrases "SAST" and "DAST") that scan code for issues before it is deployed. Some source code repository services already have this built in for their higher-level plans.
  • Penetration Testing. If you build code, you'll need to do at least an annual penetration test, where a skilled white hat hacker tries to find vulnerabilities. Costs vary, but can range from $5k-25k+.

Again, this list is not meant to be exhaustive, but is meant to provide you with paths to follow to build an approximate budget before you engage in a SOC 2 project.


Copyright 2025 Adelia Associates, LLC | All Rights Reserved