A prospect asks for your SOC 2 report. You don't have one. Now there's a deal on the table and a compliance project you didn't budget for.
The first thing most companies do is search for a solution, and every result on the first page of Google is selling the same thing: a GRC automation platform at $5,000–$30,000 per year, plus auditor fees, plus an implementation project. The total first-year cost lands somewhere between $17,000 and $85,000 — and you're locked into the platform subscription indefinitely.
That's one way to do it. It's not the only way.
What the auditor actually evaluates
SOC 2 isn't a technology test. It's a documentation and evidence exercise. Your auditor evaluates whether your organization has designed controls that meet the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy) and — for Type 2 — whether those controls operated effectively over a period of time.
The auditor doesn't care what tool you used to manage your compliance program. They care whether the documentation exists, the evidence is organized, and the controls are demonstrably in place.
Everything in the first two columns — governance and controls — is documentation. You write it once, customize it to your organization, and maintain it. The third column — evidence — comes from your actual operations. No platform produces that for you. You produce it by running your security program.
The GRC platform trap
GRC platforms like Vanta, Drata, Secureframe, and Sprinto do three things well: they automate evidence collection from cloud providers, they provide a dashboard for tracking compliance status, and they give your auditor a portal to review evidence.
Those are genuine benefits — for organizations with complex multi-cloud environments, hundreds of employees, and ongoing compliance programs across multiple frameworks.
For a 50-person SaaS company pursuing its first SOC 2 Type 1 to close enterprise deals, the calculus is different. You're paying $5,000–$30,000 per year for a platform whose primary value is automating evidence collection from systems you could screenshot in an afternoon. The documentation — policies, system description, control narratives — still has to be written by someone. The platform provides templates, but you're filling them in yourself, same as you would with standalone documentation.
The platform becomes the dependency. When you cancel, you lose access to your compliance dashboard, your evidence repository, and your audit history. The documentation you wrote inside the platform may or may not be exportable in a useful format. You've rented your compliance program instead of building one.
The documentation-first alternative
The alternative is simpler than the platform vendors want you to believe:
Start with the documentation. System description, security policies, control narratives mapped to the Common Criteria (CC1 through CC9), risk assessment methodology, and vendor management program. These are Word and Excel files. You own them. They live in your SharePoint, Google Drive, or file server. No platform required.
Build the evidence collection into your existing operations. Quarterly access reviews go in a spreadsheet. Incident response records go in your ticketing system. Training completion goes in your HR platform. Vulnerability scans come from your existing scanner. You're collecting this evidence anyway — the only question is whether it's organized for the auditor.
Use the evidence workbook to track what you have and what's missing. A simple spreadsheet that maps each control to its evidence artifact, location, last review date, and owner. This is the operational tool that replaces the GRC dashboard — and it costs nothing to maintain.
Engage the auditor directly. Most specialist SOC 2 audit firms (Johanson Group, Sensiba, Schellman, A-LIGN, BARR Advisory) will conduct a readiness assessment before the formal audit. Some include this in the audit fee. They'll tell you exactly what's missing. You don't need a platform to tell you what an auditor will tell you directly.
If you want a head start before the readiness assessment, the free SOC 2 Readiness Assessment Workbook scores your maturity against all 33 Common Criteria in 20 minutes — so you walk into that conversation knowing where you stand instead of guessing.
The five SOC 2 documents your auditor reads first
These are the documents that set the tone for the entire audit. If they're well-structured and complete, the audit goes smoothly. If they're thin or inconsistent, the auditor starts digging.
System description. The narrative overview of your service, infrastructure, people, procedures, and data flows. This is the document the auditor reads first and references throughout. It defines the scope of everything that follows. A vague system description creates scope creep. A precise one keeps the audit focused.
Control narratives. For each Common Criteria category (CC1 through CC9), a description of what controls you have in place, how they operate, and what evidence demonstrates their effectiveness. These aren't policies — they're the operational reality of how your organization meets each criterion.
Risk assessment. A documented process for identifying, evaluating, and addressing risks to your system. The auditor wants to see methodology, not just a list of risks. How do you score likelihood and impact? Who reviews the assessment? How often? What triggers a reassessment?
Information security policies. The policy set that governs access control, data handling, incident response, change management, and vendor management. These must be approved, communicated, and current — not draft documents sitting in someone's email.
Evidence workbook. The index that maps controls to evidence. When the auditor asks "show me evidence of quarterly access reviews," you open the workbook, find the row, and point to the artifact. Without this, every evidence request becomes a search operation.
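The evidence workbook described here (and in the documentation-first steps above) is just a table: one row per control, with the evidence artifact, its location, the last review date, and an owner. The one thing a spreadsheet won't do on its own is tell you which rows have gone stale before the auditor does. The script below is an added example, not part of this article or of any product it names; it assumes the workbook is exported to CSV with the column names shown (a `cadence_days` column for how often the evidence must be refreshed is an assumption of the example), and it uses constructed sample rows rather than data from any real audit.

```python
"""Evidence-workbook checker: flags controls whose evidence is missing or stale.

Added example. Column names below are an assumption mirroring the fields the
article lists (control, evidence artifact, location, last review date, owner)
plus a review cadence in days. Rows are constructed sample data.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample workbook (not from any real audit). In practice this is
# the CSV export of the spreadsheet the auditor is shown.
SAMPLE_WORKBOOK = """\
control,criterion,evidence,location,cadence_days,last_review,owner
CC6.2-access-review,CC6,Quarterly access review sign-off,SharePoint/Compliance/AccessReviews/2024-Q2.xlsx,90,2024-05-15,it-ops
CC6.1-mfa-enforced,CC6,IdP MFA policy screenshot,GoogleDrive/Evidence/mfa-policy.png,365,2024-01-10,it-ops
CC7.2-vuln-scan,CC7,Monthly vulnerability scan report,Scanner/reports/2024-08.pdf,30,2024-08-03,security
CC7.3-incident-log,CC7,Incident tickets for the period,,180,,security
CC1.4-training,CC1,Security awareness completion export,HRIS/training/2023-export.csv,365,2023-07-01,people-ops
"""

STATUS_OK = "ok"
STATUS_MISSING = "missing"   # no artifact, no location, or never reviewed
STATUS_STALE = "stale"       # reviewed, but longer ago than the cadence allows


def parse_workbook(text):
    """Parse CSV text into a list of dict rows keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def evaluate_row(row, today):
    """Classify one control's evidence as ok / missing / stale as of `today`."""
    required = (row.get("evidence"), row.get("location"),
                row.get("last_review"), row.get("cadence_days"))
    if any(not (v or "").strip() for v in required):
        return STATUS_MISSING
    last = date.fromisoformat(row["last_review"].strip())
    due = last + timedelta(days=int(row["cadence_days"]))
    return STATUS_STALE if today > due else STATUS_OK


def evaluate_workbook(text, today_iso):
    """Return {control: status} for every row, evaluated as of today_iso."""
    today = date.fromisoformat(today_iso)
    return {r["control"]: evaluate_row(r, today) for r in parse_workbook(text)}


def open_items_by_owner(text, today_iso):
    """Group the controls that need attention by owner: the weekly follow-up list."""
    today = date.fromisoformat(today_iso)
    out = {}
    for r in parse_workbook(text):
        status = evaluate_row(r, today)
        if status != STATUS_OK:
            out.setdefault(r["owner"], []).append((r["control"], status))
    return out


if __name__ == "__main__":
    as_of = "2024-09-01"  # fixed date so the sample output is reproducible
    for control, status in evaluate_workbook(SAMPLE_WORKBOOK, as_of).items():
        print(f"{status:8} {control}")
    for owner, items in open_items_by_owner(SAMPLE_WORKBOOK, as_of).items():
        print(owner, items)
```

Run it against the real export on a schedule (a weekly cron job is enough) and the output is the list you take to each owner; the monthly vulnerability scan in the sample is still within cadence on 2024-09-01, the quarterly access review and the training export are not, and the incident log has no artifact at all.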
What this costs
The documentation itself — whether you build it from scratch or buy implementation-ready documentation — is the smallest cost in the SOC 2 project. The auditor is the largest.
Realistic SOC 2 Type 1 budget — 50-person SaaS company
- Documentation: $0 (build from scratch) to $997 (implementation-ready suite)
- Internal effort: 40–80 hours over 4–8 weeks (customization, evidence collection, gap remediation)
- Auditor: $7,000–$25,000 (varies by firm and scope)
- Total first year: $8,000–$26,000
- Year 2 and beyond: auditor fee only (you own the documentation)
- Compare: GRC platform approach = $17,000–$85,000 first year, $5,000–$30,000/year ongoing
The documentation-first approach doesn't eliminate cost. It eliminates the recurring platform fee and gives you ownership of your compliance program. When you change auditors, switch frameworks, or add a second compliance requirement (ISO 27001, HIPAA, PCI-DSS), your documentation travels with you. A platform subscription doesn't.
When you should use a GRC platform instead
This approach isn't universally superior. If your organization has 500+ employees, operates across multiple cloud providers, needs continuous compliance monitoring across three or more frameworks simultaneously, and has a dedicated compliance team — a GRC platform may genuinely save time. The evidence automation alone can justify the subscription at that scale.
But if you're a 20–100 person company pursuing your first SOC 2, the documentation-first approach gets you the same audit outcome at a fraction of the cost, with no ongoing subscription and full ownership of every artifact.
Once you pass the audit, the customer questionnaires don't stop — they shift from "do you have SOC 2?" to "show me the details." Ridgeguard manages the ongoing questionnaire response, vendor risk assessments, and evidence tracking that SOC 2 creates as an operational requirement. 30-day free trial, $299/year.
What to do this week
- Determine your SOC 2 scope. Security (CC1–CC9) is required. Availability, processing integrity, confidentiality, and privacy are optional. Start with Security only unless a customer requires otherwise.
- Inventory your existing documentation. You may have policies, an incident response plan, or access review records already. Map what exists to the Common Criteria.
- Get three auditor quotes. Specialist firms are 30–40% less than Big 4 for the same deliverable. Ask whether they include a readiness assessment.
- Decide on your documentation approach: build from scratch (80–120 hours), buy implementation-ready documentation (customization in days), or hire a consultant ($15,000–50,000).
- Set a target date for audit readiness. Work backward from there.
Next week: The incident response plan that actually works — what most IR documentation gets wrong and how to fix it before you need it.
If you're pursuing SOC 2 without a GRC platform, the SOC 2 Readiness Suite includes the system description template, control narratives for all Common Criteria, evidence workbooks, and the complete policy set — 71 documents, framework-mapped, ready to customize. $997, one-time purchase, instant download.