Compliance

SOC 2 Readiness Without the 6-Month Slog

A field-tested walkthrough of the controls we check first on AWS, Azure, and GCP engagements — and the misconfigurations that catch teams off guard.

RAZR Compliance

6 min read

Most SOC 2 projects don't fail because the controls are hard. They fail because teams treat compliance as a document exercise and only realize during the audit that they can't produce the evidence.

The 90-day shape that actually works

  1. Weeks 1-2: scope the system boundary and pick the Trust Services Criteria you'll be assessed against.
  2. Weeks 3-6: implement evidence automation for access reviews, change management, and vulnerability tracking.
  3. Weeks 7-10: run the controls in production so you generate real evidence, not backfilled screenshots.
  4. Weeks 11-13: dry-run the audit with your assessor and close the gaps they flag.

Skip the policy-first trap

Writing 40 policies before touching a single control feels productive but produces nothing an auditor can test. Start from the controls, then let the policies reflect what you actually do.

What to automate first

  • Quarterly access reviews tied to your IdP.
  • Change management evidence pulled from your PR + deploy pipeline.
  • Vulnerability scan results archived from your CI or cloud-native scanner.

Get these three flowing and you'll have covered the bulk of the evidence your auditor asks for — without a single spreadsheet.

Share this post

Get new posts in your inbox

Field notes on cloud security, compliance, and incident response. One email when we publish. No spam.

Ready to see how your stack scores?

Take the 15-minute diagnostic and get a prioritized 30/60/90-day action plan.

Related posts

More reading based on this post's category and tags.