How do I keep my SOC 2 certification going after the first audit?

March 6, 2026 · 2 min read · First-Time SOC 2

SOC 2 Is Not a One-Time Certificate

SOC 2 reports expire. Type I is a point-in-time snapshot. Type II covers a specific period (usually 12 months). Enterprise customers expect your report to be current — typically less than 12 months old.

The Annual Cycle

Month        | Task
Ongoing      | Maintain controls (branch protection, MFA, access management)
Quarterly    | Run access reviews, update vendor management records
Month 9      | Begin collecting evidence for the upcoming audit
Month 10     | Engage auditor, confirm scope
Month 11-12  | Audit fieldwork
After audit  | Receive report, distribute to customers

What Gets Easier

First Audit                             | Subsequent Audits
Write all policies from scratch         | Update existing policies
Set up all controls                     | Maintain existing controls
Learn the process                       | Already know what to expect
40-80 hours of evidence collection      | 10-20 hours (most is repeatable)
Higher auditor cost (first-time setup)  | Lower auditor cost (renewal rate)

What Requires Ongoing Attention

  1. Access reviews: Quarterly reviews must happen consistently. Set calendar reminders.
  2. Policy updates: When you change cloud providers, add new tools, or restructure teams — update your policies.
  3. Evidence collection: Don't wait until month 11. Collect evidence continuously or automate it.
  4. New employee onboarding: Every new hire needs security training, a background check, and proper access provisioning.
  5. Vendor management: Annually review critical vendors and collect their updated SOC 2 reports.

Common Second-Year Mistakes

  • Assuming last year's evidence works. Auditors want current evidence, not screenshots from 12 months ago.
  • Letting controls lapse. Branch protection gets disabled "temporarily" and never re-enabled.
  • Skipping access reviews. They are easy to forget when there's no active audit, but one missed quarter becomes an exception in your report.
  • Not updating the system description. If you migrated from Heroku to Vercel, the system description needs to reflect that.

© 2025 Screenata. All rights reserved.