What should a CTO prioritize before the SOC 2 audit?
CTO's SOC 2 Priority List
Priority 1: Quick Wins (Day 1-2)
| Action | Time | Impact |
|---|---|---|
| Enforce MFA on Google Workspace | 30 min | Eliminates top access control finding |
| Enable GitHub branch protection on main | 15 min | Proves change management controls |
| Require GitHub org-level 2FA | 15 min | Secures code repository access |
| Block public S3 access (if using AWS) | 15 min | Prevents data exposure |
| Enable CloudTrail | 30 min | Creates audit logging |
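The AWS and GitHub quick wins above as a script, added here as an example and not part of the original article. The AWS account id, trail and log-bucket names and the GitHub org/repo are placeholders to replace; the log bucket is assumed to exist with a bucket policy that lets CloudTrail write to it, and the org-level GitHub 2FA requirement is switched on in the organization's security settings rather than here. Setting `AWS=echo` and `GH=echo` prints every command instead of running it, which is a useful review step before touching a real account.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): SOC 2 "quick win" controls on AWS and GitHub.
# All ids, bucket names and org/repo values below are hypothetical placeholders.
# Override AWS/GH (e.g. AWS=echo GH=echo) to print the commands instead of executing them.
AWS="${AWS:-aws}"
GH="${GH:-gh}"

# Block public S3 access at the account level, which also covers buckets created later.
block_public_s3() {
  account_id="$1"   # placeholder, e.g. 123456789012
  $AWS s3control put-public-access-block \
    --account-id "$account_id" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Multi-region CloudTrail trail with log-file validation (tamper evidence), then start logging.
enable_cloudtrail() {
  trail_name="$1"
  log_bucket="$2"   # must already exist and permit CloudTrail to write to it
  $AWS cloudtrail create-trail \
    --name "$trail_name" \
    --s3-bucket-name "$log_bucket" \
    --is-multi-region-trail \
    --enable-log-file-validation
  $AWS cloudtrail start-logging --name "$trail_name"
}

# Branch protection on main: one approving review, stale approvals dismissed, admins included.
protect_main() {
  repo="$1"           # owner/name
  branch="${2:-main}"
  $GH api -X PUT "repos/$repo/branches/$branch/protection" --input - <<EOF
{
  "required_pull_request_reviews": {
    "required_approving_review_count": 1,
    "dismiss_stale_reviews": true
  },
  "required_status_checks": {"strict": true, "contexts": []},
  "enforce_admins": true,
  "restrictions": null
}
EOF
}

# Only apply when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  block_public_s3 "123456789012"
  enable_cloudtrail "org-trail" "example-cloudtrail-logs"
  protect_main "example-org/example-app" main
fi
```

Run with `AWS=echo GH=echo sh quickwins.sh apply` first to see the exact calls, then without the overrides to apply them. The account-level public access block is preferred over per-bucket settings because it also governs buckets nobody has created yet; the trail's log-file validation is what lets an auditor (and you) verify the logs were not altered after the fact.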
Priority 2: Access Controls (Week 1)
- Restrict admin access. Review who has Owner/Admin roles on GitHub, AWS, and Google Workspace. Limit to CTO + 1-2 senior engineers.
- Remove former employee accounts. Audit all systems for stale accounts.
- Document the permission model. Write down which roles exist and what each can access.
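The admin review and stale-account audit above as a repeatable check, added here as an example and not part of the original article. The roster and the three account exports are constructed sample data; in practice the roster comes from your HR system and the exports from each system's member list (GitHub org members, IAM users, Workspace users). The admin threshold of 3 follows the "CTO + 1-2 senior engineers" target.

```shell
#!/usr/bin/env sh
# Added example (not from the original page): cross-check system accounts against the HR roster.
# All data below is constructed sample data. Export format per system: "<email> <admin|member>".

# Current employees (constructed sample).
roster() {
  cat <<EOF
alice@example.com
bob@example.com
carol@example.com
EOF
}

# Per-system account exports (constructed samples).
github_accounts() {
  cat <<EOF
alice@example.com admin
bob@example.com member
dave@example.com admin
EOF
}
aws_accounts() {
  cat <<EOF
alice@example.com admin
carol@example.com admin
erin@example.com member
EOF
}
gsuite_accounts() {
  cat <<EOF
alice@example.com admin
bob@example.com admin
carol@example.com admin
frank@example.com admin
EOF
}

# Accounts present in a system but absent from the roster (former employees, forgotten test users).
orphans() {   # usage: orphans <export-fn>
  tmp=$(mktemp -d)
  "$1" | cut -d' ' -f1 | sort -u > "$tmp/acct"
  roster | sort -u > "$tmp/roster"
  comm -23 "$tmp/acct" "$tmp/roster"
  rm -rf "$tmp"
}

# Owner/admin accounts in a system, and how many there are.
admins() {        # usage: admins <export-fn>
  "$1" | awk '$2 == "admin" { print $1 }' | sort
}
admin_count() { admins "$1" | wc -l | tr -d ' '; }

# One finding per line, suitable for pasting into quarterly access-review evidence.
report() {
  max_admins=3   # CTO + 1-2 senior engineers
  for sys in github_accounts aws_accounts gsuite_accounts; do
    orphans "$sys" | sed "s/^/ORPHAN $sys /"
    n=$(admin_count "$sys")
    if [ "$n" -gt "$max_admins" ]; then
      echo "TOO_MANY_ADMINS $sys $n"
    fi
  done
}
```

Running `report` on the sample data flags dave and erin as orphan accounts on GitHub and AWS, frank as an orphan on Workspace, and Workspace as having four admins. Keeping the same script and swapping in fresh exports each quarter gives the access review a consistent shape the auditor can follow.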
Priority 3: Infrastructure Controls (Week 2)
- Deploy MDM (Kandji, Mosyle) on all company devices
- Verify encryption on databases and storage services
- Enable automated backups with documented retention periods
- Set up basic monitoring — CloudWatch alarms, Sentry error tracking, PagerDuty
Priority 4: Documentation (Week 3-4)
- Write the system description. Name your tech stack specifically — "Next.js on Vercel, PostgreSQL on Supabase, GitHub Actions CI/CD."
- Review or write the change management policy. Describe your actual PR → review → merge → deploy workflow.
- Draft the access control policy. Document your current RBAC model.
What Not to Waste Time On
- Building custom compliance dashboards
- Implementing SIEM tools (not required for most startups)
- Hiring a security engineer before the audit
- Over-engineering access controls beyond what's needed
The CTO's Ongoing Role
During the observation period (Type II), the CTO is typically responsible for:
- Quarterly access reviews
- Approving policy updates
- Responding to audit evidence requests
- Maintaining branch protection and access controls