What should I read to prepare for SOC 2 as a founder?
The Essential Reading List
1. AICPA Trust Services Criteria (Free)
The official criteria document defines what SOC 2 evaluates. Read the Security category (the common criteria, CC1-CC9) — that's the baseline for every audit. Skip the other categories (Availability, Processing Integrity, Confidentiality, Privacy) unless they're in your scope.
Time: 2 hours
2. Your Auditor's Evidence Request List
Ask your auditor (or prospective auditor) for their standard evidence request template. This tells you exactly what they'll ask for, specific to their methodology.
Time: 1 hour to review
3. A SOC 2 Startup Guide
Look for guides written specifically for startups, not enterprise compliance teams. The best ones cover: which TSC to pick, how to scope, what policies to write, and what evidence to collect.
Time: 2-3 hours
What You Can Skip
| Resource | Why You Can Skip It |
|---|---|
| SSAE 18 / AT-C 205 (audit standards) | Written for auditors, not auditees |
| 200-page SOC 2 compliance handbooks | Too detailed for a first-time audit |
| NIST Cybersecurity Framework | Useful but separate from SOC 2 — don't confuse the two |
| ISO 27001 documentation | Different framework, different audit |
What to Learn by Doing (Not Reading)
Some things are better learned by doing than reading:
- Run a readiness assessment. Walk through each in-scope criterion and check your systems and processes against it, noting where you have no control or no evidence.
- Write one policy. Start with your change management policy — it's the easiest to write because it describes a workflow you already follow, such as your existing GitHub pull request and review process.
- Talk to an auditor. A 30-minute pre-engagement call teaches more than a 100-page guide.
The Minimum Knowledge for a Founder
You don't need to become a compliance expert. You need to know:
- Which TSC criteria are in your scope
- What your seven core policy documents should say
- What evidence your auditor will ask for
- How to run a quarterly access review
Everything else can be handled by your auditor's guidance or by an AI compliance tool like Screenata.