InsurTech: SOC 2 Type II Certification in 6 Months
An insurance distribution platform needed SOC 2 Type II to close enterprise carrier partnerships. Their AWS infrastructure had the right components but no audit trail, no change management process, and no documented security controls. We got them certified in 6 months.
The Challenge
The compliance gap was not primarily technical - the infrastructure was reasonably secure. The gap was documentation and process. Engineers deployed by pushing directly to main with no approval workflow. Access reviews had never been conducted. There was no formal incident response plan. A SOC 2 Type II audit requires evidence of controls operating consistently over a minimum observation period - typically 6 months.
The Approach
We separated the work into two phases: control implementation (months 1–2) and evidence collection period (months 3–6). Controls had to be in place before the observation window started. We ran the compliance program alongside the engineering team without slowing product development.
The Implementation
Change management process
We implemented branch protection rules requiring two approvals for all production changes, added a deployment approval step in GitHub Actions for production, and set up a lightweight change log in Linear. Every production change was now traceable.
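Branch protection enforces the two-approval rule at merge time, but the auditor also wants evidence that it held for every production change during the observation window. The script below is an added example (not the client's tooling or anything from GitHub or Linear) that reconciles merged pull requests against the control: each PR into main needs two approvals from non-authors that were still standing at merge time, plus a change-ticket key in the title. The PR records are constructed inline, and the ticket-key pattern (TEAM-123) is an assumed Linear-style format.

```python
"""Evidence check for the change-management control:
every PR merged to main has >= 2 standing approvals and a change-ticket reference."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Assumed Linear-style ticket key, e.g. OPS-41 (the real team prefix is project specific).
TICKET_RE = re.compile(r"\b[A-Z]{2,6}-\d+\b")


@dataclass
class Review:
    reviewer: str
    state: str            # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    submitted_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    title: str
    base: str
    merged_at: Optional[datetime]
    reviews: List[Review] = field(default_factory=list)


def approvals_before_merge(pr: PullRequest) -> List[str]:
    """Distinct non-author reviewers whose latest review before merge was APPROVED.
    A later CHANGES_REQUESTED from the same reviewer withdraws their approval."""
    latest = {}
    for r in sorted(pr.reviews, key=lambda r: r.submitted_at):
        if pr.merged_at is not None and r.submitted_at > pr.merged_at:
            continue                      # reviews after merge are not evidence
        if r.reviewer == pr.author:
            continue                      # self-approval never counts
        latest[r.reviewer] = r.state
    return sorted(u for u, s in latest.items() if s == "APPROVED")


def check_pr(pr: PullRequest, required: int = 2) -> List[str]:
    """Return control exceptions for one PR; an empty list means compliant."""
    findings = []
    if pr.base != "main" or pr.merged_at is None:
        return findings                   # not a production change
    approvers = approvals_before_merge(pr)
    if len(approvers) < required:
        findings.append(f"PR #{pr.number}: {len(approvers)} approval(s), need {required}")
    if not TICKET_RE.search(pr.title):
        findings.append(f"PR #{pr.number}: no change-ticket reference in title")
    return findings


def audit(prs: List[PullRequest]) -> List[str]:
    """Exceptions across a set of PRs; this list is the quarter's evidence artefact."""
    exceptions = []
    for pr in prs:
        exceptions.extend(check_pr(pr))
    return exceptions


# Constructed sample: one compliant PR, two non-compliant ones, one not to main.
D = datetime
SAMPLE_PRS = [
    PullRequest(101, "alice", "OPS-41 Rotate carrier API credentials", "main", D(2024, 3, 5, 12),
                [Review("bob", "APPROVED", D(2024, 3, 5, 10)),
                 Review("carol", "APPROVED", D(2024, 3, 5, 11))]),
    PullRequest(102, "bob", "Hotfix pricing rounding", "main", D(2024, 3, 6, 9),
                [Review("bob", "APPROVED", D(2024, 3, 6, 8)),      # self-approval
                 Review("dave", "APPROVED", D(2024, 3, 6, 8, 30))]),
    PullRequest(103, "carol", "OPS-55 Add quote caching", "main", D(2024, 3, 7, 15),
                [Review("alice", "APPROVED", D(2024, 3, 7, 13)),
                 Review("bob", "APPROVED", D(2024, 3, 7, 13, 30)),
                 Review("bob", "CHANGES_REQUESTED", D(2024, 3, 7, 14)),  # withdraws approval
                 Review("dave", "APPROVED", D(2024, 3, 7, 16))]),        # after merge
    PullRequest(104, "dave", "WIP experiment", "develop", D(2024, 3, 8, 10), []),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_PRS):
        print(line)
```

Run against a real export, the same logic takes the PR list from the GitHub API; the point of the constructed set is to show the three cases auditors probe: self-approval, an approval later withdrawn, and an approval that only arrived after the merge.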
Access control and quarterly reviews
We audited all IAM users and roles, removed 14 unused permissions, enforced MFA on every AWS account, and set up a quarterly access review process using a structured spreadsheet tracked in Notion.
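A quarterly access review is only repeatable if the evidence comes from the account itself rather than from memory. The following added example (not the client's spreadsheet or an AWS tool) shows the IAM-user half of such a review: it reads an AWS IAM credential report in its real CSV column layout, flags console users without MFA and active access keys that have not been used within a threshold, and returns the findings that go into the review sheet. The report excerpt is constructed, the 90-day inactivity threshold and the fixed review date are assumptions for the example, and roles and policies are out of scope here.

```python
"""Quarterly IAM user access review over an AWS credential report (CSV).
Flags console users without MFA and active access keys unused for > INACTIVE_DAYS."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVE_DAYS = 90                                        # assumed review threshold
REVIEW_DATE = datetime(2024, 4, 1, tzinfo=timezone.utc)   # fixed so the example is reproducible

# Constructed excerpt using the column names of `aws iam get-credential-report`
# (a subset of columns; account id and users are made up).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2021-02-01T00:00:00+00:00,not_supported,2024-03-20T08:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2022-05-10T00:00:00+00:00,true,2024-03-28T09:12:00+00:00,true,true,2024-03-30T11:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,false,true,2024-03-31T22:10:00+00:00,false,N/A
legacy-etl,arn:aws:iam::111111111111:user/legacy-etl,2021-09-15T00:00:00+00:00,false,no_information,false,true,2023-11-02T03:00:00+00:00,true,N/A
bob,arn:aws:iam::111111111111:user/bob,2023-01-20T00:00:00+00:00,true,2024-02-14T16:40:00+00:00,false,false,N/A,false,N/A
"""


def _parse_date(value: str) -> Optional[datetime]:
    """The report uses N/A, no_information and not_supported as non-dates."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def review(report_csv: str, as_of: datetime = REVIEW_DATE,
           inactive_days: int = INACTIVE_DAYS) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for the reviewer to accept or remediate."""
    findings = []
    cutoff = as_of - timedelta(days=inactive_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without MFA; root shows not_supported here and is skipped.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # Active keys that are stale or have never been used are removal candidates.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_date(row[f"access_key_{n}_last_used_date"])
            if last_used is None or last_used < cutoff:
                when = last_used.date() if last_used else "never"
                findings.append((user, f"access key {n} active, last used: {when}"))
    return findings


if __name__ == "__main__":
    for user, finding in review(SAMPLE_REPORT):
        print(f"{user:12} {finding}")
```

Each finding row becomes a line in the review sheet with a reviewer decision and date next to it; keeping the generated findings and the signed-off sheet together for each quarter is the evidence the Type II observation period needs.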
Vulnerability management pipeline
We added Snyk to the CI pipeline for dependency scanning on every PR and enabled AWS Inspector for EC2 and container image scanning. A monthly remediation SLA was defined: critical findings fixed within 7 days, high within 30 days.
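An SLA is only a control if someone can show, month by month, which findings were closed inside it and which were not. The script below is an added example (not the client's reporting or a Snyk/Inspector feature) that applies the stated SLA, critical within 7 days and high within 30, to a list of findings and produces the overdue list and the monthly status counts. The findings are constructed, and the flat record shape they use is an assumed normalisation of what the scanners export, not either tool's native format.

```python
"""Track vulnerability findings against the remediation SLA
(critical: 7 days, high: 30 days) and summarise status for the monthly report."""
from datetime import date, timedelta
from typing import Dict, List, Optional

SLA_DAYS = {"critical": 7, "high": 30}   # from the program; medium/low carry no SLA here

# Constructed sample findings in an assumed normalised shape.
SAMPLE_FINDINGS = [
    {"id": "F-1", "source": "snyk",      "severity": "critical", "first_seen": date(2024, 3, 1),  "resolved": date(2024, 3, 5)},
    {"id": "F-2", "source": "inspector", "severity": "critical", "first_seen": date(2024, 3, 10), "resolved": date(2024, 3, 20)},
    {"id": "F-3", "source": "snyk",      "severity": "high",     "first_seen": date(2024, 3, 3),  "resolved": None},
    {"id": "F-4", "source": "inspector", "severity": "high",     "first_seen": date(2024, 2, 1),  "resolved": None},
    {"id": "F-5", "source": "snyk",      "severity": "medium",   "first_seen": date(2024, 3, 15), "resolved": None},
]


def due_date(finding: dict) -> Optional[date]:
    """Due date is first_seen plus the SLA for the severity; None when no SLA applies."""
    days = SLA_DAYS.get(finding["severity"])
    return finding["first_seen"] + timedelta(days=days) if days is not None else None


def sla_status(finding: dict, as_of: date) -> str:
    """One of: no_sla, closed_in_sla, closed_late, open_in_sla, open_overdue."""
    due = due_date(finding)
    if due is None:
        return "no_sla"
    closed = finding["resolved"]
    if closed is not None:
        return "closed_in_sla" if closed <= due else "closed_late"
    return "open_in_sla" if as_of <= due else "open_overdue"


def overdue(findings: List[dict], as_of: date) -> List[str]:
    """Finding ids that are open and past their due date on the given day."""
    return [f["id"] for f in findings if sla_status(f, as_of) == "open_overdue"]


def monthly_summary(findings: List[dict], as_of: date) -> Dict[str, int]:
    """Counts per status; the closed_late and open_overdue buckets are the exceptions to explain."""
    summary: Dict[str, int] = {}
    for f in findings:
        status = sla_status(f, as_of)
        summary[status] = summary.get(status, 0) + 1
    return summary


if __name__ == "__main__":
    report_day = date(2024, 3, 25)
    print("overdue:", overdue(SAMPLE_FINDINGS, report_day))
    print("summary:", monthly_summary(SAMPLE_FINDINGS, report_day))
```

Note that a finding closed after its due date stays a `closed_late` exception even once it is fixed; the monthly report should carry the explanation for it rather than let it disappear into the closed count.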
Incident response documentation
We wrote the incident response plan, ran a tabletop exercise, and documented two real incidents from the prior year as evidence. The plan defined severity levels, escalation paths, communication templates, and post-mortem requirements.
Key Takeaways
- SOC 2 Type II is primarily a process discipline problem, not a technology problem - most modern SaaS stacks already have the right tools
- Starting the observation window early is the most impactful scheduling decision - delays there push the certification date directly
- Branch protection and deployment approvals are the easiest controls to implement and among the most valued by auditors
- Quarterly access reviews are non-negotiable for Type II - build the process from day one of the observation period
Facing Similar Challenges?
Book a free 30-minute audit and I will tell you what I see.