Is it realistic for one security person to lead SOC 2 readiness at a 60 person company?
We’re a small company of about 60 people with a 3 person IT team. I’m currently the only dedicated security person.
Most of our technical IT/security operations are handled by a third-party MSP, while I’m leading the internal effort to get us ready for SOC 2. We recently started using Drata to help manage evidence, controls, and compliance tracking.
For those who have gone through SOC 2 in a similar setup: is it realistic for one internal security person to lead the SOC 2 readiness process, assuming the MSP handles most technical implementation? Or would you strongly recommend hiring a SOC 2 consultant to help with readiness before engaging an auditor?
I’d appreciate hearing from anyone who has done this in a small-company environment. What worked, what didn’t, and what would you do differently?
small note, we are not urgently looking to get certified but as soon as better.