
Building a compliance program without hiring a compliance person

The full menu of what a compliance hire would do, what a software platform actually does, and what the gap looks like in practice. With three operating models that get you to a passed audit without staffing a Head of GRC.

HSD Engineering · 10 min · Compliance, Hiring, Operating model

Around the time a Series A SaaS gets its first SOC 2 ask, founders start drafting a Head of GRC job description. Then the cost calculator opens: a Head of GRC fully loaded runs 200,000 to 350,000 USD a year, with a six-month time-to-productivity. Suddenly the question becomes whether the role is necessary at this stage at all.

For most companies below roughly 100 to 200 employees, it is not. The work is real, but the volume does not justify a dedicated hire. Three operating models close the gap. Here is the menu, with the trade-offs.

What a compliance hire actually does

A Head of GRC, depending on company stage, spends time across:

  • Policy authorship and updates. Information security policy, acceptable use, data retention, vendor management, incident response, change management, and a dozen others. Most need annual review even when nothing material changes.
  • Customer security reviews. Filling in vendor security questionnaires (often hundreds of questions per enterprise customer), uploading evidence, attending follow-up calls.
  • Vendor risk assessments. Reviewing every new SaaS the company adopts; maintaining a current list of subprocessors with due diligence records.
  • Internal audit coordination. For ISO 27001, a required annual internal audit; for SOC 2, evidence collection and walkthrough scheduling.
  • Training program management. Onboarding training, annual refreshers, phishing simulations, role-specific training tracking.
  • Regulatory horizon scanning. Watching for changes in SOC 2 criteria, ISO updates, GDPR enforcement trends, HIPAA OCR settlements, PCI v4.x clarifications.
  • Exception management. When a control cannot be applied as designed, documenting the exception, the compensating control, and the review schedule.
  • Audit preparation. Two to four weeks of intense activity before each audit; lighter activity continuously.

Roughly 60 percent of this work is people-driven (questionnaires, audits, training, vendor reviews); 40 percent is documentation that does not need expert authorship every time. A software platform automates parts of the second category. The first category does not automate.

Operating model 1: Software plus internal engineering hours

How it works: subscribe to Vanta, Drata, Secureframe, Sprinto, or Scrut. The platform handles continuous monitoring, evidence collection, and policy templates. An existing engineer, usually a senior backend or DevOps engineer, owns compliance as a 20 percent allocation. Customer security reviews go to whoever is closest to the deal, typically engineering management or the founder.

Cost: 8,000 to 25,000 USD per year for the platform; 33,000 to 70,000 USD of opportunity cost on the engineering side (20 percent of one engineer's loaded cost). Total: 41,000 to 95,000 USD.

Trade-offs: cheapest line-item cost. Highest engineering opportunity cost; the engineer is doing compliance work instead of shipping product. Customer security reviews can blow up time during sales cycles. Works for one framework; gets harder when adding ISO 27001 alongside SOC 2.

Best fit: pre-revenue or revenue-light teams where engineering capacity is not the binding constraint, and there is one framework to handle.

Operating model 2: Software plus a separate consultant

How it works: subscribe to a software platform, and engage a consulting firm for remediation, policy authorship, and audit preparation. The consultant handles the heavy lift; the platform tracks evidence; engineers approve technical changes the consultant prescribes.

Cost: 8,000 to 25,000 USD platform; 30,000 to 80,000 USD per framework consultant; 12,000 to 35,000 USD audit. Total first year: 50,000 to 140,000 USD per framework.

Trade-offs: lowest engineering opportunity cost. Consultant scope creep is the predictable surprise; hourly billing on novel work tends to overrun. Two procurement cycles. Consultant relationship is transactional; turnover between engagements is normal.

Best fit: companies that already have a consulting partner they trust, or that want best-in-class software ergonomics and are willing to assemble the operational layer themselves.

Operating model 3: Compliance as a service

How it works: one vendor delivers the platform, the engineers, the auditor coordination, and the penetration testing in a single fixed-scope engagement. No separate procurement for software and remediation; no consultant scope creep; no engineering allocation pulled off product.

Cost: scoped per program; lands roughly in the same total range as the software-plus-consultant model. The structural difference is one bill, one team, one accountable party.

Trade-offs: less flexibility to mix and match (you do not get to pick a different consultant if you dislike the relationship). Newer category; smaller review footprints than established software vendors. Single-vendor accountability is intentional but means more concentrated dependency.

Best fit: companies that do not want to staff compliance work and prefer one team accountable end to end. This is the lane HSD operates in.

The fractional alternative

A fractional CISO or fractional GRC lead at one or two days a week, paired with one of the three operating models, can fill the gap below the threshold for a full-time hire. Typical engagement: 4,000 to 12,000 USD per month for one to two days a week.

Where fractional helps: customer security reviews (high-touch, high-context, hard to automate), policy authorship for novel processing, training program design, and the week-of intensity of audit preparation. Less helpful for: continuous monitoring, evidence collection, technical remediation. Pair with software or a service.

When the full-time hire makes sense

Around 100 to 200 employees, with multiple frameworks active and an enterprise customer base that triggers continuous customer security reviews, the math flips. A dedicated person earns back their loaded cost in:

  • Faster customer security review turnarounds (sales acceleration).
  • Lower consultant fees (in-house owns more of the work).
  • Better posture (consistent program ownership reduces audit findings).
  • Strategic capacity (regulatory horizon scanning, framework expansion planning).

Below that headcount, the work is too sporadic to justify a full-time role, and the operating models above are more efficient.

The honest summary

For most companies under 100 employees with one or two compliance frameworks active, hiring a Head of GRC is premature. Pick one of the three operating models based on your engineering capacity and risk tolerance, optionally pair with a fractional senior advisor for the high-touch work, and revisit the hiring decision when you cross the threshold.

Want a thirty-minute call to figure out which model fits your situation? Book one with HSD.
