Weeks 1–2: Scoping and Trust Services Criteria
Pick your TSCs deliberately. Security is mandatory; the others (Availability, Confidentiality, Processing Integrity, Privacy) are optional — and each one you add multiplies evidence work.
Weeks 3–8: Evidence Automation
The teams that finish on time automate evidence collection from day one — access reviews, vulnerability scans, change tickets, and onboarding/offboarding. Don't wait until the auditor's request list arrives.