
How to run a SOC 2 readiness assessment that actually works

A SOC 2 readiness assessment is cheaper than remediation. How to scope it, build the gap list, run an evidence library, and pick Type I vs Type II.

Most founders discover SOC 2 readiness the wrong way: three months into an observation window, when the auditor asks for a quarter of access-review evidence that nobody was keeping.

A readiness assessment is the boring, useful work that happens before the observation window opens. Done well, it turns a SOC 2 from a scramble into a calendar. Done badly, or skipped entirely, it turns a SOC 2 into a remediation bill.

What a SOC 2 readiness assessment is

A SOC 2 readiness assessment is a structured pre-audit pass that scopes the systems, maps your controls against the Trust Services Criteria, lists the gaps, and sets a remediation plan. It produces a gap report, an evidence library skeleton, and a date on which you can realistically open the observation window. If you are new to the report itself, start with our primer on what a SOC 2 is and the full compliance requirements that readiness will pressure-test. The examination itself is governed by the AICPA's Statement on Standards for Attestation Engagements No. 18 (SSAE 18); a readiness assessment explicitly produces no opinion under that standard.

It is not a practice audit. It is not an opinion. It is a plan.

Why readiness is cheaper than audit remediation

The math is simple. During a Type II observation window the auditor is watching for 12 months of operating evidence. If you find a missing control in month one, you fix it, the clock runs, and the control tests clean. If you find the same missing control in month ten, you have two choices: extend the window by another full quarter, or accept the exception in the report.

A readiness pass costs roughly 15 to 25 percent of a full audit and typically runs four to eight weeks. A three-month window extension, by contrast, adds auditor fees, pushes your sales enablement date out, and gives your buyers a later report to read. The cheapest bug is the one you catch before the window opens.

Every gap you find in readiness is a control you get to design. Every gap you find in fieldwork is an exception you get to explain.

Step 1: scope the engagement

Before anyone opens a control matrix, write down three things.

Systems in scope. Not your whole company. The product, its production environment, the supporting infrastructure, the corporate systems that touch customer data (identity provider, ticketing, code repository), and nothing else. Founders routinely over-scope here, and an over-scoped SOC 2 is an expensive SOC 2.

Trust Services Criteria in scope. Security is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are additive, and each one brings real evidence burden. Pick them based on the commitments in your customer contracts, not based on what sounds comprehensive. Our walkthrough of the TSCs covers the decision in detail.

Observation window target. A Type I is a point in time. A Type II needs a window, typically 6 to 12 months. Your readiness pass should end at least two weeks before the window opens, so remediation items have time to close.

If you cannot answer these three questions in a paragraph, you are not ready to start readiness.

Step 2: gap analysis against the chosen TSCs

With scope settled, walk every applicable criterion against what actually happens in your company today. A usable gap list has four columns: the criterion, the expected control, what you do today, and the delta.

The deltas fall into three buckets, and it helps to tag them that way from the start:

  • Missing. The control does not exist. Example: no formal access review process.
  • Undocumented. The control exists in practice but there is no policy, no runbook, no ticket history. Your auditor cannot test what you cannot show.
  • Inconsistent. The control exists and is documented, but it fires when someone remembers. Auditors sample. Inconsistent controls fail sampling.

Resist the temptation to list 200 findings. A clean gap list for a growth-stage SaaS company is usually 25 to 60 items. If your list is longer, you are probably confusing missing controls with missing evidence, and the remediation plan will drown.

Step 3: build the evidence library in one place, mapped to controls

This is the step that separates a smooth audit from a miserable one.

An evidence library is a single location (a folder, a GRC tool, a wiki) where every piece of evidence the auditor will want lives, organized by control, with an owner and a cadence. For each control you should be able to answer, in under a minute: who owns this, where does the evidence live, how often does it get refreshed, and what does a clean sample look like.

The non-negotiables:

  • One owner per control. A team is not an owner. A person is. If the owner leaves, reassign before they walk out.
  • A sample of acceptable evidence. A screenshot of last quarter's access review beats a 12-page policy document every time. Auditors sample artifacts, not intentions.
  • A refresh cadence written into the library. Quarterly access reviews, monthly vulnerability scans, annual policy reviews. If the cadence is not scheduled, it will not happen.
  • No duplicate evidence stores. If the same access review lives in three places, at least two of them are stale. Pick one home per control.

Your future self, mid-fieldwork, will thank your present self for this step more than any other.
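As an added illustration (not the post's own tooling), here is a small Python check over a constructed evidence library that answers the four per-control questions above and tags each control with the gap buckets from Step 2 (Missing, Undocumented, Inconsistent) plus the Step 3 non-negotiables (named owner, single evidence store). Control names, owners, dates and the cadence tolerances are assumptions made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Tolerance per cadence in days (assumed values, slightly over the nominal period).
CADENCE_DAYS = {"monthly": 31, "quarterly": 92, "annual": 366}

@dataclass
class Control:
    name: str
    owner: Optional[str]   # a named person; a team name is not an owner
    cadence: str           # key into CADENCE_DAYS
    documented: bool       # policy or runbook exists
    artifacts: list = field(default_factory=list)  # dates of evidence samples
    stores: int = 1        # number of places the evidence lives

def classify(c: Control, today: date) -> list:
    """Readiness findings for one control; an empty list means it samples clean."""
    findings = []
    limit = timedelta(days=CADENCE_DAYS[c.cadence])
    if not c.artifacts:
        findings.append("Missing: no evidence the control has ever run")
    else:
        if not c.documented:
            findings.append("Undocumented: evidence exists but no policy or runbook")
        dated = sorted(c.artifacts)
        # Auditors sample the whole window: every gap between consecutive
        # artifacts counts, including the gap from the newest one to today.
        gaps = [b - a for a, b in zip(dated, dated[1:])] + [today - dated[-1]]
        if any(g > limit for g in gaps):
            findings.append(f"Inconsistent: gap exceeds {c.cadence} cadence")
    # Crude heuristic: an owner string ending in "team" is a team, not a person.
    if not c.owner or c.owner.lower().endswith(" team"):
        findings.append("No named owner")
    if c.stores > 1:
        findings.append(f"Duplicate evidence stores ({c.stores})")
    return findings

def readiness_report(controls, today):
    return {c.name: classify(c, today) for c in controls}

# Constructed sample library, checked on 2024-06-01.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_LIBRARY = [
    Control("Quarterly access review", "a.lopez", "quarterly", True,
            [date(2023, 10, 10), date(2024, 1, 5), date(2024, 3, 29)]),
    Control("Monthly vulnerability scan", "security team", "monthly", True,
            [date(2024, 1, 5), date(2024, 2, 3), date(2024, 5, 20)], stores=3),
    Control("Annual policy review", "j.park", "annual", False, [date(2023, 9, 1)]),
    Control("Vendor risk inventory", None, "annual", False),
]
```

Running `readiness_report(SAMPLE_LIBRARY, SAMPLE_TODAY)` gives one clean control and three with findings; the quarterly gap check is what catches the "artifact is eleven months old" failure described under Common readiness mistakes.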

Step 4: remediation windows, 2-week fixes vs 2-quarter fixes

Every finding has a realistic remediation timeline. The readiness consultant's job is to tell you the truth about which is which.

Two-week fixes. Write the missing policy. Turn on MFA for the three services that lost it in a migration. Wire logging to a retention-enabled bucket. Document the change management process you already follow. These are paperwork and configuration, and a competent team closes them before the next sprint review.

Two-month fixes. Roll out an access review process and run the first cycle. Implement formal vendor management with a risk-rated inventory. Build a vulnerability management workflow with SLAs. These take a quarter because they require people to change behavior, not just config.

Two-quarter fixes. Re-architect an environment that mixes production and corporate identity. Replace a homegrown deployment pipeline that does not support separation of duties. Stand up an incident response program with on-call rotations and post-incident reviews. These are projects, not tickets, and they decide when your observation window can open.

A readiness plan that treats every finding as a two-week fix is a readiness plan that is about to slip. Be honest up front and the window dates will hold.

Step 5: pick the Type I vs Type II moment

Readiness ends with a decision. With the gap list closed, do you open a Type I now or a Type II window?

A Type I is a design opinion at a point in time. It is useful when a first enterprise deal is gating on "do you have a SOC 2," you need something defensible in a quarter, and your buyer will accept a design report while the Type II runs.

A Type II is a design-and-operating-effectiveness opinion over a window. It is the report most enterprise buyers actually want. If your sales cycle can wait six to twelve months and your controls have been running consistently through readiness, skip the Type I and go straight to a Type II.

The trap to avoid: committing to a Type II window before remediation items with two-quarter timelines have actually closed. The window will open, the controls will not be operating, and the report will read the way the controls ran. A one-quarter Type I bridge while you finish building, followed by a Type II, beats a botched first Type II every time.

Once you issue, the cadence continues. A bridge letter covers the gap between your Type II report date and your next observation window, and the audit process itself is a separate conversation.

Common readiness mistakes

Four patterns we see repeatedly on engagements that come to us late.

Scoping too broadly. Including the marketing website, the blog, the sales CRM, the HR platform, every internal tool. None of this is what your buyer is asking about. Scope is the first knob to turn, and tighter almost always wins. The same buyer-driven logic sits behind our piece on what a SOC 2 actually tells your buyer.

No evidence owner. A gap list without named owners is a wish list. The pattern is familiar: the control gets "implemented," nobody owns refreshing it, fieldwork hits, the most recent artifact is eleven months old, and the sample fails.

Consultants who also sell the audit. The AICPA independence rules prohibit the same CPA firm from performing readiness consulting and the SOC 2 audit on the same engagement. The AICPA's own SOC for Service Organizations toolkit and its SOC 2 resource hub are the primary sources here; any firm that offers both readiness and the opinion on the same engagement is either misunderstanding independence or ignoring it, and either answer should worry you. That independence constraint is also why the Type I vs Type II decision almost always emerges from readiness rather than from your auditor. SecurancePro will do your readiness or your audit on a given engagement, not both. If you want our audit opinion, we will help you find a readiness partner. If you want our readiness work, we will help you find an auditor. Keeping the two roles in separate firms is how the opinion keeps its value.

Treating readiness as a one-time project. The evidence library, access reviews, vendor inventory, and vulnerability cadence outlive the readiness engagement. If those processes stop the day readiness ends, the observation window will find out. Our engagement process is built around readiness that keeps running.

A good readiness pass is undramatic. Eight weeks, a tight gap list, owners named, a calendar for the next six months, and a date the observation window opens. Do it once, well, and the audit becomes bookkeeping.


If you are scoping a first SOC 2 and want a readiness pass that ends with a real date instead of a second slideshow, get in touch and we will tell you what four to eight weeks of focused work looks like for your stack.
