SOC 2 Audit Readiness Assessment: How to Know You're Ready
Starting a SOC 2 audit before you're ready is one of the most expensive mistakes a company can make. Audit fees are paid regardless of outcome, and if the auditor finds significant gaps — missing policies, unimplemented controls, no evidence of monitoring — you'll either receive a qualified opinion that undermines customer trust or need to pause the audit, fix the issues, and restart with a new observation period. Either way, you've wasted time and money.
A SOC 2 readiness assessment prevents this by systematically evaluating your controls against audit requirements before you engage an auditor. Think of it as a practice exam: it reveals what you know, what you don't, and where you need to focus your remaining preparation time. Companies that conduct a thorough readiness assessment before their audit consistently have smoother engagements, fewer findings, and faster time to report delivery.
This guide covers how to conduct a readiness assessment, whether internally or with professional help. You'll learn the self-assessment methodology, how to run a gap analysis across each control area, the go/no-go decision factors that determine whether you're truly ready, and when it makes sense to bring in your auditor for a formal pre-assessment.
What a SOC 2 Readiness Assessment Covers
A readiness assessment evaluates your organization against the same criteria your auditor will use during the actual SOC 2 audit. For the Security criterion (CC series), that means examining controls across governance, risk management, access control, change management, operations, monitoring, and vendor management. If your scope includes Availability, Confidentiality, Processing Integrity, or Privacy, those criteria are assessed too.
The assessment answers three questions for each control area: Do you have a documented policy or procedure? Are you actually following that policy in practice? Can you produce evidence that demonstrates the control is operating effectively?
All three questions must be answered "yes" for a control to pass. A policy without implementation is just a document. Implementation without documentation is invisible to an auditor. And both are useless without evidence to prove they're working. The readiness assessment identifies which controls are fully ready, which need work, and how much work remains.
Self-Assessment vs. Professional Pre-Assessment
There are two approaches to readiness assessment, and they serve different purposes.
A self-assessment is conducted internally by your compliance or security team. It's lower cost (free, aside from the time investment), can be started immediately, and gives you full control over the process. The limitation is that internal teams sometimes have blind spots — they may not know what auditors specifically look for or may overestimate their readiness in areas where they're too close to the work.
A professional pre-assessment is conducted by your audit firm or a separate consulting firm. The auditor applies the same evaluation methodology they'll use during the real audit, but in an advisory capacity rather than an attestation engagement. Pre-assessments cost money — typically $5,000-$15,000 depending on scope and complexity — but they provide an objective, experienced evaluation. We'll cover when a professional pre-assessment is worth the investment later in this guide.
For most companies, the best approach is to start with a self-assessment, remediate the obvious gaps, and then decide whether a professional pre-assessment is needed before committing to the full audit. This sequence minimizes consulting costs while ensuring you benefit from external perspective where it matters.
Running Your Self-Assessment: Methodology
A structured self-assessment follows a consistent evaluation framework across every control area. For each control, you'll evaluate documentation, implementation, evidence, and operating effectiveness.
Step 1: Inventory Your Scope
Before assessing controls, confirm your audit scope. Which Trust Service Criteria will be included? Which systems are in scope? Which teams support those systems? Scope decisions drive which controls are relevant.
For most SaaS companies, the scope includes the production environment (application, databases, infrastructure), supporting systems (CI/CD, monitoring, identity provider), and the teams that manage them (engineering, DevOps, IT, security). Back-office systems like accounting software or marketing tools are typically out of scope unless they process customer data.
Document your scope clearly. During the actual audit, the auditor will verify that the scope described in your system description matches reality. Understanding your scope now prevents surprises later.
Step 2: Map Controls to Criteria
For each Trust Service Criterion in your scope, identify the controls your organization has (or should have) in place. The AICPA provides Points of Focus for each criterion that describe what controls should address, but they don't prescribe specific implementations.
A practical approach is to start with the common control areas and map them to criteria:
| Control Area | Relevant Criteria | Key Controls |
|---|---|---|
| Governance | CC1.1-CC1.5 | Security policy, organizational structure, board oversight, code of conduct |
| Risk Management | CC3.1-CC3.4 | Risk assessment, risk register, risk treatment, monitoring |
| Access Control | CC6.1-CC6.3 | MFA, RBAC, provisioning/deprovisioning, access reviews |
| Change Management | CC8.1 | Change process, testing, approval, deployment controls |
| Operations | CC7.1-CC7.5 | Monitoring, incident response, vulnerability management |
| Logical/Physical Security | CC6.4-CC6.8 | Network security, encryption, endpoint protection |
| Vendor Management | CC9.2 | Vendor inventory, security assessments, ongoing monitoring |
| Availability (if in scope) | A1.1-A1.3 | Uptime monitoring, backup, disaster recovery, capacity planning |
Step 3: Assess Each Control
For each control, evaluate four dimensions:
Documentation: Does a written policy or procedure exist that describes this control? Is it current (reviewed within the last year)? Does it describe what the organization actually does, not what it aspires to do? Is it approved by appropriate management?
Implementation: Is the control actually operating as the policy describes? Are the tools and configurations in place? Do team members know about the control and follow the documented procedure?
Evidence: Can you produce artifacts that demonstrate the control is working? Screenshots, logs, reports, tickets, and meeting minutes all count as evidence. The evidence must be timestamped and cover the audit period.
Operating effectiveness: Has the control been operating consistently over the anticipated audit period? A control implemented last week doesn't demonstrate operating effectiveness over a 6-month observation period. For a Type II audit, your auditor needs to see controls operating consistently throughout the entire audit period.
Rate each control using a simple scoring system. "Ready" means all four dimensions are satisfied. "Partially ready" means some dimensions are satisfied but gaps remain. "Not ready" means significant work is needed. This scoring creates a clear picture of your overall readiness and highlights where to focus remediation efforts.
Gap Analysis by Control Area
Let's walk through each major control area and identify the most common gaps companies discover during readiness assessments. Knowing where others stumble helps you focus your own assessment.
Governance and Organizational Controls
The most common governance gap is missing or outdated policies. SOC 2 expects a comprehensive set of security policies covering information security, access control, change management, incident response, data classification, acceptable use, vendor management, and business continuity. If policies are missing, outdated, or don't reflect actual practice, that's a gap.
Another common gap is lack of documented management oversight. Your auditor will look for evidence that management reviews security metrics, risk assessments, and compliance status regularly. If security governance exists only informally — the CTO "keeps an eye on things" without documented reviews — that's insufficient.
Assess whether your policies exist, are current, and are approved. Verify that management reviews happen and are documented. If you're starting from scratch on policies, our Policy Bundle at $199.95 provides templates for every policy your auditor expects, saving weeks of drafting time.
Access Control Gaps
Access control is the most common area for audit findings, so assess it carefully. The typical gaps include systems without MFA enabled, no documented provisioning or deprovisioning process, no evidence of quarterly access reviews, users with excessive permissions (violation of least privilege), and former employees or contractors with active accounts.
For each in-scope system, verify that MFA is enforced, that you have a list of all users and their roles, and that you can demonstrate when and how each user's access was approved. Pull a list of employees who left during the past year and cross-reference it against active accounts in every system. Any overlap is a gap that must be remediated before the audit.
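The departure cross-check described above, as an added example that is not part of the original guide: it joins an HR departure list against per-system account exports and reports any account still active after the person left, any disable that cannot be timestamped, and any disable that missed the 24-hour deprovisioning window from the checklist later in this guide (treated here as an assumed policy threshold). The sample data is constructed.

```python
"""Reconcile HR departures against active accounts in each in-scope system."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed policy threshold: deprovisioning must complete within 24 hours of departure.
DEPROVISION_SLA = timedelta(hours=24)


@dataclass(frozen=True)
class Departure:
    email: str
    left_at: datetime  # HR-recorded departure time


@dataclass(frozen=True)
class Account:
    system: str
    email: str
    active: bool
    disabled_at: Optional[datetime] = None  # None when still active or not recorded


@dataclass(frozen=True)
class Finding:
    system: str
    email: str
    issue: str  # active_after_departure | no_disable_timestamp | late_deprovision


def reconcile(departures: Iterable[Departure], accounts: Iterable[Account]) -> List[Finding]:
    """Return one finding per departed user whose account evidence is deficient."""
    by_email = {d.email.lower(): d for d in departures}
    findings: List[Finding] = []
    for acct in accounts:
        dep = by_email.get(acct.email.lower())
        if dep is None:
            continue  # current staff are out of scope for this check
        if acct.active:
            findings.append(Finding(acct.system, acct.email, "active_after_departure"))
        elif acct.disabled_at is None:
            # Disabled, but nothing proves when: cannot evidence the SLA to an auditor.
            findings.append(Finding(acct.system, acct.email, "no_disable_timestamp"))
        elif acct.disabled_at - dep.left_at > DEPROVISION_SLA:
            findings.append(Finding(acct.system, acct.email, "late_deprovision"))
    return sorted(findings, key=lambda f: (f.system, f.email))


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings by issue type for the readiness scorecard."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


# Constructed sample data: two leavers (alice, bob) and one current employee (carol).
DEPARTURES = [
    Departure("alice@example.com", datetime(2024, 3, 1, 17, 0)),
    Departure("bob@example.com", datetime(2024, 5, 15, 12, 0)),
]
ACCOUNTS = [
    Account("idp", "alice@example.com", False, datetime(2024, 3, 1, 18, 0)),  # on time
    Account("github", "Alice@example.com", True),                            # still active
    Account("aws", "bob@example.com", False, datetime(2024, 5, 18, 9, 0)),    # 3 days late
    Account("github", "bob@example.com", False, None),                       # no timestamp
    Account("idp", "carol@example.com", True),                               # current staff
]

if __name__ == "__main__":
    for f in reconcile(DEPARTURES, ACCOUNTS):
        print(f"{f.system:8} {f.email:20} {f.issue}")
    print(summarize(reconcile(DEPARTURES, ACCOUNTS)))
```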
The access control assessment alone often reveals enough work to fill several weeks of remediation. Our detailed guide on SOC 2 preparation within 90 days provides a phased approach to tackling these gaps efficiently.
Change Management Gaps
Change management gaps typically involve informal processes that work in practice but lack documentation. The development team might have a solid code review and deployment process, but without documented approval records, the auditor can't verify it.
Assess whether every production deployment during the anticipated audit period has a corresponding change record with approval, testing evidence, and a description of what changed. Check for emergency changes that bypassed the standard process — these are acceptable if documented with after-the-fact review, but problematic if they're completely undocumented.
Review your CI/CD pipeline configuration. Does it enforce the controls described in your change management policy? For example, if your policy requires peer code review before deployment, does your pipeline actually block merges without an approved review? If not, there's a gap between policy and implementation.
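The deployment-to-change-record check from the two paragraphs above, as an added example that is not from the original guide: given the pipeline's deployment log and the change tickets, it flags deployments with no change record, standard changes approved only after they shipped, emergency changes with no after-the-fact review, and changes lacking testing evidence. Field names and the sample data are constructed.

```python
"""Verify every production deployment in the audit period has a compliant change record."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Deployment:
    deploy_id: str
    deployed_at: datetime
    change_id: Optional[str]  # ticket/PR reference the pipeline recorded, if any


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    approved_at: Optional[datetime]     # None = no approval recorded
    tested: bool                        # testing evidence attached to the record
    emergency: bool                     # went through the emergency path
    post_review_at: Optional[datetime]  # after-the-fact review for emergency changes


def audit_changes(deployments: Iterable[Deployment],
                  records: Iterable[ChangeRecord]) -> Dict[str, List[str]]:
    """Map each non-compliant deployment id to the list of gaps found for it."""
    by_id = {r.change_id: r for r in records}
    gaps: Dict[str, List[str]] = {}
    for d in deployments:
        issues: List[str] = []
        rec = by_id.get(d.change_id) if d.change_id else None
        if rec is None:
            issues.append("no_change_record")
        else:
            if rec.emergency:
                # Acceptable only if a review happened after the deployment.
                if rec.post_review_at is None or rec.post_review_at < d.deployed_at:
                    issues.append("emergency_without_post_review")
            elif rec.approved_at is None or rec.approved_at > d.deployed_at:
                # Standard path: approval must exist and precede the deployment.
                issues.append("deployed_before_approval")
            if not rec.tested:
                issues.append("no_testing_evidence")
        if issues:
            gaps[d.deploy_id] = issues
    return gaps


# Constructed sample: four deployments, three change records.
RECORDS = [
    ChangeRecord("CHG-1", datetime(2024, 4, 2, 9, 0), True, False, None),
    ChangeRecord("CHG-2", datetime(2024, 4, 10, 15, 0), True, False, None),   # approved late
    ChangeRecord("CHG-4", None, False, True, None),                            # emergency, unreviewed
]
DEPLOYMENTS = [
    Deployment("d1", datetime(2024, 4, 2, 10, 0), "CHG-1"),
    Deployment("d2", datetime(2024, 4, 10, 14, 0), "CHG-2"),
    Deployment("d3", datetime(2024, 4, 20, 11, 0), None),
    Deployment("d4", datetime(2024, 4, 25, 2, 0), "CHG-4"),
]

if __name__ == "__main__":
    for deploy_id, issues in audit_changes(DEPLOYMENTS, RECORDS).items():
        print(deploy_id, ", ".join(issues))
```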
Monitoring and Incident Response Gaps
Auditors expect to see that you're monitoring your systems for security events and responding to incidents in a structured way. Common gaps include no centralized logging (logs exist but aren't aggregated or searchable), alerting that's too noisy (so many false positives that real alerts get ignored) or too sparse (critical events don't generate alerts), no documented incident response plan, and no evidence of incident response activity during the audit period.
That last point deserves attention. If your assessment reveals zero security incidents during the audit period, the auditor will question whether your monitoring is actually detecting events. Every organization has incidents — unusual login attempts, minor misconfigurations, failed backup jobs. If none are documented, it suggests monitoring gaps rather than perfect security. Review your logs and document the security events that occurred, even if they were minor and quickly resolved.
Vendor Management Gaps
Vendor management is often one of the least mature control areas in growing companies. Common gaps include no vendor inventory, no documented security assessments for critical vendors, no process for reviewing vendor security on an ongoing basis, and missing contracts or data processing agreements.
Start by listing every vendor that accesses, stores, or processes your data (or your customers' data). Categorize them by risk tier. For critical and high-risk vendors, verify that you have their SOC 2 report, ISO 27001 certificate, or completed security questionnaire on file. For more on building this program, review our guide on SOC 2 vendor management.
Backup and Disaster Recovery Gaps
If Availability is in your audit scope, backup and DR gaps are common. The most frequent issues include backups that run but have never been tested with a restore, no documented disaster recovery plan, no evidence of DR testing, and RPO/RTO not defined or not achievable based on current architecture.
Test a backup restore before the audit — don't let your auditor be the first person to discover that your restores don't work. Document the test results, including how long the restore took and whether the data was complete and intact.
The Go/No-Go Decision: Are You Ready?
After completing your gap analysis, you need to make a decision: are you ready to proceed with the audit, or do you need more time to remediate gaps?
Go Criteria
You're likely ready for the audit if:

- your core policies are documented, approved, and reflect actual practice;
- MFA is enabled on all in-scope systems;
- you have evidence of access reviews, change management, and monitoring for the audit period;
- your team can walk through each control area and explain how it works;
- you've addressed common audit findings proactively;
- your backup and DR procedures have been tested;
- critical vendors have been assessed; and
- any remaining gaps are minor and can be remediated before fieldwork begins.
No company enters an audit with zero gaps. The question isn't whether you're perfect — it's whether your controls are fundamentally sound and operating consistently enough to receive an unqualified opinion.
No-Go Criteria
Consider delaying the audit if:

- major policies don't exist or don't match practice;
- controls have been operating for less than the planned observation period (for Type II);
- MFA isn't enforced on critical systems;
- no access reviews have been conducted;
- you don't have an incident response plan or DR plan;
- your monitoring is minimal or non-existent; or
- you've identified more than 5-10 significant gaps that would likely result in exceptions.
Delaying the audit to fix fundamental issues is almost always the right call. The cost of delay — a few months of preparation time — is far less than the cost of a qualified audit opinion or, worse, a failed audit that requires a complete restart.
Partial Readiness: The Type I Bridge
If your controls are well-designed but haven't been operating long enough for a Type II audit (which requires a minimum 3-6 month observation period), consider starting with a Type I audit. A Type I evaluates your controls at a specific point in time — are they properly designed and implemented? — without requiring an observation period.
A Type I report gives your customers and prospects a credible compliance artifact while your controls build the operating history needed for Type II. Many companies follow a Type I-then-Type II progression, with the Type I completed 6-9 months before the Type II audit begins. This approach lets you demonstrate compliance momentum without rushing into a Type II audit you're not ready for.
When to Engage an Auditor for Pre-Assessment
A professional pre-assessment adds cost but provides an experienced, objective evaluation of your readiness. Consider investing in one if:

- this is your first SOC 2 audit and you're uncertain about your readiness despite completing a self-assessment;
- your self-assessment revealed significant gaps and you want expert guidance on prioritizing remediation;
- your organization has complex architecture or unusual control implementations that you're unsure an auditor will accept; or
- you've previously received a qualified opinion and want to ensure issues are fully resolved before the next audit.
What a Pre-Assessment Looks Like
A pre-assessment typically takes 1-3 weeks and involves the auditor reviewing your policies and procedures, conducting abbreviated walkthroughs of key control areas, examining sample evidence, and providing a detailed report of findings with remediation recommendations.
The deliverable is a gap report — a list of issues organized by severity, with specific guidance on what needs to change before the full audit. This report becomes your remediation roadmap.
Choosing the Right Timing
Schedule the pre-assessment early enough to allow time for remediation — typically 3-6 months before the planned audit start date. If the pre-assessment reveals significant gaps, you need months, not weeks, to implement new controls and build the operating history required for a Type II audit.
Some companies use the same audit firm for pre-assessment and the full audit. This is common and acceptable, but understand the limitation: the pre-assessment must be purely advisory. The audit firm cannot implement controls for you (that would compromise their independence for the subsequent audit). They can tell you what's missing and recommend approaches, but the implementation work is yours.
Our guide on how to choose a SOC 2 auditor covers the evaluation criteria for selecting an audit firm, including whether they offer pre-assessment services and how they price them.
Building Your Readiness Assessment Checklist
A structured checklist keeps the assessment organized and ensures nothing is missed. Here's a framework organized by control area that you can adapt to your specific scope.
Governance Readiness
Verify that all required policies exist and are current. Confirm that policies are approved by management and communicated to employees. Check that security responsibilities are defined and assigned. Verify that management reviews security metrics and compliance status with documented evidence. Confirm that a code of conduct exists and employees have acknowledged it.
Risk Management Readiness
Verify that a risk assessment has been conducted within the past year. Confirm that risks are documented in a risk register with severity ratings and treatment plans. Check that risk treatment actions have been implemented and documented. Verify that new risks from system changes or incidents have been added to the register.
Access Control Readiness
Verify MFA is enforced on all in-scope systems. Confirm that a role matrix defines permissions for each role. Check that provisioning records with approvals exist for all users added during the audit period. Verify that deprovisioning was completed within 24 hours for all departures during the audit period. Confirm that quarterly access reviews were conducted and documented. Check that privileged access is limited and justified.
Change Management Readiness
Verify that a change management policy exists and describes the actual process. Confirm that change records with approvals exist for all production deployments during the audit period. Check that emergency changes were documented with after-the-fact review. Verify that code review evidence exists for changes during the audit period.
Operations and Monitoring Readiness
Verify that centralized logging is configured for all in-scope systems. Confirm that alerting is configured for security-relevant events. Check that an incident response plan exists and has been tested or exercised. Verify that incidents during the audit period were documented and resolved. Confirm that vulnerability scans and/or penetration tests have been conducted.
Vendor Management Readiness
Verify that a vendor inventory exists with risk tiers assigned. Confirm that critical vendors have been assessed (SOC 2 reports reviewed, security questionnaires completed). Check that vendor contracts include security requirements. Verify that annual vendor reviews are scheduled or completed.
Availability Readiness (If in Scope)
Verify that RPO and RTO are defined and documented. Confirm that backup configurations meet RPO requirements. Check that backup monitoring is in place with alerts for failures. Verify that a disaster recovery plan exists and is current. Confirm that DR testing has been conducted within the past year with documented results.
From Assessment to Audit: Closing the Gaps
The readiness assessment is only valuable if you act on its findings. Prioritize remediation on two axes: severity (items that would likely result in audit findings should be addressed first) and feasibility (items that can be fixed quickly should be knocked out immediately to build momentum).
For most companies, the highest-priority remediation items are enabling MFA on any systems where it's missing, conducting an access review if none has been done, testing a backup restore if none has been tested, writing any missing policies (or updating stale ones), and documenting incidents that occurred but weren't formally recorded.
These items address the most common audit findings and have the highest impact on your audit outcome. Each can typically be completed within a few days to a few weeks.
The Complete Bundle at $549.95 provides policy templates, evidence worksheets, and process documentation that accelerate remediation by giving you proven frameworks to customize rather than building from scratch. For companies in the remediation phase, having structured templates can cut weeks off the preparation timeline.
The gap between readiness assessment and audit is where the real work happens. Use the assessment findings as your roadmap, track remediation progress, and reassess areas of concern as you close gaps. By the time audit fieldwork begins, you should be confident — not because everything is perfect, but because you've systematically evaluated your controls, addressed the significant gaps, and built the evidence base your auditor needs to issue a clean report. That confidence comes from preparation, and the readiness assessment is where preparation starts.