SOC 2 Readiness Assessment: How to Find Your Gaps
A SOC 2 readiness assessment identifies your control gaps before the auditor does. Here's how to run one effectively and what to do with the results.
- A readiness assessment maps your current controls against the Trust Service Criteria and identifies gaps before your auditor does.
- The assessment covers three layers: policies (do you have written procedures?), technical controls (are systems configured correctly?), and operational evidence (do you have proof controls are working?).
- Most first-time companies discover 15–30 gaps across the Common Criteria; the most common are in CC6 (access management) and CC8 (change management).
- A readiness assessment output should be a prioritized gap remediation plan, not just a gap list.
- You can conduct a readiness assessment yourself using the AICPA's TSC framework, but a compliance platform or readiness consultant dramatically accelerates the process.
What a Readiness Assessment Is
A SOC 2 readiness assessment — sometimes called a gap analysis — is a structured evaluation of your current security controls and practices against the AICPA's Trust Service Criteria. Its purpose is to identify the gaps between where you are today and where you need to be before the audit observation period begins.
A readiness assessment is not a pre-audit in the formal sense — it is not conducted by your CPA firm and does not produce an opinion. It is an internal or consultant-led exercise that gives you a prioritized work list before you commit to an audit timeline. Companies that skip this step often start their observation period with fundamental gaps — no formal access review process, no change management tickets, no vendor risk assessments — and discover them when the auditor asks for evidence 6 months later.
The output of a readiness assessment should be:
- a gap register listing every missing or insufficient control
- a risk rating for each gap (high/medium/low based on likelihood and audit impact)
- an assigned owner for each gap
- a target remediation date
- a recommended sequencing plan (high-risk gaps first; lower-risk gaps can be parallelized)
The Three Assessment Layers
Layer 1 — Policies and procedures: do you have written policies that address each criterion? At minimum, a Security-only SOC 2 requires an Information Security Policy, Access Control Policy, Change Management Policy, Incident Response Plan, Vendor Management Policy, and Business Continuity / DR Plan. Each must be approved by leadership, dated, versioned, and distributed to staff. Assessing this layer takes 1–3 hours of document review.
Layer 2 — Technical controls: are your systems configured to enforce the policies? This layer requires examining your AWS configuration (GuardDuty enabled? CloudTrail logging? S3 public access blocked?), your GitHub configuration (branch protection? required reviewers? secrets scanning?), your Okta or Google Workspace settings (MFA enforced? SSO configured for all in-scope applications?), and your network security (VPC configuration, security group rules). Automated scanning tools can assess this layer in minutes.
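The Layer 2 questions above (GuardDuty enabled? CloudTrail logging? S3 public access blocked? MFA enforced? branch protection?) are the kind of thing an automated scan answers from configuration data. The following is an added example of such a scan, not AuditPath's scanner and not code from the article: it evaluates a hand-built configuration snapshot shaped like the data the AWS and GitHub APIs return (in practice it would be filled from boto3 and the GitHub REST API) and emits GREEN/YELLOW/RED findings. The CC6/CC7/CC8 tag on each check, the snapshot contents and the MFA service control policy are assumptions for illustration.

```python
"""Layer 2 technical-control checks over a constructed configuration snapshot.
Added example; not AuditPath's scanner and not code from the article. The snapshot
is hand-built in the shape the AWS and GitHub APIs return so it runs offline; in
practice it would be filled from boto3 and the GitHub REST API. The CC6/CC7/CC8
tag on each check is an assumed mapping, not an AICPA-published one."""
from collections import namedtuple

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"
Finding = namedtuple("Finding", "control criterion status detail")

# Constructed snapshot (not real account data): one console user without MFA,
# one S3 public-access setting off, and admins able to bypass branch review.
SNAPSHOT = {
    "guardduty_detectors": [{"Status": "ENABLED"}],
    "cloudtrail_trails": [{"Name": "org-trail", "IsMultiRegionTrail": True, "IsLogging": True}],
    "s3_public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                               "BlockPublicPolicy": True, "RestrictPublicBuckets": False},
    "iam_credential_report": [
        {"user": "alice", "password_enabled": True, "mfa_active": True},
        {"user": "bob", "password_enabled": True, "mfa_active": False},
        {"user": "ci-deploy", "password_enabled": False, "mfa_active": False},
    ],
    # Org-wide guardrail (assumed): deny everything except MFA self-enrolment when no MFA was used.
    "scps": [{"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyWithoutMFA", "Effect": "Deny", "Resource": "*",
        "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                      "iam:ListMFADevices", "sts:GetSessionToken"],
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}],
    "github_branch_protection": {"main": {"required_approving_review_count": 1,
                                          "enforce_admins": False}},
}

def check_guardduty(snap):
    enabled = [d for d in snap["guardduty_detectors"] if d.get("Status") == "ENABLED"]
    return Finding("GuardDuty enabled", "CC7", GREEN if enabled else RED,
                   f"{len(enabled)} enabled detector(s)")

def check_cloudtrail(snap):
    logging = [t for t in snap["cloudtrail_trails"] if t.get("IsLogging")]
    if not logging:
        return Finding("CloudTrail logging", "CC7", RED, "no trail is logging")
    multi = any(t.get("IsMultiRegionTrail") for t in logging)
    return Finding("CloudTrail logging", "CC7", GREEN if multi else YELLOW,
                   "multi-region trail active" if multi else "single-region trails only")

def check_s3_public_access(snap):
    flags = snap["s3_public_access_block"]
    off = [k for k, v in flags.items() if not v]
    status = GREEN if not off else (RED if len(off) == len(flags) else YELLOW)
    return Finding("S3 account public access block", "CC6", status,
                   "all four settings on" if not off else "off: " + ", ".join(off))

def check_user_mfa(snap):
    # Only console (password-enabled) users are checked; key-only users are out of scope here.
    missing = [u["user"] for u in snap["iam_credential_report"]
               if u["password_enabled"] and not u["mfa_active"]]
    return Finding("MFA on IAM console users", "CC6", RED if missing else GREEN,
                   "users without MFA: " + ", ".join(missing) if missing else "all console users have MFA")

def scp_denies_without_mfa(policy):
    """True if a Deny statement is conditioned on aws:MultiFactorAuthPresent being false."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        for op in ("Bool", "BoolIfExists"):
            value = stmt.get("Condition", {}).get(op, {}).get("aws:MultiFactorAuthPresent")
            if str(value).lower() == "false":
                return True
    return False

def check_mfa_scp(snap):
    enforced = any(scp_denies_without_mfa(p) for p in snap["scps"])
    return Finding("Org-wide MFA guardrail (SCP)", "CC6", GREEN if enforced else YELLOW,
                   "deny-without-MFA SCP attached" if enforced else "no SCP denies non-MFA requests")

def check_branch_protection(snap, branch="main"):
    rule = snap["github_branch_protection"].get(branch) or {}
    name = f"Branch protection on {branch}"
    if rule.get("required_approving_review_count", 0) < 1:
        return Finding(name, "CC8", RED, "no required reviewers")
    if not rule.get("enforce_admins"):
        return Finding(name, "CC8", YELLOW, "admins can bypass review")
    return Finding(name, "CC8", GREEN, "reviews required for everyone")

def run_layer2(snap):
    checks = (check_guardduty, check_cloudtrail, check_s3_public_access,
              check_user_mfa, check_mfa_scp, check_branch_protection)
    return [check(snap) for check in checks]

def summarize(findings):
    return {s: sum(f.status == s for f in findings) for s in (GREEN, YELLOW, RED)}

if __name__ == "__main__":
    for f in run_layer2(SNAPSHOT):
        print(f"{f.status:6} {f.criterion} {f.control}: {f.detail}")
```

Two caveats a practitioner would add. The SCP check only confirms that a deny-without-MFA statement is attached; it does not test what the policy breaks, and a blanket deny like this one also catches roles assumed without MFA, so automation roles need to be exempted or the statement scoped to IAM users before it goes to production. And a snapshot scan is a point-in-time answer to the Layer 2 question only; it says nothing about whether anyone reviewed the findings, which is the Layer 3 evidence the auditor will ask for.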
Layer 3 — Operational evidence: are you producing the records that prove controls are working? This is the hardest layer to assess and the most commonly missed. Even with the right policies and technical configurations, if you have never conducted a formal access review, have no incident log, and have never completed a DR test, you have no operating evidence. Assessing this layer requires interviewing your engineering, HR, and security leads about their actual operational cadence.
Most Common Gaps Found
Access management gaps (CC6): no formal quarterly access review process; no documented off-boarding checklist; production access granted to employees who don't need it (excessive permissions); service accounts with no rotation or ownership documentation. These are found in roughly 80% of first-time assessments.
Change management gaps (CC8): informal code review process (reviews happen but aren't enforced via branch protection); no separation between development and deployment (developers can push directly to production); no audit trail for infrastructure changes made via the AWS console rather than IaC tools.
Risk assessment gaps (CC3): no formal risk register; security risks identified in Slack messages or informal discussions but never documented; no annual risk assessment meeting with leadership. Often the entire CC3 criterion is missing because the company has never formalized a risk management process.
Vendor management gaps (CC9): no vendor inventory; no process for reviewing vendors' security before granting access to customer data; no record of having reviewed vendors' SOC 2 reports or security questionnaire responses. Most startups have 10–30 SaaS tools with access to their environment and have never formally assessed any of them.
How to Run Your Own Readiness Assessment
Start with the AICPA's 2017 Trust Service Criteria publication (freely available at aicpa.org). For each criterion in CC1–CC9, ask three questions: (1) Do we have a written policy covering this? (2) Is a technical control configured to enforce this? (3) Do we have recent evidence that this control is operating?
Work through each criterion and record your answers in a spreadsheet. Mark each as GREEN (fully addressed), YELLOW (partially addressed, needs improvement), or RED (not addressed). At the end, you have a gap register with 90–150 rows covering all criteria. Calculate your gap count by color — this gives you a benchmark.
Typical first-time assessment results: 30–50% GREEN (things you've been doing right without knowing they were SOC 2-relevant), 20–30% YELLOW (practices that exist informally but need to be formalized), and 20–40% RED (genuine gaps). A typical company has 15–30 RED items, each requiring meaningful remediation work.
Prioritizing Remediation Work
Not all gaps are equal. Prioritize by two factors: audit impact (how likely is this gap to produce an exception?) and remediation effort (how long does it take to fix?). High-impact, low-effort fixes should happen first. An example: an SCP that denies access for AWS IAM users who have not authenticated with MFA takes 30 minutes to deploy and eliminates a high-impact gap in CC6.
High-impact gaps that require significant effort — like implementing a formal access review process or building a risk register — need to be started immediately because they require both policy work and establishing an operational cadence. You can't install an access review process two weeks before your observation period ends and claim it was operating effectively for 6 months.
Low-impact gaps can often wait until year two. If your penetration test vendor relationship isn't formalized in a written contract yet (CC9), that's a low-risk gap that can be fixed in a day once you get to it. Don't let low-effort, low-impact gaps crowd out high-effort, high-impact remediation work in your project plan.
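The gap register walk-through (one row per criterion, GREEN/YELLOW/RED, counts by color as a benchmark) and the impact-versus-effort sequencing above are easy to keep in a spreadsheet, but a few lines of code make the rules explicit and repeatable across quarterly re-runs. The following is an added example, not from the article or AuditPath: the register rows are constructed, the five-day "low effort" threshold is my assumption, and the `latest_start` helper turns the "can't claim 6 months of operation" point into a date calculation (months approximated as 30 days).

```python
"""Gap register benchmark and remediation sequencing.
Added example, not from the article. The rows are constructed; the buckets apply
the article's rule (high-impact low-effort first, high-impact high-effort started
now, low-impact deferred) with a 5-day effort threshold that is my assumption."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Gap:
    criterion: str       # TSC criterion id the row was assessed against
    control: str
    status: str          # GREEN / YELLOW / RED from the three-question walk-through
    impact: str = "low"  # likelihood the gap produces an audit exception: high/medium/low
    effort_days: float = 0.0
    owner: str = ""


# Constructed register rows (not a real company's assessment).
REGISTER = [
    Gap("CC6.1", "MFA required for AWS access", "RED", "high", 0.1, "platform"),
    Gap("CC6.2", "Quarterly access review", "RED", "high", 15, "security"),
    Gap("CC6.3", "Documented off-boarding checklist", "YELLOW", "medium", 2, "hr"),
    Gap("CC8.1", "Branch protection with required reviewers", "YELLOW", "high", 0.5, "eng"),
    Gap("CC3.1", "Formal risk register", "RED", "high", 10, "security"),
    Gap("CC9.2", "Pen-test vendor contract", "RED", "low", 1, "legal"),
    Gap("CC7.2", "GuardDuty enabled in all regions", "GREEN", "medium", 0.5, "platform"),
]

QUICK_WIN_DAYS = 5  # assumption: effort at or below this counts as "low effort"
IMPACT_ORDER = {"high": 0, "medium": 1, "low": 2}


def benchmark(register):
    """Row count and percentage per colour, the benchmark the article asks for."""
    counts = Counter(g.status for g in register)
    return {s: (counts[s], round(100 * counts[s] / len(register)))
            for s in ("GREEN", "YELLOW", "RED")}


def bucket(gap):
    """Remediation bucket for one gap; GREEN rows need no work."""
    if gap.status == "GREEN":
        return "done"
    if gap.impact == "high":
        return "quick_win" if gap.effort_days <= QUICK_WIN_DAYS else "start_now"
    return "defer" if gap.impact == "low" else "next"


def plan(register):
    """Group open gaps into buckets, highest impact and lowest effort first within each."""
    buckets = {"quick_win": [], "start_now": [], "next": [], "defer": []}
    for g in sorted(register, key=lambda g: (IMPACT_ORDER[g.impact], g.effort_days)):
        if (b := bucket(g)) != "done":
            buckets[b].append(g)
    return buckets


def latest_start(observation_end, effort_days, operating_months=6):
    """Latest ISO date remediation can begin so the control is in place for the whole
    operating window before the observation period ends (months taken as 30 days)."""
    end = date.fromisoformat(observation_end)
    return (end - timedelta(days=effort_days + 30 * operating_months)).isoformat()


if __name__ == "__main__":
    print(benchmark(REGISTER))
    for name, gaps in plan(REGISTER).items():
        print(name, [f"{g.criterion} {g.control} ({g.owner})" for g in gaps])
    print("start the access review by", latest_start("2025-12-31", 15))
```

The `start_now` bucket is the one to watch: those rows have the same priority as the quick wins but a much longer lead time, so `latest_start` gives each owner a concrete deadline instead of "soon".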
Tools and Resources for Readiness Assessment
DIY approach: AICPA's TSC 2017 publication + a Google Sheets template that maps criteria to evidence types. Takes 20–40 hours for a thorough assessment. Best for companies with an engineering leader who has SOC 2 experience. Free but time-intensive.
Compliance platform approach: platforms like AuditPath connect to your AWS, GitHub, and Okta accounts and automatically assess technical control gaps. The readiness dashboard shows which controls are green, yellow, or red based on live configuration data. The policy gap list shows which of the 8 required policies are missing or outdated. This automated scan takes minutes and covers the technical layer — manual review is still needed for the operational evidence layer. Assessment time: 2–4 hours.
Consultant approach: a vCISO or readiness consultant with SOC 2 specialization can conduct a comprehensive assessment in 2–5 days. This typically costs $2,000–$8,000 but produces a professional-grade gap report with prioritized recommendations. Best for companies without internal SOC 2 expertise or under time pressure to close an enterprise deal.
Frequently Asked Questions
Should my auditor conduct the readiness assessment?
How long does a readiness assessment take?
What do I do after a readiness assessment?
Can a readiness assessment find all gaps before the audit?
How often should you run a readiness assessment?
AuditPath runs 86+ automated checks across AWS, GitHub, Okta, and 14 more integrations. SOC 2 and DPDP Act. Free plan available.