
SOC 2 Readiness Assessment

Use this checklist to evaluate your current control environment before starting a formal SOC 2 engagement. Items tagged (critical) are those most commonly cited as exceptions in SOC 2 reports and as gaps in auditors' readiness assessments; untagged items are standard items. Each control should be backed by evidence you could hand to an auditor (a policy, a configuration export, a log, a ticket), not just a statement that it exists.

Access Control

High weight
  • Multi-factor authentication enforced for all production systems, including SSO, VPN and cloud consoles (critical)
  • Formal onboarding and offboarding access provisioning procedures, with offboarding removals evidenced (critical)
  • Principle of least privilege applied and documented (critical)
  • Access review conducted at least every 90 days, with reviewer sign-off recorded
  • Privileged access limited to a defined list of accounts and separately logged
  • Password policy documented and enforced via tooling (identity provider or directory settings, not policy text alone)
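Most access-control exceptions surface when the HR roster and the identity provider disagree: a terminated employee still active, a service account nobody owns, a privileged account without MFA or a review date. The script below reconciles the two and produces the findings list for one 90-day review cycle. It is an added example on constructed data (fictional users, assumed role names, and an assumed roster format), not part of the page or any vendor tool.

```python
"""Quarterly access review reconciliation: joins the HR roster against
identity-provider accounts and flags the findings an auditor looks for.
Added example with constructed data; not from the page or any product."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

REVIEW_INTERVAL_DAYS = 90                                   # the checklist's cadence
PRIVILEGED_ROLES = {"admin", "prod-deploy", "db-owner"}     # assumed role names


@dataclass
class Account:
    user: str
    roles: set = field(default_factory=set)
    mfa: bool = False
    last_reviewed: Optional[date] = None


# Constructed sample data (fictional people and roles).
HR_ROSTER = {"alice": "active", "bob": "terminated", "carol": "active", "dave": "active"}
IDP_ACCOUNTS = [
    Account("alice", {"engineer", "prod-deploy"}, mfa=True, last_reviewed=date(2024, 4, 1)),
    Account("bob", {"admin"}, mfa=True, last_reviewed=date(2024, 4, 1)),         # left, still active
    Account("carol", {"engineer"}, mfa=False, last_reviewed=date(2024, 1, 5)),    # no MFA, stale review
    Account("dave", {"db-owner"}, mfa=False, last_reviewed=None),                 # privileged, never reviewed
    Account("svc-backup", {"admin"}, mfa=True, last_reviewed=date(2024, 4, 1)),   # no HR record at all
]


def is_privileged(account):
    return bool(account.roles & PRIVILEGED_ROLES)


def review_access(accounts, roster, today):
    """Return (user, category, detail) findings for one review cycle."""
    findings = []
    for a in accounts:
        status = roster.get(a.user)
        if status is None:
            findings.append((a.user, "orphaned", "active account with no HR record; assign an owner"))
        elif status == "terminated":
            findings.append((a.user, "offboarding", "HR shows terminated but account is still active"))
        if not a.mfa:
            where = "privileged account" if is_privileged(a) else "account"
            findings.append((a.user, "mfa", f"MFA not enforced on {where}"))
        if a.last_reviewed is None:
            findings.append((a.user, "review", "access never reviewed"))
        else:
            age = (today - a.last_reviewed).days
            if age > REVIEW_INTERVAL_DAYS:
                findings.append((a.user, "review", f"last review {age} days ago"))
    return findings


def privileged_users(accounts):
    """The list to hand the auditor for 'privileged access limited and separately logged'."""
    return sorted(a.user for a in accounts if is_privileged(a))


def sample_review():
    """Run the reconciliation over the constructed data as of 2024-06-01."""
    return review_access(IDP_ACCOUNTS, HR_ROSTER, date(2024, 6, 1))


if __name__ == "__main__":
    for user, category, detail in sample_review():
        print(f"{category:<11} {user:<11} {detail}")
    print("privileged:", privileged_users(IDP_ACCOUNTS))
```

Run it each review cycle, keep the output with the reviewer's sign-off, and the "review every 90 days" item has its evidence. In practice the roster comes from the HRIS export and the accounts from the identity provider's API; the join logic is the same.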

Logging and Monitoring

High weight
  • Centralised logging in place for production infrastructure (critical)
  • Security alerts configured and monitored (critical)
  • Log retention policy defined (minimum 90 days; 1 year preferred)
  • Intrusion detection or anomaly detection tooling in place
  • Alert review process documented, with a named owner

Vulnerability Management

High weight
  • Automated vulnerability scanning at least quarterly (critical)
  • Documented patch management process with remediation SLAs by severity (critical)
  • Critical vulnerabilities remediated within the defined SLA, with detection and fix dates evidenced (critical)
  • Penetration testing conducted within the last 12 months, with findings tracked to closure
  • Dependency scanning for known vulnerabilities in open source components
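The SLA items are only auditable if you can show, per finding, when it was detected, when it was fixed, and whether that was inside the window for its severity. The report below does that over scanner output and separates breaches that are still open from those closed late. It is an added example on constructed findings; the SLA values and the finding format are assumptions, not figures from the page.

```python
"""Patch SLA report: ages each scanner finding against a per-severity SLA and
lists what is overdue, open or closed late. Added example on constructed data;
the SLA values and finding format are assumptions, not the page's."""
from datetime import date

# Assumed remediation SLA in days from first detection; set yours in the patch policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings (not from a real scanner). fixed=None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "first_seen": date(2024, 5, 1), "fixed": date(2024, 5, 5)},
    {"id": "F-2", "severity": "critical", "first_seen": date(2024, 5, 20), "fixed": None},
    {"id": "F-3", "severity": "high", "first_seen": date(2024, 4, 1), "fixed": date(2024, 5, 15)},
    {"id": "F-4", "severity": "medium", "first_seen": date(2024, 1, 10), "fixed": None},
    {"id": "F-5", "severity": "low", "first_seen": date(2024, 3, 1), "fixed": None},
]


def age_days(finding, today):
    """Days the finding was (or has been) open: until its fix date, or until today if still open."""
    end = finding["fixed"] or today
    return (end - finding["first_seen"]).days


def sla_report(findings, today, sla=SLA_DAYS):
    """Per-severity totals plus (id, days_over, still_open) for every SLA breach."""
    report = {sev: {"total": 0, "within_sla": 0, "overdue": []} for sev in sla}
    for f in findings:
        sev = f["severity"]
        if sev not in sla:
            raise ValueError(f"{f['id']}: severity {sev!r} has no SLA defined")
        bucket = report[sev]
        bucket["total"] += 1
        over = age_days(f, today) - sla[sev]
        if over <= 0:
            bucket["within_sla"] += 1
        else:
            bucket["overdue"].append((f["id"], over, f["fixed"] is None))
    return report


def open_breaches(report):
    """IDs still open past SLA: the list that blocks the 'critical vulns within SLA' item."""
    return sorted(fid for b in report.values() for fid, _, is_open in b["overdue"] if is_open)


def sample_report():
    """Run the report over the constructed findings as of 2024-06-01."""
    return sla_report(FINDINGS, date(2024, 6, 1))


if __name__ == "__main__":
    rep = sample_report()
    for sev, b in rep.items():
        print(f"{sev:<9} {b['within_sla']}/{b['total']} within SLA; overdue: {b['overdue']}")
    print("open breaches:", open_breaches(rep))
```

Closed-late findings (F-3 above) still count against the control even though they are no longer a live risk, so the report keeps them; an auditor sampling the period will see the dates either way. Wire the same function to your scanner's export and the quarterly run becomes the evidence for both SLA items.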

Change Management

Medium weight
  • Code review required before merging to the production branch (critical)
  • Deployment pipeline includes automated testing that gates the deployment
  • Change requests logged, with approvals documented
  • Production access restricted to authorised personnel (critical)
  • Rollback procedures documented and tested
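The first four change-management items map onto a handful of branch-protection settings, and an auditor will ask for the settings export rather than the policy. The checker below reads one repository's protection settings and names each gap against the checklist, with a weak configuration beside a hardened one. It is an added example: the settings shape follows GitHub's branch protection API (an assumption; verify against your provider's response), and both sample configurations are constructed, not taken from the page or any real repository.

```python
"""Maps the change-management items to concrete branch-protection settings and
checks a repository's settings against them. Added example; the settings shape
follows GitHub's branch protection API as assumed here, and both sample
configurations are constructed, not from the page or any real repository."""


def branch_protection_gaps(protection):
    """Return human-readable gaps; an empty list means the control is met."""
    gaps = []
    reviews = protection.get("required_pull_request_reviews")
    if not reviews:
        gaps.append("no pull request review requirement: code can merge without review")
    else:
        if reviews.get("required_approving_review_count", 0) < 1:
            gaps.append("required approving review count is 0")
        if not reviews.get("dismiss_stale_reviews"):
            gaps.append("approvals survive later commits (dismiss_stale_reviews is off)")
    checks = protection.get("required_status_checks")
    if not checks or not checks.get("contexts"):
        gaps.append("no required status checks: the pipeline's tests do not gate merges")
    elif not checks.get("strict"):
        gaps.append("status checks not strict: a stale branch can merge without re-running tests")
    if not (protection.get("enforce_admins") or {}).get("enabled"):
        gaps.append("administrators can bypass protection")
    if not protection.get("restrictions"):
        gaps.append("no push restrictions: every write-access user can push directly")
    return gaps


# Constructed settings: a weak baseline that looks protected but is not...
WEAK = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": False},
    "required_status_checks": None,
    "enforce_admins": {"enabled": False},
    "restrictions": None,
}

# ...and the hardened form that satisfies the checklist items above.
HARDENED = {
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "dismiss_stale_reviews": True,
                                      "require_code_owner_reviews": True},
    "required_status_checks": {"strict": True, "contexts": ["ci/unit-tests", "ci/integration"]},
    "enforce_admins": {"enabled": True},
    "restrictions": {"users": [], "teams": ["release-engineers"]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, branch_protection_gaps(cfg) or "no gaps")
```

The weak configuration is the common trap: reviews are "required", but an approval given before the last push still counts, no test has to pass, and an admin can merge anyway. Fetch each production repository's settings, run the checker, and attach the empty output as the change-management evidence.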

Incident Response

High weight
  • Incident response plan documented and available to responders (critical)
  • Incident response plan tested (tabletop or live exercise) in the last 12 months
  • On-call escalation contacts defined and current
  • Post-incident review process documented
  • Incident log maintained, with classifications and outcomes

Vendor Management

Medium weight
  • Critical vendors identified and risk-assessed (critical)
  • Data processing agreements (DPAs) in place with all vendors that process your data (critical)
  • Vendor security review process documented
  • Annual review of critical vendors' compliance status

Employee Security

Medium weight
  • Security awareness training conducted annually, with attendance records (critical)
  • Background checks conducted for employees with production access
  • Acceptable use policy in place and acknowledged by all staff
  • Security training completion tracked and documented

Data Security

High weight
  • Data encrypted at rest using AES-256 or equivalent (critical)
  • Data encrypted in transit using TLS 1.2 or higher, with SSL and TLS 1.0/1.1 disabled (critical)
  • Data classification policy documented
  • Backup procedures documented, with restores tested (critical)
  • Data retention and deletion policy defined

Interpreting Your Readiness

All critical items met

Audit-ready

You are likely ready to begin the observation period (the window a Type 2 report covers). Expect a shorter readiness phase and lower total cost.

3 to 5 critical gaps

3-6 months from ready

Budget 3 to 6 months for remediation before starting the audit observation window. Consider a formal readiness assessment.

6+ critical gaps

6-12 months from ready

Significant investment needed. A phased approach, starting with a Type 1 report scoped to the Security criteria only, may be more practical.
