What is a SOC 2 readiness assessment?
A readiness assessment is a dry run of your SOC 2 audit. It evaluates your existing controls, policies, and evidence against the Trust Services Criteria you plan to include. The goal is to find gaps before the auditor does — so you can fix them on your timeline rather than scrambling during fieldwork.
Readiness assessments are not required, but they significantly reduce the risk of a qualified opinion or delays during the actual audit.
What Does a Readiness Assessment Cover?
| Assessment Area | What Is Evaluated | Common Gaps Found |
|---|---|---|
| Policies | Do written policies exist for security, access, change management, incident response? | Missing policies or policies not reviewed in 12+ months |
| Access controls | Are access reviews performed? Is MFA enforced? | No formal access review process, shared credentials |
| Change management | Are code changes tracked and approved before deployment? | Deployments without PR reviews |
| Risk management | Is there a risk assessment process? | No formal risk register |
| Vendor management | Are third-party vendors evaluated for security? | No vendor assessment process |
| Monitoring | Are security events monitored? Are incidents tracked? | No centralized logging or incident response |
| Evidence | Can you produce artifacts for each control? | Evidence exists but is not organized |
Who Performs a Readiness Assessment?
You have three options:
- Your auditor — Many CPA firms offer readiness assessments as a separate engagement. Costs typically run $5,000–$15,000.
- A consultant or vCISO — Independent consultants assess gaps and help remediate. This costs $10,000–$30,000+.
- Self-assessment — Walk through the Trust Services Criteria yourself using publicly available mappings.
How Long Does It Take?
A readiness assessment typically takes 1–3 weeks depending on the size of your organization and the state of your controls. The output is a gap report with prioritized findings. Screenata runs an automated readiness assessment as part of onboarding, identifying control gaps and generating a remediation plan in days instead of weeks.