SOC 2 Readiness Assessment: Scope, Deliverables, and What to Expect
April 15, 2026

What a SOC 2 readiness assessment covers, how to scope it, the deliverables you should receive, timeline expectations, and how to evaluate readiness consultants.

Tags: SOC 2, Readiness, Assessment, Scoping

TL;DR

  • Readiness assessment = pre-audit gap analysis + remediation plan + evidence workflow setup. 2–6 weeks typical.
  • Expect 4 deliverables: gap register, remediation plan, evidence index, auditor-ready controls matrix.
  • Skipping readiness typically costs more than doing it: material audit findings add 2–6 months delay.

Skipping the readiness assessment is the most common and most expensive SOC 2 mistake. Teams see the auditor's fees and think they are buying the report. In reality, the audit is the final step — readiness is where the actual compliance work happens. Organizations that go to audit without readiness almost always come back with findings that delay the report by months and cost more than the readiness work would have.

This guide covers what a SOC 2 readiness assessment actually includes, how to scope and negotiate one, the deliverables you should demand, and how to evaluate providers.

What Readiness Actually Covers

A SOC 2 readiness assessment has four main goals:

1. Gap identification. Map your current control environment against the SOC 2 Trust Service Criteria. Identify missing controls, weak controls, and undocumented controls.

2. Remediation planning. For each gap, define the remediation work: policy writing, technical implementation, process changes, training, or evidence collection.

3. Evidence workflow setup. Establish the continuous evidence collection that will support the observation period. This usually involves GRC platform configuration, integration setup, and process documentation.

4. Audit preparation. Prepare the artifacts the auditor needs to conduct fieldwork efficiently: system description, controls matrix, evidence index, control owner list.

Done well, readiness produces an organization that can enter an observation period confident that controls will operate effectively and evidence will be collected consistently.

For the broader SOC 2 context, see our complete SOC 2 readiness guide.

Scoping the Assessment

Before engaging a readiness provider, decide these six scope parameters.

1. Trust Service Criteria

Which TSCs will your SOC 2 report cover? Security is mandatory. Most B2B SaaS companies add Availability. Confidentiality, Processing Integrity, and Privacy are included only when a contract or regulation requires them.

Additional TSCs add time, complexity, and cost. For first-time readiness, default to Security + Availability unless you have a specific reason to add more.

2. System Boundary

What product or platform is in scope? Many SaaS companies include only their primary product in the first SOC 2 audit and expand in subsequent cycles. Defining the boundary precisely at readiness prevents scope drift.

3. Legal Entities

If you have multiple legal entities, specify which are in scope. A US parent and an EU subsidiary processing different data sets may need different scoping decisions.

4. Physical Locations

For a fully remote SaaS company, this is typically "no physical locations in scope" — your infrastructure runs in the cloud. For hybrid teams with offices, specify which offices are in scope and what in-scope data is processed there.

5. Target Report Type

Type I is design only (point in time). Type II includes operating effectiveness over a period. Readiness for Type II is more extensive because it needs to set up evidence collection for the observation period.

Most organizations do readiness for Type II even if they plan to start with a Type I report to unblock deals.

6. Timeline Expectations

When do you want the audit to start? Readiness typically runs 2 to 6 weeks, remediation runs 4 to 12 weeks, and the observation period runs 3 to 12 months. Work backwards from the desired report date.

For a week-by-week implementation plan, see our audit readiness checklist.

The 4 Deliverables You Should Demand

A well-executed readiness assessment produces four specific artifacts. Any provider charging readiness rates should deliver all four.

1. Gap Register

A detailed list of gaps identified during the assessment. Each entry should include:

  • Gap description
  • Related SOC 2 Trust Service Criterion and Common Criterion
  • Severity (blocking, significant, minor)
  • Recommended remediation
  • Estimated effort (hours or days)
  • Priority order

The register is the master document for remediation work. It should be owned by a single project lead with assigned owners and deadlines for each item.

2. Remediation Plan

A time-sequenced plan covering every gap in the register. Each remediation item should have:

  • Owner (specific person, not "IT team")
  • Deadline
  • Acceptance criteria
  • Dependencies (other remediation items, vendor actions, budget approvals)
  • Evidence that will demonstrate closure

The plan should be a live document updated weekly during the remediation phase.

3. Evidence Index

The complete catalog of evidence your controls will produce, with collection cadence and owner. Each evidence item should specify:

  • Evidence type (screenshot, log export, ticket, report, signed document)
  • Source system
  • Owner responsible for collection
  • Cadence (real-time, daily, weekly, monthly, quarterly, annually)
  • Retention requirement
  • Linked control(s)

The evidence index drives your GRC platform configuration. It should enumerate every artifact the auditor will sample during fieldwork.

4. Controls Matrix

The matrix maps your implemented controls to each SOC 2 Trust Service Criterion and Common Criterion. Each row should include:

  • Control ID (internal)
  • Control name and description
  • Mapped TSC / CC
  • Control owner
  • Operating frequency (real-time, daily, weekly, etc.)
  • Linked policy
  • Evidence references

This is the document the auditor uses to plan fieldwork. Having a clean controls matrix before audit kickoff cuts fieldwork by 30 to 50 percent.

What Readiness Does Not Cover

Be clear about what is out of scope so you do not confuse readiness with audit prep later.

Readiness does not include the audit itself. The audit is a separate engagement with a CPA firm. Readiness prepares you for that engagement.

Readiness does not usually include penetration testing. Most SOC 2 scopes require a pentest, but the pentest is a separate engagement with a dedicated security firm. See our pentest guide for detail.

Readiness does not include ongoing operations. Once remediation and evidence workflow setup are complete, ongoing operations are typically owned by an internal compliance function or a managed compliance service.

Readiness does not guarantee a clean audit report. It substantially reduces findings, but control failures during the observation period can still produce exceptions. Readiness is about arriving prepared; ongoing discipline determines the outcome.

How to Evaluate Readiness Providers

If you are engaging an external firm, ask these questions before signing.

How many SOC 2 readiness engagements has the firm completed in the last 12 months? Experience matters. Firms that have done 20+ recent engagements have encountered the edge cases and know what specific auditors expect.

Can they provide anonymized gap registers and evidence indexes from prior engagements? If they cannot show you examples of deliverables, they likely do not produce them at the quality you need.

Who specifically will be on your engagement? Many consulting firms sell the senior partner's credentials but staff the engagement with junior resources. Confirm names, titles, and time commitment.

How do they handle GRC platform configuration? Readiness without GRC platform setup leaves a major gap. Confirm the firm configures Vanta, Drata, Secureframe, or your chosen platform as part of the engagement.

What is their auditor network? Firms that work with multiple CPA firms have real-world knowledge of what each auditor prioritizes. This knowledge is the difference between "generic readiness" and "readiness for your specific auditor."

Do they offer fixed fee or time-and-materials? Fixed fee is generally better for readiness because scope is well-defined. Time-and-materials engagements can balloon if the firm discovers more gaps than initially assumed.

What happens if the audit produces findings despite readiness? Good firms include a remediation support clause. Less established firms disappear after readiness delivery.

Readiness Timeline Reality

Here is a realistic timeline for a B2B SaaS with 30 to 100 employees.

Week 1: Kickoff and discovery. Discovery interviews, stack inventory, existing documentation review. Provider produces an initial gap hypothesis.

Weeks 2–3: Deep assessment. Detailed review against the Trust Service Criteria. Policy gap analysis. Evidence workflow assessment. Gap register draft.

Week 4: Remediation planning. Remediation plan with owners and deadlines. Evidence index draft. Controls matrix draft.

Weeks 5–8: Remediation execution. Policy writing and approval. Technical control implementation. GRC platform configuration. Evidence collection workflow setup.

Weeks 9–10: Pre-audit validation. Mock audit walkthrough. Evidence sample review. Auditor coordination and kickoff planning.

Total: approximately 10 weeks from readiness kickoff to audit-ready state. Organizations in acute procurement pressure can compress to 6 to 8 weeks by parallelizing workstreams and accepting higher internal labor intensity.

Common Readiness Mistakes

Confusing readiness with platform setup. Buying a GRC platform and running its automated checks is not readiness. The platform tells you what controls are not passing; readiness tells you why they are not passing and how to fix them.

Treating readiness as one-time. SOC 2 requires ongoing operations. Readiness sets up the program; ongoing discipline sustains it. Budget for either internal operational capacity or a managed service.

Underinvesting in policies. Policies are the artifact auditors read first. Generic policies from a template library fail almost every time. Readiness should produce policies customized to your actual operations.

Ignoring the auditor relationship. The auditor is not an adversary, but they are not a partner either. Readiness should include explicit preparation for auditor questions and evidence formats. A good readiness provider knows the preferences of the major CPA firms.

Skipping the mock audit. The mock audit catches what the gap register missed. Plan for at least one half-day walkthrough in the final week of readiness.

Getting Started

If you have an enterprise deal waiting on SOC 2, readiness is the first step that actually moves the needle. A well-scoped readiness engagement, started this week, unlocks a Type I report in 8 to 12 weeks and a Type II within 6 to 9 months.

For teams that want a readiness program run by operators who have done this across dozens of B2B SaaS — with GRC platform configuration, auditor coordination, and remediation support included — reach out to CertifyOps to scope the engagement.
