SOC 2 Readiness Assessment: A complete guide to getting ready for a successful SOC 2 Audit

Published August 2, 2023
Avatar photo
Evan Pappas
ControlMap SOC 2 audit readiness assessment guide

Are You SOC 2 Certified?

Chances are that customers or prospects have asked you. If you don’t already have a SOC 2 report, you likely struggled to answer.

Your inability to confidently answer could be blocking a sale. That’s right — a SOC 2 examination has become the go-to standard for cybersecurity assurance for service providers.

With our work helping MSPs meet their compliance objectives, such as SOC 2, we’ve created this guide to help you with your own SOC 2 audit.

What is SOC 2? 

SOC 2 is an examination of your company’s security controls performed by an external certified CPA. Let’s dig into more details.

The American Institute of Certified Public Accountants (AICPA) created the SOC 2 compliance standard. It consists of Service Organization Controls (SOC 2) requirements, including an examination of your controls with an audit report. 

The SOC 2 report is an outcome of an audit conducted by an external Certified Public Accountant (CPA) on the company’s compliance controls.

A SOC 2 evaluation categorizes the controls in high-level categories, known as the Trust Services Criteria (TSCs). The TSCs are security, availability, processing integrity, confidentiality, and privacy.

SOC trusted services categories

The report assures your partners that your MSP takes cybersecurity and data privacy seriously. 

With a SOC 2 report, you get detailed information about your company’s security and privacy controls. Informed MSPs can address the risk management processes, vendor management processes, and other company governance processes.

Trust Services Criteria
Evaluates the protection of Information Security Systems from unauthorized access. This includes other threats that could damage the information system’s confidentiality and availability.
Evaluates controls related to the availability of information systems as defined by your SLA objectives.
Processing Integrity
Evaluates controls that ensure information is processed accurately, in time, and according to your objectives.
Evaluates controls that secure and protect confidential information from unauthorized access.
Evaluates controls that are in place to protect the privacy of Data Subjects’ information and other data processed and stored in the system.

What is a control?

So what’s a control? A control is a statement describing any management, operational, or technical method used to manage risk. 

Controls monitor and measure aspects of standards to help the company accomplish their goals or objectives.

At a minimum, a SOC 2 report evaluates controls for the Security TSC. This control ensures the system is protected against unauthorized access (physically and logically). 

Each TSC outlines the requirements your company must meet. They outline the points of focus that you must implement as controls to be ready for a SOC 2 examination. 

Below is a high-level overview of the various TSCs and the overarching requirements included for each.

Trust Services CriteriaAreas Covered
This TSC covers 33 requirements with more than 120 points of focus implemented as controls.

Covers Personal Conduct, Corporate governance, Awareness training, Code of Conduct, Access Control, Asset Management, Data Protection, Change Management, Hiring & Termination workflows.
There are three additional requirements for the Availability TSC. About 15 points of focus typically implemented as controls.
Covers current capacity, forecasting system usage demand, data backup, and alternate processing infrastructure.
Processing Integrity
The criteria for Processing Integrity have five additional requirements. Making up about 14 points of focus.
Processing Integrity
Covers data related to processing inputs, detection and correction of production errors, and other system processing specifications.
The criteria for Confidentiality specify requirements for an entity to identify and maintain confidential information.
Covers protecting, identifying, and maintaining sensitive information.
This TSC deals with the additional requirement for handling your customers’ and users’ private and personal data. There are eight additional requirements to be implemented and 50 points of focus.
Covers criteria related to choice, consent, and collection of private information, access, disclosure, and monitoring.

Types of SOC 2 Reports

Type 1 Report – This report evaluates the suitability of the design of the controls at a single point in time. The auditor assesses the effectiveness of control design and implementation. This report does not evaluate the operating effectiveness of the controls themselves. A Type 1 evaluation report is generally the first step for a company. 

Type 2 Report – A type 2 report evaluates the design of controls and their operating effectiveness of the controls over a period of time. This period must be at least six months and no more than 12 months before the Type 2 audit. An auditor assesses the controls operating effectiveness and completeness of the evidence collected. The auditor provides an opinion and detailed description of tests of controls performed and those tests’ results.

Which SOC 2 report is right for my organization?

First-timers and startups most commonly get a SOC 2 Type 1 report, followed by a SOC 2 Type 2 report. After achieving the SOC 2 Type 2 report, there usually isn’t a need for another Type 1 report.

What does the SOC 2 report contain?

A SOC 2 report is produced by an AICPA accredited auditor and may vary based on the company’s needs, scope, and environment. It typically contains the following information:

  • Management assertion and representation letters provided by you to the auditor in writing as part of the audit report.
  • A section describing the company’s in-scope environment, including products and services provided.
  • A description of system boundaries, infrastructure, integrations, software/tools, people, processes and procedures, information/data, data security and encryption, and incident management.
  • Description of applicable Trust Services Criteria framework and controls and related Trust Services Principles in the organization.
  • Description of control objectives, control activities, and control tests and results.
  • An auditor’s opinion after examining the controls of the company information systems in-scope evaluated against the Trust Services Criteria.

Does my company need a SOC 2 Report?

A SOC 2 report can help provide positive assurance to customers for many types of businesses.

However, we see that companies dealing with customer data and doing business in the cloud are the ones who most definitely need a SOC 2 Report. Most SaaS companies and software service providers fall in this category.

For other enterprises and businesses, SOC 2 may or may not be the right choice. They may choose to pursue other cybersecurity certifications such as ISO 27001, NIST CSF, or others.

How long does it take to get a SOC 2 Report?

It takes anywhere from 30 days to one year to be ready for a SOC 2 audit. The time varies depending on the organization’s size, complexity, the scope of the products and services, and preparedness for a SOC 2 audit. 

A Type 1 SOC 2 audit typically lasts two to three weeks, while a Type 2 SOC 2 audit can last up to six weeks to complete.

Where do I start to get ready for SOC 2 audit?

Here’s what we see works best to get off the ground for SOC 2:

  1. Obtain clear management commitment: Management sponsorship goes a long way in securing resources, designing and building controls, policies, processes, and procedures.
  2. Identify your internal team: Identify a business process owner (BPO) within your company who will oversee the entire SOC 2 initiative and ongoing compliance.
  3. Recruit external resources (Service Providers and Consultants): Connect with external resources and services to augment your internal team. These are service providers or cybersecurity consultants to help you with your IT gap remediation.
  4. Pick an end-to-end SOC 2 platform (ControlMap): A platform such as ControlMap brings all your compliance work into a single platform. It automates evidence collection and is much more efficient than doing it manually.
  5. Select a competent Auditor: Auditors can help with the right plan, approach, and gap assessments for you to get started. Interview at least three SOC 2 auditors to find the right technology and cultural fit for your organization. ControlMap has partner auditors well versed in the platform. Contact us so that we can introduce you to an excellent network of partner auditors.
  6. Scope your SOC 2 audit/report: Scoping your SOC 2 is essential to focus all your teams and auditor efforts in the right areas
    • Identify the applications and services and other parts of your company that will be part of the SOC 2 evaluation.
    • Identify Trust Services Principles you need to be evaluated on. Remember that the Security Trust Principle is required. Availability, Confidentiality, Processing Integrity, and Privacy are optional and should be included based on your company’s needs. If you don’t know, you can always start with Security and then add other TSCs later.
    • Pick the type of report you want to be evaluated for. Most commonly, if you are doing an audit for the first time, then a Type 1 report is suitable. All subsequent audits are for a Type 2 report.

What’s a typical plan for a SOC 2 program?

Now you know where and how to start, the next step is to define a plan with timelines to keep you on track for your SOC 2. You will typically create this plan in collaboration with your service provider and auditor. Here’s what a typical plan looks like:

  1. Legwork
  2. Readiness Assessment (1 – 2 Weeks)
  3. Control Environment Design (1 – 12 weeks)
  4. Type 1 Audit
  5. Control Operations, Monitoring & Evidence Collection (6 – 12 months)
  6. Type 2 Audit

These durations are highly company-dependent and sometimes could take more than a year. ControlMap can cut down readiness and control design time by 90%. It has its built-in controls and evidence collection connectors to help you work faster.


Legwork is about getting started. It’s all about company internal readiness, teams, objectives, and other scope exercises that we discussed.

Readiness Assessment

In this phase, you and your readiness consultant assess where you stand and what gaps must be addressed. 

You’ll also decide which readiness assessment approach works for you based on your company’s maturity, products, and services.

A SOC 2 readiness assessment guides you through a Yes / No questionnaire to identify gaps. This helps you develop a list of to-do’s before you are audit-ready.

You may also want to perform an automated cloud compliance check. Start here if your products and services are in cloud environments such as AWS, Azure, or Google Cloud. An automated scanner checks your Cloud configuration against security standards. It will present a list of areas that need remediation.

Control Environment Design

There are four key activities that are typically performed in this stage:

  • Information Assets Inventory
  • Risk Assessment, Report, and Treatment Plan
  • Design the control environment – aka, information security management system
  • Establish and document policies, process, and procedures

Information Assets Inventory

The information assets inventory is a crucial information security assurance principle. 

Every single information asset in the organization’s infrastructure must be accounted for and listed. This includes information sources and systems, physical computing assets, licensed software assets, and open-source software assets used within the in-scope control environment.

Risk Assessment

This phase aims to identify the critical risks your business faces and create mitigating controls for those risks. 

Risks vary based on the business environment. But there are common risks for cloud businesses, software products, and services that you should mitigate. A formal periodic Risk Assessment guides your team in identifying critical risks. They can then assign scores, and review controls to mitigate those risks.

Controls Design

During this step, you design and define controls based on the assessment gaps and identified risks. You identify owners for each control and define the evidence that has to be collected and its frequency.

Here are the most critical control areas for defining controls for a successful SOC 2 audit. You can sign up for free to look at all controls required for SOC 2.

Control Areas, Objectives, and Samples
Human Resource Management
Establish policies and procedures relating to the area of Human Resources. These controls typically apply to procedures such as employee background verification, hiring & termination, employee handbooks, code of conduct, etc.
• Employee Handbook.
• Job descriptions, including security.
• Background Screening Policy and Procedures.
• Hiring & Termination processes and checklists.
• Employment agreements.
Security Awareness & Training
Establish policies and procedures relating to the company workforce’s security awareness and training to prevent data loss and theft.
• Annual security awareness training.
• Role-based security awareness training.
Risk Management Procedures
Conduct an annual risk assessment to identify critical risks to the company and perform a risk mitigation exercise.
• Annual risk assessment, report, and treatment plan.
Identity & Access Control
Establish controls to restrict user access to sensitive information and document policies and procedures for granting and revoking access to information systems.
• Centrally manage all users & identities in the company.
• A strong password policy is defined for all sensitive systems.
• Enable multi-factor authentication to sensitive and administrator access and other sensitive areas.
Application & Information Security
The objective of this control area is to define and maintain application development and operation security standards.
• All code development follows security standards such as OWASP.
• Establish baseline security configuration for all applications and systems.
• Separate software development, QA / testing, staging, and production environments.
Cryptographic Protection
This control area aims to define cryptographic protection for data at rest and data in transmission.
• All databases are encrypted.
• Protect all data transmission using secure protocols, i.e., HTTPS, TLS.
• All sensitive removable storage is encrypted.
Threat & Vulnerability Detection
Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures to identify, report, and prioritize the remediation of vulnerabilities to protect systems against vulnerability exploitation. Review and update the policies and practices at least annually.
• Malware Protection Policy and Procedures.
• Perform quarterly penetration testing. – Perform application vulnerability testing & detection each quarter.
Logging & Monitoring
This control area establishes policies, procedures, and controls for enabling logging for all user access, administrative access and monitors them to detect anomalies in access patterns and security incidents.
• Retain audit logs for at least 60 days or longer to support investigations.
• Monitor security logs to detect activity outside of known patterns.
• Log and monitor cryptographic key user lifecycle events.
Change Management
This control area establishes policies and procedures for making changes in the environment.
• Centrally track all application changes.
• Production changes require explicit approval.
• The security team reviews Security-related changes.

Establish and document policies, process and procedures

Within each Trust Services Criteria, there are four main sections during the audit period.

Policies: Company has defined and documented its policies relevant to the particular principle.

Communications: Company communicates its policies to responsible parties and users of the system.

Procedures: Company changes operation procedures to match its defined policies.

Management and Monitoring: Company monitors the system and acts to maintain compliance with its defined policies.

A SOC 2 evaluation requires the following policies established and documented:

  • Information Security Policy
  • Security Awareness and Communication Policy
  • Code of Conduct Policy
  • Change Management Policy
  • Encryption Policy
  • Access Control Policy
  • Remote Work policy
  • Risk Assessment Policy
  • Vendor Management Policy
  • VPN Policy
  • Logging and Monitoring Policy
  • Incident Management Policy
  • Wireless Access Policy
  • Asset Classification and Management Policy

Control Operations, Monitoring & Evidence Collection

During this focused period, your company operates the designed controls. You will continuously monitor them and collect evidence about the controls’ proper functioning.

The activities during this period are continuous. Evidence collected is specific to the environment, controls, products, and services. Illustrative activities and the evidence that must be collected are following:

New hire
• List of new hires.
• Proof that background checks were conducted.
• Proof that access authorizations were approved.
• Proof of employment contract and handbook signatures.
• Proof that terminated employees’ assets were returned.
Change management act
• List of change tickets for the examination period.
• Proof of change management approval.
User access provisioning
• List of approvals for administrative access.
• List of access requests.
• Proof of role-based access.
• List of privileged and least functional access.
Application Vulnerability Scans
• Quarterly vulnerability scan reports.
• Proof of vulnerability remediation.
Penetration Testing Reports
• Proof of penetration testing performed by a third-party.
• Proof of penetration testing findings and remediation.

Which evidence collection can be automated?

You can automate and streamline up to 90% of evidence collection. A platform like ControlMap continuously monitors your cloud environment, HR systems, and vulnerability scanning tools. It helps you stay up to date with compliance at all times.

How much does a SOC 2 report cost?

The cost for your SOC 2 will vary and will depend on the scope you select and the complexity of your company’s products and services. Typically the SOC 2 cost is comprised of the following components:

  • Internal team cost
  • External service provider cost
  • Auditor Cost
  • IT Services cost (Vulnerability / Penetration Testing)
  • Cost of other tools & services, such as log management

All combined, a SOC 2 report can be a costly affair. A typical audit can cost upwards of $40,000 for a Type 1 and Type 2 report. 

Additional services such as internal audits and service providers for penetration testing range from $15,000 to $50,000. The price can be higher depending on other factors. Those include the control environment scope, information security maturity, and staff participation.

Is it worth it?

Yes, it is absolutely worth it! A SOC 2 Report impacts your business reputation and its ability to compete in the market today. It sets up acceptable security practices and even improves operational effectiveness.

Begin your SOC 2 journey

ControlMap is ready to help you get started on your SOC 2 journey. For more information on how ControlMap helps you follow the path to compliance with SOC 2 or other frameworks, book a demo today.