A SOC 2 readiness checklist is the work you do before the audit: scope the Trust Services Criteria, stand up and run the controls, and gather the evidence a licensed CPA firm will sample. Security is mandatory; the other four categories are in scope only where you make commitments. Readiness is preparation, not the report.
What does SOC 2 readiness actually involve?
Readiness is where a SOC 2 is won or lost, and it happens months before the auditor opens a single ticket. A readiness assessment is a gap analysis against the Trust Services Criteria: you map your current controls to the criteria, find what is missing or undocumented, and fix it before the observation period starts.
For a Type II report, the auditor tests whether controls operated effectively over a period, commonly 3 to 12 months, so a control you stand up the week before buys you nothing. The CPA firm does not help you build the controls. Independence rules keep the auditor at arm's length, so readiness is your job, or your readiness partner's. The deliverable of readiness is not a report. It is a control environment that will survive sampling.
What goes on a SOC 2 readiness checklist?
Six areas carry most of the work. Get these to a state where each control operates, is documented, and leaves a record, and the audit becomes a sampling exercise rather than a scramble.
| Area | What to have ready |
|---|---|
| Scope and criteria | The system boundary in writing, and which Trust Services categories are in scope (Security always, plus any commitments on availability, processing integrity, confidentiality or privacy) |
| Policies and governance | Information security, access control, change management, incident response, risk assessment, vendor management and personnel security policies, each approved, dated and owned |
| Access and identity | A joiner, mover and leaver process, multifactor authentication, least privilege, and access reviews you can show were performed |
| Change and development | Change management with approvals, code review, separated environments, and a secure development process |
| Monitoring and response | Centralised logging, alerting, vulnerability management, and an incident response plan that has been tested |
| Vendor and risk | A current risk assessment, a vendor register with due diligence, and the subservice organisations named (carve out or inclusive method) |
Which Trust Services Criteria should you scope in?
Security always; the rest only where you make commitments. Security is the common criteria, the CC series, mandatory in every SOC 2. The other four, availability, processing integrity, confidentiality and privacy, are included only where you commit to them in your customer agreements. Each one you add widens the control set, the evidence and the cost.
Do not add privacy because it sounds thorough. Add it because you handle personal information and your customers ask. Points of focus under each criterion are considerations, not a checklist to tick, and not all apply to every entity. Scope to what you actually commit to, then prove it.
What policies and documents do you need?
Written, approved, dated, and actually followed. The auditor reads policy first, then tests whether you live by it. A policy dated the week before the audit is a flag.
The core set covers information security, access control, change management, incident response, risk assessment, vendor and third party management, business continuity, and personnel security. Each needs an owner, an approval date and a review cycle. A policy nobody follows is worse than no policy. The gap between the document and the practice is exactly what Type II testing surfaces.
What evidence will the auditor actually accept?
Historical records the system generated, not screenshots made for the occasion. Type II tests operating effectiveness across the period, so the auditor samples evidence with dates inside the window: access review records, change tickets with approvals, onboarding and offboarding records, alerts and their resolution, vulnerability scans.
Evidence created the week before tells the auditor the control was not running. The strongest evidence is the byproduct of a control that already operates: the ticket, the log, the signed review. Set up evidence collection before the clock starts, not after.
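As an added example, not from the article or from Cybernion, the following Python check takes a set of evidence records and reports where they fail to cover a Type II observation window at the expected cadence, and which records fall outside the window and so cannot be sampled. The window dates, the cadences and the evidence records are all constructed for illustration.

```python
from datetime import date

# Observation window for the Type II report (constructed dates).
WINDOW_START = date(2025, 1, 1)
WINDOW_END = date(2025, 12, 31)

# How often each control should leave a record, in days (assumed cadences:
# access reviews quarterly, vulnerability scans monthly).
CADENCE_DAYS = {"access_review": 92, "vulnerability_scan": 31}

# Constructed evidence: (control, date the system recorded the artefact).
EVIDENCE = [
    ("access_review", date(2025, 1, 15)),
    ("access_review", date(2025, 4, 10)),
    ("access_review", date(2025, 9, 30)),        # the Q3 review ran late
    ("access_review", date(2025, 12, 20)),
    ("vulnerability_scan", date(2024, 12, 28)),  # before the window: not sampleable
] + [("vulnerability_scan", date(2025, m, 5)) for m in range(1, 13) if m != 7]


def coverage_gaps(evidence, start, end, cadence_days):
    """Per control, return the intervals longer than the cadence with no
    in-window record, and how many records were dated outside the window."""
    result = {}
    for control, cadence in cadence_days.items():
        dates = sorted(d for c, d in evidence if c == control)
        inside = [d for d in dates if start <= d <= end]
        outside = len(dates) - len(inside)
        # Window edges count as checkpoints, so a late first record or an
        # early last record shows up as a gap too.
        checkpoints = [start] + inside + [end]
        gaps = [(a, b) for a, b in zip(checkpoints, checkpoints[1:])
                if (b - a).days > cadence]
        result[control] = {"gaps": gaps, "out_of_window": outside}
    return result


def report(findings):
    """Render findings as lines a readiness gap log could carry."""
    lines = []
    for control, f in findings.items():
        for a, b in f["gaps"]:
            lines.append(f"{control}: no record between {a} and {b} ({(b - a).days} days)")
        if f["out_of_window"]:
            lines.append(f"{control}: {f['out_of_window']} record(s) dated outside the window")
    return lines


if __name__ == "__main__":
    for line in report(coverage_gaps(EVIDENCE, WINDOW_START, WINDOW_END, CADENCE_DAYS)):
        print(line)
```

Run against the constructed data it reports the five-month gap in access reviews, the missing July scan, and the one scan record that predates the window.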
How long does readiness take, and when should you start?
It depends on how far the current control environment sits from the criteria. As a guide, Cybernion scopes readiness and gap work at 4 to 8 weeks, and the Type II observation period runs 6 to 12 months after that. Both are indicative; a team with mature controls moves faster.
Start readiness before you commit to an audit window. The mistake is booking the observation period, then discovering the controls were not ready, and watching the window fill with exceptions you cannot fix mid period. Many teams that already hold ISO 27001 carry most of the control work across. Get ready first. Then start the clock.
Frequently asked questions
Is readiness the same as the audit?
No. Readiness is a gap analysis you run before the audit to find and fix missing or undocumented controls. The audit is a separate engagement by an independent licensed CPA firm, which issues the report. The same firm cannot both build your controls and audit them.
Do all five Trust Services categories have to be in scope?
No. Security, the common criteria, is mandatory in every SOC 2. The other four, availability, processing integrity, confidentiality and privacy, are included only where you make commitments in those areas. Each added category widens the control set and the cost.
Should readiness happen before a Type I or a Type II?
Before either. Readiness fixes gaps before the observation period starts, which matters most for Type II, where the auditor tests how controls operated over a period commonly 3 to 12 months. A control stood up late in the window produces an exception you cannot undo.
Do compliance automation tools replace readiness?
No. Automation tools collect evidence and track controls, which saves time, but they do not write your policies, run your access reviews or decide your scope. The control environment still has to operate. The tool records it; it does not replace it.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), 2022
- AICPA, SOC 2 reporting guidance, accessed June 2026
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO/IEC 27001, accessed June 2026
Last updated: 21 June, 2026
