SOC 2 Readiness Assessment

Type I tests whether your controls are designed correctly at a single point in time and can be issued in 4-6 weeks; Type II tests whether those controls operated effectively across an observation window of typically 3-12 months and is what most enterprise customers actually want to see. The right answer depends on your sales cycle, current control maturity, and how soon enterprise prospects need a report. The assessment includes a Type I vs Type II decision matrix tailored to your timeline, and many teams use Type I as a 4-6 week bridge while the Type II observation window runs in parallel.

Compliance-automation platforms continuously collect evidence and tell you whether a control is connected - but they do not tell you whether your control design will actually pass an auditor's review, whether your subservice organisations are scoped correctly, whether your CUECs are complete, or what the auditor will raise as exceptions on day one. The assessment is explicitly designed to complement those platforms by adding the human-verified gap analysis they don't do well. If you already use Vanta, Drata, Secureframe, Sprinto, Thoropass, or Hyperproof, we sanity-check the mapping and identify where the platform is producing false confidence.

Yes. The assessment maps every finding to the AICPA TSC 2017 - Security (CC1-CC9 Common Criteria), Availability (A1.1-A1.3), Confidentiality (C1.1-C1.2), Processing Integrity (PI1.1-PI1.5), and Privacy (P1-P8) - using the same scoping language, control IDs, and evidence forms that Big Four and SOC-2-specialist firms (BDO, Grant Thornton, A-LIGN, Schellman, Prescient Assurance, Insight Assurance, KirkpatrickPrice) use in their workpapers.

Type II reports test that controls operated effectively across an observation window - typically 3, 6, 9, or 12 months. Once the window starts, every control gap during that period becomes an audit exception. The assessment includes an observation-window plan that tells you which gaps must be closed before the window starts, which can be remediated during the window without becoming exceptions, and which automation platform integrations need to be live before day one of the window.

Every subservice organisation (your hosting provider, payment processor, email vendor) must be either carved out or included in your report. We list every subservice organisation we identify in your stack, recommend carve-out vs inclusive method per AICPA SSAE-18 guidance, draft Complementary User Entity Controls (CUECs) for your customers and Complementary Subservice Organisation Controls (CSOCs) you rely on from your subservices, and review their SOC 2 reports if available - so your final report has the right scoping language an auditor will accept.

Yes. Many teams pursuing SOC 2 also need ISO 27001 (often via cross-mapping), HIPAA (for healthcare), GDPR (for EU customers), or PCI-DSS (for cardholder data). The assessment flags every control that satisfies multiple frameworks, identifies framework-specific extras (e.g. ISO 27001 Annex A.5-A.8 vs SOC 2 CC, HIPAA §164.312 mapping to CC6, GDPR Article 32 alignment), and the report can be reused as input for a multi-framework programme.

No. The assessment is fully read-only and runs against configuration APIs at a controlled rate. Nothing we do can modify resources, change IAM, restart workloads, or affect production. You can run the audit during normal business hours with zero risk to delivery.

Typical turnaround is 1-2 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your security and engineering leads. Larger multi-account, multi-cloud, or multi-product estates can take a little longer; we confirm the timeline as soon as we see the scope.