SOC 2 Readiness SOP
Sub-procedure of soc2-gap-sop.md
Overview
Detailed procedures for conducting SOC 2 readiness assessments, including Trust Services Criteria (TSC) evaluation, control mapping, gap identification, and organizational readiness determination. This sub-procedure covers the initial discovery and assessment phases.
Scope
- Parent SOP: SOC 2 Gap Assessment
- Pillar: Protect (Security & Compliance)
- Service Area: SOC 2 Readiness Assessment
Prerequisites
- Parent SOP requirements met
- Executive sponsor and technical leadership committed
- TSC scope preliminarily defined (Security + optional categories)
- Current technology stack documented
- Access to architecture documentation provided
- Assessment kickoff meeting completed
Procedure
Step 1: Scope Definition and System Description
Objective: Define assessment boundaries and document system description elements
TSC Scope Selection:
| Category | When to Include | Typical Indicators |
|---|---|---|
| Security (Required) | Always | All SOC 2 engagements |
| Availability | SaaS, uptime SLAs | Availability commitments in contracts |
| Processing Integrity | Data processing services | Financial, healthcare, transaction systems |
| Confidentiality | Sensitive data handling | NDA-covered information, trade secrets |
| Privacy | Personal data processing | PII collection, processing, or storage |
System Description Elements:
| Element | Documentation Required |
|---|---|
| Services Provided | Description of in-scope services |
| Service Commitments | Contractual obligations, SLAs |
| System Components | Infrastructure, software, people, data |
| System Boundaries | In-scope vs out-of-scope delineation |
| Subservice Organizations | Third parties supporting services |
| Complementary User Entity Controls (CUECs) | Customer responsibility controls |
Scoping Workshop Agenda:
1. Review preliminary TSC scope selection
2. Document services and service commitments
3. Map system components to service delivery
4. Identify subservice organizations
5. Define system boundaries
6. Identify data flows and trust boundaries
Step 2: Control Environment Assessment
Objective: Evaluate the organizational control environment and related entity-level criteria (CC1-CC5, which correspond to the five COSO components)
Control Environment Areas:
| Criteria | Assessment Focus | Evidence Types |
|---|---|---|
| CC1 - Control Environment | Board oversight, security responsibility, organizational structure | Org charts, job descriptions, board minutes |
| CC2 - Communication and Information | Security awareness, policy distribution, internal and external communication | Training records, policy acknowledgments |
| CC3 - Risk Assessment | Risk identification and analysis, fraud risk, assessment of significant changes to the system | Risk assessments, risk registers |
| CC4 - Monitoring Activities | Ongoing and separate evaluations, deficiency communication and remediation | Audit reports, remediation tracking |
| CC5 - Control Activities | Policy deployment, technology controls | Policies, procedures, control documentation |
CC1-CC5 Evaluation Checklist:
- Board/management oversight documented
- Security responsibility formally assigned
- Code of conduct exists and is acknowledged
- Security policies documented and distributed
- Risk assessment process established
- Control monitoring process in place
- Deficiency remediation tracked
Step 3: Logical and Physical Access Assessment (CC6)
Objective: Evaluate access control implementation
Access Control Evaluation Areas:
| Control Area | Assessment Activities | Key Questions |
|---|---|---|
| User Authentication | Review authentication mechanisms | MFA implemented? Password policies enforced? |
| Authorization | Review access provisioning | Least privilege enforced? Role-based access? |
| Access Modifications | Review change process | Access requests documented? Approvals in place? |
| Access Removal | Review termination process | Timely deprovisioning? Account reviews conducted? |
| Physical Access | Review facility security | Access controls? Visitor management? |
Technical Validation:
| Test | Method | Expected Evidence |
|---|---|---|
| Password Policy | Configuration review | Minimum length, complexity, expiration settings; where periodic rotation is disabled (as NIST SP 800-63B permits), the documented rationale |
| MFA Implementation | Configuration review | Enrollment %, bypass exceptions |
| Privileged Access | Access report review | Privileged account inventory, justification |
| Access Reviews | Process review | Recent access review documentation |
| Termination | Sample testing | Timely deprovisioning evidence |
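The technical validation rows above (MFA enrollment percentage and bypass exceptions, privileged account inventory with justification, and termination sample testing) can be computed mechanically from an identity-provider user export and an HR separation list. The following is an added example written for this page, not code from the SOP or any vendor tool; the `Account` fields, the 24-hour deprovisioning SLA and every user record are constructed assumptions, so substitute the client's real export schema and the SLA stated in their policy.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Account:
    """One row of an IdP user export. Field names are assumed, not a real vendor schema."""
    user: str
    mfa_enrolled: bool
    mfa_bypass_reason: str | None        # documented exception, e.g. a break-glass account
    privileged: bool
    privilege_justification: str | None  # ticket or business reason for elevated rights
    disabled_at: datetime | None         # None means the account is still active


# Constructed sample export: every record is invented for this example.
ACCOUNTS = [
    Account("alice", True,  None, True,  "IdP administrator, ticket IAM-102", None),
    Account("bob",   False, None, False, None, None),
    Account("carol", False, "break-glass account, exception ISMS-7", True, "break-glass", None),
    Account("dlee",  True,  None, False, None, datetime(2026, 1, 13, 9, 0)),
    Account("erin",  True,  None, True,  None, None),
    Account("frank", True,  None, False, None, datetime(2026, 1, 20, 15, 30)),
    Account("gina",  True,  None, False, None, None),
]

# Constructed HR separation timestamps: the sample for termination testing.
TERMINATIONS = {
    "dlee":  datetime(2026, 1, 10, 17, 0),
    "frank": datetime(2026, 1, 20, 12, 0),
    "gina":  datetime(2026, 1, 22, 18, 0),
}

DEPROVISION_SLA = timedelta(hours=24)  # assumed SLA; take the real value from the client policy


def mfa_enrollment(accounts: list[Account]) -> dict:
    """Enrollment % over active accounts, with non-enrolled users split into
    documented bypass exceptions and undocumented gaps (the latter are findings)."""
    active = [a for a in accounts if a.disabled_at is None]
    enrolled = [a for a in active if a.mfa_enrolled]
    not_enrolled = [a for a in active if not a.mfa_enrolled]
    return {
        "active": len(active),
        "enrolled_pct": round(100 * len(enrolled) / len(active), 1) if active else 0.0,
        "documented_bypass": sorted(a.user for a in not_enrolled if a.mfa_bypass_reason),
        "undocumented": sorted(a.user for a in not_enrolled if not a.mfa_bypass_reason),
    }


def privileged_without_justification(accounts: list[Account]) -> list[str]:
    """Active privileged accounts with no recorded justification: an inventory gap."""
    return sorted(a.user for a in accounts
                  if a.privileged and a.disabled_at is None and not a.privilege_justification)


def termination_exceptions(accounts: list[Account], terminations: dict[str, datetime],
                           sla: timedelta) -> dict[str, timedelta | None]:
    """Terminated users whose account was disabled later than the SLA (value is the lag)
    or never disabled at all (value is None, the worst case)."""
    by_user = {a.user: a for a in accounts}
    exceptions: dict[str, timedelta | None] = {}
    for user, separated_at in terminations.items():
        acct = by_user.get(user)
        if acct is None or acct.disabled_at is None:
            exceptions[user] = None
            continue
        lag = acct.disabled_at - separated_at
        if lag > sla:
            exceptions[user] = lag
    return exceptions


if __name__ == "__main__":
    print(mfa_enrollment(ACCOUNTS))
    print(privileged_without_justification(ACCOUNTS))
    print(termination_exceptions(ACCOUNTS, TERMINATIONS, DEPROVISION_SLA))
```

Note that the enrollment percentage is computed over accounts that are still enabled, which is why a terminated user who was never deprovisioned (gina here) still counts toward it: the two findings reinforce each other, and the auditor will see the same thing.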
Step 4: System Operations Assessment (CC7)
Objective: Evaluate security monitoring and incident response
CC7 Assessment Areas:
| Control Area | Evaluation Focus | Evidence Required |
|---|---|---|
| Vulnerability Management | Scanning frequency, remediation SLAs | Scan reports, remediation tracking |
| Security Monitoring | SIEM configuration, alert coverage | Alert rules, log retention |
| Incident Detection | Detection capabilities, IOC monitoring | Detection tools, alert examples |
| Incident Response | IR plan, communication procedures | IR plan, incident log |
| Recovery | Backup procedures, recovery testing | Backup logs, recovery test results |
Step 5: Change Management Assessment (CC8)
Objective: Evaluate change control processes
CC8 Assessment Areas:
| Control Area | Evaluation Focus | Evidence Required |
|---|---|---|
| SDLC | Development process, code review | Development policies, PR/review records |
| Testing | Pre-production testing requirements | Testing policies, test results |
| Approval | Change approval workflow | Change tickets with approvals |
| Deployment | Deployment procedures, rollback | Deployment documentation, runbooks |
| Infrastructure | Infrastructure change process | Change records, CAB meeting notes |
Change Management Checklist:
- Documented change management policy
- Change request and approval workflow
- Development/testing/production separation
- Code review requirements
- Testing before production deployment
- Rollback procedures documented
- Emergency change procedures
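The CC8 evidence listed above (PR/review records, change tickets with approvals, test results, emergency change procedures) is usually sample-tested by picking production deploys and tracing each back to its change record. The following is an added example written for this page, not code from the SOP or from any ticketing or source-control product; the record shapes, the rule that an emergency change may carry a retroactive approval but still needs an independent approver and a ticket, and all pull requests and deploys are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Review:
    reviewer: str
    state: str            # "APPROVED" or "CHANGES_REQUESTED"
    submitted_at: datetime


@dataclass(frozen=True)
class PullRequest:
    number: int
    author: str
    merged_at: datetime
    ci_status: str        # "passed", "failed" or "missing"
    change_ticket: str | None
    reviews: tuple[Review, ...] = ()


@dataclass(frozen=True)
class Deploy:
    deploy_id: str
    environment: str
    deployed_at: datetime
    pr_number: int | None
    emergency: bool = False


def T(day: int, hour: int, minute: int = 0) -> datetime:
    """Shorthand for constructed January 2026 timestamps."""
    return datetime(2026, 1, day, hour, minute)


# Constructed sample records: none of these PRs, tickets or people are real.
PRS = {p.number: p for p in [
    PullRequest(101, "alice", T(5, 14), "passed", "CHG-2041",
                (Review("bob", "APPROVED", T(5, 11)),)),
    PullRequest(102, "bob", T(6, 16), "passed", "CHG-2042",
                (Review("bob", "APPROVED", T(6, 15)),)),            # author approved own PR
    PullRequest(103, "carol", T(7, 10), "failed", None,
                (Review("alice", "CHANGES_REQUESTED", T(6, 9)),
                 Review("alice", "APPROVED", T(7, 12)))),           # approved after merge
    PullRequest(104, "dave", T(8, 2), "passed", "CHG-2050",
                (Review("erin", "APPROVED", T(8, 9)),)),            # emergency, retroactive
]}

DEPLOYS = [
    Deploy("d-1", "production", T(5, 15), 101),
    Deploy("d-2", "production", T(6, 17), 102),
    Deploy("d-3", "production", T(7, 11), 103),
    Deploy("d-4", "production", T(8, 3), 104, emergency=True),
    Deploy("d-5", "production", T(9, 12), None),                    # no change record at all
]


def evaluate_deploy(deploy: Deploy, prs: dict[int, PullRequest]) -> list[str]:
    """Return the CC8 exceptions for one production deploy (empty list = clean)."""
    pr = prs.get(deploy.pr_number) if deploy.pr_number is not None else None
    if pr is None:
        return ["no linked pull request"]
    findings: list[str] = []
    if deploy.deployed_at < pr.merged_at:
        findings.append("deployed before merge")
    # Segregation of duties: the approver must be someone other than the author.
    independent = [r for r in pr.reviews if r.state == "APPROVED" and r.reviewer != pr.author]
    if not independent:
        findings.append("no independent approval")
    elif not deploy.emergency and not any(r.submitted_at <= pr.merged_at for r in independent):
        # Assumed policy: only emergency changes may be approved retroactively.
        findings.append("approval recorded after merge")
    if pr.ci_status != "passed":
        findings.append(f"tests not passed ({pr.ci_status})")
    if not pr.change_ticket:
        findings.append("no change ticket")
    return findings


def sample_test(deploys: list[Deploy], prs: dict[int, PullRequest]) -> dict[str, list[str]]:
    """Exceptions keyed by deploy id for every production deploy in the sample."""
    results: dict[str, list[str]] = {}
    for d in deploys:
        if d.environment != "production":
            continue
        findings = evaluate_deploy(d, prs)
        if findings:
            results[d.deploy_id] = findings
    return results


if __name__ == "__main__":
    for deploy_id, findings in sample_test(DEPLOYS, PRS).items():
        print(deploy_id, findings)
```

Each exception maps back to a checklist item: self-approval and post-merge approval to "Code review requirements" and "Change request and approval workflow", a failed pipeline to "Testing before production deployment", a missing ticket or unlinked deploy to "Documented change management policy". Deploys that pass cleanly are what you want the sample to look like when the readiness score is computed in Step 7.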
Step 6: Risk Mitigation Assessment (CC9)
Objective: Evaluate vendor management and business continuity
CC9 Assessment Areas:
| Control Area | Evaluation Focus | Evidence Required |
|---|---|---|
| Vendor Management | Vendor assessment process | Vendor inventory, assessment records |
| Vendor Monitoring | Ongoing vendor oversight | Review cadence, SOC 2 collection |
| Business Continuity | BCP/DR planning | BCP/DR plans, testing records |
| Recovery Testing | DR testing frequency | Test results, lessons learned |
Step 7: Readiness Determination
Objective: Assess overall audit readiness and timeline
Readiness Scoring:
| Status | Definition | Audit Recommendation |
|---|---|---|
| Audit Ready | 90% or more of in-scope controls implemented with evidence | Schedule audit within 30 days |
| Near Ready | 70% to under 90% implemented, minor gaps | 30-60 day remediation, then audit |
| Significant Gaps | 50% to under 70% implemented | 60-120 day remediation program |
| Not Ready | Under 50% implemented | Full remediation program required |
Count a control as implemented only when evidence of its operation exists, not when a policy merely describes it. The percentage does not override the Gap Prioritization Matrix below: any Critical gap must be closed before the audit is scheduled, whatever the score. For a Type 2 report, the audit date fixes the start of the observation period, so every in-scope control must be operating and producing evidence from that date onward.
Gap Prioritization Matrix:
| Priority | Criteria | Remediation Timeline |
|---|---|---|
| Critical | Blocks audit, fundamental gap | Before audit scheduling |
| High | Likely audit finding | 60 days |
| Medium | Possible finding, best practice | 90 days |
| Low | Optimization, enhancement | Post-audit |
Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| TSC Scope Documentation | Word/PDF | SBK Consultant |
| System Description Draft | Word | SBK Consultant |
| Control Assessment Matrix | Excel | Lead Assessor |
| Gap Identification Report | Excel/PDF | Lead Assessor |
| Readiness Summary | Executive report | SBK Lead |
| Recommended Audit Timeline | Project plan | SBK Lead |
Quality Gates
- TSC scope formally agreed with client
- System description elements documented
- All in-scope TSC criteria assessed
- Control owners identified for each area
- Evidence gaps documented
- Readiness level determined
- Remediation priorities established
- Audit timeline recommendation provided
Related Documents
- Parent SOP: SOC 2 Gap Assessment
- SOC 2 Audit Prep SOP
- SOC 2 Evidence Collection SOP
- Cross-Pillar SOPs
- Assessment Templates
Last Updated: February 2026
Parent SOP: soc2-gap-sop.md