
SOC 2 Gap Assessment SOP

Standard Operating Procedure for SOC 2 Type I/II readiness assessments

Service Pillar: Protect
Service Category: Compliance Gap Assessment
Target Duration: 3-4 weeks
Related Pricing: See Pricing & Positioning


Service Overview

Purpose

Conduct comprehensive SOC 2 readiness assessments that evaluate an organization's controls against the Trust Services Criteria (TSC), preparing clients for a successful Type I or Type II audit.

Target Personas

Persona Primary Pain Point Value Case
CTO/VP Engineering Enterprise sales blockers, security debt Close $100K+ deals
Bootstrapped SaaS Founder SOC 2 cost, runway constraints Enterprise-ready on budget
Vibe Coder B2B readiness, security credibility First enterprise customer

Business Justification

Metric Value Source
Enterprise buyers requiring SOC 2 82% A-LIGN SOC 2 Benchmark 2024
Traditional SOC 2 total cost $50,000-$150,000 Secureframe 2025
SOC 2 Type I audit cost $7,500-$20,000 Secureframe 2025
SOC 2 Type II audit cost $10,000-$50,000 Drata GRC Central
Time to SOC 2 (traditional) 6-18 months Vanta Industry Report 2024
SBK average time to Type I 4.5 months SBK client data

Pricing Reference

Tier Scope Price Range Duration
Startup <50 employees, simple architecture $10,000-$18,000 3 weeks
Growth 50-200 employees, moderate complexity $18,000-$30,000 3-4 weeks
Scale 200+ employees, complex environment $30,000-$50,000 4-6 weeks

See Pricing & Positioning for complete pricing structure.


Pre-Engagement

Qualification Checklist

  • Organization has B2B product/service
  • Enterprise customer requirement identified
  • Executive sponsor committed
  • Technical leadership available
  • Current tech stack documented
  • Timeline expectations aligned

Required Information Gathering

Category Documents Needed
Organizational Org chart, employee count, org structure
Technology Architecture diagram, cloud inventory, tech stack
Security Existing policies, prior assessments, incident history
Operations Change management process, SDLC, HR processes
Vendor Subservice organization list, vendor contracts

TSC Scope Selection

Trust Services Category Description Typically Included
Security (Required) Protection against unauthorized access and disclosure Always (the only mandatory category)
Availability System availability for operation and use Often (SaaS)
Processing Integrity Complete, valid, accurate, timely processing Sometimes
Confidentiality Protection of information designated confidential Often
Privacy Collection, use, retention and disposal of personal information If personal information is processed

Assessment Framework

Trust Services Criteria (2017)

Common Criteria (Security - Required)

Category Criteria Focus Areas
CC1 Control Environment Governance, ethics, oversight, structure
CC2 Communication and Information Internal/external communication, quality of information
CC3 Risk Assessment Risk identification, fraud risk, significant changes
CC4 Monitoring Activities Ongoing evaluations, deficiency remediation
CC5 Control Activities Policy deployment, technology controls
CC6 Logical and Physical Access Access management, physical security
CC7 System Operations Incident detection, response, recovery
CC8 Change Management Infrastructure and software changes
CC9 Risk Mitigation Vendor management, business disruption

Additional Categories (As Scoped)

Category Criteria Focus Areas
Availability A1 Capacity management, backup, recovery
Confidentiality C1 Identification, protection, disposal
Processing Integrity PI1 Completeness, accuracy, timeliness
Privacy P1-P8 Notice, consent, access, quality

Assessment Process

Phase 1: Discovery and Scoping (Days 1-5)

Objective: Understand environment and finalize assessment scope

Activity Deliverable Duration
Kickoff meeting Aligned expectations 0.5 day
Architecture deep-dive System documentation 1 day
Tech stack inventory Comprehensive inventory 1 day
TSC scope finalization Agreed scope 0.5 day
Control owner identification RACI matrix 0.5 day
Evidence request Tailored request list 0.5 day

Phase 2: Control Assessment (Days 6-15)

Objective: Evaluate existing controls against TSC requirements

CC1-CC5: Organizational Controls

Area Assessment Activities
Governance Board/leadership oversight, security responsibility
Ethics Code of conduct, reporting mechanisms
Communication Security awareness, policy distribution
Risk Management Risk assessment process, risk register
Monitoring Control monitoring, deficiency tracking

CC6: Access Controls

Control Area Testing Approach
Authentication MFA implementation, password policies
Authorization Role-based access, least privilege
User lifecycle Provisioning, modification, termination
Privileged access Admin account management, PAM
Physical access Facility security, visitor management

CC7: System Operations

Control Area Testing Approach
Vulnerability management Scanning frequency, remediation SLAs
Security monitoring SIEM, alerting, log retention
Incident response IR plan, testing, communications
Malware protection Endpoint security, email filtering

CC8: Change Management

Control Area Testing Approach
SDLC Development process, code review
Testing Pre-production testing requirements
Deployment Deployment procedures, rollback
Infrastructure Infrastructure change process

CC9: Risk Mitigation

Control Area Testing Approach
Vendor management Vendor assessment, monitoring
Business continuity BCP/DR plans, testing

Phase 3: Technical Validation (Days 10-18)

Objective: Validate technical control implementation

Assessment Area Testing Approach
Cloud security AWS/Azure/GCP configuration review
Network security Firewall rules, segmentation, encryption
Endpoint security Configuration standards, patching
Application security SAST/DAST results, secure SDLC
Data protection Encryption at rest/transit, key management
Logging and monitoring Log coverage, SIEM configuration
Backup and recovery Backup verification, recovery testing
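Technical validation produces evidence, not opinions, so each control area above should be checked against machine-readable output from the client's environment. The following is an added example for the cloud security and access-control rows (it is not part of the SOP's own tooling). It evaluates an AWS IAM credential report (the CSV returned by `aws iam get-credential-report`) for CC6 logical-access gaps: console identities without MFA, an active root access key, keys overdue for rotation, and dormant keys, then rolls the findings up to the readiness levels used in this SOP. The 90-day thresholds, the mapping of each check to a priority level, and the rollup rule are assumptions for illustration; the sample report is constructed, not real account data.

```python
"""CC6 logical-access evidence check over an AWS IAM credential report.

Added example for the Technical Validation phase. Input is the CSV produced by
`aws iam get-credential-report`; only the columns these checks read are
required. Thresholds and the finding-to-priority mapping are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

ROTATION_MAX_DAYS = 90   # assumed key-rotation policy window
DORMANT_MAX_DAYS = 90    # assumed threshold for unused active credentials
AS_OF = datetime(2026, 2, 1, tzinfo=timezone.utc)  # fixed "now" for reproducible runs

# Constructed sample (not real account data). Headers match the real report.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2021-03-01T09:05:00+00:00,2022-01-15T10:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,true,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-06-01T12:05:00+00:00,2026-01-25T09:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2025-12-01T00:00:00+00:00,2026-01-30T06:00:00+00:00
legacy-svc,arn:aws:iam::123456789012:user/legacy-svc,false,false,true,2022-01-01T00:00:00+00:00,2024-05-01T00:00:00+00:00
"""


@dataclass(frozen=True)
class Finding:
    principal: str
    check: str       # short check name, used for the readiness rollup
    criterion: str   # TSC criterion the evidence supports
    priority: str    # SOP priority level (assumed mapping)
    detail: str


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def _parse_ts(value: str):
    """Report timestamps are ISO-8601; N/A, no_information and not_supported
    mean no date is available for that field."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_credential_report(report_csv: str, as_of: datetime) -> list:
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        is_root = name == "<root_account>"
        key_active = _is_true(row["access_key_1_active"])

        # CC6.1: MFA on every interactive identity. Root is always interactive;
        # IAM users count when a console password is enabled.
        if (is_root or _is_true(row["password_enabled"])) and not _is_true(row["mfa_active"]):
            findings.append(Finding(name, "mfa", "CC6.1", "High",
                                    "console access without MFA"))

        if is_root:
            # Root keys bypass all IAM policy; an active one is a blocking gap.
            # Generic key checks are skipped for root because remediation is
            # deletion of the key, not rotation.
            if key_active:
                findings.append(Finding(name, "root_key", "CC6.1", "Critical",
                                        "root account has an active access key"))
            continue

        if not key_active:
            continue

        rotated = _parse_ts(row["access_key_1_last_rotated"])
        if rotated is None or (as_of - rotated).days > ROTATION_MAX_DAYS:
            findings.append(Finding(name, "key_rotation", "CC6.1", "Medium",
                                    f"access key not rotated in {ROTATION_MAX_DAYS} days"))

        last_used = _parse_ts(row["access_key_1_last_used_date"])
        if last_used is None or (as_of - last_used).days > DORMANT_MAX_DAYS:
            findings.append(Finding(name, "dormant_key", "CC6.2", "Medium",
                                    "active access key unused; candidate for removal"))
    return findings


def readiness_by_check(findings, checks=("mfa", "root_key", "key_rotation", "dormant_key")) -> dict:
    """Roll findings up to the SOP's readiness levels. Assumed rule: no findings
    -> Implemented; any Critical finding -> Not Implemented; else Partially
    Implemented."""
    out = {}
    for check in checks:
        hits = [f for f in findings if f.check == check]
        if not hits:
            out[check] = "Implemented"
        elif any(f.priority == "Critical" for f in hits):
            out[check] = "Not Implemented"
        else:
            out[check] = "Partially Implemented"
    return out


if __name__ == "__main__":
    results = assess_credential_report(SAMPLE_REPORT, AS_OF)
    for f in results:
        print(f"[{f.priority}] {f.criterion} {f.principal}: {f.detail}")
    print(readiness_by_check(results))
```

Run it against the real report by replacing SAMPLE_REPORT with the decoded `Content` field of `aws iam get-credential-report --output json` and setting AS_OF to the report's `GeneratedTime`. Keep the raw report alongside the findings in the evidence inventory; the auditor will want the source artifact, not just the assessor's summary.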

Phase 4: Reporting (Days 16-22)

Objective: Synthesize findings into actionable deliverables

Activity Deliverable Duration
Finding consolidation Gap matrix 1 day
Remediation planning Priority roadmap 1.5 days
Report drafting Draft assessment 2 days
Internal QA Quality-assured report 0.5 day
Client review Feedback incorporation 2 days

Gap Rating Methodology

Readiness Levels

Level Definition Audit Readiness
Implemented Control fully in place with evidence Audit-ready
Partially Implemented Control exists but incomplete/inconsistent 30-60 days remediation
Not Implemented Control missing or not formalized 60-120 days remediation
Not Applicable Control not relevant to scope Document rationale

Priority Classification

Priority Definition Remediation Window
Critical Blocks audit, fundamental gap Before audit scheduling
High Likely audit finding, significant gap 60 days
Medium Possible finding, improvement area 90 days
Low Best practice, optimization Post-audit

Deliverables

SOC 2 Readiness Report

Structure:

  1. Executive Summary
     • Scope and approach
     • Readiness assessment summary
     • Audit timeline recommendation
     • Investment estimate for remediation
  2. Scope Definition
     • Trust Services Categories in scope
     • System description elements
     • Subservice organizations
  3. Control Assessment Matrix
     • TSC criteria mapping
     • Control descriptions
     • Readiness status
     • Gaps identified
     • Recommendations
  4. Remediation Roadmap
     • Prioritized action items
     • Owner assignments
     • Timeline to audit-ready
     • Resource estimates
  5. Appendices
     • Evidence inventory
     • Technical findings
     • Policy gap analysis

Remediation Support Materials

Material Purpose
Policy templates Address documentation gaps
Control implementation guides Technical remediation guidance
Evidence collection checklist Audit preparation
System description template Prep for Section 3 of the SOC 2 report (management's description of the system)

Audit Preparation Pathway

Timeline to Audit

Phase Duration Activities
Gap Assessment 3-4 weeks This engagement
Remediation 2-4 months Control implementation
Evidence Collection 2-4 weeks Audit prep
Type I Audit 2-4 weeks Point-in-time audit
Observation Period 3-6 months For Type II
Type II Audit 4-6 weeks Period-of-time audit

Type I vs Type II

Aspect Type I Type II
Scope Design effectiveness Design + Operating effectiveness
Duration Point-in-time 3-12 month observation period
Evidence Control design documentation Operating evidence over time
Typical Use First audit, quick requirement Ongoing compliance, mature orgs
SBK Recommendation Start here, fast path to enterprise Graduate to Type II after Type I

Quality Assurance

Internal Review Checklist

  • All in-scope TSC criteria addressed
  • Gap ratings are consistent
  • Recommendations are actionable
  • Timeline is realistic
  • Audit cost estimates included
  • Policy templates provided where needed
  • Technical findings validated

Client Review Process

  1. Draft report delivery
  2. 5 business day review period
  3. Questions/clarifications call
  4. Final report delivery
  5. Remediation planning session

Post-Delivery

Remediation Support Options

Option Scope Investment
Self-Remediation Report + templates only Included
Guided Remediation Monthly check-ins, Q&A $2,000-$4,000/month
Full Remediation Hands-on implementation Custom scoping

Auditor Coordination

  • Auditor selection guidance (Big 4 vs boutique)
  • Pre-audit readiness check
  • Evidence package preparation
  • Audit coordination support (optional)

Service Connection SOP Reference
vCISO Ongoing compliance management vcto-vciso-engagement-sop.md
Penetration Testing Validates technical controls pentest-sop.md
Security Awareness Addresses CC1/CC2 requirements security-training-sop.md
Risk Assessment Comprehensive risk program risk-assessment-sop.md

Evidence Base

Why This Approach Works

Principle Evidence Source
Focused scope reduces cost 30-50% cost reduction with proper scoping Drata Research
Type I first accelerates timeline 4-6 month path vs 12-18 month traditional SBK client data
Compliance automation reduces burden 40% evidence collection time reduction Secureframe 2025

SBK Success Metrics

Metric Target Measurement
First-time audit pass rate 100% Audit outcomes
Time to Type I <6 months Client tracking
Client satisfaction 4.5+/5.0 Post-engagement survey
Remediation engagement rate 70%+ Sales tracking

Regulatory References


Last Updated: February 2026 Version: 1.0