Why gap analysis before the auditor matters
SOC 2 audits are expensive. A Type II audit from a reputable CPA firm typically costs $15,000–$50,000 depending on scope, complexity, and the firm. A readiness assessment from a consultant typically adds another $5,000–$15,000. And if you engage an auditor before your controls are actually in place, you burn the observation period on months in which your controls weren't operating.
The single most expensive SOC 2 mistake is starting the audit window before you're ready. A Type II report requires the auditor to observe your controls operating effectively over a defined period (minimum 6 months for a full report). If your access review process didn't exist in month 2, the auditor notes it as an exception. Exceptions require remediation commentary. Multiple exceptions can result in a qualified opinion — which some enterprise customers will refuse to accept.
The solution is a rigorous self-assessment before you engage anyone. This post walks through how to do it properly.
The five Trust Service Criteria — which ones do you need?
SOC 2 is not a single checklist. It's built around five Trust Service Criteria (TSC):
| Criteria | Code | What it covers | Required? |
|---|---|---|---|
| Security | CC | Logical and physical access controls, system operations, change management, risk management | Always required |
| Availability | A | Uptime commitments, backup and recovery, capacity management | Include if you have uptime SLAs |
| Confidentiality | C | Protection of confidential information (trade secrets, NDA-covered data) | Include if you handle sensitive B2B data |
| Processing Integrity | PI | Complete, accurate, timely processing | Include for financial processing, data pipelines |
| Privacy | P | Personal information lifecycle, consent, AICPA privacy notice | Include if privacy is a key selling point or requirement |
Most early-stage SaaS companies start with Security (CC) + Availability (A). Adding Confidentiality and Privacy is increasingly expected by enterprise buyers. The more criteria you include, the more comprehensive — and expensive and time-consuming — the audit.
The Common Criteria (CC) breakdown: what auditors actually test
The Security criteria are divided into CC1 through CC9. Here's a practical summary of what auditors look for evidence of:
| Criteria | Key Controls | Typical Evidence |
|---|---|---|
| CC1 (Control Environment) | Security policy, management commitment, board oversight | Signed Information Security Policy, security committee meeting minutes |
| CC2 (Communication & Information) | Asset inventory, risk assessment | Asset register, annual risk assessment report, risk register |
| CC3 (Risk Assessment) | Risk identification, vendor risk, change risk | Risk register with likelihood/impact ratings, vendor assessments |
| CC4 (Monitoring) | Security monitoring, internal audit, deficiency remediation | Log monitoring evidence, alert configurations, remediation tickets |
| CC5 (Control Activities) | Change management, software development controls | PR review requirements, deployment pipeline configs, staging environment evidence |
| CC6 (Logical & Physical Access) | Authentication, authorisation, MFA, access reviews, encryption | MFA configuration screenshots, access review spreadsheets/tickets, encryption config |
| CC7 (System Operations) | Vulnerability management, incident detection, incident response | Vulnerability scan reports, IRP document, incident register, pen test report |
| CC8 (Change Management) | Infrastructure changes, code changes, emergency changes | Pull request history, ticket evidence of approvals, release notes |
| CC9 (Risk Mitigation) | Vendor risk, insurance, business continuity | Vendor risk assessments, DPAs/BAAs, BCP/DRP document |
How to conduct your gap assessment
A thorough self-assessment takes 2–4 hours. Here's the process:
Step 1: Map your current controls
For each control area, honestly answer: do we have a documented, tested, and operating control? "We have it in someone's head" is not a control. "We do this informally" is partial at best. Written, reviewable, with evidence — that's a passing control.
Use this scoring:
- In Place — written policy plus operating evidence
- Partial — exists but is not consistently applied or documented
- Not In Place — doesn't exist or is only aspirational
Step 2: Identify your critical gaps
Any control marked "Not In Place" in the Security (CC) criteria is a critical gap. These must be remediated before the audit observation period starts. Non-CC gaps (Availability, Confidentiality, etc.) are important but can sometimes be built in parallel with the observation period.
Common critical gaps for early-stage SaaS:
- No formal Information Security Policy signed by management
- No quarterly user access review process (or no evidence of it)
- MFA not enforced on cloud console / admin accounts
- No formal vulnerability scanning or pen testing
- No documented Incident Response Plan
- No security awareness training with records
- No vendor risk assessment process
Step 3: Estimate remediation effort
Policy documents (InfoSec policy, IRP, BCP/DRP) can be created quickly — 1–2 weeks each. Process changes (access reviews, MFA enforcement, vulnerability scanning) take 2–4 weeks to implement and need an additional observation period to demonstrate they're working. External activities (pen test, security awareness training) need to be scheduled 4–8 weeks in advance.
A realistic timeline from starting gap assessment to being audit-ready:
| Scenario | Gaps | Realistic Timeline |
|---|---|---|
| Mostly in place | 0–2 critical gaps, few partials | 2–3 months to Type I; 8–9 months total to Type II report |
| Moderate gaps | 3–6 critical gaps | 4–6 months to readiness; 10–12 months total to Type II report |
| Significant gaps | 7+ critical gaps | 6–9 months to readiness; 12–15 months total to Type II report |
Step 4: Build your remediation roadmap
Prioritise in this order:
1. Access control (CC6) — MFA, RBAC, access reviews. These affect almost every other control.
2. Policies (CC1/CC5) — InfoSec policy, change management policy. Auditors want to see these first.
3. Monitoring and incident response (CC7) — Log monitoring, IRP, vulnerability scanning.
4. Risk assessment (CC2/CC3) — Formal risk register and annual review process.
5. Vendor management (CC9) — Vendor risk assessment process, signed DPAs/BAAs.
6. Training (CC9) — Security awareness training with completion records.
7. Pen testing (CC7) — Schedule early; good firms book out 6–8 weeks.
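Steps 1 through 4 are mechanical enough to script. The following is an added example, not the ComplyKit generator or any auditor's tooling: it takes a self-assessment scored with the three statuses from Step 1, flags critical gaps as defined in Step 2 (Not In Place within the CC criteria), buckets the result into the Step 3 timeline table, and orders the open items in the Step 4 remediation sequence. The control IDs (CC6.1, A1.2, etc.) and the sample statuses are constructed for illustration and are not a real assessment.

```python
"""Gap-assessment scorer for the four-step process above.

Added example; not ComplyKit's tool. Control IDs and the sample
self-assessment below are constructed for illustration only.
"""
from collections import Counter
from enum import Enum


class Status(Enum):
    IN_PLACE = "In Place"          # written policy + operating evidence
    PARTIAL = "Partial"            # exists but not consistently applied or documented
    NOT_IN_PLACE = "Not In Place"  # doesn't exist or is only aspirational


# Step 4 remediation order, keyed by control area (CC6 first, CC9 last).
PRIORITY = ["CC6", "CC1", "CC5", "CC7", "CC2", "CC3", "CC9"]

# Constructed sample: control id -> (description, self-assessed status).
SAMPLE_ASSESSMENT = {
    "CC1.1": ("Information Security Policy signed by management", Status.NOT_IN_PLACE),
    "CC3.2": ("Risk register with likelihood/impact ratings", Status.PARTIAL),
    "CC5.2": ("Change management policy with PR review", Status.IN_PLACE),
    "CC6.1": ("MFA enforced on cloud console / admin accounts", Status.NOT_IN_PLACE),
    "CC6.2": ("Quarterly user access review", Status.NOT_IN_PLACE),
    "CC7.1": ("Vulnerability scanning", Status.PARTIAL),
    "CC7.3": ("Documented Incident Response Plan", Status.NOT_IN_PLACE),
    "CC9.2": ("Vendor risk assessment process", Status.NOT_IN_PLACE),
    "A1.2": ("Backup and recovery testing", Status.NOT_IN_PLACE),  # Availability, not CC
}


def is_critical(control_id, status):
    """Step 2: a 'Not In Place' control in the Security (CC) criteria is a critical gap."""
    return control_id.startswith("CC") and status is Status.NOT_IN_PLACE


def critical_gaps(assessment):
    """Control ids that must be remediated before the observation period starts."""
    return [cid for cid, (_, status) in assessment.items() if is_critical(cid, status)]


def summarise(assessment):
    """Step 1 roll-up: how many controls fall into each status."""
    return Counter(status for _, status in assessment.values())


def scenario(n_critical):
    """Step 3 timeline table, bucketed by the number of critical gaps."""
    if n_critical <= 2:
        return ("Mostly in place", "2-3 months to Type I; 8-9 months total to Type II report")
    if n_critical <= 6:
        return ("Moderate gaps", "4-6 months to readiness; 10-12 months total to Type II report")
    return ("Significant gaps", "6-9 months to readiness; 12-15 months total to Type II report")


def roadmap(assessment):
    """Step 4: every non-passing control, critical gaps first, then in PRIORITY order.

    Areas outside the CC list (e.g. A1) sort after the CC areas, matching the
    note that non-CC gaps can be built in parallel with the observation period.
    """
    def rank(cid):
        area = cid.split(".")[0]
        return PRIORITY.index(area) if area in PRIORITY else len(PRIORITY)

    open_items = [(cid, name, st) for cid, (name, st) in assessment.items()
                  if st is not Status.IN_PLACE]
    return sorted(open_items, key=lambda item: (not is_critical(item[0], item[2]),
                                                rank(item[0]), item[0]))


if __name__ == "__main__":
    gaps = critical_gaps(SAMPLE_ASSESSMENT)
    label, timeline = scenario(len(gaps))
    print("Status summary:", {s.value: n for s, n in summarise(SAMPLE_ASSESSMENT).items()})
    print(f"Critical gaps ({len(gaps)}): {', '.join(gaps)}")
    print(f"Scenario: {label} -> {timeline}")
    print("Remediation roadmap:")
    for cid, name, st in roadmap(SAMPLE_ASSESSMENT):
        flag = "CRITICAL" if is_critical(cid, st) else st.value
        print(f"  {cid:6} [{flag}] {name}")
```

With the sample input the script reports five critical gaps (the Moderate scenario) and puts both CC6 items at the top of the roadmap, ahead of the missing InfoSec policy and IRP, while the Availability gap lands last. Swapping in your own assessment dictionary is the only change needed.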
Evidence collection: what auditors actually want to see
The SOC 2 audit is an evidence audit. You need to provide proof that controls were operating during the audit period. Start collecting evidence from day one of your observation period:
- Access review evidence: Screenshots or exported reports showing quarterly user access reviews, with a record of who was reviewed and what changes were made.
- Vulnerability scan reports: Regular scan outputs with dates and remediation actions for findings.
- Pen test report: Dated report from an independent firm with findings and your remediation responses.
- Training records: Completion records for security awareness training (name, date, score if applicable).
- Incident log: Even if you had zero incidents, you need an incident register showing the process exists.
- Change management: PR merge history, deployment records, approval tickets.
- Vendor assessments: Completed questionnaires or evidence of review for critical vendors.
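An exception, as described at the top of the post, is simply a stretch of the observation period for which no dated evidence exists. The check below is an added example (not ComplyKit code or an auditor's method) that walks a 6-month observation window and reports, per evidence type, each cadence window with no artifact dated inside it. The cadences are assumptions for illustration: quarterly access reviews as the post states, vulnerability scans read as monthly, and one dated pen test, incident register and training record within the window. The evidence list is constructed, and the ticket references in it are placeholders.

```python
"""Evidence-coverage check for a Type II observation period.

Added example; not ComplyKit's tool. The cadences and the evidence list
are constructed assumptions for illustration.
"""
import calendar
from datetime import date

OBSERVATION_START = date(2024, 1, 1)
OBSERVATION_END = date(2024, 7, 1)  # exclusive: a 6-month Type II window

# Required cadence in months per evidence type (assumed for this example).
CADENCE_MONTHS = {
    "access_review": 3,      # quarterly, as the post states
    "vuln_scan": 1,          # "regularly" read as monthly here
    "pen_test": 6,           # at least one dated report in the window
    "incident_register": 6,  # the register must exist even with zero incidents
    "training": 6,           # at least one completion record in the window
}

# Constructed evidence register: (evidence type, artifact date, reference).
EVIDENCE = [
    ("access_review", date(2024, 2, 15), "Q1 review ticket ACC-0001 (placeholder)"),
    ("vuln_scan", date(2024, 1, 8), "scan-2024-01.pdf"),
    ("vuln_scan", date(2024, 2, 5), "scan-2024-02.pdf"),
    ("vuln_scan", date(2024, 3, 4), "scan-2024-03.pdf"),
    ("vuln_scan", date(2024, 4, 9), "scan-2024-04.pdf"),
    ("vuln_scan", date(2024, 6, 3), "scan-2024-06.pdf"),   # May is missing
    ("pen_test", date(2024, 5, 20), "external pen test report (placeholder)"),
    ("incident_register", date(2024, 1, 10), "incident register, zero entries"),
    ("training", date(2023, 10, 1), "stale record, predates the window"),
]


def add_months(d, n):
    """Advance a date by n months, clamping the day to the target month's length."""
    month_index = d.month - 1 + n
    year, month = d.year + month_index // 12, month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def windows(start, end, months):
    """Consecutive [w_start, w_end) windows of `months` covering [start, end)."""
    out, cur = [], start
    while cur < end:
        nxt = min(add_months(cur, months), end)  # last window is clamped to `end`
        out.append((cur, nxt))
        cur = nxt
    return out


def coverage_exceptions(evidence, start=OBSERVATION_START, end=OBSERVATION_END,
                        cadence=CADENCE_MONTHS):
    """Return (evidence_type, window_start, window_end) for every uncovered window.

    Artifacts dated outside the observation period never count, which is why
    the stale training record above still produces an exception.
    """
    exceptions = []
    for control, months in cadence.items():
        dates = [d for c, d, _ in evidence if c == control]
        for w_start, w_end in windows(start, end, months):
            if not any(w_start <= d < w_end for d in dates):
                exceptions.append((control, w_start, w_end))
    return exceptions


if __name__ == "__main__":
    found = coverage_exceptions(EVIDENCE)
    if not found:
        print("All evidence types covered for the observation period.")
    for control, w_start, w_end in found:
        print(f"EXCEPTION {control}: no artifact dated {w_start} to {w_end}")
```

Run against the sample register this reports three exceptions: no Q2 access review, no May vulnerability scan, and no in-period training record. Running the same check monthly during the observation period, rather than once at the end, is what turns it from an audit surprise into a to-do list.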
When are you actually ready for a Type II audit?
You're ready to start the observation period (which is a separate decision from engaging the auditor) when:
- All critical CC gaps are remediated and controls are operating
- You have your core policies written and approved by management
- MFA is enforced across all production systems
- User access review has been conducted at least once
- Vulnerability scanning is running regularly
- Your IRP has been documented and walked through once
- Vendor assessments are in place for critical vendors
You engage the auditor about 1–2 months before the end of your desired observation period, so they can start planning fieldwork. The observation period is typically 6 months for a Type II report.
Policy documents you need for SOC 2
Auditors expect to see these documents. Use ComplyKit generators to build them quickly:
- Information Security Policy — CC1.1, CC5.1, CC6 alignment
- Incident Response Plan — CC7.3, CC7.4, CC7.5
- Business Continuity / Disaster Recovery Plan — A1.2, A1.3
- Data Retention Policy — CC6.5, Privacy P criteria
- Vendor Risk Assessment Questionnaire — CC9.1 / CC9.2
- NDA Template — Confidentiality criteria C1.2
- GDPR DPA — Privacy criteria P8.1 (if GDPR in scope)
Start your self-assessment now with the free SOC 2 Gap Assessment Generator — answer questions about your current controls and get a prioritised remediation report in minutes.