I still remember the panic in the CEO's voice when he called me six weeks before their scheduled SOC 2 Type II audit. "We thought we were ready," he said. "But our auditor just sent us a preliminary document request list, and we have maybe 30% of what they're asking for."
That company ended up postponing their audit by four months, losing a major customer opportunity worth $3.2 million in annual revenue because they couldn't provide SOC 2 certification when promised.
After guiding over 40 companies through SOC 2 audits—and witnessing everything from spectacular successes to painful failures—I've learned one fundamental truth: the audit itself is the easy part. It's the preparation that makes or breaks you.
Why SOC 2 Readiness Assessments Save Your Sanity (And Your Audit)
Let me share something that might sting a bit: I've never seen a company fail a SOC 2 audit because their security was fundamentally broken. They fail because they can't prove what they're doing.
In 2021, I worked with a fintech startup that had brilliant security practices. Their CISO was paranoid in the best possible way. They had implemented controls that would make Fortune 500 companies jealous. But when audit time came, they couldn't produce:
Six months of access review logs
Evidence of security awareness training completion
Documentation of their change management process
Proof of vendor security assessments
Their security was solid. Their documentation was a disaster. They failed their first audit attempt.
"In SOC 2 audits, if it isn't documented, it didn't happen. Your actual security posture matters less than your ability to prove it."
The Real Cost of Going Into Audit Unprepared
Before we dive into the checklist, let me paint a picture of what "winging it" actually costs:
The Direct Financial Hit:
Audit delays: $15,000-$50,000 in extended auditor fees
Lost customer opportunities: $100,000-$5,000,000+ in delayed contracts
Additional remediation: $25,000-$150,000 in rushed implementations
Team overtime and stress: Incalculable but brutal
The Hidden Organizational Damage:
Team burnout from 60-80 hour weeks scrambling to prepare
Executive confidence eroded
Sales team unable to close enterprise deals
Engineering distracted from product roadmap
Customer trust damaged by delays
I watched a company burn through their entire security team during a chaotic audit preparation. All three security engineers quit within two months. The CISO followed shortly after. The replacement costs alone exceeded $400,000.
Understanding SOC 2: What You're Actually Getting Into
Let me break down what SOC 2 actually means, because I've found that many companies start the journey without truly understanding what they've signed up for.
The Trust Services Criteria: Your Audit Framework
SOC 2 audits evaluate your systems against five Trust Services Criteria:
Criteria | What It Means | Is It Required? | Common Pain Points |
|---|---|---|---|
Security | Protection of system resources against unauthorized access | Yes - Always Required | Access reviews, monitoring logs, incident response evidence |
Availability | System is available for operation and use as committed | Optional | Uptime monitoring, disaster recovery testing, capacity planning |
Processing Integrity | System processing is complete, valid, accurate, timely | Optional | Data validation controls, error handling, reconciliation procedures |
Confidentiality | Information designated as confidential is protected | Optional | Data classification, encryption evidence, confidential data handling |
Privacy | Personal information is collected, used, retained, disclosed per commitments | Optional | Privacy notices, consent management, data subject rights procedures |
Pro tip from the trenches: Most SaaS companies pursue Security + Availability for their first SOC 2. Don't overcomplicate your first audit by including all five criteria unless customers specifically demand it.
Type I vs Type II: The Critical Distinction
Here's where many companies make their first major mistake:
Audit Type | What It Evaluates | Timeframe | Best For | Typical Cost |
|---|---|---|---|---|
Type I | Whether controls are properly designed at a specific point in time | Single day snapshot | Initial compliance, proof of concept, organizations under 12 months old | $15,000 - $40,000 |
Type II | Whether controls are operating effectively over a period of time | 3-12 months (typically 6 months) | Enterprise sales, mature compliance programs, customer requirements | $25,000 - $80,000+ |
I had a client who celebrated getting Type I certified, then lost a major deal because the customer required Type II. The sales team hadn't understood the difference, and neither had the executive team. That mistake cost them six additional months and a $4.8 million contract.
"Type I proves you have a plan. Type II proves you execute that plan consistently. Enterprise customers want proof of execution, not just good intentions."
The 90-Day Readiness Assessment Roadmap
After doing this dozens of times, I've developed a structured 90-day approach that prepares companies for successful audits. Here's the framework that works.
Phase 1: Discovery and Gap Analysis (Days 1-21)
This is where you figure out where you actually stand versus where you need to be.
Week 1: Scope Definition
What you're doing: Determining exactly what systems, processes, and data are in scope for your SOC 2 audit.
Critical questions to answer:
Question | Why It Matters | Common Mistake |
|---|---|---|
What systems process customer data? | Defines your audit boundary | Including too much (increases cost/complexity) or too little (audit findings for out-of-scope systems) |
Where is customer data stored? | Identifies all storage locations requiring controls | Missing backup systems, log aggregation, or development environments |
Who has access to production systems? | Determines access control requirements | Forgetting contractors, vendors, or temporary access |
What third-party services do you use? | Vendor management requirements | Overlooking small vendors or free-tier services |
What Trust Services Criteria apply? | Audit scope and cost | Choosing criteria customers don't require |
Deliverable: A clear scope document that you'll reference throughout the audit process.
I once worked with a company that initially scoped only their production environment, forgetting their staging environment had full production data copies. Their auditor caught it during fieldwork, expanding the audit scope and adding $18,000 in fees.
Week 2: Control Framework Mapping
What you're doing: Mapping your current practices against SOC 2 requirements.
This is where you create your first draft of what auditors call the "control matrix." Here's a simplified version of what this looks like:
SOC 2 Criteria | Control Objective | Your Current Process | Evidence You Have | Gap Rating |
|---|---|---|---|---|
CC6.1 - Logical Access | Restrict access to authorized users | Okta SSO with MFA | User provisioning records, MFA enrollment | ✅ Good |
CC6.2 - Access Reviews | Regular review of user access | Quarterly spreadsheet review | Last review 4 months ago | ⚠️ Gap |
CC7.2 - Security Monitoring | Monitor and detect security events | Datadog + PagerDuty | Alerts configured, no log retention policy | ⚠️ Gap |
CC8.1 - Change Management | Manage changes to infrastructure | GitHub PRs, no formal process | PR history, no approval evidence | 🔴 Major Gap |
What this reveals: Most companies have about 60-70% of required controls operating in some form. The remaining 30-40% requires focused effort.
Week 3: Evidence Gap Analysis
This is where reality hits hard. You need to identify what evidence you can actually produce for auditors.
The six-month problem: For Type II audits, auditors will request evidence spanning your entire audit period (typically 6 months). If you're starting preparation now, you can't retroactively create evidence from three months ago.
Critical evidence categories:
Evidence Type | What Auditors Want | How Far Back | Common Gaps |
|---|---|---|---|
Access Reviews | Proof of quarterly user access reviews | 6-12 months | Missing reviews, no documentation of removals |
Security Awareness Training | Training completion records | Annual | No completion tracking, informal training only |
Vulnerability Scans | Regular scan results and remediation | 6-12 months | Inconsistent scanning, no remediation tracking |
Penetration Testing | Annual or bi-annual pen test reports | 12 months | Never done, or done but not annually |
Vendor Assessments | SOC 2 reports from critical vendors | Current | Vendors who don't have SOC 2, incomplete assessments |
Backup Testing | Restoration test evidence | Quarterly | Never tested, or no documentation |
Incident Response | Security incident logs and responses | 6-12 months | No formal logging, incomplete investigation records |
Change Management | Approved change tickets for production | 6-12 months | No approval process, missing documentation |
The harsh truth I tell every client: If you have gaps in historical evidence, you have three options:
Delay your audit until you have sufficient evidence (recommended)
Accept audit findings/exceptions for missing evidence (risky)
Reduce your audit period (limited applicability)
Phase 2: Control Implementation and Remediation (Days 22-60)
Now you're in execution mode. This is where you fix the gaps you've identified.
Critical Controls Every Company Needs
Based on 15+ years of audit experience, here are the controls that cause the most audit findings:
1. Access Control and User Management
Control | Implementation | Evidence Required | Timeline |
|---|---|---|---|
Multi-Factor Authentication | Enforce MFA for all users accessing systems with customer data | MFA enrollment reports, authentication logs | Week 1 |
User Provisioning/Deprovisioning | Formal onboarding/offboarding checklist | Completed checklists, IT tickets | Week 2 |
Quarterly Access Reviews | Review and certify user access every 90 days | Completed review spreadsheets, removal tickets | Ongoing |
Privileged Access Management | Restrict and monitor administrative access | Admin user list, session recordings, approval workflows | Week 3-4 |
Real story: A client had MFA enabled but hadn't enforced it—23% of users had never set it up. Their auditor flagged this as a significant deficiency. They had to enforce MFA immediately and couldn't use any of those users' access as evidence, effectively invalidating three months of access review evidence.
2. Security Monitoring and Incident Response
Control | Implementation | Evidence Required | Timeline |
|---|---|---|---|
Security Information and Event Management (SIEM) | Centralized log collection and analysis | Log retention policy, configured alerts, alert review records | Week 1-2 |
Incident Response Plan | Documented procedures for security incidents | IR plan document, incident response drills | Week 2 |
Incident Logging | Track and document all security events | Incident tickets with timestamps, actions taken, resolution | Ongoing |
Alert Response | Respond to and document security alerts | Alert investigation records, resolution notes | Ongoing |
Lesson learned the hard way: I worked with a company that had excellent security monitoring but never documented how they responded to alerts. Their auditor couldn't verify that alerts were actually reviewed. They had to start maintaining response logs from scratch, delaying audit completion by two months.
3. Change Management
This is the control that trips up more companies than any other. Here's what you need:
Control | Implementation | Evidence Required | Timeline |
|---|---|---|---|
Change Request Process | Formal approval for production changes | Change tickets with approvals | Week 1 |
Change Testing | Test changes before production deployment | Test results, staging environment evidence | Week 2 |
Change Documentation | Document what changed, why, and impact | Detailed change descriptions, rollback plans | Ongoing |
Emergency Change Process | Expedited process with post-implementation review | Emergency change policy, review evidence | Week 1 |
"Change management isn't about slowing down development—it's about creating an evidence trail that proves you make deliberate, authorized changes. Fast-moving companies can absolutely maintain strong change management."
4. Vendor Management and Third-Party Risk
This is where small companies often struggle most:
Control | Implementation | Evidence Required | Timeline |
|---|---|---|---|
Vendor Inventory | Comprehensive list of vendors with access to systems/data | Vendor spreadsheet with categorization | Week 1 |
Vendor Risk Assessment | Evaluate security posture of critical vendors | Risk assessment questionnaires, SOC 2 reports | Week 2-4 |
Vendor Contracts | Security requirements in vendor agreements | Contracts with security clauses, DPAs, BAAs | Week 2-4 |
Annual Vendor Review | Review vendor risk annually | Review documentation, updated risk ratings | Annual |
The vendor nightmare: A client had 47 vendors with some form of system access. Only 8 had been assessed. We spent three weeks collecting SOC 2 reports, running security questionnaires, and documenting risk acceptance for vendors without reports. This single control area consumed 40% of their preparation time.
5. Security Awareness Training
Seems simple, but here's what auditors actually require:
Requirement | What You Need | Common Mistakes | Fix |
|---|---|---|---|
Annual Training | All employees complete training at least annually | Training happened but no completion tracking | Implement LMS, require completion confirmation |
Training Content | Security best practices, company policies, incident reporting | Generic video, no company-specific content | Customize training with your policies and procedures |
New Hire Training | Training within 30 days of hire | IT onboarding only, no security component | Add security training to onboarding checklist |
Specialized Training | Role-specific training for sensitive access | Everyone gets same training | Create additional training for admins, developers |
Completion Records | Proof of who completed training and when | Training happened verbally or informally | Use training platform with completion tracking |
Pro tip: I recommend KnowBe4, Cybrary, or even creating custom training in Google Forms or Microsoft Forms if budget is tight. What matters is having completion records, not expensive platforms.
Phase 3: Evidence Collection and Documentation (Days 61-90)
You've implemented controls. Now you need to prove it.
The Document Vault: What Your Auditor Will Request
Here's the actual document request list from a recent SOC 2 audit I supported (sanitized). Use this as your preparation checklist:
Policies and Procedures (Day 61-70)
Document | Purpose | Must Include | Status Check |
|---|---|---|---|
Information Security Policy | Overarching security program governance | Management approval, annual review date, scope | ☐ Draft ☐ Approved ☐ Distributed |
Acceptable Use Policy | Define appropriate use of company resources | Covered assets, prohibited activities, consequences | ☐ Draft ☐ Approved ☐ Distributed |
Access Control Policy | User access management procedures | Provisioning process, access review frequency, termination | ☐ Draft ☐ Approved ☐ Distributed |
Incident Response Policy | Security incident handling procedures | Detection, escalation, investigation, communication | ☐ Draft ☐ Approved ☐ Distributed |
Change Management Policy | Production change procedures | Change approval, testing requirements, rollback | ☐ Draft ☐ Approved ☐ Distributed |
Business Continuity/DR Policy | Continuity and recovery procedures | RTO/RPO objectives, recovery procedures, testing | ☐ Draft ☐ Approved ☐ Distributed |
Vendor Management Policy | Third-party risk management | Vendor assessment, ongoing monitoring, contracts | ☐ Draft ☐ Approved ☐ Distributed |
Data Classification Policy | Information handling requirements | Classification levels, handling procedures, retention | ☐ Draft ☐ Approved ☐ Distributed |
Policy writing pro tip: Don't overcomplicate. I've seen companies create 200-page policy manuals that nobody reads. Your access control policy can be 3-4 pages. Make it practical, not comprehensive. You can always expand later.
System and Network Documentation (Day 71-75)
Document Type | What Auditors Evaluate | Preparation Tips |
|---|---|---|
Network Diagrams | System architecture, data flows, security boundaries | Use Lucidchart or Draw.io, show production environment, highlight security controls |
System Inventory | All systems in scope with owners and purpose | Spreadsheet format fine, include system name, purpose, owner, hosting location |
Data Flow Diagrams | How customer data moves through systems | Show entry points, processing, storage, and exit points |
Technology Stack | Software, platforms, and services used | Include versions, hosting environment, update frequency |
The diagram disaster: I once watched a company's auditor spend 45 minutes trying to understand their architecture because their network diagram was two years out of date and showed systems they no longer used. That confusion led to additional audit scope and $12,000 in extra fees.
Evidence Samples by Control Area (Day 76-90)
Now comes the evidence gathering. Here's what you need to collect:
Access Control Evidence:
Evidence Type | Sample Size | Time Period | Format | Collection Method |
|---|---|---|---|---|
User Access Reviews | All reviews in audit period | 6-12 months | Spreadsheets with reviewer signatures | Export from access management system |
New User Provisioning | 25 samples or all if less | 6-12 months | Completed onboarding checklists | From IT ticketing system |
User Terminations | 25 samples or all if less | 6-12 months | Offboarding checklists showing access removal | From HR and IT systems |
MFA Enrollment Report | Current state | Point in time | System export showing all users | From identity provider |
Privileged Access List | Current state | Point in time | Admin users with justification | From access management |
Change Management Evidence:
Evidence Type | Sample Size | Time Period | What To Include |
|---|---|---|---|
Production Changes | 25 samples | 6-12 months | Change request with approval, description, test results, deployment confirmation |
Emergency Changes | All occurrences | 6-12 months | Emergency change ticket with post-implementation review |
Failed Changes | 2-3 samples | 6-12 months | Failed change with rollback procedure and lessons learned |
Change Review Meetings | All meetings | 6-12 months | Meeting minutes showing change review and approval |
Security Monitoring Evidence:
Evidence Type | Sample Size | Time Period | What To Include |
|---|---|---|---|
Vulnerability Scans | All scans | 6-12 months | Scan results with remediation tracking |
Penetration Test | Most recent | Annual | Full pen test report with remediation plan |
Security Alerts | 25 samples | 6-12 months | Alert with investigation notes and resolution |
Log Review | Monthly | 6-12 months | Evidence of log review and any actions taken |
SIEM Dashboard | Current | Point in time | Screenshot showing monitoring coverage |
Training Evidence:
Evidence Type | Sample Size | Time Period | What To Include |
|---|---|---|---|
Security Awareness Training | All employees | Annual | Training completion report with names and dates |
New Hire Training | 25 samples or all | 6-12 months | Individual completion records |
Specialized Training | All applicable employees | Annual | Role-specific training completion |
Vendor Management Evidence:
Evidence Type | Sample Size | Time Period | What To Include |
|---|---|---|---|
Vendor Inventory | Complete list | Current | All vendors with system/data access |
Vendor Risk Assessments | All critical vendors | Annual | SOC 2 reports, security questionnaires, risk ratings |
Vendor Contracts | All critical vendors | Current | Contracts with security requirements, DPAs, BAAs |
Vendor Reviews | All reviewed vendors | Annual | Review documentation with risk re-evaluation |
"Evidence collection feels tedious until your auditor asks for something and you produce it in 30 seconds. That's when you realize good documentation is your secret weapon."
The Readiness Assessment Execution Checklist
Here's your practical, week-by-week checklist for the 90 days before audit:
Weeks 1-3: Discovery Phase
Week 1 Tasks:
☐ Define audit scope (systems, data, Trust Services Criteria)
☐ Select audit firm and schedule kickoff call
☐ Create preliminary system inventory
☐ Identify internal audit lead and team
☐ Document current architecture and data flows
Week 2 Tasks:
☐ Map current practices to SOC 2 control requirements
☐ Create initial control matrix
☐ Identify all vendors with system/data access
☐ Assess completeness of existing policies
☐ Review historical evidence availability
Week 3 Tasks:
☐ Complete gap analysis
☐ Identify missing historical evidence
☐ Prioritize control implementations
☐ Create remediation project plan
☐ Make audit timeline decision (proceed or delay)
Weeks 4-8: Implementation Phase
Week 4 Tasks:
☐ Implement/enforce MFA across all systems
☐ Establish formal change management process
☐ Configure SIEM and security monitoring
☐ Create incident response plan
☐ Begin policy documentation
Week 5 Tasks:
☐ Conduct first formal access review
☐ Implement user provisioning/deprovisioning checklists
☐ Configure automated vulnerability scanning
☐ Start security awareness training program
☐ Complete vendor inventory
Week 6 Tasks:
☐ Finalize all required policies
☐ Obtain management approval on policies
☐ Distribute policies to all employees
☐ Conduct vendor risk assessments
☐ Collect vendor SOC 2 reports
Week 7 Tasks:
☐ Test business continuity/disaster recovery procedures
☐ Conduct incident response tabletop exercise
☐ Implement privileged access management
☐ Configure log retention (minimum 6 months)
☐ Complete penetration testing (if not done recently)
Week 8 Tasks:
☐ Review all implemented controls
☐ Ensure evidence collection mechanisms are working
☐ Conduct internal self-assessment
☐ Address any remaining critical gaps
☐ Brief executive team on readiness status
Weeks 9-12: Evidence Collection Phase
Week 9 Tasks:
☐ Gather all policy documents
☐ Create system and network diagrams
☐ Export user access reports
☐ Collect access review documentation
☐ Compile training completion records
Week 10 Tasks:
☐ Gather change management evidence
☐ Collect security monitoring evidence
☐ Compile vulnerability scan results
☐ Gather incident response records
☐ Document control testing results
Week 11 Tasks:
☐ Organize evidence in auditor-friendly structure
☐ Create evidence index/catalog
☐ Review evidence for completeness
☐ Prepare evidence explanations/narratives
☐ Identify any evidence gaps
Week 12 Tasks:
☐ Conduct final internal readiness review
☐ Prepare audit kickoff presentation
☐ Brief team on audit process and expectations
☐ Set up auditor workspace/portal
☐ Schedule audit fieldwork dates
Common Readiness Assessment Pitfalls (And How To Avoid Them)
After watching companies navigate this process, here are the mistakes that consistently cause problems:
Pitfall #1: Starting Too Late
The mistake: Companies schedule their audit before completing readiness assessment.
The consequence: I watched a company commit to customer delivery dates based on planned SOC 2 completion, then discover they needed six more months of evidence. They lost the customer and $2.4M in ARR.
The fix: Complete your gap analysis before scheduling your audit. Add buffer time. It's better to deliver early than scramble.
Pitfall #2: Treating It As An IT Project
The mistake: Assigning SOC 2 preparation solely to the security or IT team.
The consequence: A company I advised had excellent technical controls but failed their audit because HR couldn't produce background check evidence, and Finance hadn't documented their vendor approval process.
The fix: SOC 2 is a business initiative requiring cross-functional participation:
Department | Role in SOC 2 | Key Responsibilities |
|---|---|---|
Executive Leadership | Program sponsorship and governance | Policy approval, resource allocation, risk acceptance decisions |
Security/IT | Control implementation | Technical controls, monitoring, incident response |
Human Resources | Personnel controls | Background checks, onboarding/offboarding, training administration |
Legal | Contract and compliance | Vendor contracts, customer commitments, regulatory requirements |
Finance | Vendor and asset management | Vendor approval, software license tracking, budget for security tools |
Engineering | Development controls | Change management, code review, deployment procedures |
Customer Success | Commitment verification | Confirming SLAs, availability commitments, customer communications |
Pitfall #3: Documentation Theater
The mistake: Creating beautiful policies that don't reflect actual practices.
The consequence: Auditors interview your team and discover that your "quarterly access reviews" are actually done annually, or your "formal change management process" is actually just Slack messages.
The fix: Document what you actually do, then improve your practices to match what you should be doing. Auditors value authenticity over perfection.
Real example: I worked with a startup that created an impressive 15-page incident response policy. During the audit, their team couldn't find it and didn't know what was in it. The auditor gave them a finding for "ineffective incident response procedures." A simple, well-understood 3-page procedure would have passed with flying colors.
Pitfall #4: Tool Obsession
The mistake: Believing you need expensive GRC (Governance, Risk, Compliance) tools to pass SOC 2.
The consequence: Companies spend $50,000+ on compliance platforms before understanding their requirements, then struggle to configure tools properly.
The fix: Start simple. You can pass SOC 2 with:
Google Sheets or Excel for tracking
Your existing ticketing system for change management
Email and file sharing for policy distribution
Your current monitoring tools
Upgrade to dedicated compliance tools once you:
Have completed one successful audit cycle
Understand your specific needs
Have budget and resources to implement properly
I've helped companies pass SOC 2 with nothing more than well-organized spreadsheets and existing IT tools. Don't let tool vendors convince you otherwise.
Pitfall #5: The Evidence Scramble
The mistake: Waiting until the auditor requests documents to start collecting evidence.
The consequence: Auditors give you 1-2 weeks to produce requested evidence. If you're starting collection then, you'll work 80-hour weeks and still miss deadlines.
The fix: Organize evidence throughout your audit period in this folder structure:
SOC2_Evidence/
├── 01_Policies_and_Procedures/
├── 02_System_Documentation/
├── 03_Access_Control/
│ ├── User_Access_Reviews/
│ ├── User_Provisioning/
│ ├── User_Terminations/
│ └── MFA_Reports/
├── 04_Change_Management/
├── 05_Security_Monitoring/
├── 06_Incident_Response/
├── 07_Vendor_Management/
├── 08_Training/
├── 09_Business_Continuity/
└── 10_Penetration_Testing/
Update this quarterly. When audit time comes, you'll already have 90% of what you need.
The Reality Check: Are You Actually Ready?
Before you schedule your audit, honestly answer these questions:
Access Control Readiness:
☐ Can you produce evidence of user access reviews for every quarter in your audit period?
☐ Do you have documented onboarding/offboarding procedures that are actually followed?
☐ Is MFA enforced (not just enabled) for all users accessing in-scope systems?
☐ Can you demonstrate that access is granted based on job role and approved by managers?
Change Management Readiness:
☐ Do you have a formal change approval process that's documented?
☐ Can you produce 25+ examples of approved production changes?
☐ Are emergency changes documented with post-implementation reviews?
☐ Is your source code repository evidence available (commits, PRs, approvals)?
Security Monitoring Readiness:
☐ Do you have centralized logging covering all in-scope systems?
☐ Can you produce vulnerability scan results for every month in your audit period?
☐ Do you have a penetration test from the last 12 months?
☐ Can you demonstrate how you respond to security alerts?
Vendor Management Readiness:
☐ Do you have a complete inventory of vendors with system/data access?
☐ Have you collected SOC 2 reports from critical vendors?
☐ Do your contracts include security requirements?
☐ Have you performed risk assessments on vendors without SOC 2?
Training Readiness:
☐ Have all employees completed security awareness training?
☐ Do you have records proving training completion with dates?
☐ Is security training part of your new hire onboarding?
☐ Can you demonstrate annual refresher training?
Business Continuity Readiness:
☐ Do you have documented backup and recovery procedures?
☐ Have you tested backup restoration in the last year?
☐ Can you produce evidence of backup testing?
☐ Do you have defined RTO/RPO objectives?
If you answered "no" to more than 3 questions in any category, you're not ready. And that's okay—now you know what to fix.
The Pre-Audit Meeting: Your Final Checkpoint
Two weeks before your audit starts, schedule a pre-audit meeting with your auditor. Here's what to cover:
Agenda for Pre-Audit Meeting:
Topic | Discussion Points | Why It Matters |
|---|---|---|
Scope Confirmation | Review in-scope systems, Trust Services Criteria, audit period | Prevents mid-audit scope changes |
Evidence Format | Confirm acceptable evidence formats and organization | Avoids evidence rejection |
Sample Selection | Understand how auditor will select samples | Helps you prepare relevant evidence |
Timeline and Milestones | Confirm fieldwork schedule, evidence request timing | Manages team availability |
Communication Protocol | Establish points of contact and response expectations | Keeps audit moving smoothly |
Known Issues | Disclose any control gaps or concerns upfront | Allows auditor to plan approach |
"Surprises during an audit are never good. Use the pre-audit meeting to surface any concerns. Auditors appreciate transparency and will work with you to address issues."
Questions to ask your auditor:
"What are the most common issues you see that delay audits?"
"How do you prefer evidence to be organized and delivered?"
"What red flags should we address before fieldwork begins?"
"Can you share sample evidence requests so we can prepare?"
"What's your typical timeline from fieldwork to report delivery?"
Your 48-Hour Emergency Readiness Plan
Sometimes you don't have 90 days. Maybe your sales team promised a customer SOC 2 certification. Maybe a major prospect just made it a requirement. You need to move fast.
Here's what to focus on when you have limited time:
Immediate Actions (48 hours):
Engage an auditor immediately—explain your timeline constraints
Define minimal viable scope (Security criteria only, shortest audit period possible)
Assess Type I vs Type II feasibility (Type I if you're under time pressure)
Identify show-stopper gaps (MFA, logging, access reviews)
First Week Priorities:
Implement/enforce MFA everywhere
Begin formal access reviews
Start collecting existing evidence
Create basic policy documents
Implement change management tracking going forward
Accept reality: If you don't have historical evidence, you likely need to delay for a Type II audit or accept findings/exceptions. There's no magic bullet for missing evidence.
I once helped a company achieve Type I certification in 6 weeks, but they had solid security practices and just needed documentation. They then spent 6 more months collecting evidence before pursuing Type II. It worked because they set realistic expectations with customers about the timeline.
The Post-Readiness Assessment Mindset
Here's what I tell every client after they've completed their readiness assessment:
Compliance is not a destination; it's a practice.
Your first SOC 2 audit is just the beginning. The real value comes from maintaining these practices long-term. Companies that treat SOC 2 as a one-time project fail their surveillance audits or let controls degrade.
Build compliance into your operations:
Make access reviews a quarterly calendar event
Integrate security training into onboarding
Build change management into your deployment pipelines
Schedule quarterly evidence collection reviews
Conduct annual policy reviews
The companies that succeed treat SOC 2 controls as improvements to their operations, not burdens to carry.
Final Thoughts: The Readiness Assessment That Changed Everything
I started this article with a story about a company that postponed their audit and lost a major customer. Let me end with a different story.
In 2022, I worked with a Series A startup pursuing their first SOC 2. They took readiness seriously. They spent three months preparing before scheduling their audit. They involved every department. They documented everything.
Their audit was almost boring—in the best possible way. No surprises. No scrambling. No all-nighters. Their auditor commented it was one of the smoothest audits he'd conducted.
But here's the real payoff: because they were organized and prepared, they discovered they could add the Availability criteria to their audit scope with minimal additional effort. That expanded scope helped them win two enterprise deals their competitors couldn't compete for.
The readiness assessment didn't just prepare them for an audit—it transformed their entire security program and became a competitive advantage.
That's the power of doing it right.