A SOC 2 readiness assessment is the gap analysis you run before the formal audit begins. Its job is simple to state and hard to do well: compare what your control environment actually is against what the Trust Services Criteria require, find every place they diverge, and produce a plan to close the distance. It is an internal, advisory exercise, separate from the attestation itself, and for good reason. The point is to find your problems on your own timeline, not to discover them while a CPA firm bills you by the hour.

What the Assessment Examines

A rigorous readiness assessment works through the same terrain a real auditor will, in the same order, but without the pressure of an opinion at the end. It covers four things.

Scope. Before anything else, the assessment defines the system boundary: which product, which environments, which supporting infrastructure, and which Trust Services Categories apply. Security is always in scope; Availability, Confidentiality, Processing Integrity, and Privacy are added based on your commitments to customers. Scope decisions made here shape the cost and duration of everything downstream, so this is not a formality.

Control mapping. The assessor maps your existing controls to the criteria they are meant to satisfy, criterion by criterion, from the common criteria (CC1 through CC9) outward. This is where a control matrix earns its place: every criterion should trace to a named control, an owner, and an evidence source. Criteria with no mapped control are gaps by definition.

Gap identification. For each control, the assessor asks two questions an auditor will ask: is it designed to meet the criterion, and can you prove it operates? A control that exists on paper but produces no evidence is a gap. A control that runs but was never designed to address the relevant criterion is a gap. Each finding is rated by severity so you know what must be fixed before the observation period and what can follow.

Evidence readiness. The assessment checks whether the artifacts an auditor will request actually exist and are captured correctly, with the timestamps, ownership, and completeness that testing requires. This is where automation-only programs most often fall short: the platform reports a control as green while the underlying artifact would not survive an auditor's inspection.
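The control-mapping, gap-identification and evidence-readiness steps above amount to one mechanical check over a control matrix. The script below is an added illustration, not tooling from the original article: it takes a constructed matrix (control id, mapped criteria, owner, evidence sources with owner and capture date) and reports unmapped in-scope criteria, controls with no evidence, and evidence missing an owner or timestamp, rated by severity. Criterion ids, control ids and dates are invented sample values.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Evidence:
    source: str            # where the artifact comes from (IdP export, PR log, ticket query)
    owner: str             # who is accountable for producing it
    captured: date | None  # when it was captured; None if the artifact carries no timestamp

@dataclass
class Control:
    control_id: str
    criteria: set[str]     # TSC criteria the control is designed to address
    owner: str
    evidence: list[Evidence] = field(default_factory=list)

def assess_matrix(controls, in_scope, period_start):
    """Return (severity, criterion or control id, message) findings, highest severity first."""
    findings = []
    mapped = {crit for ctl in controls for crit in ctl.criteria}
    # Criteria in scope with no mapped control are gaps by definition.
    for crit in sorted(in_scope - mapped):
        findings.append(("high", crit, "no control mapped to this criterion"))
    for ctl in controls:
        if not ctl.owner:
            findings.append(("medium", ctl.control_id, "control has no owner"))
        # Design alone is not enough: the control must produce evidence an auditor can sample.
        if not ctl.evidence:
            findings.append(("high", ctl.control_id, "no evidence source; cannot prove it operates"))
        for ev in ctl.evidence:
            if not ev.owner:
                findings.append(("medium", ctl.control_id, f"evidence '{ev.source}' has no owner"))
            if ev.captured is None:
                findings.append(("medium", ctl.control_id, f"evidence '{ev.source}' has no timestamp"))
            elif ev.captured < period_start:
                findings.append(("low", ctl.control_id, f"evidence '{ev.source}' predates the period"))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

# Constructed sample matrix (not a real control set): three controls against five criteria.
SAMPLE_SCOPE = {"CC6.1", "CC6.2", "CC6.3", "CC7.2", "CC8.1"}
SAMPLE_CONTROLS = [
    Control("AC-01", {"CC6.1", "CC6.2"}, "IT Lead",
            [Evidence("quarterly access review export", "IT Lead", date(2024, 4, 2))]),
    Control("MON-03", {"CC7.2"}, "SecOps"),               # runs, but nothing is captured
    Control("CHG-02", {"CC8.1"}, "", [Evidence("PR approval log", "", None)]),
]

def sample_report(period_start=date(2024, 1, 1)):
    return assess_matrix(SAMPLE_CONTROLS, SAMPLE_SCOPE, period_start)
```

Running `sample_report()` on the constructed matrix yields five findings: the unmapped criterion and the evidence-less control rated high, and the three ownership and timestamp defects on the change-management control rated medium.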

The Four Deliverables to Expect

A readiness assessment that ends with a verbal "you look mostly fine" has failed. A proper one produces documents you can act on and hand to a build team.

Deliverable: what it tells you

Scope statement. The exact system boundary and which Trust Services Criteria apply, so nothing is tested that should not be and nothing in scope is missed.

Gap report. Every finding mapped to a specific criterion, with a severity rating, so you can see precisely where you stand against the standard.

Remediation roadmap. A prioritized plan to close each gap, with effort estimates and sequencing, so the work is ordered by risk and dependency rather than convenience.

Build-phase estimate. A realistic projection of the cost and time to reach audit readiness, so leadership can budget the program, not just the audit.

Together these answer the four questions leadership actually has: what needs to happen, in what order, how long it will take, and what it will cost.

Keep readiness and attestation separate

The firm that performs your attestation should not also remediate the gaps it will later test, because that compromises independence. A clean structure is one party for readiness and remediation advisory, and a separate licensed CPA firm for the attestation. This separation is not bureaucratic; it is what makes the eventual opinion defensible.

Why It Is the Best Money in the Engagement

The single most controllable factor in what a SOC 2 audit costs is how audit-ready you are when fieldwork starts. A CPA firm prices partly on how much work it expects your evidence to create, and every gap the auditor has to chase is an hour you pay for. A readiness assessment moves that discovery earlier, where fixing a gap costs a policy edit and a process change rather than a change order and a delayed report. Companies that skip it are the ones surprised in month three, and a surprise during a Type 2 observation period can mean restarting the clock.

There is a credibility dimension too. Since the market correction around fast, automated compliance, enterprise vendor risk teams read reports more carefully and probe the evidence behind them. A readiness assessment that stress-tests your evidence the way a skeptical reviewer would is how you make sure the report you eventually earn holds up to that scrutiny, rather than passing a checkbox and failing the follow-up questions.

How to Use the Output

The remediation roadmap is not a filing cabinet document. It is the work plan for the weeks before your observation period begins. Assign each gap an owner, sequence the fixes by severity and dependency, and hold a short recurring review until the roadmap is closed. When the last high-severity gap is remediated and its control has produced evidence for long enough to sample, you are ready to start the clock on a Type 2 with confidence rather than hope.

If you want to see how the pieces connect, our guides on gathering evidence for SOC 2 Type 2 and choosing between Type 1 and Type 2 pick up exactly where a readiness assessment leaves off. And if the number that matters to you right now is the budget, the real cost of a SOC 2 audit breaks down where the money actually goes.