What to Expect from a SOC 2 Readiness Assessment
When pursuing a SOC 2 examination, a popular first step for many organizations—particularly those just stepping into the world of compliance for the first time—is the SOC 2 readiness assessment. But for those first-timers who don’t know what to expect from such a process, it might help to have a primer.
As SOC service auditors with over two decades of experience, we understand the apprehension ahead of any type of SOC 2 examination, but if you’ve elected to start with a readiness assessment, we’re going to alleviate at least some of it.
In this blog post, we’ll discuss what a SOC 2 readiness assessment is, how it distinguishes itself from other SOC 2 reports, and outline the SOC 2 readiness assessment project structure so that those who consider this path can set expectations accordingly.
(This article assumes you already have an understanding of your SOC 2 Trust Services Categories (TSCs).)
What is a SOC 2 Readiness Assessment?
As a common beginning point for organizations or their sub-entities who have never undergone a security evaluation against a framework or want to ensure their practices map to the SOC 2 criteria, when you undergo a SOC 2 readiness assessment, your chosen service auditor will perform a gap analysis of your existing practices and how well they comply with the SOC 2 TSCs for the purpose of achieving your principal service commitments to your customers.
The goal of a SOC 2 readiness assessment is to prepare your organization for a successful SOC 2 examination—as gaps are identified during the readiness assessment, you can compile remediation plans to improve or implement practices that directly correlate with what the SOC 2 criteria specify must be included without worry of the impacts on your SOC 2 report.
Readiness Assessment vs. Type 1 SOC 2 Examination vs. Type 2 SOC 2 Examination
That being said, a “readiness”—as it’s simply referred to—is not a required step. When you opt for a SOC 2 examination, you’re free to immediately pursue any one of the three forms of SOC reporting, which include:
- Readiness Assessment
- Type 1
- Type 2
The Difference Between a Readiness Assessment and Type 1/Type 2 SOC 2 Reports
While Type 1 and Type 2 reports each have their own idiosyncrasies, they both differ from the readiness in that they come with what’s called the “opinion” from your service auditor—that opinion letter is what communicates to your customers whether your processes meet each of the SOC 2 criteria or if your processes are not presented in accordance with the criteria.
Applying SOC 2 Criteria to Controls and the Results in Different Report Types
Say that your organization conducts an ongoing risk assessment and reports the results to leadership at least annually, but your organization has neither clearly specified objectives in helping identify risks on how those objectives will be achieved, nor has there been any identification of risks that account for changes impacting control operation.
Those two unique areas are specified in the following SOC 2 criteria:
- CC3.1: COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- CC3.4: COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
In a Type 1 or 2 report—that may potentially be provided to external parties—the service auditor may have to specify these are not in place; however, in a readiness assessment, such would be documented as a gap, which instead grants you an opportunity to improve your risk assessment methodology and better adhere to the criteria before your actual SOC 2 examination.
The Value of a SOC 2 Readiness Assessment
So, while a readiness assessment alone—and its lack of service auditor opinion—won’t provide the kind of assurance your customers need, what it will do is identify gaps that you can mitigate/implement with process improvements before graduating to a Type 1 or Type 2 report.
And, since you’ll be able to start a readiness assessment sooner than a full examination, in lieu of providing that desired assurance, it can establish customer confidence that you’ve at least begun the path to maturing and representing your security practices.
What is the SOC 2 Readiness Assessment Process?
If you’ve already decided that a SOC 2 readiness assessment is the right first step to help build your security processes and obtain a report representing your program’s maturity, you can expect four progressive phases to the project structure:
Stage |
Details |
---|---|
1. Planning (2-5 Business Days) |
First, you and your service auditor will set the parameters of what will be reviewed. As this may be your first time defining such measures, your service auditor will assist in:
|
2. Evidence Request and Collection |
Your specific needs will govern how soon you wish to get started with evidence collection—whether driven by customer demand, internal commitments, or team availability—and this phase includes:
|
3. Testing Fieldwork and Walkthroughs
(Varied duration, as determined by scope) |
Based on information gained initially, your service auditor may request more of your time for further knowledge share and more evidentiary support specific to your processes. |
4. Reporting
(1–3 weeks) |
At this point, you should receive a formally communicated centralized list—or report—of your gaps from your service auditor, including their relevant criteria. Though the work won’t be over, as you’ll have gaps to fill. If you work with Schellman, our team will remain available to you should you need further insight as you grow your program. |
Once you complete a SOC 2 readiness assessment, advancement to the next level of SOC 2 reporting will be determined by you based on gaps identified and your determined timeline for their remediation.
Typical SOC 2 Project Flow
If you’d like a more in-depth overview of SOC 2 project timelines, read our article here.
Next Steps for Your SOC 2 Readiness Assessment
Whether you've decided to pursue a SOC 2 examination due to your customers' vendor management requirements, your business growth objectives, or as a means to gauge your security practices, a readiness assessment at the start is a valuable first step that will help reduce the risk of testing exceptions and disclosures during a later SOC 2 examination.
Now that you understand what makes a SOC 2 readiness and how such a project will progress, read our other articles that can help you better shake out your progressive SOC 2 experience:
About COLLIN VARNER
Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin is focused primarily on specializing in IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.