A SOC 2 Readiness Checker that scores your control environment against the five Trust Service Criteria before you spend money on an auditor. SOC 2 is the dominant assurance standard for SaaS and cloud vendors, and most failed or delayed audits trace back to gaps that a structured self-assessment would have caught early. This tool is for startups and security leads preparing for a Type I or Type II report who want a clear, prioritised picture of where they stand.
How it works
SOC 2 is built on five criteria, with Security (the Common Criteria) mandatory and the others added by scope:
Security (mandatory — Common Criteria)
Availability (uptime / resilience commitments)
Confidentiality (protecting confidential data)
Processing Integrity (complete, accurate, timely processing)
Privacy (notice, choice, handling of personal data)
Within your chosen criteria the tool presents control prompts grouped by category — access control and authentication, change management, monitoring and logging, incident response, vendor risk, backup and recovery, and so on. You mark each as in place, partial, or missing:
score = (in_place × 1 + partial × 0.5) / total controls in criterion
What each Trust Service Criterion covers
Security (CC — Common Criteria) is mandatory for every SOC 2 report. It covers logical and physical access controls, system operations, change management, and risk mitigation. If you are only pursuing one criterion, this is the one. Key controls include multi-factor authentication, role-based access, patch management, and an incident response plan.
Availability is added when customers rely on your system being accessible — typically SaaS products with uptime SLAs. The controls here cover monitoring, capacity planning, incident response timelines, and disaster recovery. If your contract includes an SLA, availability is usually in scope.
Confidentiality applies when your system processes information that must be kept confidential under contractual obligation — client business data, trade secrets, or regulated data other than personal information. Controls include encryption at rest and in transit, access controls, and data classification policies.
Processing Integrity ensures that system processing is complete, valid, accurate, timely, and authorised. It is most commonly scoped for transactional systems — payment processing, financial reporting, order fulfilment. Controls include input validation, reconciliation, error handling, and output verification.
Privacy addresses how personal information is collected, used, retained, disclosed, and disposed of, aligned to the AICPA’s Privacy Management Framework. This overlaps with GDPR and CCPA compliance but is broader — it is about operating your privacy programme, not just having a privacy policy.
Type I vs Type II — the practical difference
A Type I report asserts that your controls are suitably designed at a specific point in time. An auditor inspects your policies, procedures, and system configuration and forms an opinion. A startup can often achieve Type I in three to six months once controls are in place. It provides meaningful assurance to enterprise prospects but is increasingly seen as a baseline rather than a differentiator.
A Type II report asserts that your controls operated effectively over an observation period, typically three to twelve months. The auditor reviews evidence: access logs showing that terminated employees were removed promptly, change management tickets showing approvals, monitoring alerts showing that anomalies were investigated. The evidence must span the full observation window — a control implemented the week before the audit window closes contributes almost nothing to a Type II opinion.
Reading the heat-map and planning remediation
The tool’s heat-map shows per-criterion readiness percentages in colour. Prioritise red categories above amber, and deal with systematic gaps (no MFA anywhere, no incident response plan, no vendor risk process) before individual control exceptions. For Type II, the clock matters: every week you delay implementing a control is a week of evidence you will never recover. Start collecting evidence on day one of your observation period, not the week before the audit.
Everything is calculated locally — none of your control data is uploaded or stored.