What to Expect from a SOC 2 Readiness Assessment
SOC Examinations | Audit Readiness | SOC 2
Published: Jan 18, 2024
Last Updated: Jan 15, 2026
When pursuing a SOC 2 examination, a popular first step for many organizations—particularly those just stepping into the world of compliance for the first time—is a SOC 2 readiness assessment. But for those first-timers who don’t know what to expect from this process, it might help to have a roadmap.
As SOC auditors with over two decades of experience, we understand the apprehension ahead of any type of SOC 2 examination, but if you’ve elected to start with a readiness assessment, we’re going to alleviate at least some of it.
In this blog post, we’ll detail what a SOC 2 readiness assessment is, including how it differs from the other SOC 2 reports, and outline the structure of a readiness assessment project so that organizations considering this path can set expectations accordingly.
However, before we dive in, you should obtain an understanding of the SOC 2 Trust Services Categories (TSCs).
What is a SOC 2 Readiness Assessment?
A SOC 2 readiness assessment is an optional, common starting point for organizations (or their sub-entities) that have never undergone a security evaluation against a framework, or that want to confirm their practices map to the SOC 2 criteria. When you undergo one, your chosen service auditor performs a gap analysis of your existing practices, evaluating how well they meet the SOC 2 TSCs for the purpose of achieving your principal service commitments and system requirements to your customers.
The goal of a SOC 2 readiness assessment is to prepare your organization for a successful SOC 2 examination. As gaps are identified during the readiness assessment, you can compile remediation plans to improve or implement practices that directly correspond to what the SOC 2 criteria, as elaborated by their points of focus, emphasize should be in place.
Readiness Assessment vs. Type 1 SOC 2 Examination vs. Type 2 SOC 2 Examination
That being said, a “readiness”—as it’s simply referred to—is not a required step. When you opt for a SOC 2 examination, you have the option to immediately pursue any one of the three forms of SOC reporting, which include:
- Readiness Assessment
- Type 1
- Type 2
The Difference Between a Readiness Assessment and Type 1/Type 2 SOC 2 Reports
While Type 1 and Type 2 reports each have their own characteristics, they both differ from a readiness in that they come with what’s called the “opinion” from your service auditor—that opinion letter is what communicates to your customers whether your processes meet each of the SOC 2 criteria or if your processes are not presented in accordance with the criteria. When you undergo a readiness assessment, your service auditor is evaluating your preparedness to meet the SOC 2 criteria, identifying gaps, and providing you with a deliverable for internal use to remediate gaps as you deem appropriate.
Applying SOC 2 Criteria to Controls and the Results in Different Report Types
Say that your organization conducts an ongoing risk assessment and reports the results to leadership at least annually, but it has neither specified its objectives clearly enough to enable the identification of risks to achieving those objectives, nor identified risks arising from changes that could impact how its controls operate.
Those two unique areas are specified in the following SOC 2 criteria:
- CC3.1: COSO Principle 6: The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
- CC3.4: COSO Principle 9: The entity identifies and assesses changes that could significantly impact the system of internal control.
In a Type 1 or Type 2 report, which is designed to be provided to external parties, the service auditor may have to state that these are not in place; in a readiness assessment, however, the same findings would be documented as gaps within an internal deliverable, giving you an opportunity to improve your risk assessment methodology and better adhere to the criteria before your actual SOC 2 examination.
The Value of a SOC 2 Readiness Assessment
While a readiness assessment does not include a service auditor’s opinion—and therefore can’t provide the level of assurance your customers may require—it does offer meaningful value in identifying gaps for your team to address, mitigate, and implement processes internally before moving on to a Type 1 or Type 2 examination.
Because a readiness assessment is strictly an evaluation, Schellman or any other assessor does not provide advisory, remediation, or implementation services. Your organization retains responsibility for resolving any gaps. However, this diagnostic step gives your team the insight and lead time needed to understand what is already compliant, what needs attention, and how to minimize surprises during the formal SOC 2 assessment. And while it isn’t a substitute for a SOC 2 report, completing a readiness assessment can still demonstrate to customers that you’ve begun the process of maturing and formalizing your security posture, increasing stakeholder confidence.
What is the SOC 2 Readiness Assessment Process?
If you’ve already decided that a SOC 2 readiness assessment is the right first step to help build your security processes and obtain a report representing your program’s maturity, you can expect four progressive phases to the project structure:
| Stage | Details |
|---|---|
| 1. Planning (2-5 Business Days) | First, you and your service auditor will set the parameters of what will be reviewed. As this may be your first time defining such measures, your service auditor will help you: |
| 2. Walkthrough Meetings | Your specific needs will govern how soon you wish to get started with walkthrough meetings—whether driven by customer demand, internal commitments, or team availability—and this phase includes: Based on the information gained initially, your service auditor may request more of your time for further knowledge sharing and more evidentiary support specific to your processes. |
| 3. Evidence Request and Collection (simultaneously with Phase 2) | After your internal procedures are identified, the service auditor may request additional evidence to support the processes discussed (if not shared during the walkthrough meetings): |
| 4. Reporting (~1 week) | At this point, you should receive a formally communicated deliverable of your gaps from your service auditor, including their relation to the relevant criteria. Although this concludes the readiness assessment process, your work won’t be over: you will now need to evaluate each gap and decide whether it should be remediated before beginning the formal examination. |
Once you complete a SOC 2 readiness assessment, you decide when to advance to the next level of SOC 2 reporting, based on the gaps identified and your timeline for remediating them.
Typical SOC 2 Project Flow
If you’d like a more in-depth overview of SOC 2 project timelines, read our article here.
Next Steps for Your SOC 2 Readiness Assessment
Whether you've decided to pursue a SOC 2 examination due to your customers' vendor management requirements, your business growth objectives, or as a means to gauge your security practices, starting with a readiness assessment is a valuable first step that will help reduce the risk of testing exceptions and disclosures during a later SOC 2 examination.
Now that you better understand what’s involved in the SOC 2 readiness assessment process, contact us today if you’re ready to proceed or would like to learn more. In the meantime, you can read our other articles for insights that can help you further plan for a smoother SOC 2 experience:
About Chad Goubeaux
Chad Goubeaux is a Manager at Schellman based in Columbus, Ohio with nearly 10 years of experience serving clients in auditing and IT compliance. He is a leader of the firm's SOC methodology group and contributes to the AICPA SOC 2 working group, helping to shape industry standards. At Schellman, Chad specializes in SOC 1, SOC 2, SOC 3, and HIPAA attestations. With previous experience in financial statement audits from a Big 4 firm, he brings a strong foundation in risk management and regulatory compliance. A graduate of The Ohio State University, Chad holds multiple certifications, including CPA, CISSP, CISA, CITP, CCSK, and the AICPA Advanced SOC certificate.