SOC 2 Readiness Assessment: How to Run a Gap Analysis Before the Auditor Shows Up
Most SOC 2 failures aren’t surprises. They’re predictable — the same missing policies, the same undocumented access reviews, the same vendor contracts with no security addendum. The companies that ace first-time audits ran a real gap analysis first. The ones that didn’t push their audit date back by three months and scramble to close findings under pressure.
A readiness assessment is the single highest-leverage activity before your SOC 2 engagement. Here’s how to run one properly.
TL;DR
- A SOC 2 gap analysis compares your current controls against the AICPA Trust Services Criteria and flags missing, partial, or undocumented coverage
- The four most time-consuming gaps to close are penetration testing, vendor risk assessments, formal access reviews, and incident response documentation — start these first
- Most organizations need 60–120 days from gap analysis to Type 1 readiness
- Evidence collection is an ongoing discipline, not a pre-audit sprint — teams that start it early have 30–40% fewer exceptions
What a SOC 2 Gap Analysis Actually Is
A gap analysis isn’t a compliance score. It’s a diagnostic that answers a specific question: for each Trust Services Criterion that applies to your scope, do you have a control in place, is it documented, and is evidence being collected?
The AICPA Trust Services Criteria define the benchmark — 64 Common Criteria points across CC1–CC9 for Security, plus additional criteria for Availability, Confidentiality, Processing Integrity, and Privacy if you’ve scoped them. Your auditor tests against every criterion in scope. A gap analysis tells you exactly where you’d fail that test today.
The output should be three columns: Compliant (control exists, documented, evidence flowing), Partial (control exists but is inconsistently applied or undocumented), and Missing (no control in place). Partials are often more dangerous than missings — a team that thinks they have a quarterly access review but skipped it in Q3 generates an audit exception, not just a gap finding.
The 4-Phase Readiness Process
Phase 1: Scope Decisions
Before you can gap anything, you need to know what you’re gapping against. Security (CC series) is required in every SOC 2 report. The four optional categories — Availability, Processing Integrity, Confidentiality, and Privacy — each add criteria and audit cost.
The practical question: what does your customer base actually need? SaaS selling to enterprises typically needs Security. SaaS with uptime SLAs in contracts should add Availability. Platforms handling sensitive regulated data (health records, financial data, PII) should consider Confidentiality or Privacy.
Scope creep here is expensive. Start with Security only, add categories only when customers require them or when the control overlap is high enough to make the marginal cost worthwhile.
Phase 2: Control Inventory and Mapping
Walk every applicable criterion and ask: what is the control that satisfies this? Then ask three follow-up questions:
- Is that control documented in a policy or procedure?
- Is it consistently executed (not just theoretically in place)?
- Is evidence being collected that would let an auditor verify it?
For most first-time assessments, the control inventory phase is where teams discover that their “controls” are actually informal practices held in people’s heads, not documented procedures with evidence trails.
Phase 3: Gap Identification and Prioritization
Not all gaps are equal. A missing penetration test takes 4–6 weeks to procure and complete. A missing password policy takes two hours to write. Prioritize by lead time, not by severity alone.
The longest-lead-time gaps — the ones that will push your audit date if you don’t start them immediately:
- Penetration test: Most auditors require an annual pentest with findings remediated. Procurement, scheduling, and report delivery typically take 4–6 weeks.
- Vendor risk assessments: Security reviews for critical SaaS vendors need to be documented. If you’re using AWS, Salesforce, and five other tools with no security review on file, that’s a separate assessment to run for each of them.
- Formal access reviews: The first quarterly access review needs to be completed and documented, not just scheduled. If you’re doing a Type 2, you need multiple review cycles within the observation period.
- Incident response testing: Tabletop exercises or test evidence. Most auditors want to see this has occurred.
Phase 4: Remediation Planning
Each gap needs an owner, a target date, and a definition of “done” that includes evidence collection. A remediation plan that says “fix access controls by May” without specifying what evidence demonstrates closure is a plan that will still be open at audit time.
Assign gaps to the function closest to the underlying control. Logical access controls belong to IT or Security. Vendor risk assessments belong to Legal or Procurement. Security training completion belongs to HR or People Ops. The risk function coordinates, but operational ownership needs to sit with the people who can actually execute.
The Five Most Common Gaps (And How Long They Take to Close)
Based on patterns from SOC 2 gap assessments across SaaS and fintech companies, these five findings appear in the majority of first-time engagements:
| Gap | Average Remediation Time | Why It Takes That Long |
|---|---|---|
| Missing or outdated security policies | 2–4 weeks | Requires policy drafting, legal/compliance review, and formal approval |
| Over-permissioned accounts, no access review | 3–6 weeks | Requires access audit, removal of excess permissions, documented review procedure |
| No formal incident response plan | 2–3 weeks | Requires plan drafting, tabletop exercise, and documentation of results |
| Vendor oversight deficiencies | 4–8 weeks | Must run risk assessments for each critical vendor; some vendors require back-and-forth |
| Change management bypasses | 3–5 weeks | Requires formalizing approval workflow, training, and demonstrating consistent execution |
If all five show up in your gap analysis — which is common — you’re looking at 8–12 weeks of focused remediation before you’re Type 1 ready. Plan accordingly.
The Evidence Problem: Why Sprint-Mode Fails
The gap analysis gets you to control existence. The harder problem for Type 2 is evidence continuity.
A SOC 2 Type 2 audit covers an observation period — typically 6 or 12 months. Your auditor samples control execution across that entire period. If your quarterly access review didn’t happen in Q3, no amount of documentation fixes that after the fact. If your change management tool has a gap in audit trail for a three-week period, that’s an exception.
Teams that treat evidence collection as a pre-audit sprint — pulling logs and documentation in the 60 days before the observation period closes — typically generate 30–40% more audit exceptions than teams that build continuous evidence collection into operations from day one. This means:
- Access review reminders are on a calendar, not just someone’s memory
- Vulnerability scans run on a defined schedule and results are stored systematically
- Security training completion is tracked in the HR system with timestamps
- Change management tickets exist for every production deployment, not just the ones that felt important
If your gap analysis reveals that evidence collection isn’t happening continuously, that’s a process change — not a documentation sprint.
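Evidence continuity is something you can check mechanically rather than discover during fieldwork. The script below is an added example, not code from the post or from RiskTemplates: it takes an evidence log (control id plus the date each artifact was produced), walks the observation period, and reports which quarters have no access review, which months have no vulnerability scan, and where the change-ticket trail goes silent for longer than a threshold. The evidence dates, control names and the 21-day threshold (chosen to catch the three-week audit-trail hole the section describes) are all constructed for the example.

```python
from datetime import date, timedelta

# Observation period for a 12-month Type 2 (constructed for this example).
OBSERVATION_START = date(2025, 1, 1)
OBSERVATION_END = date(2025, 12, 31)

# Constructed evidence log. Each row is one artifact an auditor could sample:
# (control id, date the artifact was produced). Deliberately imperfect:
#   - access reviews ran in Q1, Q2 and Q4, but Q3 was skipped
#   - vulnerability scans ran monthly except August
#   - change tickets exist weekly except for a stretch in June/July
ACCESS_REVIEWS = [date(2025, 1, 20), date(2025, 4, 14), date(2025, 10, 6)]
VULN_SCANS = [date(2025, m, 3) for m in range(1, 13) if m != 8]
CHANGE_TICKETS = [
    date(2025, 1, 7) + timedelta(days=7 * k)
    for k in range(52)
    if not date(2025, 6, 10) <= date(2025, 1, 7) + timedelta(days=7 * k) <= date(2025, 7, 1)
]
EVIDENCE = (
    [("access_review", d) for d in ACCESS_REVIEWS]
    + [("vuln_scan", d) for d in VULN_SCANS]
    + [("change_ticket", d) for d in CHANGE_TICKETS]
)


def quarter_of(d):
    """Period key for quarterly controls, e.g. (2025, 3) for Q3 2025."""
    return (d.year, (d.month - 1) // 3 + 1)


def month_of(d):
    """Period key for monthly controls, e.g. (2025, 8) for August 2025."""
    return (d.year, d.month)


def periods_between(start, end, key):
    """Every period key the observation window touches, in calendar order."""
    seen = []
    d = start
    while d <= end:
        k = key(d)
        if not seen or seen[-1] != k:
            seen.append(k)
        d += timedelta(days=1)
    return seen


def missed_periods(control, key, start=OBSERVATION_START, end=OBSERVATION_END,
                   evidence=EVIDENCE):
    """Periods inside the window with no evidence for a scheduled control.

    Evidence dated outside the window is ignored: a review run the week
    after the period closes does not cover the quarter the auditor samples.
    """
    covered = {key(d) for c, d in evidence if c == control and start <= d <= end}
    return [p for p in periods_between(start, end, key) if p not in covered]


def trail_gaps(control, max_gap_days, start=OBSERVATION_START,
               end=OBSERVATION_END, evidence=EVIDENCE):
    """Silent stretches longer than max_gap_days in a continuous audit trail.

    Returns (gap_start, gap_end, days). The window edges act as fence posts,
    so a trail that starts late or stops early is flagged as well.
    """
    dates = sorted(d for c, d in evidence if c == control and start <= d <= end)
    points = [start] + dates + [end]
    return [(a, b, (b - a).days) for a, b in zip(points, points[1:])
            if (b - a).days > max_gap_days]


def readiness_report():
    """Findings an auditor would turn into exceptions, keyed by control."""
    return {
        "access_review": missed_periods("access_review", quarter_of),
        "vuln_scan": missed_periods("vuln_scan", month_of),
        "change_ticket": trail_gaps("change_ticket", max_gap_days=21),
    }


if __name__ == "__main__":
    for control, findings in readiness_report().items():
        status = "OK" if not findings else f"EXCEPTION RISK: {findings}"
        print(f"{control:15s} {status}")
```

Run it on a schedule (monthly is enough) against whatever system of record holds your evidence, and the Q3 review that nobody ran shows up in October, when it can still be escalated, rather than in the auditor's sample nine months later.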
SOC 2 vs. ISO 27001: The Gap Analysis Comparison
One question that comes up early in the readiness process: should we also do ISO 27001 at the same time?
The short answer: the 80% control overlap makes doing both eventually worth it, but the process and audit methodology differ in ways that matter for gap analysis.
SOC 2 is outcome-oriented — it asks whether your controls satisfy specified criteria. ISO 27001 requires you to build and certify an Information Security Management System (ISMS) — a more structured governance framework with 93 Annex A controls. ISO 27001 is also globally recognized; SOC 2 Type 2 is the standard US market expects.
If your customer base is primarily US-based, start with SOC 2. If you’re selling into Europe or enterprise accounts with international procurement requirements, add ISO 27001 — the control overlap means your second certification is materially faster than the first.
For more on the decision framework, see SOC 2 vs ISO 27001: When to Pick Which (and When You Need Both) — that post covers the decision tree in detail.
The Gap-to-Audit Timeline
Here’s a realistic timeline for getting from gap analysis to Type 1 report:
| Week | Activity |
|---|---|
| 1–2 | Run gap analysis; inventory all criteria; classify as Compliant/Partial/Missing |
| 3–4 | Assign owners and due dates; launch long-lead items (pentest, vendor assessments) |
| 5–8 | Close policy and documentation gaps; formalize access review and change management |
| 9–10 | Pentest complete; findings remediated or risk-accepted; documented |
| 11–12 | Final internal review; evidence organization; auditor kickoff |
| 13–16 | Type 1 audit fieldwork; auditor questions; final report |
Most organizations hit Type 1 in 14–16 weeks from a standing start. The variance is almost entirely driven by how quickly pentest procurement and vendor risk assessments move — both of which are external-dependent.
Readiness Tools: What to Actually Use
You have three options for running the gap analysis itself:
Spreadsheet (manual): Use the AICPA criteria as your framework and build a control inventory against each criterion. Cheap, slow, requires someone who understands the criteria well enough to evaluate controls honestly. Works fine for smaller-scope SOC 2 engagements.
Compliance automation platforms (Drata, Vanta, Secureframe, Thoropass): Connect your tech stack, automatically collect evidence, surface gap findings based on integration data. Faster evidence collection, better ongoing monitoring, higher upfront cost. Worth it if you’re doing a Type 2 or planning to add ISO 27001 later.
Auditor-led readiness assessment: Your future auditor (or another CPA firm) evaluates your controls before the formal engagement. Most authoritative, most expensive, reduces surprises. Some firms include it in the engagement fee; others charge separately.
The right choice depends on your timeline, budget, and whether you have someone internal who can interpret the AICPA criteria. If you’re evaluating whether you’re ready for an auditor-led assessment, the SOC 2 Compliance Checklist maps all 64 Common Criteria points to the specific controls and evidence types auditors look for.
So What?
The gap analysis isn’t bureaucracy. It’s the difference between a clean Type 1 in 16 weeks and a pushed audit date, a panicked remediation sprint, and an embarrassing conversation with your first enterprise prospect about why you don’t have your SOC 2 yet.
Start with scope. Map controls to criteria honestly. Prioritize by lead time, not severity. Launch pentest and vendor assessments immediately. Build evidence collection into operations, not just into audit season.
The companies that ace first-time SOC 2 audits don’t have better security than companies that struggle. They run the gap analysis earlier and start the slow-moving items before the fast-moving items distract them.
Related reading:
- What Is SOC 2 Compliance? A Practitioner’s Guide for First-Timers
- SOC 2 Type 1 vs Type 2: Which One Do You Actually Need?
- SOC 2 Compliance Checklist: The Controls Auditors Actually Test
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.