Feature Compliance Strategy
SOC 2 Readiness Assessment: How to Run a Gap Analysis Before the Auditor Shows Up
How to run a SOC 2 readiness gap analysis: the 4-phase process, most common findings, remediation priorities, and the 60–120 day timeline from gap to clean Type 1 report.
Table of Contents
Most SOC 2 failures aren’t surprises. They’re predictable — the same missing policies, the same undocumented access reviews, the same vendor contracts with no security addendum. The companies that ace first-time audits ran a real gap analysis first. The ones who don’t, push their audit date by three months and scramble to close findings under pressure.
A readiness assessment is the single highest-leverage activity before your SOC 2 engagement. Here’s how to run one properly.
TL;DR
- A SOC 2 gap analysis compares your current controls against the AICPA Trust Services Criteria and flags missing, partial, or undocumented coverage
- The four most time-consuming gaps to close are penetration testing, vendor risk assessments, formal access reviews, and incident response documentation — start these first
- Most organizations need 60–120 days from gap analysis to Type 1 readiness
- Evidence collection is an ongoing discipline, not a pre-audit sprint — teams that start it early have 30–40% fewer exceptions
What a SOC 2 Gap Analysis Actually Is
A gap analysis isn’t a compliance score. It’s a diagnostic that answers a specific question: for each Trust Services Criterion that applies to your scope, do you have a control in place, is it documented, and is evidence being collected?
The AICPA Trust Services Criteria define the benchmark — 64 Common Criteria points across CC1–CC9 for Security, plus additional criteria for Availability, Confidentiality, Processing Integrity, and Privacy if you’ve scoped them. Your auditor tests against every criterion in scope. A gap analysis tells you exactly where you’d fail that test today.
The output should be three columns: Compliant (control exists, documented, evidence flowing), Partial (control exists but is inconsistently applied or undocumented), and Missing (no control in place). Partials are often more dangerous than missings — a team that thinks they have a quarterly access review but skipped it in Q3 generates an audit exception, not just a gap finding.
The 4-Phase Readiness Process
Phase 1: Scope Decisions
Before you can gap anything, you need to know what you’re gapping against. Security (CC series) is required in every SOC 2 report. The four optional categories — Availability, Processing Integrity, Confidentiality, and Privacy — each add criteria and audit cost.
The practical question: what does your customer base actually need? SaaS selling to enterprises typically needs Security. SaaS with uptime SLAs in contracts should add Availability. Platforms handling sensitive regulated data (health records, financial data, PII) should consider Confidentiality or Privacy.
Scope creep here is expensive. Start with Security only, add categories only when customers require them or when the control overlap is high enough to make the marginal cost worthwhile.
Phase 2: Control Inventory and Mapping
Walk every applicable criterion and ask: what is the control that satisfies this? Then ask three follow-up questions:
- Is that control documented in a policy or procedure?
- Is it consistently executed (not just theoretically in place)?
- Is evidence being collected that would let an auditor verify it?
For most first-time assessments, the control inventory phase is where teams discover that their “controls” are actually informal practices held in people’s heads, not documented procedures with evidence trails.
Phase 3: Gap Identification and Prioritization
Not all gaps are equal. A missing penetration test takes 4–6 weeks to procure and complete. A missing password policy takes two hours to write. Prioritize by lead time, not by severity alone.
The longest-lead-time gaps — the ones that will push your audit date if you don’t start them immediately:
- Penetration test: Most auditors require an annual pentest with findings remediated. Procurement, scheduling, and report delivery typically take 4–6 weeks.
- Vendor risk assessments: Security reviews for critical SaaS vendors need to be documented. If you’re using AWS, Salesforce, and five other tools with no security review on file, that’s five assessments to run.
- Formal access reviews: The first quarterly access review needs to be completed and documented, not just scheduled. If you’re doing a Type 2, you need multiple review cycles within the observation period.
- Incident response testing: Tabletop exercises or test evidence. Most auditors want to see this has occurred.
Phase 4: Remediation Planning
Each gap needs an owner, a target date, and a definition of “done” that includes evidence collection. A remediation plan that says “fix access controls by May” without specifying what evidence demonstrates closure is a plan that will still be open at audit time.
Assign gaps to the function closest to the underlying control. Logical access controls belong to IT or Security. Vendor risk assessments belong to Legal or Procurement. Security training completion belongs to HR or People Ops. The risk function coordinates, but operational ownership needs to sit with the people who can actually execute.
The Five Most Common Gaps (And How Long They Take to Close)
Based on patterns from SOC 2 gap assessments across SaaS and fintech companies, these five findings appear in the majority of first-time engagements:
| Gap | Average Remediation Time | Why It Takes That Long |
|---|---|---|
| Missing or outdated security policies | 2–4 weeks | Requires policy drafting, legal/compliance review, and formal approval |
| Over-permissioned accounts, no access review | 3–6 weeks | Requires access audit, removal of excess permissions, documented review procedure |
| No formal incident response plan | 2–3 weeks | Requires plan drafting, tabletop exercise, and documentation of results |
| Vendor oversight deficiencies | 4–8 weeks | Must run risk assessments for each critical vendor; some vendors require back-and-forth |
| Change management bypasses | 3–5 weeks | Requires formalizing approval workflow, training, and demonstrating consistent execution |
If all five show up in your gap analysis — which is common — you’re looking at 8–12 weeks of focused remediation before you’re Type 1 ready. Plan accordingly.
The Evidence Problem: Why Sprint-Mode Fails
The gap analysis gets you to control existence. The harder problem for Type 2 is evidence continuity.
A SOC 2 Type 2 audit covers an observation period — typically 6 or 12 months. Your auditor samples control execution across that entire period. If your quarterly access review didn’t happen in Q3, no amount of documentation fixes that after the fact. If your change management tool has a gap in audit trail for a three-week period, that’s an exception.
Teams that treat evidence collection as a pre-audit sprint — pulling logs and documentation in the 60 days before the observation period closes — typically generate 30–40% more audit exceptions than teams that build continuous evidence collection into operations from day one. This means:
- Access review reminders are on a calendar, not just someone’s memory
- Vulnerability scans run on a defined schedule and results are stored systematically
- Security training completion is tracked in the HR system with timestamps
- Change management tickets exist for every production deployment, not just the ones that felt important
If your gap analysis reveals that evidence collection isn’t happening continuously, that’s a process change — not a documentation sprint.
SOC 2 vs. ISO 27001: The Gap Analysis Comparison
One question that comes up early in the readiness process: should we also do ISO 27001 at the same time?
The short answer: the 80% control overlap makes doing both eventually worth it, but the process and audit methodology differ in ways that matter for gap analysis.
SOC 2 is outcome-oriented — it asks whether your controls satisfy specified criteria. ISO 27001 requires you to build and certify an Information Security Management System (ISMS) — a more structured governance framework with 93 Annex A controls. ISO 27001 is also globally recognized; SOC 2 Type 2 is the standard US market expects.
If your customer base is primarily US-based, start with SOC 2. If you’re selling into Europe or enterprise accounts with international procurement requirements, add ISO 27001 — the control overlap means your second certification is materially faster than the first.
For more on the decision framework, see SOC 2 vs ISO 27001: When to Pick Which (and When You Need Both) — that post covers the decision tree in detail.
The Gap-to-Audit Timeline
Here’s a realistic timeline for getting from gap analysis to Type 1 report:
| Week | Activity |
|---|---|
| 1–2 | Run gap analysis; inventory all criteria; classify as Compliant/Partial/Missing |
| 3–4 | Assign owners and due dates; launch long-lead items (pentest, vendor assessments) |
| 5–8 | Close policy and documentation gaps; formalize access review and change management |
| 9–10 | Pentest complete; findings remediated or risk-accepted; documented |
| 11–12 | Final internal review; evidence organization; auditor kickoff |
| 13–16 | Type 1 audit fieldwork; auditor questions; final report |
Most organizations hit Type 1 in 14–16 weeks from a standing start. The variance is almost entirely driven by how quickly pentest procurement and vendor risk assessments move — both of which are external-dependent.
Readiness Tools: What to Actually Use
You have three options for running the gap analysis itself:
Spreadsheet (manual): Use the AICPA criteria as your framework and build a control inventory against each criterion. Cheap, slow, requires someone who understands the criteria well enough to evaluate controls honestly. Works fine for smaller-scope SOC 2 engagements.
Compliance automation platforms (Drata, Vanta, Secureframe, Thoropass): Connect your tech stack, automatically collect evidence, surface gap findings based on integration data. Faster evidence collection, better ongoing monitoring, higher upfront cost. Worth it if you’re doing a Type 2 or planning to add ISO 27001 later.
Auditor-led readiness assessment: Your future auditor (or another CPA firm) evaluates your controls before the formal engagement. Most authoritative, most expensive, reduces surprises. Some firms include it in the engagement fee; others charge separately.
The right choice depends on your timeline, budget, and whether you have someone internal who can interpret the AICPA criteria. If you’re evaluating whether you’re ready for an auditor-led assessment, the SOC 2 Compliance Checklist maps all 64 Common Criteria points to the specific controls and evidence types auditors look for.
So What?
The gap analysis isn’t bureaucracy. It’s the difference between a clean Type 1 in 16 weeks and a pushed audit date, a panicked remediation sprint, and an embarrassing conversation with your first enterprise prospect about why you don’t have your SOC 2 yet.
Start with scope. Map controls to criteria honestly. Prioritize by lead time, not severity. Launch pentest and vendor assessments immediately. Build evidence collection into operations, not just into audit season.
The companies that ace first-time SOC 2 audits don’t have better security than companies that struggle. They run the gap analysis earlier and start the slow-moving items before the fast-moving items distract them.
Related reading:
- What Is SOC 2 Compliance? A Practitioner’s Guide for First-Timers
- SOC 2 Type 1 vs Type 2: Which One Do You Actually Need?
- SOC 2 Compliance Checklist: The Controls Auditors Actually Test
External references:
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
SOC 2 Compliance Checklist
151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What is a SOC 2 readiness assessment?
What does a SOC 2 gap analysis actually cover?
How long does SOC 2 gap remediation take?
What are the most common SOC 2 gap findings?
Should I hire an auditor to run the gap analysis, or can I do it internally?
What is the difference between a SOC 2 gap analysis and the SOC 2 audit itself?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
SOC 2 Compliance Checklist
151 controls mapped to AICPA Trust Services Criteria with evidence collection guidance.
◆ Keep reading
Related posts.
Compliance Strategy
FinCEN's June 2026 Update Turns Section 314(b) Into a Real-Time Fraud-Fighting Tool
FinCEN's June 12, 2026 guidance expanded the Section 314(b) safe harbor to explicitly cover fraud—wire fraud, bank fraud, mail fraud, computer fraud—without requiring an institution to connect the activity to money laundering first. Here's what changed, why it matters for BSA programs, and what enrollment and real-time sharing actually look like in practice.
Jul 8, 2026
Compliance Strategy
Risk Register Template: Free Download vs. Paid vs. Building Your Own
Free risk register template, paid toolkit, or build from scratch? An honest three-way comparison — time to deploy, coverage, maintenance, and when each wins.
Jul 8, 2026
Compliance Strategy
OCC's 2026 Exam Rightsizing: What Community Banks Should Stop Doing—and What Still Gets You Written Up
Effective January 1, 2026, OCC Bulletin 2025-24 eliminated mandatory examination activities that aren't required by law for community banks. That means fair lending risk assessments and flood insurance transaction testing are no longer mandatory every exam cycle. Here's what actually changed, what didn't, and where compliance teams are misreading this shift.
Jul 7, 2026