A CERT-In Empanelled Auditing Organization
Readiness Advisory

SOC 2 Readiness

Map the Trust Services Criteria to your environment and build the evidence base for a successful SOC 2 examination.

Overview

Be examination-ready before the auditor arrives.

A SOC 2 readiness engagement ensures your controls and evidence are in place before the formal examination, avoiding exceptions and a failed first report.

We select the relevant Trust Services Criteria, design and implement the supporting controls, and assemble the evidence so your Type I or Type II goes smoothly.

What’s covered

What we assess and prepare.

Criteria selection

Which Trust Services Criteria apply.

Control design

Controls mapped to each criterion.

Policy & process build

Supporting documentation.

Evidence preparation

What auditors will sample.

Readiness review

Gap closure before the exam.

Who needs this

Does this match your needs?

Where this engagement tends to add the most value.

SaaS companies: Pre-examination preparation.
Startups selling to enterprise: Unblocking procurement.
Data processors: Client assurance.
First-time SOC 2 seekers: Building controls and evidence.
Managed service providers: Customer requirements.
Any service org targeting SOC 2: Examination readiness.

Regulatory drivers

Why this is required

SOC 2 readiness prepares your controls and evidence before the examination so the report comes back clean; it is the practical first step for any service provider pursuing SOC 2.

AICPA Trust Services Criteria
The criteria your controls will be designed and tested against.
Customer & procurement pressure
Readiness is usually driven by an enterprise client requiring a report.
Audit efficiency
Closing gaps first materially reduces exceptions in the formal examination.

How we work

A structured path, start to finish.

An orderly lifecycle designed for a credible, defensible result.

Scoping & TSC selection

Selecting the Trust Services Criteria in scope.

Gap assessment

Assessing current state against the chosen criteria.

Control & policy design

Designing the controls and policies you need.

Implementation support

Hands-on help to put the controls in place.

Evidence & internal testing

Collecting evidence and testing readiness internally.

Audit handoff

Preparing you for the SOC 2 examination.

What you receive

Documentation built for every audience.

  • TSC gap assessment: Your posture against the chosen criteria.
  • Remediation roadmap: A prioritised plan to close gaps.
  • Policy & control templates: SOC 2 documentation to build on.
  • Evidence tracker: Evidence collected and tracked.
  • Pre-audit readiness sign-off: Confirmation you are ready for the examination.

Standards & frameworks

This work maps to the standards and regulatory requirements relevant to you.

SOC 2 TSC, AICPA SSAE, ISO 27001 (mapping), COSO

Checklist

Are you ready? A quick checklist

What to have in place before we begin.

Criteria selected
System description drafted
Control set designed
Policies planned
Evidence collection set up
Control owners assigned
Observation period planned (Type II)
Target report date set

FAQ

Common questions

Should we start with Type I or Type II?
Many organisations start with a Type I report to confirm their controls are well-designed at a point in time, then move to Type II to demonstrate they operate effectively over a period; some go straight to Type II if a customer requires it. We advise based on what your customers are actually asking for, so you don’t pay for more than you need.
How much evidence do we need?
A Type II report requires evidence covering the entire observation period, not just a snapshot, so the volume can be significant. We set you up to collect that evidence continuously through the period — with the right tooling and processes — rather than scrambling to assemble it at the end.
Can readiness reuse ISO 27001 work?
Absolutely. SOC 2 and ISO 27001 share many overlapping controls, so if you have done ISO 27001 work you can reuse much of the documentation and evidence for SOC 2. We map the overlap so you build once and satisfy both, rather than running two separate programmes.

Ready to get started?

Let us know your objectives, and we’ll design the engagement around them.