ISO 27001 Maturity Assessment
Many organisations pursue both SOC 2 and ISO 27001, with significant control overlap.
Learn moreOverview
The SOC 2 Readiness Assessment provides a comprehensive framework for evaluating your organisation's control environment against the AICPA Trust Services Criteria. With 119 questions across 9 control domains, this assessment helps service organisations prepare for Type I or Type II SOC 2 examinations.
Through structured evaluation criteria aligned to the Common Criteria (CC series), you will assess your organisation's security governance, logical and physical access controls, system operations, change management, and risk mitigation practices.
The assessment employs a maturity-based scoring model to help you understand your current readiness posture, identify control gaps that could result in examination exceptions, and develop a prioritised remediation roadmap.
Who It's For
This assessment is designed for:
- SaaS providers preparing for their first SOC 2 examination
- Service organisations maintaining SOC 2 Type II attestation
- Technology companies responding to enterprise customer security requirements
- Security and compliance teams managing SOC 2 programmes
- Organisations transitioning from SOC 1 to SOC 2
- Companies evaluating readiness before engaging a CPA firm
Typical Outcomes
Organisations using this assessment typically gain:
- Clear understanding of readiness for SOC 2 examination
- Identification of control gaps likely to result in exceptions
- Prioritised remediation plan for examination readiness
- Documentation to support internal compliance reporting
- Evidence of control maturity for customer security questionnaires
- Structured preparation for CPA firm engagement
Assessment Coverage
The assessment comprehensively evaluates SOC 2 Trust Services Criteria:
- CC1: Control Environment — Management commitment, ethics, governance structure, personnel competence, and accountability
- CC2: Communication & Information — Security objectives, policy communication, training, and incident notification
- CC3: Risk Assessment — Risk identification, assessment methodology, fraud risk, and change-related risks
- CC4: Monitoring Activities — Ongoing monitoring, logging, alerting, internal audit, and deficiency remediation
- CC5: Control Activities — Segregation of duties, policy documentation, and exception management
- CC6: Logical & Physical Access — Access provisioning, RBAC, MFA, termination, encryption, and physical security
- CC7: System Operations — Vulnerability management, endpoint protection, network security, incident response, and hardening
- CC8: Change Management — Change approval, testing, segregation of environments, and emergency changes
- CC9: Risk Mitigation — Vendor management, business continuity, and disaster recovery
Questions are tagged with Type I and Type II relevance to help you prioritise based on your examination timeline.
Important Disclaimer
This assessment is a self-assessment tool designed to help organisations evaluate their readiness for SOC 2 examination. It does not constitute a SOC 2 audit, examination, or attestation. Formal SOC 2 reports require examination by an independent CPA firm.