SOC 2 Readiness
Trust Services Criteria mapped to a CloudCheck 360° pass and handed to your auditor in evidence-ready form. We prepare you to pass; an independent CPA firm issues the report.
Readiness guide
01 Background
What SOC 2 actually is
SOC 2 is an attestation report issued by a licensed CPA firm under AICPA's SSAE 18 attestation standard. It evaluates a service organization against the AICPA Trust Services Criteria and produces one of two outcomes: a Type I report (controls are designed correctly at a point in time) or a Type II report (controls were designed correctly and operated effectively over a period, typically three to twelve months).
The criteria are organized into five categories, only one of which is mandatory. Security — the Common Criteria — is in every SOC 2 report.
| Category | Status | Focus |
|---|---|---|
| Security | required | mandatory (the Common Criteria) |
| Availability | optional | uptime & recovery |
| Processing Integrity | optional | complete & accurate |
| Confidentiality | optional | sensitive info |
| Privacy | optional | personal info |
For most cloud-native SaaS companies the report scope is Security plus Availability plus Confidentiality. Privacy is scoped in when the service directly handles personal information. Processing Integrity is mostly scoped in for financial or transactional services.
Source: AICPA Trust Services Criteria.
02 Audience
Who needs one
SOC 2 is driven by procurement, not regulation. Nobody is legally required to have a SOC 2 report, but many buyers will not sign until you do. The common triggers:
- Selling to US mid-market or enterprise B2B. Buyers ask for a SOC 2 Type II report as part of the vendor security questionnaire.
- Processing customer data in a multi-tenant system. Buyers want the attestation before giving you production data.
- Competing in a category where every incumbent has a SOC 2. Prospects assume you do too; not having one feels like a red flag.
- Raising a Series B or later. Investors and large customers both ask.
When SOC 2 can wait: very early-stage products with no enterprise buyers, services that store no customer data, and services sold only to consumers. If your pipeline is consumer-only and your buyers never ask, SOC 2 is not the framework to prioritize.
03 Scope
What readiness means
We prepare the environment, the policies, and the evidence. An independent CPA firm — the auditor of record — issues the actual SOC 2 report. The line between those two roles is strict under AICPA independence rules; the firm that prepares you cannot also attest, and the firm that attests cannot also remediate. Cloud Upload sits entirely on the readiness side.
A readiness engagement produces three outputs:
- Output A, Gap assessment: Control-by-control against the Common Criteria and any additional TSC in scope. Each control marked ready, partial, or gap.
- Output B, Remediation roadmap: Every gap, prioritized by audit impact and effort. Dependencies surfaced.
- Output C, Evidence package: Screenshots, config exports, policies, access reviews, tickets — organized the way an auditor expects to consume it.
For Type II specifically, the evidence package must cover the audit window (typically 3, 6, or 12 months). That means readiness has to land well before the window starts. We recommend remediation be complete at least 30 days before the audit window begins.
04 Mapping
How CloudCheck 360° maps to SOC 2
The SOC 2 Common Criteria are grouped into nine sections (CC1 through CC9). Every one of them is covered by one of the eight CloudCheck 360° categories, which is how we can prepare a SOC 2 environment as a byproduct of a standard cloud audit engagement rather than as a separate project.
| SOC 2 | Title | CC360° category |
|---|---|---|
| CC1 | Control environment | §7 Compliance posture |
| CC2 | Communication & information | §7 Compliance posture |
| CC3 | Risk assessment | §7 Compliance posture (risk register) |
| CC4 | Monitoring activities | §5 Logging, monitoring, detection |
| CC5 | Control activities | Cross-cutting across all categories |
| CC6 | Logical & physical access | §1 Identity · §2 Network · §3 Data |
| CC7 | System operations | §4 Workload · §6 Incident response |
| CC8 | Change management | §4 Workload & container security |
| CC9 | Risk mitigation | Remediation roadmap |
This is the mapping most consultancies do not publish because it is the actual product. Publishing it is deliberate — a buyer who reads it before the first call is a better buyer.
05 Engagement
How an engagement runs
A SOC 2 readiness engagement is typically 8 to 14 weeks from kickoff to auditor hand-off, scaled by environment complexity and the state of existing documentation.
- Weeks 1–2, Scoping & kickoff: Agree on which criteria are in scope, the audit window target, the auditor of record (named or to be selected), and the accounts or subscriptions in scope. Kick off the standard CloudCheck 360° pass in parallel.
- Weeks 2–6, Gap assessment: The CloudCheck 360° report, cross-mapped to SOC 2 controls, becomes the gap assessment. Policy documents are reviewed and drafted where missing. Evidence artifacts are inventoried and, where missing, generated.
- Weeks 6–12, Remediation: Technical gaps are fixed. Policies are finalized and signed. Access reviews, change-management records, and vendor risk assessments are put into an operating rhythm that will generate evidence during the audit window.
- Weeks 12–14, Auditor hand-off: The evidence package is organized in the structure the auditor expects. Kickoff call with the auditor of record. We can stay on during the audit to answer technical questions — purely a support role, never a substitute for the auditor's independent work.
06 Patterns
Common gaps we see
Across SOC 2 readiness engagements, three gap patterns show up more than the rest.
Access reviews exist but are not evidenced.
Engineering managers eyeball access quarterly and approve in Slack. The auditor needs a signed record showing who reviewed, when, what they reviewed, and what was revoked. Easy to fix with a standardized quarterly access-review process in a ticket system.
Change management for production is informal.
Code is merged and deployed via CI/CD with no separate approval workflow. SOC 2 does not require a heavy change-management board, but it does require evidence that production changes are authorized. Branch protection rules plus mandatory reviewer approval plus an audit trail from the Git provider are usually enough.
Vendor risk management is absent.
The company uses dozens of SaaS subprocessors but has no inventory, no risk assessment per subprocessor, and no evidence of monitoring changes to those subprocessors' own SOC 2 reports. We help build the inventory and the review cadence.
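As an added illustration of the change-management pattern above (example code, not the consultancy's tooling or any Git provider's API), the following Python check walks constructed pull-request records of the kind a Git provider's audit export would supply and flags production merges that lack an independent, pre-merge approval. The protected branch name, review states, people and timestamps are all assumptions made for the example; the output rows are the shape of record an auditor samples from when testing that production changes were authorized.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Branches whose merges deploy to production. Assumption for this example.
PROTECTED_BRANCHES = {"main"}


@dataclass
class Review:
    reviewer: str
    state: str            # "APPROVED", "CHANGES_REQUESTED" or "COMMENTED"
    submitted_at: datetime


@dataclass
class PullRequest:
    number: int
    author: str
    base_branch: str
    merged_at: datetime
    reviews: list = field(default_factory=list)


def authorization_findings(pr: PullRequest) -> list:
    """Return the reasons a merged PR fails the production-change authorization rule.

    An empty list means the merge is evidenced as authorized:
    - at least one APPROVED review by someone other than the author,
      submitted before the merge (segregation of duties), and
    - no CHANGES_REQUESTED review submitted after that last approval.
    """
    if pr.base_branch not in PROTECTED_BRANCHES:
        return []  # not a production change; outside the control's scope
    before_merge = [r for r in pr.reviews if r.submitted_at <= pr.merged_at]
    approvals = [r for r in before_merge
                 if r.state == "APPROVED" and r.reviewer != pr.author]
    if not approvals:
        # Covers no review at all, comment-only review, self-approval,
        # and approval that only arrived after the merge.
        return ["no independent approval before merge"]
    last_approval = max(r.submitted_at for r in approvals)
    if any(r.state == "CHANGES_REQUESTED" and r.submitted_at > last_approval
           for r in before_merge):
        return ["changes requested after the last approval"]
    return []


def evidence_rows(prs) -> list:
    """One row per production merge, with approvers and exception status."""
    rows = []
    for pr in prs:
        if pr.base_branch not in PROTECTED_BRANCHES:
            continue
        findings = authorization_findings(pr)
        approvers = sorted({r.reviewer for r in pr.reviews
                            if r.state == "APPROVED"
                            and r.reviewer != pr.author
                            and r.submitted_at <= pr.merged_at})
        rows.append({
            "pr": pr.number,
            "author": pr.author,
            "merged_at": pr.merged_at.isoformat(),
            "approvers": approvers,
            "status": "exception" if findings else "authorized",
            "findings": findings,
        })
    return rows


def exceptions(prs) -> list:
    """PR numbers that need an explanation in the evidence package."""
    return [row["pr"] for row in evidence_rows(prs) if row["status"] == "exception"]


# Constructed sample records (not real data).
T = datetime
SAMPLE_PRS = [
    PullRequest(101, "alice", "main", T(2024, 3, 4, 10, 0),
                [Review("bob", "APPROVED", T(2024, 3, 4, 9, 30))]),
    PullRequest(102, "carol", "main", T(2024, 3, 5, 14, 0),
                [Review("bob", "COMMENTED", T(2024, 3, 5, 13, 0))]),
    PullRequest(103, "dave", "main", T(2024, 3, 6, 11, 0),
                [Review("dave", "APPROVED", T(2024, 3, 6, 10, 45))]),
    PullRequest(104, "erin", "main", T(2024, 3, 7, 16, 0),
                [Review("frank", "APPROVED", T(2024, 3, 7, 12, 0)),
                 Review("frank", "CHANGES_REQUESTED", T(2024, 3, 7, 15, 0))]),
    PullRequest(105, "alice", "feature/x", T(2024, 3, 8, 9, 0), []),
    PullRequest(106, "gina", "main", T(2024, 3, 9, 10, 0),
                [Review("bob", "APPROVED", T(2024, 3, 9, 10, 30))]),
]

if __name__ == "__main__":
    for row in evidence_rows(SAMPLE_PRS):
        print(row)
    print("exceptions:", exceptions(SAMPLE_PRS))
```

The check is deliberately stricter than "a review exists": a self-approval, a comment-only review, an approval that lands after the merge, or a changes-requested review that post-dates the last approval all surface as exceptions, which is the detail an auditor will probe when sampling merges against branch-protection settings.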
07 FAQ
Questions we get asked
Type I or Type II first?
Most buyers will accept a Type I while a Type II is in progress, then switch to Type II on renewal. Going straight to Type II adds 3 to 12 months of waiting for the audit window to close. Type I first, Type II second is the common pattern unless a specific buyer explicitly requires Type II on day one.
How long is a Type II window?
Your first Type II report usually covers 3 to 6 months. Subsequent reports cover 12 months so the attestations renew annually. The window is a business decision, negotiated with the auditor.
Can we use Vanta or Drata and skip the consultant?
Compliance automation platforms generate evidence and automate a slice of control monitoring. They do not replace the human judgment of mapping controls to a specific environment, writing policies that describe what the company actually does, or remediating architectural gaps. We work on top of those platforms when clients already use them.
What does the auditor of record cost?
Separately billed, outside our scope. Expect $15K–$40K for a first-year Type II with a mid-market CPA firm. The more the environment is ready, the less the auditor has to do.
Can you introduce us to auditors?
We maintain a short list of CPA firms that we have seen do good work with cloud-native companies. We do not take referral fees and the recommendation is based on fit, not commercial arrangement.
Does this make sense before product-market fit?
Probably not. SOC 2 is a sales-enabler; it returns value when buyers are asking for it. If no buyer has asked, a Health Check and a NIST-CSF-style pass is usually the better starting point and converts to SOC 2 readiness later without rework.
Primary sources
AICPA Trust Services Criteria, SSAE 18. See also the CloudCheck 360° methodology, and related frameworks ISO 27001 and NIST CSF / CIS.
Start with a free Cloud Health Check.
A scoped-down CloudCheck 360° of your current environment. Delivered in five business days, no commitment.