A SOC 2 gap analysis is a control-by-control inventory of your current environment measured against the Trust Services Criteria you have selected. The output is a gap register: a prioritized list of what is missing, what exists only in practice without documentation, and what is fully evidenced. That register becomes the remediation roadmap that leads into your audit. Before reading further, you can run the 90-second SOC 2 readiness check to see your control gaps scored from your auditor's chair.
What a SOC 2 gap analysis is
A SOC 2 gap analysis is a structured comparison of your existing controls against the AICPA's Trust Services Criteria that produces a written inventory of every gap, the severity of each gap, and who owns the fix. It is not an audit. No CPA firm issues a report. The output is internal: a gap register you use to drive remediation before the auditor arrives.
The analysis assigns every control in scope one of three states. "Documented, with evidence" means the control is designed, operating, and leaves a paper trail an auditor can sample. "Informal, no evidence" means the control is real in practice but not documented. "Missing" means there is no control at all. The credit earned across those three states sums to a score out of 100, which falls into one of four readiness zones: Audit-ready (85 to 100), Findings only (60 to 84), Material gaps (35 to 59), or Audit-blocker (below 35).
The three-state model is deliberate. Auditors do not test intentions. They test evidence. A control that exists only in your engineers' heads is functionally the same as a missing control during fieldwork, because the auditor will select a sample and find no record. That is why the informal state earns only half credit. An undocumented control is one exception waiting to happen.
Gap analysis vs. readiness assessment
A gap analysis answers: what needs to be built or documented before the audit clock can start? A readiness assessment answers: have the gaps been closed, and is the evidence complete enough to survive sampling?
The distinction matters for timing. A gap analysis belongs 4 to 6 months from your target audit date, before controls are systematically implemented. A readiness assessment belongs 2 to 4 weeks from fieldwork, after implementation is complete. Running a readiness assessment on an environment that has not been through a gap analysis produces a scorecard on an unprepared program.
A gap analysis is almost always done without your auditor. It is a self-directed exercise, sometimes with a consultant, that produces a private internal document. See our SOC 2 self-assessment guide for how to run the inventory yourself before engaging outside help.
How to run the control inventory: the three states
The control inventory is the core work of a gap analysis. For every control in scope, you answer three questions: does this control exist, is it documented, and does it generate evidence that can be sampled?
Documented, with evidence. The control exists, is captured in a policy or procedure, operates on a defined schedule, and produces an artifact: an access review sign-off, a pull request approval log, a backup restore report. Full credit. An auditor can test this on day one.
Informal, no evidence. The control exists in practice but lives in Slack threads and tribal knowledge, not in a documented procedure, and leaves no consistent artifact. Half credit. Without evidence, the auditor tests for an exception.
Missing. No control exists. No policy covers the area. No system enforces it. No credit.
The half-credit state is where most first-timers lose ground. The instinct is "we do this, it should count." The auditor pulls a sample and finds entries with no timestamps, or pull requests merged by their own authors. The practice was real. The exception is also real. A practical rule: if you cannot produce the evidence artifact within 30 minutes of being asked, treat the control as informal.
Building a gap register
The gap register is the output of the control inventory. Each row is one control, its current state, the severity of the gap, and the person who owns remediation. Without an owner, gaps do not close.
Below is an illustrative gap register using the controls our scoring model weights most heavily. Current states are examples: yours will differ.
| Control (CC ref) | Current state | Gap severity | Remediation owner |
|---|---|---|---|
| MFA on all production access (CC6.1) | Informal, no evidence | Critical | Head of Engineering |
| Same-day offboarding access revocation with record (CC6.2) | Missing | Critical | IT / People Ops |
| Encryption at rest and in transit for customer data (CC6.7) | Documented, with evidence | None | Infrastructure Lead |
| Peer-reviewed pull requests for every production change (CC8.1) | Informal, no evidence | High | Engineering Manager |
| Tested backup restore in the last 12 months (A1.2) | Missing | High | DevOps Lead |
| Approved information security policies with employee acknowledgment (CC1.1) | Missing | Medium | CISO / GRC Lead |
| Quarterly access reviews with documented sign-off (CC6.2) | Informal, no evidence | High | IT / People Ops |
| Tested incident response plan or tabletop exercise (CC7.4) | Missing | Medium | Security Lead |
| Vendor inventory with SOC 2 reports reviewed (CC9.2) | Missing | Low to Medium | Procurement / GRC |
| Security awareness training records (CC2.2) | Informal, no evidence | Low | People Ops |
| Annual risk assessment with leadership sign-off (CC3.2) | Missing | Medium | CISO / Leadership |
Severity reflects audit impact, not business impact. A missing vendor inventory (CC9.2) rarely blocks fieldwork on day one. Missing MFA evidence (CC6.1) does. That distinction drives the sequencing in your remediation plan.
For building the evidence artifacts each row requires, see our SOC 2 evidence collection guide.
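The scoring described above, applied to the illustrative register, as an added example (not the page's own scoring tool). It assumes equal weight per control unless a weight map is supplied; the page's model weights Stage 1 controls more heavily, but the actual weights are not published here, so the weights passed in are assumptions.

```python
"""Score a SOC 2 gap register with the three-state model above."""
from collections import Counter

# Credit per state: full, half, none.
CREDIT = {"Documented, with evidence": 1.0,
          "Informal, no evidence": 0.5,
          "Missing": 0.0}

# Readiness zones from the page: (lower bound, label), checked top down.
ZONES = [(85, "Audit-ready"), (60, "Findings only"),
         (35, "Material gaps"), (0, "Audit-blocker")]

# Constructed register: the illustrative table above as (control ref, state).
REGISTER = [
    ("CC6.1", "Informal, no evidence"),
    ("CC6.2 offboarding", "Missing"),
    ("CC6.7", "Documented, with evidence"),
    ("CC8.1", "Informal, no evidence"),
    ("A1.2", "Missing"),
    ("CC1.1", "Missing"),
    ("CC6.2 access reviews", "Informal, no evidence"),
    ("CC7.4", "Missing"),
    ("CC9.2", "Missing"),
    ("CC2.2", "Informal, no evidence"),
    ("CC3.2", "Missing"),
]

# Assumed weights for the four fieldwork-blocking controls; equal weight elsewhere.
STAGE1_WEIGHTS = {"CC6.1": 3.0, "CC6.2 offboarding": 3.0, "CC8.1": 3.0, "A1.2": 3.0}

def score(register, weights=None):
    """Weighted credit earned over weighted credit available, scaled to 0..100."""
    weights = weights or {}
    earned = sum(CREDIT[state] * weights.get(ref, 1.0) for ref, state in register)
    available = sum(weights.get(ref, 1.0) for ref, _ in register)
    return round(100.0 * earned / available, 1)

def zone(points):
    """Map a 0..100 score to one of the four readiness zones."""
    for floor, label in ZONES:
        if points >= floor:
            return label
    raise ValueError("score out of range")

def state_counts(register):
    """How many controls sit in each of the three states."""
    return Counter(state for _, state in register)

if __name__ == "__main__":
    s = score(REGISTER)
    print(s, zone(s), dict(state_counts(REGISTER)))
```

With equal weights the sample register scores 27.3 (Audit-blocker); weighting the four Stage 1 controls pushes it lower still, because three of them are informal or missing.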
The gaps that block fieldwork first
From the auditor's chair, not all gaps are equal. Some produce exceptions in the sample. Others stop the audit from starting at all. The Stage 1 controls in our scoring model carry the highest weight because they fall in the second category.
This is not theoretical. In CBIZ's 2024 SOC Benchmark Study of 193 reports, 54.9% carried at least one control exception, and user access reviews and terminations were among the most common causes. Those are the same access controls listed below.
MFA on all production access (CC6.1). An auditor who discovers that production systems are accessible without MFA flags a design gap before testing a single sample. Fixing this after fieldwork begins does not retroactively satisfy a Type 2 observation period.
Same-day access revocation with a record (CC6.2). Auditors pull all terminations and sample them. For each, they compare the HR termination date to the timestamp of access revocation. A 72-hour gap on a production database is a finding. No timestamp is worse. Without a revocation record, the auditor cannot confirm the control operated even if the access was removed.
Peer-reviewed pull requests for every production change (CC8.1). Change management is tested by sampling all production deployments. If a meaningful fraction were self-merged or lacked a reviewer approval, each is a separate exception. Emergency merges without a defined exception process accumulate into a qualified opinion.
Tested backup restore (A1.2). Having backups and having proven you can restore from them are different things. Auditors ask for the restore test report: date, scope, result, sign-off. A backup configuration screenshot does not satisfy the test. If the restore has never been attempted, the control is missing, not informal.
Compare those four to security awareness training records (CC2.2): a gap there is a finding, not a showstopper. Fieldwork proceeds, the exception is noted, and remediation can close it in the next period.
For the full sequence of what auditors test and when, see the controls auditors check first.
How long it takes and what it costs
A SOC 2 gap analysis for a typical SaaS company scoped to the Security criterion takes 2 to 6 weeks. The variance is driven almost entirely by control-owner availability and documentation maturity. Companies with no formal policies spend most of that time in the inventory phase, building the control list and discovering what exists at the same time.
Cost depends on who runs it. A self-directed gap analysis using our scoring model and self-assessment tool costs only internal time. External consultants charge a fixed fee. Some CPA firms bundle advisory gap work into a pre-audit engagement, though AICPA independence rules constrain how deeply your audit firm can advise before the formal engagement begins.
A common mistake is treating the gap analysis as a one-time exercise. Controls that were "documented, with evidence" six months ago may have drifted if the responsible team changed. Re-run the inventory 30 to 60 days before the Type 2 observation period clock starts.
For context on total audit investment, see our SOC 2 audit cost breakdown.
Run the gap analysis before you spend money on a readiness consultant or an audit. A control inventory that is honest about the difference between what you can prove and what you merely do turns a vague "are we ready" into a dated list of fixes with named owners. That list is what keeps your eventual fieldwork short.