A SOC 2 readiness assessment asks eleven scored control questions covering access, change management, availability, governance, and vendor risk. Each question has three possible answers: documented with evidence, practiced informally without proof, or missing entirely. Your score determines whether you are audit-ready, carrying only minor findings, facing material gaps, or blocked from starting fieldwork.

The questions below are the exact prompts from our assessment tool. Answer them in our 90-second readiness check to get a scored result with per-control findings.

Each question maps to a specific criterion in the AICPA Trust Services Criteria; the CC or A reference appears beside each one below.


How the three-state model works

Every question maps to one of three states:

Documented with evidence earns full credit. The control exists, operates consistently, and produces artifacts an auditor can examine: policy documents with approval dates, configuration screenshots, access review records with sign-off, timestamped tickets.

We do it but cannot prove it earns half credit. Auditors test evidence, not intentions. A Slack message or a verbal agreement does not satisfy fieldwork. Half credit reflects a control that is designed correctly but will generate an exception in the report.

Missing earns no credit.

Scores sum to 100 points across four zones: Audit-ready (85 to 100), Findings only (60 to 84), Material gaps (35 to 59), Audit-blocker (below 35).

For more on what auditors treat as acceptable evidence, see the SOC 2 evidence collection guide.


Access controls (CC6.1, CC6.2, CC6.7)

Access is the first area auditors test. If an unauthorized person can reach production, every other control becomes irrelevant.

Q1: MFA enforcement (CC6.1)

The question: If someone steals an admin password tomorrow, can they log into your production cloud or admin tools without a phone code or hardware key?

What the auditor wants: The IdP enforcement policy showing MFA is required for every production user, plus a log confirming the second factor is active per user. Screenshots of the IdP setting alone are not enough without a written policy naming the scope. For Type 2, auditors sample login events to confirm consistent enforcement across the observation period.

Why informal gets half credit: Enabling MFA in the IdP without a documented policy and a user roster leaves the auditor with the setting but no coverage proof. The control passes with an exception. Ten points, checked on day one.

Q2: Offboarding (CC6.2)

The question: When an employee or contractor leaves, is their access to all production systems revoked within one business day, with a record of who removed it and when?

What the auditor wants: A ticket for each departure showing the revocation date, systems affected, and who made the change. Auditors sample three to five former employees and match the ticket timestamp against the termination date.

Why informal gets half credit: Slack messages and verbal confirmations do not satisfy the sample. “I think I got it Friday” is a finding, not a response.

Q3: Encryption (CC6.7)

The question: Is customer data encrypted at rest in your databases and object storage, and is all customer-facing traffic forced over TLS?

What the auditor wants: Configuration screenshots for every database and object store holding customer data, plus a TLS scan or load balancer config showing plain HTTP is rejected on customer-facing endpoints.

Why informal gets half credit: “I’m pretty sure it’s on” is not evidence. The auditor samples two databases and one endpoint. Without a config artifact for each, the control passes with a documentation exception.


Change management (CC8.1)

Q4: Pull request review

The question: Does every code change to production go through a pull request reviewed and approved by someone other than the author?

What the auditor wants: Five production deployments sampled at random, each traceable to a PR with an approver who is not the commit author. The approval must exist in source control, not added after the fact. For Type 2, the sample spans the full observation window.

Why informal gets half credit: A self-approved PR will appear in the sample. Self-approval fails the test. The exception appears in the report your customers read.

For the full list of controls auditors test first, see SOC 2 controls auditors check first.


Availability (A1.2)

Q5: Backup restore testing

The question: Have you successfully restored a backup of production data in the last 12 months and documented the test?

What the auditor wants: A dated test artifact showing what was restored, who ran the test, and the outcome. A runbook defining the procedure. An ad hoc restore that happened because staging broke is not a planned test.

Why informal gets half credit: If the restore happened but was not logged as a structured test with a documented result, the control passes with an exception. Auditors ask for the document.


Governance (CC1.1, CC6.2, CC7.4, CC3.2)

Governance controls prove your security program is intentional, not reactive.

Q6: Information security policies (CC1.1)

The question: Do you have written information security policies, formally approved by leadership, that all employees acknowledge?

What the auditor wants: Policy documents with an approval date and a named approver. A roster of current employees matched against acknowledgment records. Drafts without an approval signature do not satisfy this test.

Why informal gets half credit: Policies without acknowledgment records are an exception. Missing both the approval and the acknowledgment list is a finding.

Q7: Quarterly access reviews (CC6.2)

The question: Do you review who has access to production at least quarterly, with documented sign-off?

What the auditor wants: Access review records for each required quarter: the current-access export, the review date, and the reviewer’s sign-off. For Type 2, the auditor asks for all four quarterly records and checks for gaps.

Why informal gets half credit: A spreadsheet without a sign-off line passes with an exception. A Slack message saying you planned to run a review counts as no review at all.

Q8: Incident response plan and tabletop (CC7.4)

The question: Do you have a written incident response plan, and have you run a tabletop against it in the last 12 months with documented results?

What the auditor wants: A written IR plan with roles, escalation steps, and communication channels. A tabletop record: date, attendees, scenario, and action items.

Why informal gets half credit: A meeting with no notes passes with an exception. The auditor needs the artifact to verify the plan was actually exercised.

Q11: Annual risk assessment (CC3.2)

The question: Have you performed and documented a formal risk assessment in the last 12 months, with leadership sign-off?

What the auditor wants: A risk assessment completed within the audit period listing identified risks, likelihood and impact ratings, and treatment decisions. Leadership sign-off with a date. A document last updated 14 months ago fails the timing test.

Why informal gets half credit: A risk register without a sign-off date or management approval passes with an exception.


Vendor risk and training (CC9.2, CC2.2)

Q9: Vendor SOC 2 review

The question: Do you have a list of critical vendors, and have you collected and reviewed their SOC 2 reports?

What the auditor wants: A vendor inventory identifying critical subprocessors, with evidence that you reviewed each vendor’s SOC 2 report and noted any exceptions. A folder of unread PDFs is not a review.

Why informal gets half credit: The auditor samples three critical vendors and asks for the last review date and conclusion. A vendor list without review records is an exception. Enterprise procurement asks the same question and stalls when you cannot produce the reports.

Q10: Security awareness training

The question: Has every current employee completed security awareness training in the last 12 months, with completion records?

What the auditor wants: A completion roster matched against the current employee list with a training date for each person. New hires must have a completion record from within 12 months of the audit date.

Why informal gets half credit: Three employees without a completion record trigger three exceptions. The auditor reconciles the training roster against HR records; every gap is a separate exception in the final report.


What to do with your score

A score in the audit-ready zone means your evidence is in place and an auditor can begin. A score in the material-gap zone means six to twelve weeks of remediation before starting fieldwork, not before selecting a firm.

For a structured approach to closing specific gaps, see the SOC 2 gap analysis guide. Take our 90-second readiness check to score all eleven controls and get a per-control finding from the auditor’s chair.