A SOC 2 self-assessment is an internal exercise you run before engaging any auditor, mapping your controls against the Trust Services Criteria and scoring where you stand today. No CPA, no customer-facing report. One output: a clear picture of what will pass and what will fail before the auditor shows up.

What a SOC 2 self-assessment is

A SOC 2 self-assessment is a structured internal review of your controls, policies, and evidence against the AICPA Trust Services Criteria, completed before engaging an auditing firm. You select applicable criteria, inventory your controls, test whether each produces evidence an auditor could verify, and score the result. The output is a gap list and a remediation plan, not a formal opinion.

The self-assessment answers one question: if an auditor sampled this control today, would they find something to evaluate, or just your word that it happens? Auditors pull access review records, change approval tickets, and backup restore logs. A control that runs with no trace it ran fails the same way a missing control fails.

Self-assessment vs. readiness assessment vs. the audit

These three activities are often conflated. They answer different questions and should happen in sequence.

| Activity | Who runs it | Output | Shareable with customers? |
|---|---|---|---|
| Self-assessment | Your team | Gap list and score | No |
| Readiness assessment | You or an advisor, using an auditor’s lens | Prioritized gap list and findings | No (internal use) |
| SOC 2 audit | Licensed CPA firm | Type I or Type II opinion | Yes |

A self-assessment is the cheapest diagnostic. It surfaces obvious gaps and tells you whether a readiness assessment is worth commissioning yet.

A readiness assessment goes further, applying an auditor’s lens to your actual evidence rather than your team’s recollection. Done thoroughly, often with a consultant, it samples evidence, interviews control owners, and reviews configurations to produce a prioritized findings report. It mirrors what the auditor will do, which is why it catches what a self-assessment misses: the access review that looks complete but uses an unsigned spreadsheet, the backup that runs but has never been tested under a realistic failure scenario. When you do engage a consultant, AICPA independence rules prevent the same firm from doing both readiness and audit, so you typically use a consultant for readiness and a separate CPA firm for the audit.

The audit is formal validation. A licensed CPA evaluates whether your controls are suitably designed (Type I) or operated effectively over the observation period (Type II) and issues a report you can share with customers.

For a structured walkthrough of the readiness phase, see our guide on how to run a SOC 2 readiness assessment. If you already know your gaps and want a prioritized fix list, the SOC 2 gap analysis breakdown picks up from here.

How to score yourself: the three states

Every control in a SOC 2 self-assessment falls into one of three states.

Documented, with evidence = full credit. The control ran during the period and left a traceable artifact: a signed access review, a PR approval, a backup restore log with a timestamp and a name. An auditor could examine it and form an opinion.

We do it, but cannot prove it (informal) = half credit. The control runs in practice but produces no artifact an auditor could test. Your team offboards employees promptly, but offboarding happens via Slack with no record. Engineers review each other’s code, but no branch protection enforces it and approvals are not logged. From the auditor’s chair, informal controls are exceptions waiting to happen.

Missing = no credit. The control does not exist or exists only as a future plan.

Score each control and sum to 100. Four zones tell you what to do next.

| Score | Zone | What it means |
|---|---|---|
| 85 to 100 | Audit-ready | Proceed to schedule your audit |
| 60 to 84 | Findings only | Remediable gaps; commission a readiness assessment |
| 35 to 59 | Material gaps | Significant controls missing; remediate before engaging an auditor |
| Below 35 | Audit-blocker | Foundational work required; an audit now would almost certainly produce a qualified opinion |

The half-credit state is where most organizations overestimate themselves. Telling your team “we do quarterly access reviews” and maintaining signed attestation records for each one are not the same thing. Auditors test evidence, not intentions.

A self-assessment checklist: 11 controls to evaluate

Work through each control below. Assign full credit, half credit, or no credit based on whether you have documented evidence, informal practice only, or nothing. The CC reference maps each finding to the Trust Services Criteria. For a deeper look at what auditors expect as evidence for each, see our guide to controls auditors check first.

MFA on all production access (CC6.1): Every account with production access requires MFA, enforced at the IdP level. Full credit: configuration screenshot showing enforcement, not just a policy document.

Same-day offboarding with a record (CC6.2): All access revoked same day an employee departs, with a dated ticket or HR record per departure. “We always handle it right away” with no record is half credit.

Encryption at rest and in transit (CC6.7): Customer data encrypted at rest (AES-256+) and in transit (TLS 1.2+). Full credit: cloud console screenshots plus a configuration export confirming TLS enforcement.

Peer-reviewed PRs for all production changes (CC8.1): No production merge without a second engineer’s approval, enforced by branch protection. Full credit: branch protection screenshot and merged PR samples with visible approvals. Verbal review culture with no enforcement is half credit.

Tested backup restore in the last 12 months (A1.2): Automated backups restored under realistic conditions within the past year. Full credit: a written restore test report with date, scenario, outcome, and recovery time.

Approved infosec policies with employee acknowledgment (CC1.1): Written infosec policy, approved by leadership, acknowledged by every employee in a trackable system. Full credit: dated approval plus an acknowledgment log (LMS, DocuSign, or equivalent). A wiki policy with no acknowledgment trail is half credit.

Quarterly access reviews with sign-off (CC6.2): Each quarter, a manager or system owner reviews and attests to their team’s access, with attestation retained. Full credit: completed records for all four quarters, each with a named reviewer and date.

Tested incident response tabletop (CC7.4): IR plan exercised through at least one tabletop or simulation during the observation period. Full credit: notes covering scenario, participants, timeline, and identified gaps. A plan never exercised is half credit.

Vendor inventory with reviewed SOC 2 reports (CC9.2): Every vendor handling customer data in an inventory with data sensitivity classification and documented SOC 2 report review. Full credit: inventory with review dates and filed attestations.

Security awareness training records (CC2.2): All employees complete annual security awareness training with completion records retained. Full credit: LMS export showing completion dates and names.

Annual risk assessment with leadership sign-off (CC3.2): Formal risk assessment completed in the last 12 months, documented as a risk register, and approved by leadership. An informal threat discussion with no artifact is half credit.

Score each control and sum to 100. Weight evenly: roughly 9 points per control, with the two CC6.2 items sharing their slot.
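The three-state scoring and the 11-control checklist above, turned into a small scorer. This is an added example, not code from the original article: it takes the 11 controls, the three credit values and the zone table as written, and reads the "two CC6.2 items share a slot" rule as each distinct CC reference being one of ten equally weighted slots (an assumption; the article's "roughly 9 points" is approximate). The sample assessment is constructed.

```python
from enum import Enum

class Credit(Enum):   # the article's three scoring states
    FULL = 1.0        # documented, with evidence an auditor could sample
    HALF = 0.5        # done in practice, but no artifact proves it
    NONE = 0.0        # missing, or exists only as a plan

CONTROLS = [  # the 11 checklist controls: (name, Trust Services Criteria reference)
    ("MFA on production access", "CC6.1"), ("Same-day offboarding", "CC6.2"),
    ("Encryption at rest/in transit", "CC6.7"), ("Peer-reviewed PRs", "CC8.1"),
    ("Tested backup restore", "A1.2"), ("Approved infosec policies", "CC1.1"),
    ("Quarterly access reviews", "CC6.2"), ("IR tabletop exercised", "CC7.4"),
    ("Vendor inventory + SOC 2 review", "CC9.2"), ("Awareness training", "CC2.2"),
    ("Annual risk assessment", "CC3.2"),
]

ZONES = [(85, "Audit-ready"), (60, "Findings only"),      # zone floors from the
         (35, "Material gaps"), (0, "Audit-blocker")]      # scoring table, highest first

def control_weights():
    """Assumption: each distinct CC reference is one slot, the slots split
    100 points evenly, and the two CC6.2 controls share their slot."""
    slots = {}
    for name, cc in CONTROLS:
        slots.setdefault(cc, []).append(name)
    per_slot = 100 / len(slots)
    return {n: per_slot / len(names) for names in slots.values() for n in names}

def score(states):
    """states maps control name -> Credit; an unassessed control counts as NONE."""
    weights = control_weights()
    if unknown := set(states) - set(weights):
        raise ValueError(f"not in checklist: {sorted(unknown)}")
    return round(sum(w * states.get(n, Credit.NONE).value for n, w in weights.items()), 1)

def zone(total):
    return next(label for floor, label in ZONES if total >= floor)

def gap_list(states):
    """Controls short of full credit as (name, cc, state), missing ones first."""
    gaps = [(n, cc, states.get(n, Credit.NONE)) for n, cc in CONTROLS]
    return sorted((g for g in gaps if g[2] is not Credit.FULL), key=lambda g: g[2].value)

# Constructed sample assessment (not real data), in CONTROLS order:
# F = full credit, H = half credit, N = missing.
SAMPLE = {name: {"F": Credit.FULL, "H": Credit.HALF, "N": Credit.NONE}[s]
          for (name, _), s in zip(CONTROLS, "FHFHNFHHNFF")}

if __name__ == "__main__":
    print(score(SAMPLE), zone(score(SAMPLE)), [g[:2] for g in gap_list(SAMPLE)])
```

The sample lands at 65, in the "findings only" zone, with the two missing controls (backup restore, vendor inventory) listed ahead of the four informal ones.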

When DIY is enough and when to hire help

A self-assessment is the right starting point when you have no baseline, need to demonstrate to a board that compliance work is underway, or want to decide whether a readiness assessment is worth commissioning.

It has one known blind spot: your team knows the system well enough to unconsciously paper over gaps. The access review process that feels complete internally may be missing the signed attestation that makes it testable. The IR tabletop that felt productive may have left no artifact.

Bring in outside help when your score lands below 60, when you have a hard audit deadline, or when you are preparing for a Type II observation period and need someone to pressure-test your evidence before the clock starts. A readiness consultant samples your actual evidence the same way an auditor will, surfacing the half-credit controls you would have counted as full.

A practical sequence: run the self-assessment, prioritize remediation by score zone, then engage a readiness consultant to validate before committing to the audit.

When you are ready to pressure-test your findings, the SOC 2 readiness assessment checklist walks through evidence requirements control by control. Or take the 90-second readiness check to get a directional score and see where to focus first.