Free tool · SOC 2

SOC 2 readiness self-check

Are clients asking for a SOC 2 report? This free 2-minute self-check gauges your organization against the Trust Services Criteria (security, availability, confidentiality). Answer honestly: nothing is saved, sent, or tracked — it all runs in your browser.

This self-check is provided for information only and is not an audit opinion.

What the self-check covers

Ten pillars of a SOC 2 program

  • Documented, approved security policies
  • Least-privilege access control and MFA
  • Annual risk assessment
  • Vendor and subservice-provider risk management
  • Change management
  • Logging and monitoring of events
  • A tested incident-response plan
  • Encryption at rest and in transit
  • Secure onboarding/offboarding and training
  • Continuous evidence collection for audit

The self-check scores out of 20 across three bands: early stage, underway, and audit-ready.

Ready to act? We guide your compliance program (SOC 2, ISO 27001, NIST), with a virtual CISO to drive it. Not sure which framework fits? See SOC 2 vs ISO 27001 for SMBs.

Frequently asked

SOC 2: what to know

What does a SOC 2 report actually attest?

SOC 2 is an independent auditor’s report on how well your controls meet the AICPA Trust Services Criteria — security (always), and optionally availability, processing integrity, confidentiality and privacy. It isn’t a certification or a pass/fail badge; it’s an attestation a client can read to judge whether your controls are designed and operating effectively.

Does SOC 2 require a penetration test?

Not in so many words — the AICPA Trust Services Criteria don’t list a penetration test as a required control. What they do require is that you monitor your environment and manage vulnerabilities, and a pen test is among the most common and most convincing evidence auditors accept on those criteria. The customers and insurers who read your report often expect to see one as well. You can technically argue your way around it; in practice it’s simpler, and stronger, to build a test into the program.

What’s the difference between SOC 2 Type I and Type II?

Type I assesses whether your controls are suitably designed at a single point in time. Type II tests whether they actually operated effectively over a period — usually 3 to 12 months. Most enterprise clients want Type II; Type I is often a stepping stone you can produce sooner.

How long does it take to get audit-ready?

For an SMB starting from scratch, getting controls in place and evidence flowing usually takes a few months before the Type II observation window even begins. The biggest variables are how much is already documented and whether you automate evidence collection. We scope it to your size.

Do we need SOC 2, ISO 27001, or both?

It depends on your buyers: SOC 2 is the norm for North American (especially US) customers, ISO 27001 for international and European ones. Many SMBs only need one. We help you choose before you spend.

Ready to pursue SOC 2?

Talk to a Canadian-owned firm — hands-on guidance plus compliance automation (Drata), in English or French.

Get in touch