SOC 2 Readiness Assessment

utm_source

utm_medium

utm_campaign

q1_mfa [0]

q1_mfa [3]

q1_mfa [7]

Production systems and/or admin accounts only

q1_mfa [10]

Every SaaS tool and production system, enforced company-wide

q2_access [0]

q2_access [3]

q2_access [7]

q2_access [10]

Monthly — or continuously via an automated tool

q3_encrypt [0]

q3_encrypt [3]

q3_encrypt [7]

q3_encrypt [10]

Both, in every system, with documented key management

q4_vendor [0]

q4_vendor [3]

q4_vendor [7]

q4_vendor [10]

Yes, centralized, with annual risk reviews on each vendor

q5_logging [0]

q5_logging [3]

Some logs exist, but stored locally on each system

q5_logging [7]

Centralized, but retained less than 90 days

q5_logging [10]

Centralized, retained 1+ year, with alerts on key events

q6_ir [0]

q6_ir [3]

Informal / verbal understanding on the team

q6_ir [7]

q6_ir [10]

Documented + tabletop-tested within the last 12 months

q7_endpoint [0]

q7_endpoint [3]

q7_endpoint [7]

Most laptops, but enforcement is inconsistent

q7_endpoint [10]

All laptops, enforced via MDM with automated compliance

q8_change [0]

q8_change [3]

q8_change [7]

q8_change [10]

All changes, enforced in CI/CD, with audit trail

q9_onboard [0]

q9_onboard [3]

q9_onboard [7]

q9_onboard [10]

Documented + automated (IDP-driven provisioning and deprovisioning)

q10_policies [0]

q10_policies [3]

q10_policies [7]

Yes, but they’re stale (not reviewed in 12+ months)

q10_policies [10]

Yes, reviewed annually, acknowledged by every employee

q11_risk [0]

q11_risk [3]

Informal / undocumented understanding of risks

q11_risk [7]

q11_risk [10]

Yes, documented, reviewed annually, and tied to control selection

q12_bcdr [0]

q12_bcdr [3]

q12_bcdr [7]

q12_bcdr [10]

Documented, tested within last 12 months, with defined RTOs/RPOs

q13_training [0]

q13_training [3]

q13_training [7]

q13_training [10]

Annual, mandatory, with completion records and phishing simulations

q14_retention [0]

q14_retention [3]

q14_retention [7]

Retention schedule exists, but disposal isn’t enforced

q14_retention [10]

Documented retention + automated disposal + audit trail

q15_backup [0]

q15_backup [3]

Backups exist, but never tested a restore

q15_backup [7]

q15_backup [10]

Automated backups with tested restores quarterly and documented recovery procedures

SOC 2 Readiness Assessment

Part 1 of 3 — Access & Data Protection

Which of these require MFA at your company today?

How often do you formally review who has access to customer data?

Is customer data encrypted at rest and in transit?

Do you maintain an inventory of every third-party vendor that accesses customer data?

Are critical system logs (authentication, data access, production changes) centralized and retained?