SOC 2 Readiness Assessment: Free Self-Assessment Quiz (2026)
Last updated: 2026-03-28
Evaluate your SOC 2 readiness with this free 15-question self-assessment. The quiz covers all 5 Trust Service Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy — and provides a per-criterion readiness score, the specific gaps identified, an estimated remediation effort, and recommended next steps.
SOC 2 Readiness Self-Assessment
Answer 15 questions across the 5 Trust Service Criteria to gauge your SOC 2 readiness.
Do you have role-based access controls (RBAC) with least-privilege enforcement?
SOC 2 requires logical access controls that restrict system access to authorized users based on their role.
This self-assessment is based on SOC 2 Trust Service Criteria (AICPA). It provides directional guidance only — not a substitute for a professional readiness assessment.
What This Assessment Covers
Security (5 questions)
Access controls, encryption, monitoring, incident response, and network security. Security is the one criterion every SOC 2 audit must include.
Availability (2 questions)
Uptime monitoring, SLAs, disaster recovery, and business continuity planning.
Processing Integrity (2 questions)
Change management, code review processes, and QA/testing procedures.
Confidentiality (3 questions)
Data classification, encryption at rest, key management, and vendor security assessments.
Privacy (3 questions)
Privacy policies, data retention and deletion, and consent management.
How to Prepare for SOC 2
- Take this readiness assessment to identify your current gaps and prioritize remediation efforts.
- Estimate your budget with our SOC 2 Cost Calculator to plan your investment.
- Choose your scope — decide which Trust Service Criteria to include (start with Security only if budget is tight).
- Remediate gaps — start the high-effort items first, since they gate your timeline. Implement access controls, encryption, monitoring, and policies.
- Consider an automation platform like Vanta or Drata to streamline evidence collection.
- Engage an auditor — get quotes from 3+ CPA firms and schedule a pre-assessment before the formal audit.
Frequently Asked Questions
What is a SOC 2 readiness assessment?
A SOC 2 readiness assessment evaluates your organization's current security controls, policies, and processes against the AICPA Trust Service Criteria to identify gaps before the formal audit. Professional readiness assessments cost $10,000-$25,000 and are conducted by compliance consultants. This free self-assessment provides a directional overview to help you understand where you stand and what to prioritize.
What are the 5 Trust Service Criteria (TSC)?
The 5 Trust Service Criteria are: (1) Security (CC) — the foundational criteria required for all SOC 2 audits, covering access controls, monitoring, and incident response. (2) Availability (A) — uptime commitments, disaster recovery, and business continuity. (3) Processing Integrity (PI) — data processing accuracy, completeness, and timeliness. (4) Confidentiality (C) — protection of confidential data including encryption, classification, and vendor management. (5) Privacy (P) — personal data handling, consent, retention, and individual rights. Only Security is mandatory; the others are optional and chosen based on your business.
Which Trust Service Criteria should I include?
Start with Security (mandatory). Add Availability if you have uptime SLAs with customers. Add Confidentiality if you handle sensitive business data for clients. Add Processing Integrity if data accuracy is critical to your service. Add Privacy if you handle consumer personal data. Most first-time SOC 2 companies start with Security only or Security + Availability, then add criteria in subsequent years.
How long does it take to get SOC 2 ready?
Timeline depends on your current maturity: companies with strong existing security practices may be audit-ready in 1-2 months; companies starting from scratch typically need 4-9 months. Key factors include the number of gaps to remediate, whether you use an automation platform (saves 2-4 months), and the complexity of your infrastructure. The Type 2 observation period adds 3-12 months on top of the readiness timeline.
What are the most common SOC 2 gaps?
The most frequently identified gaps during readiness assessments are: (1) Lack of formal security policies and procedures. (2) No access review process — users retain access after role changes. (3) Missing or incomplete incident response plan. (4) No vendor security assessment program. (5) Inadequate logging and monitoring. (6) No formal change management process. (7) Missing data classification policy. (8) Insufficient backup testing or disaster recovery planning. Most of these can be addressed within 1-3 months with focused effort.
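Two of the items above are checkable rather than purely procedural: the RBAC/least-privilege question in the quiz and gap (2), users who keep access after a role change. The block below is an added example, not code from this page or from any compliance platform it mentions. It runs a least-privilege access review by comparing what each principal actually holds (an IAM grant export) against what their current role permits (a role matrix) and the HR directory, flagging excess grants, grants lingering from a previous role, and orphaned principals with no directory record. The role matrix, directory, and grant export are constructed sample data; the names `review_access`, `summarize`, and `Finding` are this example's own.

```python
"""Least-privilege access review: actual grants vs. role matrix.

Added example. All data below is constructed sample input, not an export
from a real system.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Role matrix: the permissions each role is allowed to hold (constructed).
ROLE_MATRIX: Dict[str, Set[str]] = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "sre": {"repo:read", "prod:deploy", "prod:ssh", "logs:read"},
    "support": {"tickets:rw", "logs:read"},
}

# HR directory: current role, plus the previous role if it changed (constructed).
DIRECTORY: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"role": "engineer", "previous_role": None},
    "bob": {"role": "support", "previous_role": "sre"},   # moved off the on-call rotation
    "carol": {"role": "sre", "previous_role": None},
}

# IAM grant export: what each principal holds today (constructed).
GRANTS: Dict[str, Set[str]] = {
    "alice": {"repo:read", "repo:write", "ci:run", "prod:deploy"},  # prod:deploy is excess
    "bob": {"tickets:rw", "logs:read", "prod:ssh"},                 # prod:ssh lingers from sre
    "carol": {"repo:read", "prod:deploy", "prod:ssh", "logs:read"},  # matches role exactly
    "dave": {"repo:read"},                                          # no directory record
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                  # "excess", "lingering", "orphan", or "unknown_role"
    permission: Optional[str]  # None for principal-level findings
    detail: str


def review_access(role_matrix: Dict[str, Set[str]],
                  directory: Dict[str, Dict[str, Optional[str]]],
                  grants: Dict[str, Set[str]]) -> List[Finding]:
    """Return one Finding per deviation from least privilege, sorted by user."""
    findings: List[Finding] = []
    for user, held in sorted(grants.items()):
        record = directory.get(user)
        if record is None:
            # Grants with no owner in the directory: typically a leaver or a stale service account.
            findings.append(Finding(user, "orphan", None,
                                    "principal has grants but no directory record"))
            continue
        role = record["role"]
        allowed = role_matrix.get(role) if role is not None else None
        if allowed is None:
            findings.append(Finding(user, "unknown_role", None,
                                    f"role {role!r} is not in the role matrix"))
            continue
        previous = record.get("previous_role")
        prev_allowed = role_matrix.get(previous, set()) if previous else set()
        # Anything held beyond the current role's allowance violates least privilege;
        # classify it as lingering if the previous role explained it, else as excess.
        for perm in sorted(held - allowed):
            if perm in prev_allowed:
                findings.append(Finding(user, "lingering", perm,
                                        f"still held from previous role {previous!r}"))
            else:
                findings.append(Finding(user, "excess", perm,
                                        f"not permitted for role {role!r}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind, e.g. for a review sign-off sheet."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ROLE_MATRIX, DIRECTORY, GRANTS)
    for f in results:
        print(f"{f.user:<6} {f.kind:<10} {f.permission or '-':<12} {f.detail}")
    print(summarize(results))
```

In a real review the three inputs come from the IdP or cloud IAM (grants), the HR system (directory), and the access policy (role matrix); the auditor will want the review output plus evidence that each finding was either revoked or explicitly approved as an exception.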
Do I need a readiness assessment before the audit?
It is strongly recommended. A readiness assessment identifies gaps before the auditor does, giving you time to remediate without the pressure of the audit timeline. Discovering critical gaps during the audit can result in qualified opinions, wasted audit fees, or needing to restart the observation period. Most auditors offer a pre-assessment service, and many automation platforms include continuous readiness monitoring.
What happens if I fail a SOC 2 audit?
Technically, you cannot 'fail' a SOC 2 audit — the auditor issues a report regardless. However, they can issue a 'qualified opinion' noting exceptions where controls were not operating effectively. A qualified report can be worse than no report, as it documents specific weaknesses. If significant issues are found, the auditor may recommend pausing the audit to remediate before continuing. This is why readiness assessments are so important — fix issues before the formal audit begins.
How is this self-assessment different from a professional readiness assessment?
This free self-assessment provides a high-level overview of your readiness across all 5 Trust Service Criteria. A professional readiness assessment ($10K-$25K) is much more thorough: it includes detailed control testing, evidence review, policy evaluation, technical vulnerability scanning, and a comprehensive remediation roadmap with specific recommendations for your environment. Use this quiz as a starting point, then engage a professional for a detailed assessment before your audit.
Can I do SOC 2 without an automation platform?
Yes, but it requires significantly more manual effort. Without automation, you need to manually collect evidence screenshots, maintain spreadsheet-based control matrices, and manually track policy acknowledgments and access reviews. Automation platforms like Vanta and Drata automate 70-80% of evidence collection and continuous monitoring. For companies with limited security staff, an automation platform is nearly essential. For companies with dedicated security teams, manual compliance is feasible but more time-consuming.
Related Tools & Guides
SOC 2 Cost Calculator
Estimate your total SOC 2 compliance costs: audit, remediation, automation, and ongoing expenses.
Use free tool →
Which Framework Quiz
Not sure if SOC 2 is right? Find out which compliance framework your business actually needs.
Take the quiz →
Vanta vs Drata
Compare the leading SOC 2 automation platforms to find the right fit for your team.
Read comparison →
Related Resources on This Site
Helpful guides
- Required Benefits: required employee benefits by state
- Benefits: 401(k) for small business — setup and costs
- SOC 2: SOC 2 Type 1 vs Type 2 comparison
- Certification: MBE/WBE/MWBE certification guide
This self-assessment provides directional guidance based on the AICPA Trust Service Criteria. It is not a substitute for a professional SOC 2 readiness assessment. Actual audit scope and requirements depend on your specific environment and auditor expectations.