SOC 2 Type II Readiness Assessment

Evaluate readiness for SOC 2 Type II audit based on AICPA Trust Services Criteria for security, availability, processing integrity, confidentiality, and privacy

Tags: Biotech, Healthcare, Research, Cannabis. Estimated time: 20 minutes. 23 questions.

1. Security (CC)

Have you defined and documented security objectives and risk management processes?*

Common Criteria CC1.1-1.5: Control Environment and Risk Assessment

Do you maintain logical and physical access controls with least privilege principles?*

CC6: Logical and Physical Access Controls

Are systems monitored for security events with alerting and incident response procedures?*

CC7: System Monitoring and Detection

Do you conduct annual penetration testing and vulnerability assessments?*

Required for Type II audits; remediation tracked

Are changes to systems managed through a formal change control process?*

CC8: Change Management including testing and approval

Do you encrypt sensitive data at rest and in transit?*

Industry standard encryption (AES-256, TLS 1.2+)

2. Availability (A)

Have you defined and documented system availability objectives and SLAs?*

A1: Availability commitments and system requirements

Do you maintain environmental protections (backup power, HVAC, fire suppression)?*

A1.2: Physical infrastructure supporting availability

Are automated backups performed with documented recovery procedures?*

A1.2: Backup and restoration tested at least annually

Do you monitor system capacity and performance with proactive scaling?*

A1.3: Capacity planning and monitoring

3. Processing Integrity (PI)

Are data processing procedures documented and followed to ensure accuracy?*

PI1.1: Processing integrity commitments

Do you validate inputs and outputs for accuracy and completeness?*

PI1.3: Data validation controls

Are errors detected, logged, and corrected in a timely manner?*

PI1.5: Error handling and correction procedures

4. Confidentiality (C)

Have you classified data and implemented controls based on sensitivity?*

C1.1: Confidentiality commitments and data classification

Are confidentiality agreements in place with employees and vendors?*

C1.1: NDAs and confidentiality obligations

Do you restrict access to confidential information on a need-to-know basis?*

C1.2: Access controls for confidential data

5. Privacy (P)

Have you documented privacy notice and consent procedures?*

P1: Privacy commitments communicated to data subjects

Do you provide mechanisms for data subjects to access, correct, and delete their data?*

P4: Privacy rights (access, rectification, erasure)

Are third-party vendors assessed for privacy compliance before engagement?*

P5: Privacy considerations in vendor management

Do you maintain records of data processing activities and data flows?*

P6: Data inventory and processing documentation

6. Audit Preparation

Have you retained evidence of control operation for at least the audit period?*

Type II requires 3-12 months of operating effectiveness evidence

Do you conduct periodic internal audits or readiness assessments?*

Pre-audit gap analysis recommended

Are policies and procedures documented, approved, and accessible to relevant personnel?*

Auditors require evidence of documented controls
