SOC 2 Readiness Self-Assessment

Track your readiness against the AICPA Trust Services Criteria. Progress saved in your browser. Export when you are ready to engage an auditor.

Common Criteria (CC) — All organizations

CC1 — Control Environment 0%

Org has integrity, ethical values, and oversight from top.

Written code of conduct exists Evidence: signed copy on file for all staff

Board / advisor oversight defined Evidence: org chart + meeting minutes

Background checks on hires with privileged access Evidence: HR policy + completed checks

CC2 — Communication & Information 0%

Information is identified, captured, and communicated.

Incident notification process documented Who-tells-whom on incident

Customer-facing security commitments published /security/disclosure already covers this

CC3 — Risk Assessment 0%

Org identifies and assesses risks to achievement of objectives.

Annual risk assessment performed Document risks + mitigations

Fraud risk assessment done Especially for finance touchpoints

Significant change risk reviewed Before every major release / vendor change

CC4 — Monitoring Activities 0%

Org evaluates whether internal control is functioning.

Quarterly access review Who has admin / privileged access

Vulnerability scans run monthly Scan reports archived

Penetration test annually 3rd-party report on file

CC5 — Control Activities 0%

Org has policies + procedures, and segregation of duties.

Change management process documented Code review, approval, rollback plan

Segregation of duties enforced Same person cannot code + deploy + approve

Vendor management policy in place /compliance/policies/vendor-management.md exists

CC6 — Logical & Physical Access 0%

Access to systems/data is restricted.

MFA on all admin accounts Entra ID admin MFA enforced

Password complexity + rotation policy /compliance/policies/password.md exists

Encryption at rest + in transit TLS 1.2+ enforced everywhere

Provisioning + deprovisioning checklist Onboard/offboard documented

CC7 — System Operations 0%

Org detects + responds to security events.

SIEM / log aggregation in place Centralized log review

Incident response plan documented Roles + escalation tree

Backup + recovery tested annually Documented test result on file

CC8 — Change Management 0%

Org authorizes + tests changes before production.

Production changes go through code review GitHub PR approval

Staging environment used pre-prod No untested prod pushes

Rollback plan documented per change In runbook / change ticket

CC9 — Risk Mitigation 0%

Org identifies, selects, and develops risk mitigations.

Vendor risk reviewed before signing Security questionnaire on file

Business continuity plan exists /compliance/policies/business-continuity.md exists

Optional: trust service categories you want covered

Availability 0%

Uptime monitored + reported /status page already live

SLA published 99.9% or as committed

Confidentiality 0%

Data classification policy Public / internal / confidential / restricted

Encryption at rest for sensitive data AES-256 typically

Privacy 0%

Data inventory + retention schedule What data, where, how long

Self-serve data export + deletion /aria-data-export already live