SOC 2 readiness self-checker
12 questions, 2 minutes. Score your audit-readiness across the six SOC 2 control families. We'll show you which gaps to close first — and which tools actually move the needle.
Disclosure: we earn a referral commission when you sign up to recommended tools. Recommendations are based on which gap each tool solves, not payout.
SOC 2 readiness is a continuum. The fastest path from "scattered" to "audit-ready" is to (1) close the foundation gaps in Access and Network first, then (2) get evidence collection automated, then (3) book a Type 1 audit ~3 months out. Type 2 follows 6–12 months later with a continuous-evidence period.
What SOC 2 actually requires
SOC 2 is an audit attestation against the AICPA's Trust Services Criteria. The Common Criteria (mandatory) cover access, change management, monitoring, and risk. The four optional categories are availability, processing integrity, confidentiality, and privacy. Most B2B SaaS startups attest to Common + Confidentiality, sometimes adding Availability if uptime is a sales talking point.
An audit costs $15–$50k for Type 1, $25–$80k for Type 2 (the same auditor usually handles both). Companies that fail their first audit usually fail because they have controls in policy but no evidence. That's where audit-automation tools earn their keep — they collect evidence continuously instead of you scrambling for it the week before fieldwork.
Type 1 vs Type 2 in one paragraph
Type 1 is a snapshot — "as of [date], your controls were designed correctly." Faster (~3 months), cheaper, and useful for unblocking enterprise sales deals where the buyer just needs to see a SOC 2 report. Type 2 is a movie — "over [3–12 month window], your controls operated effectively." More expensive, but it's what big enterprise actually wants on renewal. Most companies do Type 1 first, then start the Type 2 observation period the day after the Type 1 report is issued.