FortaRisks

SOC 2 readiness assessment

Gauge your readiness for a SOC 2 audit, and leave with your priorities.

≈ 5 minutes · no sign-up

A SOC 2 report demonstrates the effectiveness of your controls to customers. Answer the 18 statements below: everything is computed in your browser, and no answer is stored.

Answer each statement based on your real situation. Your score and priorities appear instantly in your browser. Nothing is sent anywhere.


1. Scope and criteria

You have determined which Trust Services Criteria apply (Security, plus Availability, Processing Integrity, Confidentiality and Privacy where relevant).

You have chosen between a Type I and a Type II report based on customer needs.

The system boundary (people, processes, technology) is defined and documented.

2. Security (Common Criteria)

Access is managed on least privilege, with MFA and periodic review.

A change-management process is in place.

You perform a documented risk assessment.

3. Monitoring and incidents

Centralized logging covers your systems.

You monitor and detect abnormal activity.

An incident response plan is documented and tested.

4. Vendor management

You keep an inventory of your critical vendors.

You assess the security posture of your vendors.

Your agreements include security requirements.

5. Governance and control environment

A SOC 2 program owner is designated.

Your security policies are formalized and communicated.

Staff receive security awareness training.

6. Evidence and readiness

You collect control evidence continuously, throughout the period.

Evidence is complete and available across the whole audit window.

You have run a readiness review before the audit.


FAQ

What is SOC 2?

SOC 2 is an attestation report, issued by a CPA firm under the AICPA framework, that evaluates your controls against the Trust Services Criteria. It is not a certification.

Type I or Type II?

Type I evaluates the design of controls at a point in time. Type II evaluates their operating effectiveness over a period, typically 3 to 12 months. Customers usually ask for Type II.

What are the criteria?

Five Trust Services Criteria: Security (the Common Criteria, always required), Availability, Processing Integrity, Confidentiality and Privacy. You scope in the ones relevant to your service.

How long does it take?

A Type II covers an observation period, often 3 to 12 months, during which evidence must be collected continuously. Upfront preparation drives success.

Does this assessment replace the auditor?

No. It is an indicative tool to gauge your readiness and prioritize your actions. Only a qualified auditor can issue a SOC 2 report.