Readiness Process

The readiness sprint is a focused 2–4 week engagement that produces everything you need to pursue a SOC 2 audit with confidence: a defined scope, a control baseline, an evidence plan, and a clear remediation roadmap.

Sprint Timeline

The engagement follows four phases, each building on the outputs of the previous one.

1. Intake (2–6 days)
  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)
  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)
  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (Variable)
  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake (2–6 days)

We start by understanding your business, systems, and compliance context.

  • NDA and stakeholder mapping — identify the people who own systems, data, and processes
  • Document request — collect existing policies, architecture diagrams, vendor lists, and prior audit reports
  • Scoping interviews — understand your products, infrastructure, data flows, and customer commitments
  • System boundary draft — define the initial scope of the audit based on what we learn

2. Assessment (9 days)

We evaluate your current control posture against the selected Trust Services Criteria.

  • TSC selection — recommend which criteria to include based on your business model and buyer expectations
  • Type 1 vs. Type 2 recommendation — determine the right report type for your timeline and goals
  • Control walkthroughs — review existing controls across all 12 domains (access, change management, logging, etc.)
  • Evidence sampling — assess what evidence you can already produce and identify gaps in your evidence repository

3. Outputs (9 days)

We deliver the artifacts that define your path to audit readiness.

  • Controls matrix and gap register — every control mapped to criteria, with gaps ranked by risk
  • Policy and document backlog — list of policies to write or update, prioritized by audit impact
  • Evidence calendar — what to collect, who collects it, and how often
  • Executive readout and remediation roadmap — board-ready summary with a prioritized plan to close gaps

4. Follow-on (Variable)

After the readiness sprint, the path forward depends on the gaps identified.

  • Remediation implementation — close gaps with our support (typically 1–4 months depending on maturity)
  • Type 2 observation period — if pursuing Type 2, operate controls for 3–12 months while collecting evidence

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • Scoped system boundary
  • TSC recommendation
  • Type 1 vs. Type 2 recommendation
  • Control inventory mapped to criteria
  • Gap analysis with risk ranking
  • Evidence collection plan
  • Policy backlog
  • Executive readout

Start Your Readiness Sprint

Most companies complete the readiness sprint in 2–4 weeks. The result is a clear, actionable plan to get audit-ready.
