SOC 2 Readiness Accelerator
20-tab SOC 2 program covering assessment through Type 2 audit — 100+ controls, 35 required policies, 7 pre-populated operational logs, and an executive dashboard with three auto-calculated readiness metrics.
This is the first product in the catalog that works as both a point-in-time assessment AND an ongoing 3–12 month operational tracker. SOC 2 has distinct phases (readiness assessment, observation period, audit), and this workbook serves all three.
The 2026 SOC 2 reality: audit costs run $5–50K external plus 2–5x for preparation; the typical timeline is 9–15 months from zero to a Type 2 report; continuous evidence now replaces periodic collection across the full observation window; AI systems fall under existing criteria with no exemption; and the identity lifecycle gets the deepest scrutiny.
20-tab architecture:
Scoping: Scope & System Description (5 sections — system description, infrastructure, people/processes, subprocessors, commitments) and TSC Selection (5 criteria with in-scope status and common combination reference).
Control Libraries: Security Controls — 100+ controls across CC1–CC9, each with CC reference, family, description, evidence type, score, owner, and notes. Auto-calculated family and overall readiness scores. Optional TSC Controls (34 controls across Availability / Confidentiality / Processing Integrity / Privacy). Policy Library tracking 35 required policies with status, review dates, and auto-calculated completion percentage.
Ongoing Operations (7 tabs — where Type 2 audits succeed or fail): Evidence Tracker pre-seeded with 16 common artifact types. Access Review Log pre-seeded with 7 system types (the #1 audit finding area). Vendor Tracker with 10 common SaaS vendors pre-seeded. Risk Register with 10 pre-seeded risks and likelihood × impact heat mapping. Incident Log (CC7.4 evidence, 30 rows). Change Log (CC8.1 evidence, 30 rows). Training Tracker (CC1.5 evidence, 25 rows).
Audit Preparation: Gap Remediation (30 gaps with severity/owner/target/status, auto-calculated closure %). Auditor Selection with 4-tier guide, cost ranges, 10 questions to ask, and red flags. Readiness Checklist (50+ items across 6 stages: Foundational / Type 1 / Type 2 / Pre-audit / During audit / Post-audit). Common Findings (top 10 with prevention strategies). Executive Dashboard — three auto-calculated metrics: Overall SOC 2 Readiness, Policy Completion, Gap Closure.
Pre-populated operational tabs: 16 evidence artifacts auditors will want, 7 access review types, 10 SaaS vendors that appear in virtually every scope, 10 risks every register needs, 35 policies auditors will check. This is where a $15–40K readiness consultant spends their first month.
User Guide: 24 sections, 843 paragraphs. Standout sections: Section 20 (Common SOC 2 Mistakes: starting too broad, treating policies as fiction, sprinting evidence at the end, using the audit firm for readiness), Section 14 (Type 1 vs Type 2 decision framework), Section 22 (FAQ: "how is this different from Drata/Vanta/Secureframe" and "do we need a readiness firm"). Industry adjustments for B2B SaaS, healthcare, FinTech, consumer, DevTools, and early-stage companies.
What's included
- Excel (.xlsx) — fully editable
- Word (.docx) — User Guide — fully editable
- Instant download after purchase
- Free updates — re-download when we release new versions
- Practitioner License: unlimited client use (vCISO / MSP)
- Secure checkout via Stripe
- All major cards accepted
- 30-day satisfaction guarantee