SOC 2 Readiness • Consulting • Evidence Preparation

SOC 2 Compliance Readiness & Consulting Services

OC Security Audit helps companies become ready for SOC 2. We support the readiness and consulting phase by auditing your current environment, mapping controls, preparing policies, organizing evidence, reviewing vendors, assessing risk, and helping your team close gaps before the formal CPA audit process.

25+ Years: IT, cybersecurity, audit & compliance experience
Dozens: of Southern California business networks supported
Type I/II: readiness support and audit preparation
CPA Ready: evidence, documentation, and control organization
Our Role

We Prepare Your Company Before the SOC 2 Audit

OC Security Audit provides SOC 2 readiness, consulting, gap assessment, control mapping, documentation, evidence preparation, risk assessment, vendor review, remediation support, and audit preparation. The official SOC 2 attestation report is issued by an independent licensed CPA firm; our work helps your organization get ready before that step.

Audit First

We start by reviewing your current business systems, security controls, policies, cloud environment, Microsoft 365, access controls, vendors, and evidence readiness.

Map the Controls

We map your existing and missing controls to SOC 2 readiness expectations so leadership knows what is ready, what is weak, and what needs remediation.

Prepare the Evidence

We help organize the documents, screenshots, tickets, logs, records, approvals, access reviews, vendor reviews, and reports needed for audit readiness.

Readiness with real security expertise. We review the practical controls that support customer trust, enterprise sales, and compliance preparation.
For SaaS, Cloud, MSP & Service Providers

SOC 2 readiness built around your business, systems, customers, and risk.

SOC 2 is often requested by enterprise customers, vendors, procurement teams, investors, and business partners. If your company stores, processes, transmits, manages, or protects customer information, you may need to show that your controls are designed, documented, and operating in a repeatable way.

OC Security Audit helps companies in Southern California, Orange County, Irvine, and Los Angeles build the security and compliance readiness foundation needed before the formal SOC 2 audit.

SaaS Companies • Cloud Services • MSPs • Technology Firms • Professional Services • Growing Businesses
Process & Procedures

Our SOC 2 Readiness Process

We use a structured, practical process that moves your company from uncertainty to readiness.

01 Discovery & Scoping

We identify in-scope systems, applications, services, data, users, vendors, locations, cloud platforms, and business commitments. We help determine whether you are preparing for SOC 2 Type I, SOC 2 Type II, or a staged approach.

02 Gap Assessment

We compare your current security program, policies, procedures, technical controls, and documentation against SOC 2 readiness expectations and identify practical gaps that need attention.

03 Control Mapping

We map controls for access, risk, change management, vendors, incident response, backup, logging, vulnerability management, HR onboarding, cloud security, and governance.

04 Policy & Procedure Documentation

We create, review, and improve the policy package and operational procedures needed to support readiness, including security, access control, vendor risk, incident response, change management, backup, and risk assessment documentation.

05 Risk Assessment & Vendor Reviews

We help identify cybersecurity risks, document the risk register, prioritize remediation, and review critical third-party vendors that support your services or have access to customer information.

06 Evidence Preparation

We build an evidence tracker and help prepare access reviews, MFA records, training records, risk reports, change approvals, vulnerability scan results, backup records, incident logs, vendor reviews, and policy approvals.

07 Remediation Support

We help your team close control gaps, improve configurations, strengthen procedures, update documentation, and prepare for the next step with a clear action plan.

08 Final Readiness Review

Before the formal audit process, we perform a final readiness review to confirm scope, policies, control ownership, risk records, vendor reviews, evidence, and open issues are organized.

Control Areas

What we review, strengthen, and prepare for SOC 2 readiness.

Our readiness consulting covers the security and operational areas that companies commonly need before SOC 2. We focus on both technical controls and documented business procedures.

  • Security governance and control ownership
  • Risk management and risk treatment
  • User access, privileged access, MFA, and least privilege
  • Employee onboarding and termination
  • Change management and approval records
  • Vendor and third-party risk management
  • Incident response planning and evidence
  • Logging, monitoring, and alerting
  • Vulnerability management and patch records
  • Backup, recovery, BCDR, and availability evidence
  • Microsoft 365 and email security
  • Azure, cloud, firewall, endpoint, and network security
Not just paperwork. We evaluate security configurations, identity controls, network risk, cloud settings, and operational readiness.

SOC 2 Type I and Type II readiness support

Type I readiness focuses on whether your controls are designed and documented at a point in time. Type II readiness requires repeatable operation over time, consistent evidence, and disciplined procedures. OC Security Audit helps your company prepare for either path.

Type I: Control design readiness
Type II: Operating effectiveness preparation
5: Trust Services Criteria areas
1: Clear readiness roadmap
Trust Services Criteria

Readiness across the SOC 2 criteria that matter to your customers.

Security is normally central to SOC 2. Depending on your business, additional areas such as availability, confidentiality, processing integrity, and privacy may also need to be considered.

Security

Access control, MFA, monitoring, vulnerability management, incident response, and protection against unauthorized access.

Availability

Backup, recovery, business continuity, disaster recovery, capacity, and service availability readiness.

Confidentiality

Data protection, encryption, access restriction, secure handling, and confidentiality procedures.

Processing Integrity

Change control, processing accuracy, system procedures, and operational consistency.

Privacy

Privacy-related procedures, data handling, notice, consent, retention, and policy alignment where applicable.

Documentation that supports audit readiness. Policies, procedures, control narratives, evidence folders, and trackers organized for the next phase.
Policy Package

Policy and procedure documentation built for real business use.

Many organizations have security tools but lack formal documentation. OC Security Audit helps create or improve the documentation needed to support SOC 2 readiness.

  • Information Security Policy
  • Access Control Policy
  • Acceptable Use Policy
  • Password and MFA Policy
  • Change Management Policy
  • Incident Response Policy
  • Vendor Risk Management Policy
  • Risk Assessment Policy
  • Data Classification Policy
  • Encryption Policy
  • Backup and Recovery Policy
  • Business Continuity and DR Policy
  • Vulnerability Management Policy
  • Asset Management Policy
  • Security Awareness Training Policy
  • Onboarding and Termination Procedures
Deliverables

Clear deliverables your leadership, IT team, and auditors can use.

Our consulting work is designed to produce practical outputs, not vague recommendations.

  • SOC 2 readiness assessment report
  • Gap analysis and risk-rated findings
  • Executive summary for leadership
  • Risk assessment report
  • Risk register and treatment plan
  • Control matrix and control mapping
  • Policy and procedure package
  • Vendor risk review documentation
  • Evidence request list
  • Evidence tracker and folder structure
  • Remediation roadmap
  • Audit readiness checklist
  • Technical security review findings
  • Microsoft 365 and Azure review notes
  • Firewall and network security findings
  • Final readiness report
Why Companies Struggle

We help close the gaps that delay SOC 2 readiness.

Companies often start SOC 2 after a customer asks for it, then discover that the policies, procedures, records, and evidence are not ready. OC Security Audit helps identify those problems early and builds a structured plan to fix them.

  • No formal security policies
  • No documented risk assessment
  • No vendor review process
  • No access review records
  • Weak onboarding and termination procedures
  • Missing MFA enforcement
  • Incomplete change management evidence
  • Poor vulnerability remediation tracking
  • No incident response testing
  • No backup or DR evidence
  • Cloud security misconfigurations
  • Unclear control ownership
Find the gap before the audit finds it. Readiness work helps reduce surprises, confusion, and delays.

Evidence preparation made practical. We help your team know what to collect, where to store it, and how to maintain it.
Evidence Readiness

We organize the proof behind your controls.

Evidence is where many SOC 2 readiness projects slow down. We help your company identify and prepare supporting documentation such as access review records, user provisioning and termination records, MFA screenshots, security training records, risk assessment reports, vendor reviews, change tickets, incident logs, vulnerability scans, patch records, backup reports, firewall reviews, cloud security settings, endpoint protection status, log monitoring records, and policy approvals.

Access Reviews • Change Tickets • Vendor Reviews • Risk Register • Security Training • Backup Evidence
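As an added example (not OC Security Audit's tooling), the script below reconciles a constructed HR roster against a constructed identity export and records the access review findings described above, tagged with the control IDs used in the readiness matrix on this page. The sample data, the "svc-" service account naming convention, and the one-day access removal target are assumptions.

```python
"""Access review reconciliation for SOC 2 readiness evidence.

Added example, not OC Security Audit's tooling. It reconciles an HR roster
(system of record for joiners and leavers) against an identity export and
records the findings an access review would capture, tagged with the control
IDs used in the readiness matrix on this page (CC6.1-CC6.4). All input data is
constructed and embedded inline so the script runs offline.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed HR roster (no real people). HR is the system of record for status.
HR_ROSTER = """employee_id,email,status,termination_date,manager
1001,alice@example.com,active,,cto@example.com
1002,bob@example.com,terminated,2024-03-15,cto@example.com
1003,carol@example.com,active,,ciso@example.com
"""

# Constructed identity export, as a directory or IdP might produce it.
ACCOUNT_EXPORT = """email,enabled,mfa_enrolled,privileged,owner
alice@example.com,true,true,false,
bob@example.com,true,true,false,
carol@example.com,true,false,true,ciso@example.com
svc-backup@example.com,true,false,true,
"""

# Assumed internal target: access removed within one day of termination.
REMOVAL_SLA_DAYS = 1
# Assumed naming convention for service accounts, which have no HR record.
SERVICE_ACCOUNT_PREFIX = "svc-"


@dataclass(frozen=True)
class Finding:
    control_id: str   # readiness matrix row the finding maps to
    priority: str     # priority from that matrix row
    account: str
    issue: str


def _parse(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _is_true(value):
    return value.strip().lower() == "true"


def reconcile(hr_csv, account_csv, as_of):
    """Compare every account against HR and return findings sorted by control ID."""
    hr_by_email = {row["email"].lower(): row for row in _parse(hr_csv)}
    findings = []
    for acct in _parse(account_csv):
        email = acct["email"].lower()
        enabled = _is_true(acct["enabled"])
        person = hr_by_email.get(email)
        is_service = email.startswith(SERVICE_ACCOUNT_PREFIX)

        # CC6.4: terminated in HR but the account is still enabled.
        if person and person["status"] == "terminated" and enabled:
            days_open = (as_of - date.fromisoformat(person["termination_date"])).days
            findings.append(Finding("CC6.4", "Critical", email,
                f"still enabled {days_open} days after termination "
                f"(target: {REMOVAL_SLA_DAYS} day)"))

        # CC6.3: enabled account without MFA. Service accounts are flagged too, so
        # the reviewer documents a compensating control instead of skipping them.
        if enabled and not _is_true(acct["mfa_enrolled"]):
            findings.append(Finding("CC6.3", "Critical", email, "MFA not enrolled"))

        # CC6.1: privileged account with no named owner.
        if _is_true(acct["privileged"]) and not acct["owner"].strip():
            findings.append(Finding("CC6.1", "Critical", email,
                                    "privileged account has no named owner"))

        # CC6.2: user account that was never registered through HR.
        if person is None and not is_service:
            findings.append(Finding("CC6.2", "Critical", email,
                                    "account has no matching HR record"))
    return sorted(findings, key=lambda f: (f.control_id, f.account))


def tracker_rows(findings):
    """Render findings as pipe-separated rows for the readiness tracker."""
    return [f"{f.control_id} | {f.priority} | {f.account} | {f.issue} | Open"
            for f in findings]


def run_sample(as_of=date(2024, 4, 1)):
    """Reconcile the constructed sample data as of a fixed review date."""
    return reconcile(HR_ROSTER, ACCOUNT_EXPORT, as_of)


if __name__ == "__main__":
    for line in tracker_rows(run_sample()):
        print(line)
```

The printed rows, together with the two source exports, are the kind of dated artifact an access review folder in the evidence repository would hold.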

Experienced cybersecurity leadership under Ali Hassani

OC Security Audit, with 25+ years of experience under the management of Ali Hassani, has worked on dozens of networks for businesses in Southern California, Irvine, and Los Angeles. With certifications such as CISSP, CCISO, MCSE, MCSA Security, MCITP, CCNA, CCNP, and more, we are professionals who help make your network and data more secure and your business more compliant.

CISSP: Security leadership
CCISO: Executive security governance
MCSE/MCSA: Microsoft infrastructure
CCNA/CCNP: Network security experience
Practical Security Consulting

Stronger security, cleaner evidence, and a clearer path to compliance readiness.

Our approach is built for companies that need a real-world security partner. We help leadership understand the risks, help IT teams remediate technical gaps, help operations document repeatable procedures, and help the business prepare for customer security reviews and SOC 2 readiness.

Built for decision-makers. Executive reporting, control ownership, remediation priorities, and readiness milestones.

Policies, controls, and evidence aligned. Readiness requires documentation that matches how the business actually operates.
Questions Customers Ask

SOC 2 Readiness FAQ

Does OC Security Audit issue the SOC 2 report?

No. The official SOC 2 report is issued by an independent licensed CPA firm. OC Security Audit helps with readiness, consulting, gap assessment, control mapping, documentation, evidence preparation, risk assessment, remediation support, vendor review, and audit preparation.

Can you help if we are starting from zero?

Yes. We can begin with a readiness assessment, define the scope, identify missing controls, create policies, prepare a roadmap, and help your team build the foundation needed for SOC 2 readiness.

Do you help with technical security issues?

Yes. We review practical technical areas such as Microsoft 365 security, Azure cloud security, identity and access management, firewall configuration, endpoint security, logging, vulnerability management, backup, and incident response readiness.

Can you help us prepare for enterprise customer security reviews?

Yes. SOC 2 readiness often supports sales, procurement, vendor security questionnaires, investor due diligence, and customer trust. We help organize policies, evidence, controls, and reports that support those conversations.

Get SOC 2 Ready With Confidence

Prepare your company before the audit starts.

OC Security Audit helps you identify gaps, create policies, map controls, prepare evidence, assess risk, review vendors, strengthen technical security, and become ready for SOC 2 Type I or SOC 2 Type II.

Important: OC Security Audit provides SOC 2 readiness, consulting, assessment, documentation, evidence preparation, control review, and audit preparation services. The official SOC 2 attestation must be performed, and the report issued, by an independent licensed CPA firm.

OC Security Audit SOC 2 Readiness Checklist
SOC 2 Compliance Readiness Checklist

OC Security Audit SOC 2 Readiness Control Checklist

OC Security Audit prepares companies for SOC 2 compliance readiness through consulting, discovery, scoping, gap assessment, control mapping, policy documentation, evidence preparation, risk assessment, vendor reviews, remediation planning, and final readiness support before the formal audit process.

This checklist helps CISOs, IT managers, network engineers, network administrators, cybersecurity engineers, and leadership teams evaluate current settings against SOC 2 Trust Services Criteria and readiness expectations. OC Security Audit reviews the required criteria, prepares documentation, organizes evidence, and helps your company become ready for the independent SOC 2 audit process.

Readiness Workbook View

58: Checklist Rows
5: Trust Services Criteria
CC1-CC9: Security Common Criteria
Discovery & Scoping

Identify systems, services, customer data, vendors, users, applications, cloud platforms, and SOC 2 objectives.

Gap Assessment

Review security, governance, access, change, risk, operations, monitoring, documentation, and evidence maturity.

Control Mapping

Map controls to SOC 2 readiness expectations and identify missing controls, unclear ownership, and weak evidence.

Evidence Preparation

Prepare policies, screenshots, tickets, logs, reports, approvals, risk assessments, vendor reviews, and final readiness records.

SOC 2 Readiness Spreadsheet

SOC 2 Readiness Control Matrix

Use this matrix to review SOC 2 readiness across Security/Common Criteria, Availability, Confidentiality, Processing Integrity, Privacy, and the readiness project lifecycle. The status column can be copied into your internal tracker.

Priority legend: Critical, High, Medium

| Control ID | SOC 2 Area / TSC | Requirement / Criterion | Readiness Checklist Question | Control / Process to Investigate | Evidence to Prepare | Risk Assessment Focus | Business Impact if Gap Exists | Primary Owner | Systems / Scope | Readiness Status | Priority | OC Security Audit Consulting Support |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| RD-01 | SOC 2 Readiness Program | Discovery & business context | Have the business objectives, services, customers, data types, and SOC 2 drivers been documented? | Interview leadership, IT, security, operations, HR, engineering, and application owners. | Discovery notes, service descriptions, org chart, customer requirements, business objectives. | Incomplete understanding of system boundaries and commitments. | Incorrect scope, wasted effort, missed controls, audit delay. | CISO / Executive Sponsor | Company-wide / in-scope service | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| RD-02 | SOC 2 Readiness Program | SOC 2 scope definition | Are systems, applications, locations, vendors, cloud platforms, data flows, and control owners clearly in scope? | Define in-scope products, infrastructure, applications, data stores, vendors, people, and processes. | Scope memo, system inventory, network/cloud diagram, data flow diagram, owner matrix. | Unclear scope or excluded dependencies. | Auditor questions, control gaps, incomplete evidence. | CISO / IT Manager | In-scope environment | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| RD-03 | SOC 2 Readiness Program | Trust Services Criteria selection | Has the company selected Security plus any relevant Availability, Confidentiality, Processing Integrity, or Privacy criteria? | Match criteria to customer contracts, service commitments, data sensitivity, uptime commitments, and business model. | Trust category recommendation, scope decision log, management approval. | Wrong criteria selection or over/under-scoping. | Higher audit burden, customer rejection, incomplete assurance. | Executive Sponsor / Compliance Lead | SOC 2 report scope | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| RD-04 | SOC 2 Readiness Program | Readiness gap assessment | Has a pre-audit gap assessment been performed before engaging the formal audit process? | Assess governance, access, operations, change, risk, vendors, security controls, and evidence maturity. | Gap report, risk-rated findings, remediation tracker. | Unknown weaknesses remain unresolved. | Audit delays, costly remediation, customer confidence issues. | CISO / Compliance Lead | All in-scope areas | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| RD-05 | SOC 2 Readiness Program | Evidence repository | Is there a structured, controlled evidence repository for policies, screenshots, tickets, reports, logs, and approvals? | Create folder structure, naming standards, evidence owner assignments, collection frequency, and retention approach. | Evidence tracker, repository index, sample evidence folders. | Missing or inconsistent audit evidence. | Controls may appear undocumented or not operating. | Compliance Lead / IT Manager | Evidence management | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| RD-06 | SOC 2 Readiness Program | Management readiness reporting | Does leadership receive clear status on readiness, risk, blockers, remediation, and open evidence? | Build executive dashboards, weekly milestone reports, control closure summaries, and decision logs. | Executive summary, readiness dashboard, meeting minutes. | Leadership blind spots and delayed decisions. | Readiness project stalls or risks remain accepted informally. | Executive Sponsor / CISO | Governance | Client to assess | Medium | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC1.1 | Security / Common Criteria | Control Environment: Integrity and ethical values | Are integrity, ethics, security responsibility, acceptable use, and expected conduct communicated and enforced? | Review code of conduct, acceptable use, HR/security policies, disciplinary process, and security culture practices. | Code of conduct, employee handbook, policy acknowledgments, disciplinary procedures. | Weak accountability and inconsistent security behavior. | Employees may bypass controls or mishandle sensitive data. | HR / Executive Leadership | Company-wide | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC1.2 | Security / Common Criteria | Control Environment: Oversight responsibility | Does governance or leadership provide oversight over security, risk, compliance, and control performance? | Review board/management oversight, security reporting cadence, and escalation processes. | Security committee minutes, leadership reports, risk review records. | Security risks not escalated or managed. | Unaddressed material weaknesses and slow remediation. | Executive Sponsor / CISO | Governance | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC1.3 | Security / Common Criteria | Control Environment: Structure, authority, responsibility | Are roles, reporting lines, authorities, and security responsibilities clearly defined? | Validate org chart, job descriptions, RACI, and control owner matrix. | Org chart, RACI, job descriptions, control owner list. | No clear ownership for controls. | Controls fail due to unclear responsibilities. | Executive Leadership / HR | Company-wide | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC1.4 | Security / Common Criteria | Control Environment: Competence | Are personnel qualified, trained, and supported to perform security and control responsibilities? | Review hiring practices, training, certifications, job responsibilities, and performance management. | Training records, job descriptions, certification records, onboarding checklists. | Personnel may lack required security skills. | Misconfiguration, poor response, audit findings. | HR / IT Manager | Employees and contractors | Client to assess | Medium | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC1.5 | Security / Common Criteria | Control Environment: Accountability | Are individuals held accountable for internal control responsibilities and security obligations? | Review performance management, control task ownership, escalation, and policy enforcement. | Performance review templates, task trackers, control ownership records. | Control tasks not performed on schedule. | Evidence gaps and repeated control failures. | Executive Leadership / CISO | Company-wide | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC2.1 | Security / Common Criteria | Information and Communication: Quality information | Does the organization obtain and generate quality information to support controls? | Review inventory, logs, reporting, monitoring, metrics, and data used for security decisions. | Asset inventory, risk reports, monitoring dashboards, vulnerability reports. | Decisions based on incomplete or inaccurate information. | Missed vulnerabilities, poor prioritization, control failure. | IT Manager / Security Lead | Security operations | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC2.2 | Security / Common Criteria | Information and Communication: Internal communication | Are security policies, control responsibilities, incidents, and risks communicated internally? | Review security announcements, training, escalation procedures, and internal reporting. | Policy acknowledgments, training records, internal memos, incident communication plans. | Employees are unaware of responsibilities. | Policy violations, incident delays, inconsistent processes. | CISO / HR | Company-wide | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC2.3 | Security / Common Criteria | Information and Communication: External communication | Are external parties informed about relevant security commitments, incidents, responsibilities, and customer obligations? | Review customer security commitments, vendor communications, incident notification procedures, and support processes. | Customer agreements, vendor notices, incident communication templates, support procedures. | External commitments not managed. | Contract issues, customer trust loss, compliance gaps. | Legal / Compliance Lead | Customers and vendors | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC3.1 | Security / Common Criteria | Risk Assessment: Objectives | Are security, availability, confidentiality, processing, and privacy objectives defined clearly enough to identify risks? | Review objectives, service commitments, control objectives, customer obligations, and risk appetite. | Security objectives, service commitments, risk appetite statement. | Unclear objectives lead to incomplete risk assessment. | Misaligned controls and weak prioritization. | CISO / Executive Sponsor | Governance | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC3.2 | Security / Common Criteria | Risk Assessment: Identify and analyze risks | Does the company identify, analyze, and prioritize risks to achievement of objectives? | Perform formal cybersecurity risk assessment covering systems, data, vendors, people, and processes. | Risk assessment report, risk register, treatment plan. | Undetected threats and unmanaged vulnerabilities. | Breach, outage, data loss, customer concerns. | CISO / Risk Owner | In-scope environment | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC3.3 | Security / Common Criteria | Risk Assessment: Fraud risk | Does the organization consider fraud, misuse, insider threat, and abuse scenarios in risk assessment? | Review fraud risk, privileged access abuse, financial/process manipulation, and unauthorized data access scenarios. | Fraud risk notes, insider threat review, privileged access review. | Fraud or abuse not considered in controls. | Financial loss, data exposure, trust damage. | CISO / Finance / HR | Sensitive processes | Client to assess | Medium | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC3.4 | Security / Common Criteria | Risk Assessment: Significant change | Are significant changes in business, technology, vendors, threats, or regulations identified and assessed? | Review change risk assessment, vendor changes, cloud migrations, new products, and threat landscape changes. | Change review records, risk reassessment notes, management approvals. | New risks introduced without review. | Misconfigured systems, missed controls, audit exceptions. | IT Manager / Change Manager | Change management | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC4.1 | Security / Common Criteria | Monitoring Activities: Ongoing evaluation | Are controls monitored through ongoing or periodic evaluations? | Review internal audits, control testing, management reviews, and automated monitoring. | Control testing records, internal audit reports, monitoring dashboards. | Control failures go undetected. | Audit gaps, security incidents, noncompliance. | CISO / Internal Audit | Control environment | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC4.2 | Security / Common Criteria | Monitoring Activities: Deficiency communication | Are control deficiencies identified, prioritized, communicated, and remediated in a timely manner? | Review remediation tracker, severity ratings, owners, target dates, escalation process. | Deficiency reports, remediation tracker, closure evidence. | Findings remain open or ignored. | Repeated audit findings and increased breach risk. | CISO / Control Owners | Control remediation | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC5.1 | Security / Common Criteria | Control Activities: Select and develop controls | Are control activities selected and designed to mitigate identified risks? | Review control design against risk register, policies, and system objectives. | Control matrix, risk-to-control mapping, design review. | Controls do not address actual risks. | False sense of security and audit exceptions. | CISO / Compliance Lead | Control design | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC5.2 | Security / Common Criteria | Control Activities: Technology general controls | Are technology controls developed for infrastructure, software, access, operations, and change? | Review ITGCs, system configurations, administrative access, backups, monitoring, and change approvals. | ITGC matrix, configuration evidence, change tickets, access reviews. | Technology controls are inconsistent or undocumented. | System compromise, downtime, audit gaps. | IT Manager / Network Administrator | IT systems | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC5.3 | Security / Common Criteria | Control Activities: Policies and procedures | Are controls deployed through documented policies and procedures? | Review policy set, procedure details, approvals, communication, and review cycles. | Policies, procedures, approval records, review logs. | Control expectations not documented or followed. | Inconsistent execution and insufficient evidence. | Compliance Lead / CISO | Policy program | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.1 | Security / Common Criteria | Logical Access: Access security architecture | Are logical access controls designed to restrict access to systems and protected information assets? | Review identity architecture, role-based access, authentication, authorization, network segmentation, and admin controls. | Access control policy, RBAC matrix, IAM configuration, network diagrams. | Unauthorized access due to weak architecture. | Data breach, privilege escalation, regulatory concern. | IT Manager / Identity Admin | IAM / infrastructure | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.2 | Security / Common Criteria | Logical Access: User registration and authorization | Are users registered, approved, and authorized before credentials are issued? | Review joiner process, manager approvals, ticketing, background checks where applicable, and account creation. | User provisioning tickets, approvals, onboarding checklist. | Unauthorized or inappropriate accounts created. | Excess access and insider misuse. | IT Manager / HR | User access | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.3 | Security / Common Criteria | Logical Access: Authentication | Are users authenticated before access is granted, including MFA where appropriate? | Review password standards, SSO, MFA, conditional access, privileged access authentication, and service accounts. | MFA screenshots, SSO policy, authentication settings, privileged account list. | Weak authentication or credential compromise. | Account takeover and unauthorized access. | Identity Admin / Security Lead | IAM / cloud / apps | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.4 | Security / Common Criteria | Logical Access: Access modification and removal | Are access rights modified or removed when roles change or users terminate? | Review movers/leavers process, termination timing, HR-to-IT workflow, access recertification. | Offboarding tickets, access removal logs, HR termination notices, access review evidence. | Former users or role-changed users retain access. | Data theft, unauthorized activity, audit finding. | HR / IT Manager | User lifecycle | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.5 | Security / Common Criteria | Physical Access: Facility and asset protection | Are physical access controls in place for offices, network equipment, endpoints, and data centers? | Review badge access, visitor logs, server room controls, CCTV, equipment inventory, and secure disposal. | Badge reports, visitor logs, server room access list, asset disposal records. | Physical theft or unauthorized facility access. | System outage, data exposure, equipment loss. | Facilities / IT Manager | Facilities / equipment | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.6 | Security / Common Criteria | Boundary Protection: External threats | Are controls implemented to protect systems from external threats and unauthorized network access? | Review firewalls, VPN, WAF, IDS/IPS, endpoint security, secure remote access, email protection, and cloud perimeter. | Firewall rules, VPN settings, EDR reports, email security settings, vulnerability scan. | External attacker gains access. | Breach, ransomware, service disruption. | Network Engineer / Security Lead | Network and cloud perimeter | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.7 | Security / Common Criteria | Data Movement: Transmission and removal | Are controls in place for transmission, movement, and removal of information? | Review encryption, DLP, file sharing, removable media, email forwarding, data export controls, and remote access. | Encryption settings, DLP policy, data transfer logs, approved sharing procedures. | Data exfiltration or uncontrolled disclosure. | Loss of confidentiality and customer trust. | Security Lead / Data Owner | Data transfer channels | Client to assess | High | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
| CC6.8 | Security / Common Criteria | Malicious Software Protection | Are controls in place to prevent and detect malware, ransomware, and unauthorized software? | Review EDR/AV deployment, patching, application control, alerting, and response process. | EDR dashboard, malware alerts, endpoint coverage report, response tickets. | Malware or unauthorized software compromises systems. | Ransomware, data loss, downtime. | Security Lead / Endpoint Admin | Endpoints and servers | Client to assess | Critical | OC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation. |
CC7.1Security / Common CriteriaSystem Operations: Detection of anomaliesAre systems monitored to detect anomalies, suspicious activity, and security events?Review SIEM, log sources, alert rules, EDR alerts, cloud alerts, and monitoring coverage.SIEM dashboards, log source inventory, alert rules, EDR reports.Malicious activity goes undetected.Long dwell time and larger breach impact.Security Operations / IT ManagerMonitoring systemsClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC7.2Security / Common CriteriaSystem Operations: Monitoring componentsAre system components monitored for configuration, performance, availability, and security events?Review infrastructure monitoring, cloud monitoring, endpoint status, network monitoring, and service health alerts.Monitoring dashboard, uptime reports, device inventory, alert history.Infrastructure issues or attacks are missed.Outage, degraded service, delayed response.Network Administrator / Systems AdminInfrastructureClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC7.3Security / Common CriteriaSystem Operations: Security event evaluationAre detected security events evaluated to determine whether they are incidents?Review triage procedures, severity matrix, alert handling, escalation and incident classification.Triage tickets, severity matrix, incident decision records.Events not triaged or escalated properly.Delayed containment and inconsistent response.Security Lead / SOC AnalystIncident triageClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC7.4Security / Common CriteriaSystem Operations: Incident responseAre incidents responded to using documented procedures, roles, escalation, and communication plans?Review incident response plan, playbooks, roles, communication, evidence preservation, and tabletop exercises.Incident response plan, playbooks, tabletop records, incident tickets.Disorganized incident response.Longer downtime, evidence loss, customer impact.CISO / Incident CommanderIncident responseClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC7.5Security / Common CriteriaSystem Operations: Recovery activitiesAre recovery activities identified, developed, implemented, and tested after incidents or disruptions?Review recovery plans, lessons learned, root cause analysis, corrective actions, and restoration evidence.Post-incident reports, recovery records, corrective action tracker.Failure to recover effectively or prevent recurrence.Repeated incidents, downtime, audit concerns.IT Manager / DR OwnerRecovery processClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC8.1Security / Common CriteriaChange ManagementAre infrastructure, software, firewall, cloud, and application changes authorized, tested, approved, and documented?Review change tickets, approvals, testing, rollback plans, emergency change procedures, and production deployment records.Change tickets, approvals, test results, deployment logs, rollback plans.Unauthorized or poorly tested changes.Outages, security gaps, audit exceptions.Change Manager / Engineering LeadApplications and infrastructureClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC9.1Security / Common CriteriaRisk Mitigation: Business disruptionAre risk mitigation activities developed for business disruptions, security threats, and operational dependencies?Review risk treatment plans, BCDR controls, insurance, contingency plans, and critical process dependencies.Risk treatment plan, BCDR plan, mitigation tracker, dependency map.Risks accepted without mitigation.Operational failure or unacceptable downtime.Risk Owner / Executive SponsorRisk managementClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
CC9.2Security / Common CriteriaRisk Mitigation: Vendor and business partner riskAre vendor and business partner risks assessed, managed, monitored, and documented?Review vendor inventory, risk tiering, SOC reports, contracts, access, DPAs, and annual reviews.Vendor inventory, vendor risk assessments, SOC reports, contracts, review evidence.Vendor weakness impacts company systems or data.Data exposure, service disruption, third-party audit gaps.Vendor Manager / Compliance LeadThird partiesClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
A1.1AvailabilityAvailability: Capacity and performanceAre processing capacity, system performance, and resource utilization monitored to meet availability commitments?Review capacity planning, uptime monitoring, performance thresholds, scaling, and resource alerts.Capacity reports, uptime reports, monitoring alerts, service-level reports.Capacity constraints or performance issues not detected.Customer-facing downtime or SLA issues.IT Manager / Cloud EngineerProduction systemsClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
A1.2AvailabilityAvailability: Environmental protections and recovery supportAre backup, environmental, infrastructure, and recovery controls in place to support availability?Review backups, replication, redundancy, environmental controls, cloud resilience, and DR infrastructure.Backup reports, DR architecture, redundancy evidence, recovery procedures.No recoverable backup or insufficient resilience.Extended outage and customer impact.Systems Admin / DR OwnerCritical systemsClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
A1.3AvailabilityAvailability: Recovery plan testingAre disaster recovery, backup restoration, and business continuity plans tested regularly?Review DR tests, restore tests, tabletop exercises, RTO/RPO metrics, and corrective actions.DR test report, backup restore evidence, BCDR tabletop records.Plans fail when needed.Extended downtime and loss of customer trust.DR Owner / IT ManagerBCDR programClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
C1.1ConfidentialityConfidentiality: Identify and maintain confidential informationHas confidential information been identified, classified, inventoried, and protected based on need-to-know?Review data classification, data inventory, owners, access rules, encryption, and retention.Data inventory, classification policy, access list, encryption settings.Sensitive data not identified or protected.Unauthorized disclosure, customer trust loss.Data Owner / Security LeadConfidential dataClient to assessCriticalOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
C1.2ConfidentialityConfidentiality: Protect and dispose confidential informationAre confidential information retention, transmission, storage, access, and disposal controls enforced?Review retention schedules, secure disposal, encryption, DLP, file sharing, and archival processes.Retention policy, disposal certificates, DLP policy, encryption evidence.Improper retention or disposal of confidential data.Data leakage, legal and customer issues.Data Owner / Compliance LeadConfidential data lifecycleClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
PI1.1Processing IntegrityProcessing Integrity: Quality informationIs relevant, complete, accurate, timely, and authorized information used to support processing objectives?Review input sources, data validation, process ownership, and exception reporting.Process maps, data source inventory, validation rules, exception logs.Incorrect or incomplete source data.Bad outputs, customer errors, operational loss.Application Owner / Data OwnerProcessing systemsClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
PI1.2Processing IntegrityProcessing Integrity: InputsAre system inputs authorized, complete, accurate, and timely?Review input controls, API validation, import logs, approvals, and error handling.Input validation evidence, import logs, API controls, approval records.Invalid or unauthorized data enters system.Processing errors and inaccurate customer results.Application Owner / EngineeringApplications / data inputsClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
PI1.3Processing IntegrityProcessing Integrity: ProcessingAre processing activities complete, valid, accurate, timely, and protected from unauthorized manipulation?Review processing logic, job controls, error handling, reconciliations, and monitoring.Job logs, reconciliation reports, exception reports, code review evidence.Processing errors not detected.Incorrect reports, financial or customer impact.Application Owner / EngineeringProcessing workflowsClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
PI1.4Processing IntegrityProcessing Integrity: OutputsAre outputs complete, accurate, timely, and distributed only to authorized recipients?Review output validation, reporting controls, recipient access, delivery logs, and exception handling.Output reports, delivery logs, access lists, validation checks.Incorrect or unauthorized outputs.Customer disputes, data exposure, operational error.Application Owner / Data OwnerReports / outputsClient to assessMediumOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
PI1.5Processing IntegrityProcessing Integrity: Storage, retention, and disposalAre data storage, retention, and disposal processes aligned with processing requirements?Review retention rules, database storage, archiving, disposal, backup retention, and data lifecycle controls.Retention schedules, disposal logs, database policies, backup retention settings.Data retained too long or lost too early.Legal issues, lost records, privacy concerns.Data Owner / Compliance LeadData lifecycleClient to assessMediumOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P1.1PrivacyPrivacy: Notice and communicationAre privacy notices, policies, and practices communicated to data subjects and customers?Review privacy policy, customer notices, website notices, contractual terms, and change communication.Privacy notice, website policy, customer terms, notice change records.Individuals are not informed of privacy practices.Customer trust issues and privacy compliance gaps.Privacy Lead / LegalPersonal informationClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P2.1PrivacyPrivacy: Choice and consentAre choices, consent, opt-in/opt-out, and preference mechanisms documented and honored?Review consent flows, opt-out controls, preference records, and processing basis.Consent logs, preference records, opt-out procedures, screenshots.Privacy preferences not captured or honored.Complaints, contract issues, regulatory concern.Privacy Lead / Product OwnerPersonal informationClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P3.1PrivacyPrivacy: CollectionIs personal information collected only for disclosed, authorized, and necessary purposes?Review data collection points, forms, APIs, logs, minimization, and purpose limitation.Data collection inventory, form screenshots, API documentation, data mapping.Overcollection or unauthorized collection.Privacy exposure and increased breach impact.Privacy Lead / Data OwnerPersonal information collectionClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P4.1PrivacyPrivacy: Use, retention, and disposalIs personal information used, retained, and disposed according to notices, policy, and business purpose?Review data use cases, retention schedules, deletion process, archival rules, and disposal evidence.Retention schedule, deletion tickets, privacy policy, data lifecycle records.Data used outside disclosed purpose or kept too long.Privacy risk, customer concern, legal exposure.Privacy Lead / Compliance LeadPersonal information lifecycleClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P5.1PrivacyPrivacy: Access by data subjectsCan individuals access, correct, or request actions on personal information as required by company policy and commitments?Review data subject request process, identity verification, workflow, response timelines, and records.DSR procedure, request log, identity verification evidence, response templates.Requests mishandled or delayed.Customer complaints and privacy compliance gaps.Privacy Lead / Support ManagerPrivacy requestsClient to assessMediumOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P6.1PrivacyPrivacy: Disclosure to third partiesAre disclosures of personal information to third parties authorized, documented, and limited?Review third-party sharing, DPAs, vendor contracts, subprocessors, and transfer controls.Vendor list, DPAs, subprocessors list, sharing map, approval records.Unauthorized third-party disclosure.Privacy incident and customer trust damage.Privacy Lead / Vendor ManagerThird-party sharingClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P6.2PrivacyPrivacy: Third-party privacy obligationsAre third parties required to protect personal information and report incidents as committed?Review contractual clauses, vendor privacy/security reviews, breach notification duties, and monitoring.Contracts, DPAs, vendor assessments, breach notification terms.Third party fails to protect data or notify.Privacy breach, delayed response, contract exposure.Vendor Manager / LegalThird partiesClient to assessHighOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P7.1PrivacyPrivacy: Data qualityIs personal information maintained as accurate, complete, and relevant for its intended use?Review data correction processes, validation controls, master data ownership, and customer update procedures.Data quality reports, correction tickets, validation rules, customer update logs.Incorrect personal information used.Poor service, customer complaint, privacy issue.Data Owner / Privacy LeadPersonal informationClient to assessMediumOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
P8.1PrivacyPrivacy: Monitoring and enforcementAre privacy controls monitored, complaints handled, and violations remediated?Review privacy control monitoring, complaint tracking, incident escalation, policy enforcement, and training.Privacy review reports, complaint logs, corrective action records, training evidence.Privacy control failures persist.Repeated issues and loss of customer trust.Privacy Lead / Compliance LeadPrivacy programClient to assessMediumOC Security Audit reviews, validates, documents gaps, maps controls, prepares evidence, and supports readiness remediation.
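One way to produce the CC6.4 "access removal" evidence the matrix above asks for (termination timing and access removal logs), as an added example written for this page rather than OC Security Audit's own tooling: it reconciles a constructed HR leaver list against a constructed identity-provider account export and flags accounts that stayed enabled, or were disabled after an assumed one-day removal deadline.

```python
"""
Leaver access reconciliation for SOC 2 CC6.4 evidence.

Added example (not part of the OC Security Audit page). Compares an HR
termination list with an identity-provider account export and flags
terminated users whose access was not removed on time. All sample data
below is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed offboarding standard: accounts disabled within 1 day of termination.
# Replace with the deadline in the client's documented HR-to-IT workflow.
REMOVAL_DEADLINE_DAYS = 1


@dataclass(frozen=True)
class Leaver:
    user_id: str
    termination_date: date


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str                          # constructed system names, e.g. "m365"
    enabled: bool
    disabled_on: Optional[date] = None   # None while the account is enabled
    privileged: bool = False


@dataclass(frozen=True)
class Finding:
    user_id: str
    system: str
    severity: str      # "high" for privileged accounts, otherwise "medium"
    days_late: int     # days past the removal deadline; -1 when still enabled
    detail: str


def reconcile_leavers(leavers: List[Leaver], accounts: List[Account],
                      as_of: date) -> List[Finding]:
    """Return one Finding per leaver account whose removal missed the deadline."""
    by_user: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_user.setdefault(acct.user_id, []).append(acct)

    findings: List[Finding] = []
    for leaver in leavers:
        deadline = leaver.termination_date + timedelta(days=REMOVAL_DEADLINE_DAYS)
        for acct in by_user.get(leaver.user_id, []):
            severity = "high" if acct.privileged else "medium"
            if acct.enabled:
                # A still-enabled leaver account is the exception auditors test for.
                open_days = (as_of - leaver.termination_date).days
                findings.append(Finding(
                    acct.user_id, acct.system, severity, -1,
                    f"still enabled {open_days} days after termination"))
            elif acct.disabled_on is not None and acct.disabled_on > deadline:
                late = (acct.disabled_on - deadline).days
                findings.append(Finding(
                    acct.user_id, acct.system, severity, late,
                    f"disabled {late} day(s) after the removal deadline"))
    return findings


def review_summary(leavers: List[Leaver], accounts: List[Account],
                   as_of: date) -> Dict[str, int]:
    """Counts suitable for the access-review evidence record (population, exceptions)."""
    findings = reconcile_leavers(leavers, accounts, as_of)
    leaver_ids = {lv.user_id for lv in leavers}
    checked = [a for a in accounts if a.user_id in leaver_ids]
    account_ids = {a.user_id for a in accounts}
    no_account = sum(1 for lv in leavers if lv.user_id not in account_ids)
    return {
        "leavers": len(leavers),
        "accounts_checked": len(checked),
        "exceptions": len(findings),
        "on_time": len(checked) - len(findings),   # at most one finding per account
        "no_account": no_account,                  # confirm manually: never provisioned?
    }


# Constructed sample inputs: an HR leaver list and an IdP account export.
AS_OF = date(2024, 3, 31)
SAMPLE_LEAVERS = [
    Leaver("alice", date(2024, 3, 1)),
    Leaver("bob", date(2024, 3, 5)),
    Leaver("carol", date(2024, 3, 10)),
    Leaver("dave", date(2024, 2, 20)),   # no account in the export
]
SAMPLE_ACCOUNTS = [
    Account("alice", "m365", enabled=False, disabled_on=date(2024, 3, 1)),
    Account("alice", "vpn", enabled=False, disabled_on=date(2024, 3, 3)),
    Account("bob", "m365", enabled=True, privileged=True),
    Account("carol", "m365", enabled=False, disabled_on=date(2024, 3, 14)),
    Account("erin", "m365", enabled=True),   # active employee, not a leaver
]

if __name__ == "__main__":
    for f in reconcile_leavers(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, AS_OF):
        print(f"{f.severity.upper():6} {f.user_id}/{f.system}: {f.detail}")
    print(review_summary(SAMPLE_LEAVERS, SAMPLE_ACCOUNTS, AS_OF))
```

Retaining the summary together with the two input exports and the reviewer's sign-off gives the dated, repeatable evidence the matrix expects for this control.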
OC Security Audit Readiness Flow

From Uncertainty to SOC 2 Readiness

OC Security Audit helps companies move through a structured readiness program designed to reduce audit surprises and make controls, documentation, ownership, risk, vendor reviews, and evidence clear.

1. Discover: Business context, systems, data, vendors, people, and services.
2. Scope: Trust criteria selection, in-scope boundaries, control owners, and systems.
3. Assess: Gap assessment, technical review, risk assessment, and vendor review.
4. Map & Document: Control mapping, policies, procedures, control narratives, and evidence plans.
5. Prepare: Remediation support, evidence preparation, management reporting, and final readiness review.

Example Client Deliverable

SOC 2 Readiness Gap Assessment Report for IT Perfection

This sample report illustrates the type of professional deliverable OC Security Audit provides after performing discovery, scoping, investigation, gap analysis, control mapping, risk assessment, vendor review, evidence preparation, and readiness support for a SOC 2 readiness engagement.

OC Security Audit helps clients prepare for SOC 2 compliance readiness. We provide consulting, readiness review, documentation support, control mapping, evidence preparation, and audit preparation support. The official SOC 2 attestation report is issued by an independent licensed CPA firm.
  • SOC 2 Ready: 68%
  • Client: IT Perfection
  • Report Type: Readiness
  • High Risks: 7
  • Target State: Audit Ready

Executive Readiness Summary

IT Perfection is a hypothetical managed IT and cybersecurity services company preparing for SOC 2 readiness. OC Security Audit reviewed the organization’s security governance, access controls, risk management, vendor oversight, change management, incident response, vulnerability management, backup procedures, policy documentation, and evidence preparation process.

Readiness Status: Partially Ready

Overall Result

IT Perfection has several foundational controls in place, including endpoint protection, Microsoft 365 security controls, basic ticketing records, firewall management, backup procedures, and informal incident response practices. However, the company requires stronger documentation, repeatable evidence collection, vendor review records, formal risk assessment, access review cadence, and management approval records before entering the formal SOC 2 audit phase.

OC Security Audit Recommendation

OC Security Audit recommends a structured 60 to 120 day remediation and evidence preparation program focused on high-impact gaps: access review documentation, vendor risk management, SOC 2 policy package, risk register, change management evidence, incident response testing, vulnerability remediation tracking, and executive control ownership.

  • Controls Reviewed: 42
  • Controls Ready: 15
  • Partial Controls: 20
  • High Priority Gaps: 7

1. Discovery, Scoping, and Business Context

Client Profile

IT Perfection is a hypothetical technology services provider supporting small and mid-sized businesses with managed IT, network administration, cybersecurity support, Microsoft 365 administration, cloud infrastructure, endpoint security, backup management, and help desk support.

  • Primary service environment: managed IT and cybersecurity services
  • Primary systems reviewed: Microsoft 365, Azure, firewall, endpoint security, ticketing, backups, remote access, vendor platforms
  • Primary compliance objective: SOC 2 readiness preparation

Readiness Scope

The readiness review focused on systems, people, vendors, policies, procedures, and evidence that support customer data protection and service delivery.

  • Security criterion: in scope
  • Availability criterion: recommended for managed service operations
  • Confidentiality criterion: recommended due to access to customer environments
  • Processing Integrity and Privacy: review based on final service commitments
2. SOC 2 Criteria and Control Mapping Overview

| SOC 2 Area | Control Objective Reviewed | IT Perfection Current State | Readiness Status | Risk Impact | OC Security Audit Recommendation |
|---|---|---|---|---|---|
| CC1 Control Environment | Governance, ethics, security accountability, management oversight | Leadership is involved, but formal security governance documentation and recurring management review evidence are incomplete. | Partial | Medium | Create formal security governance charter, assign control owners, and document recurring leadership review. |
| CC2 Communication and Information | Security communication, internal awareness, policy distribution | Security expectations are communicated informally; policy acknowledgment records are not centralized. | Gap | Medium | Implement policy acknowledgment tracking and annual security awareness communication records. |
| CC3 Risk Assessment | Formal risk identification, likelihood, impact, treatment, and ownership | No complete SOC 2-aligned risk register was available during review. | Gap | High | Perform formal risk assessment and maintain an approved risk register with treatment plans. |
| CC4 Monitoring Activities | Control monitoring, access review, alert review, remediation tracking | Security tools exist, but control monitoring evidence is inconsistent. | Partial | High | Define monitoring cadence, maintain review evidence, and track exceptions through closure. |
| CC5 Control Activities | Policies, procedures, approvals, segregation of duties | Core procedures exist operationally, but formal control narratives and approval evidence need improvement. | Partial | Medium | Create control matrix and document approval workflows for key operational controls. |
| CC6 Logical and Physical Access | MFA, least privilege, onboarding, termination, privileged access review | MFA is broadly enabled, but periodic access review evidence and privileged access justification are incomplete. | Partial | High | Implement quarterly access reviews, privileged account approval records, and termination evidence retention. |
| CC7 System Operations | Logging, monitoring, incident detection, vulnerability management | Tools are deployed, but alert review and vulnerability remediation evidence are not consistently documented. | Partial | High | Centralize security monitoring evidence and maintain vulnerability remediation tickets with closure dates. |
| CC8 Change Management | Change approvals, testing, implementation, emergency changes | The ticketing system records changes, but not all changes include approval, testing, and backout documentation. | Partial | Medium | Standardize change templates and require approval/testing evidence for in-scope systems. |
| CC9 Risk Mitigation | Vendor risk, third-party dependencies, business risk treatment | Critical vendors are known, but vendor risk reviews and security documentation are incomplete. | Gap | High | Create vendor inventory, risk tiering, annual review workflow, and evidence repository. |
| Availability | Backup, disaster recovery, capacity, uptime commitments | Backup tools exist, but restoration testing records and DR tabletop evidence are incomplete. | Partial | Medium | Document restoration tests, RTO/RPO targets, business continuity procedures, and incident escalation. |
| Confidentiality | Data classification, encryption, secure handling, access limitation | Encryption and secure access practices exist, but data classification and handling procedures require formalization. | Partial | Medium | Implement data classification policy, secure handling procedure, and encryption evidence collection. |

3. High Priority Findings and Remediation Plan

| Finding ID | Finding | Risk | Business Impact | Recommended Remediation | Target Owner | Target Timeline |
|---|---|---|---|---|---|---|
| F-01 | Formal SOC 2 risk assessment and risk register not fully documented. | High | Leadership may not have sufficient evidence of risk identification, risk treatment, and risk ownership. | Conduct formal risk assessment, assign owners, define treatment plans, and approve risk register. | CISO / Executive Sponsor | 30 days |
| F-02 | Quarterly access reviews are not consistently performed or retained. | High | Privileged or terminated users may retain inappropriate access to customer systems or internal platforms. | Implement quarterly access review workflow with screenshots, approvals, exceptions, and remediation evidence. | IT Manager / Network Administrator | 30–45 days |
| F-03 | Vendor risk management process is incomplete. | High | Third-party risk may not be evaluated for vendors supporting customer services or sensitive data. | Create vendor inventory, risk tiering model, vendor review checklist, and annual review evidence repository. | Operations / Compliance Owner | 45 days |
| F-04 | Change management records do not consistently include approval, testing, and implementation evidence. | Medium | The auditor may not be able to verify that in-scope production changes were authorized and tested. | Standardize change request form and require approval, testing, implementation, and emergency change fields. | Network Engineer / IT Manager | 45–60 days |
| F-05 | Incident response plan exists informally but has not been tested. | Medium | Response roles, escalation, communication, and evidence retention may be unclear during an incident. | Create formal incident response plan and perform tabletop test with attendance and lessons learned. | Security Lead / Management | 60 days |

4. Evidence Preparation Checklist

Evidence Required Before Audit

  • Approved information security policy package
  • Access review reports and remediation evidence
  • User onboarding and termination samples
  • Privileged access approvals and justification
  • MFA enforcement screenshots and conditional access records
  • Risk assessment report and risk register
  • Vendor inventory and vendor review evidence
  • Change management tickets with approvals and testing
  • Vulnerability scan results and remediation tracking
  • Backup reports and restoration test evidence

OC Security Audit Support

OC Security Audit helps organize evidence into a structured readiness repository so management, IT, security, and the eventual CPA audit team can quickly understand the control environment.

  • Evidence request list
  • Evidence tracker
  • Document naming guidance
  • Control owner mapping
  • Final evidence readiness review
5. Policy and Procedure Documentation Package

| Document | Purpose | Current Status | Required Action | Owner |
|---|---|---|---|---|
| Information Security Policy | Defines security governance, responsibilities, and control expectations. | Needs Update | Update to include SOC 2 scope, control owners, review cadence, and management approval. | Security Lead |
| Access Control Policy | Defines user provisioning, deprovisioning, MFA, least privilege, and access reviews. | Missing Detail | Add privileged access workflow, quarterly reviews, exception handling, and evidence retention. | IT Manager |
| Vendor Risk Management Policy | Defines vendor onboarding, risk tiering, review, and monitoring process. | Missing | Create vendor policy, review checklist, security documentation request process, and annual review cadence. | Operations |
| Incident Response Plan | Defines detection, escalation, containment, communication, investigation, and lessons learned. | Partial | Formalize plan and perform tabletop test. | Security Lead |
| Business Continuity and Disaster Recovery Plan | Defines continuity procedures, recovery objectives, backup testing, and escalation. | Partial | Document RTO/RPO, backup ownership, restoration testing, and annual review. | IT Manager |

6. Readiness Roadmap and Audit Preparation Timeline

OC Security Audit recommends a phased readiness approach to reduce audit surprises and create repeatable controls before IT Perfection begins the formal SOC 2 audit process.

Phase 1 (Stabilize): Confirm scope, assign owners, collect existing policies, and create the readiness tracker.
Phase 2 (Remediate): Close high-priority control gaps related to access, risk, vendors, change management, and evidence.
Phase 3 (Operate): Run the controls for a defined period and retain consistent evidence for operating effectiveness.
Phase 4 (Prepare): Perform final readiness review and organize handoff materials for the independent CPA audit process.

7. Final Readiness Opinion and Next Steps

Sample Final Readiness Opinion

Based on the readiness review performed, IT Perfection is partially ready for SOC 2 preparation. The organization has several technical safeguards and operational practices in place, but additional work is required to formalize governance, document control operation, prepare evidence, complete risk assessment, review vendors, and demonstrate consistent execution of controls.

  • Complete high-priority remediation before entering the formal audit window.
  • Maintain access review, change management, vendor review, and incident response evidence.
  • Approve SOC 2 policy package and assign control owners.
  • Conduct final readiness review with OC Security Audit before audit handoff.