This SOC 2 Readiness Checker scores your control environment against the five Trust Service Criteria before you spend money on an auditor. SOC 2 is the dominant assurance standard for SaaS and cloud vendors, and most failed or delayed audits trace back to gaps that a structured self-assessment would have caught early. This tool is for startups and security leads preparing for a Type I or Type II report who want a clear, prioritised picture of where they stand.
How it works
SOC 2 is built on five criteria, with Security (the Common Criteria) mandatory and the others added by scope:
Security (mandatory — Common Criteria)
Availability (uptime / resilience commitments)
Confidentiality (protecting confidential data)
Processing Integrity (complete, accurate, timely processing)
Privacy (notice, choice, handling of personal data)
Within your chosen criteria the tool presents control prompts grouped by category — access control and authentication, change management, monitoring and logging, incident response, vendor risk, backup and recovery, and so on. You mark each as in place, partial, or missing, and the tool computes a score for each criterion:
score = (in_place × 1 + partial × 0.5) / total controls in criterion
Reading the heat-map
The per-criterion percentages render as a colour-coded heat-map — green where you are audit-ready, amber where controls are partial, red where whole categories are missing. Concentrate remediation on the red and amber categories first, because they are the findings an auditor will raise. Remember that Type II additionally requires evidence over time: a control that exists today but has no logs, tickets or screenshots across the observation window will still fail testing. Use the heat-map to decide what to fix, then start collecting evidence well before your audit window opens.
Everything is calculated locally — none of your control data is uploaded or stored.
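The scoring formula and the Type II evidence caveat above, worked through as an added example (not the tool's own code). The control records, their field names, the ISO date strings and the observation window are constructed for illustration.

```javascript
// Constructed sample data: ids, categories and evidence dates are illustrative only.
const WEIGHT = { in_place: 1, partial: 0.5, missing: 0 };

const controls = [
  { id: "AC-1", criterion: "Security", category: "Access control", status: "in_place", evidence: ["2024-02-10", "2024-05-03"] },
  { id: "AC-2", criterion: "Security", category: "Access control", status: "partial", evidence: [] },
  { id: "CM-1", criterion: "Security", category: "Change management", status: "in_place", evidence: [] },
  { id: "IR-1", criterion: "Security", category: "Incident response", status: "missing", evidence: [] },
  { id: "BR-1", criterion: "Availability", category: "Backup and recovery", status: "in_place", evidence: ["2023-11-20"] },
  { id: "BR-2", criterion: "Availability", category: "Backup and recovery", status: "partial", evidence: ["2024-03-01"] },
];

// score = (in_place x 1 + partial x 0.5) / total controls, grouped by `key`
// ("criterion" for the headline figure, "category" for the heat-map cells).
function scoreBy(items, key) {
  const groups = new Map();
  for (const c of items) {
    const w = WEIGHT[c.status];
    if (typeof w !== "number") throw new Error(`unknown status: ${c.status}`);
    const g = groups.get(c[key]) || { points: 0, total: 0 };
    g.points += w;
    g.total += 1;
    groups.set(c[key], g);
  }
  return new Map([...groups].map(([name, g]) => [name, g.points / g.total]));
}

// Categories sorted weakest first: the order in which to remediate.
function remediationOrder(items) {
  return [...scoreBy(items, "category")].sort((a, b) => a[1] - b[1]).map(([name]) => name);
}

// Type II check: controls marked in place that have no evidence dated inside
// the observation window. These score 1.0 above but would still fail testing.
function evidenceGaps(items, windowStart, windowEnd) {
  const inWindow = (d) => d >= windowStart && d <= windowEnd; // ISO dates sort as strings
  return items
    .filter((c) => c.status === "in_place" && !c.evidence.some(inWindow))
    .map((c) => c.id);
}

for (const [name, s] of scoreBy(controls, "criterion")) console.log(name, `${Math.round(s * 100)}%`);
console.log("Fix first:", remediationOrder(controls));
console.log("In place, no evidence in window:", evidenceGaps(controls, "2024-01-01", "2024-06-30"));
```

The evidence check is deliberately separate from the score: a control can contribute full points to its criterion and still appear in the gap list.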