SOC 2 readiness fails when evidence is treated as a document

SOC 2 readiness looks straightforward until you try to produce it. Map your policies to Trust Services Criteria, document your controls, prepare evidence for the auditor. Then you discover that evidence doesn’t exist in the format you need, controls aren’t consistently applied, and the gap between what you document and what you do is wider than you realised.

This isn’t a documentation problem. It’s an evidence problem. SOC 2 doesn’t just want to know you have controls. It wants to see that controls operate effectively over time. That’s a fundamentally different requirement, and it’s where most readiness efforts fail.

Why policies aren’t enough

The first step in SOC 2 preparation is usually mapping your policies to the Trust Services Criteria. Security is in scope for every SOC 2 report; Availability, Processing Integrity, Confidentiality and Privacy are added as they apply to your service.

This part is straightforward. You have an Information Security Policy. You have an Incident Response Procedure. You have Access Control guidelines. Map them to the relevant criteria, job done.

Except the auditor doesn’t just want policies. They want evidence that the policies drive actual behaviour. That access is actually controlled the way the policy describes. That incidents are actually responded to according to your procedure. That the policy is more than intent – it’s practice.

“We have a policy” is not evidence. The policy is the claim. The evidence is the proof. If you can’t demonstrate that the policy translates to consistent operational practice, you don’t have a control – you have documentation.

The operational evidence gap

SOC 2 Type 2 reports require evidence over a period of time – typically 3, 6, or 12 months. This is where readiness gets difficult.

The auditor doesn’t just want to see your access review process. They want to see access reviews actually conducted at the frequency your policy specifies. They want to see the results. They want to see remediation when reviews reveal inappropriate access.

If access reviews happen ad-hoc, or if they happened once but not consistently, or if they’re documented but the results aren’t acted on, you don’t have operational evidence. You have gaps.

The same applies to change management, incident response, vulnerability management, training, management reviews. The criteria apply the same standard to each of them: demonstrate that the control operates consistently, not just that it exists.

Evidence doesn’t appear at audit time. It accumulates over time. SOC 2 readiness fails when organisations try to create this evidence retrospectively instead of capturing it as operations proceed.
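The cadence and remediation questions above can be checked mechanically if the review trail is captured as data rather than as a document. The following is an added example, not code from the original post or from any product it mentions: it takes a constructed list of access-review records, treats the audit period boundaries and each review date as checkpoints, flags any gap longer than the assumed 90-day policy cadence, and flags findings with no recorded remediation or with remediation later than an assumed 30-day SLA. The record shape, dates, names and thresholds are all assumptions for illustration.

```python
"""Check an access-review evidence trail against a quarterly review policy."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

MAX_GAP_DAYS = 90          # assumed policy: reviews at least quarterly
REMEDIATION_SLA_DAYS = 30  # assumed policy: findings closed within 30 days


@dataclass
class Finding:
    account: str
    issue: str
    remediated_on: date | None = None  # None means nothing was ever recorded


@dataclass
class AccessReview:
    conducted_on: date
    reviewer: str
    findings: list[Finding] = field(default_factory=list)


def review_trail_gaps(reviews: list[AccessReview], period_start: date, period_end: date,
                      max_gap_days: int = MAX_GAP_DAYS,
                      sla_days: int = REMEDIATION_SLA_DAYS) -> list[str]:
    """Return the evidence gaps an auditor would raise; an empty list means the trail is clean."""
    gaps: list[str] = []
    ordered = sorted(reviews, key=lambda r: r.conducted_on)

    # Cadence: the period boundaries count as checkpoints, so a long stretch at the
    # start or end of the period without a review is flagged as well.
    checkpoints = [period_start] + [r.conducted_on for r in ordered] + [period_end]
    for prev, nxt in zip(checkpoints, checkpoints[1:]):
        days = (nxt - prev).days
        if days > max_gap_days:
            gaps.append(f"no review between {prev} and {nxt} ({days} days)")

    # Remediation: every finding needs a closure date inside the SLA.
    for review in ordered:
        for f in review.findings:
            if f.remediated_on is None:
                gaps.append(f"{review.conducted_on}: {f.account} ({f.issue}) has no recorded remediation")
            elif (f.remediated_on - review.conducted_on).days > sla_days:
                gaps.append(f"{review.conducted_on}: {f.account} remediated after {sla_days}-day SLA")
    return gaps


# Constructed sample trail for a 2024 audit period (assumed data).
PERIOD_START = date(2024, 1, 1)
PERIOD_END = date(2024, 12, 31)
SAMPLE_TRAIL = [
    AccessReview(date(2024, 1, 15), "alice",
                 [Finding("bob", "prod admin no longer required", date(2024, 1, 20))]),
    AccessReview(date(2024, 4, 10), "alice"),
    AccessReview(date(2024, 9, 30), "carol",
                 [Finding("contractor-7", "account active after contract end")]),
]


def audit_sample_trail() -> list[str]:
    return review_trail_gaps(SAMPLE_TRAIL, PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    for gap in audit_sample_trail():
        print("GAP:", gap)
```

On the sample the April-to-September stretch and the September-to-year-end stretch both exceed 90 days, and the contractor finding was never closed, so three gaps come back; the same function returns nothing for a trail that was reviewed every quarter with findings closed on time.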

The follow-up question problem

SOC 2 audits don’t just check if controls exist. They check if controls are effective by asking follow-up questions.

You have an incident response procedure. How many incidents occurred during the audit period? How were they handled? Were they escalated according to your procedure? What remediation occurred? How do you know the remediation was effective?

You conduct access reviews quarterly. Who conducts them? What triggers a review between quarterly cycles? What happens when inappropriate access is found? How is remediation tracked?

This is why audits fail at the follow-up question. The first question is about whether the control exists. The follow-up question is about whether it works. If you can’t answer the follow-up, your control isn’t effective.

Training as evidence of competence, not attendance

SOC 2 requires evidence that personnel are trained on their security responsibilities. Most organisations provide generic security awareness training and treat completion records as sufficient evidence.

But SOC 2 cares about role-specific competence. Do engineers understand secure coding practices relevant to your service? Do support staff know how to handle customer data appropriately? Do admins understand their elevated privilege responsibilities?

Generic training doesn’t demonstrate this. Completion records don’t prove competence. They prove people attended.

The gap appears when the auditor asks role-specific questions. Can support staff explain how they verify identity before sharing customer information? Can engineers describe how they handle sensitive data in logs? If the answers reveal gaps, your training evidence doesn’t support your controls.

Attendance is not competence. SOC 2 evidence needs to show people can actually do what your policies require, not just that they were told about it.

The change management evidence trail

Change management is a control area where evidence problems become obvious quickly.

Your policy says all production changes require approval, testing, and documentation. The auditor asks to see change logs for the audit period.

If changes happened without documented approval, or testing evidence is missing, or changes were made directly to production without following the process, your control has exceptions. Exceptions create gaps. Gaps create findings.

The problem usually isn’t that you don’t manage changes. It’s that the management happens informally – Slack approvals, verbal testing confirmations, changes documented after the fact. This might be how things actually work, but it doesn’t produce the evidence trail SOC 2 requires.

Operational evidence requires systematic capture, not reconstructed documentation. If your change management happens in tools that don’t produce audit trails, you’ll struggle with readiness.
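What “systematic capture” looks like for change management is a change record that carries its own approval, timing and test evidence, so the exceptions the auditor would find can be found first. The following is an added example, not code from the original post or from any product it mentions: it runs a constructed change log through the checks the policy above implies (documented approval, approval before deployment, test evidence present) plus one assumed rule, that the approver must differ from the author. Field names, people and timestamps are illustrative assumptions.

```python
"""Find change-management exceptions in a change log before the auditor does."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Change:
    change_id: str
    author: str
    deployed_at: datetime
    approved_by: str | None = None
    approved_at: datetime | None = None
    test_evidence: str | None = None  # reference to a CI run or test report; None if missing


def change_exceptions(change: Change) -> list[str]:
    """Return the policy exceptions for one change; an empty list means it is clean."""
    problems: list[str] = []
    if change.approved_by is None or change.approved_at is None:
        problems.append("no documented approval")
    else:
        if change.approved_at > change.deployed_at:
            # "Documented after the fact": the approval exists but did not gate the deploy.
            problems.append("approval recorded after deployment")
        if change.approved_by == change.author:
            # Assumed policy: separation of duties between author and approver.
            problems.append("self-approved")
    if not change.test_evidence:
        problems.append("no test evidence")
    return problems


def audit_change_log(changes: list[Change]) -> dict[str, list[str]]:
    """Map change_id to its exceptions, for every change that has at least one."""
    report: dict[str, list[str]] = {}
    for change in changes:
        problems = change_exceptions(change)
        if problems:
            report[change.change_id] = problems
    return report


def exception_rate(changes: list[Change]) -> float:
    """Fraction of changes with at least one exception (0.0 when the log is empty)."""
    if not changes:
        return 0.0
    return len(audit_change_log(changes)) / len(changes)


# Constructed sample change log for one month (assumed data).
SAMPLE_CHANGES = [
    Change("CHG-101", "dana", datetime(2024, 3, 4, 10, 0),
           approved_by="erin", approved_at=datetime(2024, 3, 3, 16, 0), test_evidence="ci/run/8812"),
    Change("CHG-102", "dana", datetime(2024, 3, 11, 9, 30),
           approved_by="erin", approved_at=datetime(2024, 3, 11, 14, 5), test_evidence="ci/run/8840"),
    Change("CHG-103", "frank", datetime(2024, 3, 18, 11, 0),
           approved_by="frank", approved_at=datetime(2024, 3, 18, 10, 45)),
    Change("CHG-104", "erin", datetime(2024, 3, 25, 2, 15)),  # hotfix straight to production
]


if __name__ == "__main__":
    for change_id, problems in audit_change_log(SAMPLE_CHANGES).items():
        print(f"{change_id}: {', '.join(problems)}")
    print(f"exception rate: {exception_rate(SAMPLE_CHANGES):.0%}")
```

Running the checks on every change as it lands, rather than over an exported log at audit time, is the difference between a trail and reconstructed documentation: the first exception in the sample (an approval logged hours after the deploy) is exactly the Slack-approval pattern that looks fine informally and reads as a finding in a Type 2 report.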

Other common evidence gaps

Beyond follow-up questions, training, and change management, other areas frequently create readiness challenges: screenshots that prove point-in-time state but not ongoing effectiveness, management reviews that happen informally without documentation, and vendor risk assessments that weren’t conducted systematically during vendor selection. Each reflects the same underlying issue – operational practices that work informally but don’t produce the evidence trail SOC 2 requires.

What readiness actually requires

Good SOC 2 readiness isn’t about better documentation. It’s about building operational practices that naturally produce the evidence SOC 2 requires.

This means:

  • Making controls systematic rather than ad-hoc
  • Capturing evidence as operations proceed, not retrospectively
  • Creating trails that show controls operate over time, not just at a point in time
  • Building competence that can withstand follow-up questions

Reports & Evidence supports this by treating evidence as an ongoing trail rather than a point-in-time collection exercise. The evidence exists because your governance produces it naturally, not because audit is approaching.

For training evidence specifically, Training Zone helps move from attendance tracking to competence demonstration – showing people can actually execute their responsibilities, not just that they completed a course.

And for the risk decisions that underpin SOC 2 controls, Risk Manager provides the decision context auditors ask about – why you chose these controls, what trade-offs you considered, how you monitor effectiveness.

The real value of readiness

SOC 2 readiness done well doesn’t just get you a report. It builds governance that produces audit evidence as a byproduct rather than as a separate activity.

When evidence is treated as a trail, not a document, readiness becomes straightforward. The audit asks for evidence that already exists because your operations create it systematically.

SOC 2 readiness fails when evidence is treated as a document, not a trail. Fix that, and readiness becomes a governance improvement exercise rather than an audit preparation panic.
