audit prep · 06

Know where your controls fall short before the auditor does.

A gap analysis against SOC 2, ISO 27001, HIPAA, PCI DSS, NIST 800-53, or another framework. We map your existing controls, flag the gaps, and hand back a prioritized remediation plan with the evidence your auditor expects.

01. in scope

What's in scope.

Frameworks we cover.

SOC 2 Type 1 / Type 2

AICPA Trust Services Criteria. Security, availability, processing integrity, confidentiality, privacy. Coverage of every applicable common criterion.

ISO/IEC 27001:2022

Information security management system. All Annex A controls, the SoA, and the management-system clauses. Aligned with the 93 updated controls.

HIPAA Security Rule

Administrative, physical, and technical safeguards under 45 CFR Part 164, Subpart C. Plus a Business Associate Agreement review and breach-notification readiness.

PCI DSS 4.0

All 12 requirements. Scope reduction guidance, network segmentation review, ROC vs SAQ recommendation.

NIST SP 800-53 / CSF 2.0

Federal control set or the lighter Cybersecurity Framework. For FedRAMP, CMMC (which assesses against NIST SP 800-171, itself derived from 800-53), or anyone selling into US government.

Industry-specific frameworks

NYDFS Part 500, GLBA, FFIEC, FERPA, GDPR Art. 32. Custom mappings on request.

02. how we work

How we work on it.

How a gap analysis runs.

  1. Scoping call. 60 minutes. We learn the target framework, the systems in scope, the audit deadline, and what you have already documented.
  2. Document and interview phase. Two weeks. We read every policy, run-book, and architecture diagram you have, then interview the owners of each control area.
  3. Control mapping. Every applicable control mapped to your evidence (or marked as a gap). Spreadsheet hand-off in the format your auditor expects.
  4. Remediation roadmap. Findings ranked by audit risk and engineering effort. What to fix this sprint, this quarter, and before the audit date.
  5. Evidence pre-walk. Before the auditor arrives, we do a dry-run review of evidence quality. Cheaper to fix a weak control narrative now than during fieldwork.

03. deliverables

What you walk away with.

Control-coverage matrix

Every control, current state, evidence pointer, gap classification, owner, suggested remediation. Drop-in for your GRC tool.

Prioritized remediation plan

Findings ranked by audit risk, customer-deal risk, and engineering cost. Three buckets: this sprint, this quarter, before audit.

Policy and procedure gap list

Where the written policy disagrees with what engineering actually does. Fix the doc or fix the practice; we flag the right call.

Evidence template pack

For SOC 2 and ISO 27001: ready-to-use evidence templates (change management log, access review log, vendor risk log, incident log) tuned to what auditors accept.

Auditor-question prep

The 20 questions your auditor will ask in fieldwork, with the answers you can give and the docs you should have ready.

Optional auditor introduction

If you do not have one, we introduce vetted firms across the US and EU. We do not take referral fees.

04. when

When teams hire us for this.

When a gap analysis is the right move.

You committed to a SOC 2 by Q3

You signed a customer contract with a SOC 2 deadline. You need to know what you can finish in time before you spend on the audit.

You are mid-implementation

You have started controls but you do not know if what you built will hold up. We give the assessment now, while you can still fix it.

You changed frameworks

Moving from SOC 2 to ISO 27001, or adding HIPAA on top. We map your current state against the new framework so you do not start from zero.

You failed something

A finding came back in audit fieldwork. We do focused remediation and a re-audit prep so the next attempt is clean.

05. faq

Questions before the call.

Gap analysis FAQ.

Are you the auditor?

No, and we will never be. A gap analysis from us is independent: auditor independence rules would in any case bar the same firm from both advising on your controls and attesting to them. You take it to the auditor of your choice.

How long does a gap analysis take?

Three to six weeks for a typical SaaS organization, depending on scope and document availability. Fastest if your policies and architecture diagrams are current.

Can you fix the gaps?

We document the gaps and tell you what to fix. We do not implement controls inside your environment as part of a gap analysis. An advisory retainer can cover the implementation work.

Do you do shared assessments?

Yes. CAIQ, SIG, and custom vendor questionnaires can be prepared as a side-output of the gap analysis.

What if the framework changes mid-project?

We track the standard versions. ISO 27001:2022 mapping, PCI 4.0 mapping, SOC 2 with the latest TSC update. If a standard changes during our engagement, we adjust at no extra cost.

06. compliance pentest

If your framework requires a pentest.

SOC 2, PCI DSS, HIPAA, ISO 27001, and FedRAMP each require or strongly expect a penetration test as audit evidence. Only PCI DSS and FedRAMP mandate one outright; SOC 2, ISO 27001, and HIPAA leave the choice of testing to the control owner, but most auditors treat a recent test as the expected evidence. We cover both the gap analysis and the pentest, and know what each auditor expects from the pentest report.

SOC 2 penetration test

TSC CC6.1, CC6.6, CC7.1, CC8.1. Named methodology, CVSS 4.0 severity, retest evidence, and attestation letter in the format auditors accept under the current TSC (the 2017 criteria with the 2022 revised points of focus).

PCI DSS penetration test

Requirement 11.4 (11.4.2 internal and 11.4.3 external testing in v4.0; numbered 11.3.1 and 11.3.2 under v3.2.1). Internal and external tests of the CDE boundary. Segmentation validation per 11.4.5, QSA-ready deliverables.

HIPAA penetration test

Security Rule §164.308(a)(8), the Evaluation standard. ePHI scope, BAA execution before testing (the tester may touch ePHI), findings format aligned with OCR enforcement expectations.

ISO 27001 penetration test

Annex A.8.8 (management of technical vulnerabilities) and A.8.29 (security testing in development and acceptance). ISMS scope alignment, 2022 control mapping, certification-body evidence format.

FedRAMP penetration test

CA-8 and NIST SP 800-115. Rules of engagement, 3PAO-compatible deliverables, Moderate and High baseline scope.

Need an honest read on your audit readiness?

A 60-minute call covers your target framework, deadline, and likely top-three gaps. We will tell you if a gap analysis is the right next step or if you can go straight to audit.