SOC 2 Readiness Quick Score
Enterprise buyers put SOC 2 in the security questionnaire, and a failed audit or stalled readiness project burns weeks of budget. Before you engage a CPA firm, you need an honest read on where you actually stand. This free interactive tool scores you against 20 representative controls from the SOC 2 Trust Services Criteria — anchored on the mandatory Common Criteria (Security) and including optional Availability, Confidentiality, Processing Integrity, and Privacy. You get a live readiness score, a per-category breakdown, a plain-English verdict, the specific gaps driving your number, and an exportable report you can hand to your auditor or your readiness partner. Built by a Texas MSP — accurate, and clearly not an audit or legal advice.
20 questions across the SOC 2 Trust Services Criteria — anchored on the Common Criteria (Security) that every SOC 2 requires, plus optional Availability, Confidentiality, Processing Integrity, and Privacy. Mark each as In Place / Partial / No for a live readiness score, category breakdown, and verdict. 100% browser-only — nothing is sent to LayerLogix.
Logical Access Controls
Role-based access with least privilege
CC6.1 — Logical access to systems and data is restricted by role, provisioned on a least-privilege basis, and reviewed periodically.
Formal onboarding/offboarding access workflow
CC6.2 — Access is granted on hire and revoked on termination through a documented, ticketed workflow with management approval.
MFA on all remote and admin access
CC6.6 — Multi-factor authentication is enforced for VPN, cloud admin consoles, email, and any internet-facing system.
Physical Access Controls
Physical access to facilities restricted
CC6.4 — Physical access to offices, server rooms, and data centers is restricted and logged (badge readers, visitor logs, or a SOC 2 data-center attestation).
Change Management
Documented change management process
CC8.1 — Changes to infrastructure and applications are tracked, peer-reviewed, tested, and approved before production deployment.
Separation of dev/test/production
CC8.2 — Development and test environments are logically separated from production, and developers do not push directly to prod without review.
Risk Assessment
Annual documented risk assessment
CC3.1 — A formal risk assessment identifying threats, likelihood, and impact is performed and documented at least annually.
Risks tracked to remediation
CC3.2 — Identified risks are assigned owners, prioritized, and tracked through a risk register or remediation plan.
Monitoring
Centralized logging and alerting
CC7.2 — Security events are logged centrally and monitored for anomalies (SIEM, EDR/MDR, or a managed security service).
Vulnerability scanning / detection
CC7.1 — Vulnerability scanning, patch management, and configuration monitoring detect deviations from secure baselines.
Vendor Management
Third-party/vendor risk reviews
CC9.2 — Critical vendors are inventoried and assessed for security (SOC 2 reports, security questionnaires, or contractual safeguards).
Incident Response
Documented incident response plan
CC7.3 — A written incident response plan defines roles, escalation, and communication, and is tested at least annually.
Incidents logged and post-mortemed
CC7.4 — Security incidents are recorded, contained, and reviewed in a post-incident analysis with corrective actions.
Policies & Governance
Approved infosec policies in place
CC2.2 — Information security policies are documented, approved by management, and communicated to all personnel.
Security awareness training program
CC1.4 — All staff complete security awareness training on hire and at least annually, with completion tracked.
Controls monitored for effectiveness
CC4.1 — Management evaluates whether controls are operating effectively through internal review, audits, or continuous monitoring.
Availability (optional)
Backups, redundancy, and DR plan
A1.2 — Backups are performed and tested, and a disaster-recovery / business-continuity plan defines recovery objectives. Only in scope if you include the Availability category.
Confidentiality (optional)
Confidential data identified and encrypted
C1.1 — Confidential information is classified, encrypted at rest and in transit, and retention/disposal is defined. Only in scope if you include the Confidentiality category.
Processing Integrity (optional)
Processing accuracy and validation controls
PI1.1 — Inputs and outputs are validated, errors are detected and corrected, and processing is complete and accurate. Only in scope if you include the Processing Integrity category.
Privacy (optional)
Privacy notice and consent handling
P1.1 — Personal information collection, use, retention, and disposal align with a published privacy notice and applicable law. Only in scope if you include the Privacy category.
Self-assessment only — not an audit and not legal advice. A SOC 2 report is issued solely by a licensed CPA firm.
What We Offer
Comprehensive solutions tailored for Houston-area businesses
20 Trust Services Criteria Controls
Anchored on the Common Criteria (Security) that every SOC 2 requires — access controls, change management, risk assessment, monitoring, vendor management, incident response, and governance — plus optional Availability, Confidentiality, Processing Integrity, and Privacy.
Live Readiness Score
Real-time scoring against the Common Criteria backbone, with thresholds calibrated to where auditors actually start a Type I engagement (90%+ readiness).
Per-Category Breakdown
See exactly which TSC areas are pulling your score down — logical access, monitoring, incident response, vendor risk, and more — with a visual bar for each.
Readiness Verdict + Next Steps
Get a plain-English verdict (Type I ready, close, significant gaps, or early stage) and a prioritized remediation list driven by your actual gaps.
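The scoring mechanics described above (In Place / Partial / No per control, optional categories counted only when included, a per-category breakdown, a verdict, and a gap list) can be modelled in a few dozen lines. The block below is an added example written for this page, not LayerLogix's tool code. The control identifiers and category names come from the list above and the 90% Type I threshold comes from the page; the status weights (1 / 0.5 / 0), the equal weighting of every control, and the lower verdict thresholds (75% and 50%) are assumptions of this example.

```javascript
// Added example: a self-contained model of the readiness score on this page.
// Control IDs and categories are from the page; weights and the thresholds
// below 90% are assumptions, not the tool's real calibration.

const CONTROLS = [
  { id: "CC6.1", category: "Logical Access Controls" },
  { id: "CC6.2", category: "Logical Access Controls" },
  { id: "CC6.6", category: "Logical Access Controls" },
  { id: "CC6.4", category: "Physical Access Controls" },
  { id: "CC8.1", category: "Change Management" },
  { id: "CC8.2", category: "Change Management" },
  { id: "CC3.1", category: "Risk Assessment" },
  { id: "CC3.2", category: "Risk Assessment" },
  { id: "CC7.2", category: "Monitoring" },
  { id: "CC7.1", category: "Monitoring" },
  { id: "CC9.2", category: "Vendor Management" },
  { id: "CC7.3", category: "Incident Response" },
  { id: "CC7.4", category: "Incident Response" },
  { id: "CC2.2", category: "Policies & Governance" },
  { id: "CC1.4", category: "Policies & Governance" },
  { id: "CC4.1", category: "Policies & Governance" },
  // Optional Trust Services categories: scored only when the caller includes them.
  { id: "A1.2", category: "Availability", optional: true },
  { id: "C1.1", category: "Confidentiality", optional: true },
  { id: "PI1.1", category: "Processing Integrity", optional: true },
  { id: "P1.1", category: "Privacy", optional: true },
];

// Assumed status weights: a partial control earns half credit.
const STATUS_WEIGHT = { inplace: 1, partial: 0.5, no: 0 };

// Verdict bands. 90% is the page's Type I threshold; the rest are assumed.
function verdictFor(score) {
  if (score >= 90) return "Type I ready";
  if (score >= 75) return "close";
  if (score >= 50) return "significant gaps";
  return "early stage";
}

// answers: { "CC6.1": "inplace", "CC6.6": "no", ... }
// includedOptional: category names (e.g. ["Availability"]) to bring into scope.
function scoreReadiness(answers, includedOptional = []) {
  const inScope = CONTROLS.filter(
    (c) => !c.optional || includedOptional.includes(c.category)
  );
  const byCategory = {};
  const gaps = [];
  let earned = 0;

  for (const c of inScope) {
    const status = answers[c.id];
    // Every in-scope control must be answered; refuse to score a half-filled form.
    if (!(status in STATUS_WEIGHT)) {
      throw new Error(`missing or invalid status for ${c.id}: ${status}`);
    }
    const w = STATUS_WEIGHT[status];
    earned += w;
    const cat = byCategory[c.category] || (byCategory[c.category] = { earned: 0, total: 0 });
    cat.earned += w;
    cat.total += 1;
    if (w < 1) gaps.push({ id: c.id, category: c.category, status });
  }

  // Overall and per-category percentages, rounded to whole points.
  const score = Math.round((earned / inScope.length) * 100);
  const categories = {};
  for (const [name, { earned: e, total: t }] of Object.entries(byCategory)) {
    categories[name] = Math.round((e / t) * 100);
  }
  // Largest gaps first: "no" controls before "partial" ones.
  gaps.sort((a, b) => STATUS_WEIGHT[a.status] - STATUS_WEIGHT[b.status]);

  return { score, categories, verdict: verdictFor(score), gaps };
}

// Constructed sample answers: every Common Criteria control in place except
// MFA (missing) and central logging (partial); Availability answered as partial.
const SAMPLE_ANSWERS = Object.fromEntries(CONTROLS.map((c) => [c.id, "inplace"]));
SAMPLE_ANSWERS["CC6.6"] = "no";
SAMPLE_ANSWERS["CC7.2"] = "partial";
SAMPLE_ANSWERS["A1.2"] = "partial";

function demo() {
  return {
    securityOnly: scoreReadiness(SAMPLE_ANSWERS),
    withAvailability: scoreReadiness(SAMPLE_ANSWERS, ["Availability"]),
  };
}

module.exports = { CONTROLS, STATUS_WEIGHT, verdictFor, scoreReadiness, SAMPLE_ANSWERS, demo };
```

Run with `node` and inspect `demo()`: the same answer set scores 91% ("Type I ready") against the Common Criteria alone but 88% ("close") once Availability is pulled into scope, which is the practical reason to decide on optional categories before scoring. Note what the flat weighting hides: the security-only run is "Type I ready" even though MFA on remote and admin access is absent, so the gap list, not the headline number, is what should drive remediation.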
Gap Report Export
Download a dated text report of your control-by-control status, category scores, gaps, and recommended next steps. Bring it to your auditor or your readiness partner.
100% Browser-Only
Nothing is sent to LayerLogix servers, and nothing is logged or stored. Your assessment stays on your device — no email gate, no signup.
Why Choose LayerLogix?
Serving businesses throughout the Greater Houston area including Houston, The Woodlands, Sugar Land, Dallas, Fort Worth, Austin, San Antonio.
Know Before You Pay an Auditor
A failed Type I or a stalled readiness project burns weeks and budget. Score yourself first so you walk into the audit with eyes open.
Prioritize the Right Controls
Most teams over-invest in policy paperwork and under-invest in MFA, logging, and incident response — the technical controls auditors scrutinize first.
Win the Deal Faster
Enterprise prospects increasingly require a SOC 2 in the security questionnaire. A readiness score tells you how far you are from unblocking that revenue.
Defensible Documentation
Export a dated gap report you can attach to your readiness plan or hand to your vCISO, MSP, or CPA firm.
Free Forever
No email gate, no signup, no upsell on the tool itself. We earn the conversation by giving away the tool.
Frequently Asked Questions
Is this an official SOC 2 audit?
What is the difference between Type I and Type II?
Why does the tool center on the Common Criteria (Security)?
What score do I need to be ready for an audit?
Is my data sent anywhere?
What do I do after exporting my report?
Do you provide SOC 2 Readiness Quick Score in Houston and nearby areas?
What does SOC 2 Readiness Quick Score cost for a Houston business?
Ready to Get Started?
Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, The Woodlands, Sugar Land, and the surrounding Greater Houston area.