SOC 2 Readiness Roadmap
Document ID: SOC-004
Document owner: Jan Marc Castlunger (ISO)
Classification: Confidential
Version: 1.0
Last updated: March 2026
Next review: June 2026
1. Current Readiness Summary
| Category | Readiness | Criteria Met | Gaps |
|---|---|---|---|
| Security (CC) | 🟡 80% | 30/33 | CC6.4 partial (cloud-only, documented exception); CC7.2 partial (30-day log retention insufficient); CC1.4 partial (NDAs + background checks being formalised) |
| Availability (A) | 🟡 70% | 2/3 | A1.1: Formal SLA documentation needed |
| Processing Integrity (PI) | 🟡 65% | 3/5 | PI1.1, PI1.3: Formal accuracy and error monitoring |
| Confidentiality (C) | 🟢 100% | 2/2 | None |
| Privacy (P) | 🟢 100% | 9/9 | None |
| Overall | 🟡 ~80% | 46/52 | 6 gaps |
2. Gap Closure Plan
Gap 1: Formal SLA Documentation (A1.1)
| Field | Detail |
|---|---|
| TSC Reference | A1.1 — Availability commitments |
| Gap | No formal SLA document defining uptime commitments to customers |
| Action | Create customer-facing SLA document; define internal availability targets |
| Owner | Jan Marc Castlunger (ISO) |
| Target Date | June 2026 |
| Evidence | Published SLA; internal availability dashboard |
Gap 2: Processing Accuracy Monitoring (PI1.1)
| Field | Detail |
|---|---|
| TSC Reference | PI1.1 — Processing objectives |
| Gap | OCR validation exists but no formal accuracy monitoring or reporting |
| Action | Implement OCR accuracy dashboard; define accuracy KPIs; establish regular reporting |
| Owner | Sebastian Windeck (CTO) |
| Target Date | July 2026 |
| Evidence | Accuracy dashboard; KPI reports |
Gap 3: Error Detection Dashboard (PI1.3)
| Field | Detail |
|---|---|
| TSC Reference | PI1.3 — Error detection |
| Gap | Azure Monitor alerts exist but no dedicated error tracking dashboard for API processing |
| Action | Build API error tracking dashboard; define error rate thresholds and alerting |
| Owner | Sebastian Windeck (CTO) |
| Target Date | July 2026 |
| Evidence | Dashboard screenshots; alert configuration |
Gap 4: Log Retention Insufficient (CC7.2)
| Field | Detail |
|---|---|
| TSC Reference | CC7.2 — System monitoring |
| Gap | AKS + Caddy rolling logs only retain 30 days; insufficient for incident forensics and compliance |
| Action | Extend log retention to minimum 90 days (target: 12 months) using Azure Log Analytics or Blob archival |
| Owner | Sebastian Windeck (CTO) |
| Target Date | June 2026 |
| Evidence | Azure log retention configuration; Blob storage policy |
| Risk Register | R12 |
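The evidence for this gap is configuration, and configuration drifts. The script below is an added example (not part of the roadmap or the Quick-ID code base) showing how the two retention paths named in the action can be checked mechanically before the evidence is filed: it reads a Log Analytics workspace description (assumed to carry the `retentionInDays` field as returned by `az monitor log-analytics workspace show`) and a Blob lifecycle management policy (assumed to follow the `rules[].definition.actions.baseBlob.delete` schema), and reports the effective retention against the 90-day minimum and the 12-month target. The workspace name, the `logs/` archive prefix and all sample JSON are constructed for the example; the "before" policy shows the weak 30-day setting beside the corrected one.

```python
"""Evidence check for the CC7.2 log-retention gap.

Added example, not part of the roadmap. Assumptions (not stated in the
document): the workspace JSON has the shape returned by
`az monitor log-analytics workspace show` (top-level "retentionInDays"),
the lifecycle JSON follows the Blob storage management-policy schema
(rules[].definition.actions.baseBlob.delete.daysAfterModificationGreaterThan),
and logs are exported to Blob storage under the hypothetical LOG_PREFIX.
All sample documents below are constructed for this example.
"""
import json
from typing import Optional

MINIMUM_DAYS = 90     # minimum retention stated in the gap closure plan
TARGET_DAYS = 365     # 12-month target stated in the gap closure plan
LOG_PREFIX = "logs/"  # hypothetical archive prefix, not from the document

# Constructed: current state, 30-day workspace retention (the gap as described).
WORKSPACE_BEFORE = json.dumps({"name": "law-example", "retentionInDays": 30})
# Constructed: remediated workspace at the 12-month target.
WORKSPACE_AFTER = json.dumps({"name": "law-example", "retentionInDays": 365})


def _lifecycle_policy(delete_after: int, cool_after: Optional[int] = None) -> str:
    """Build a constructed Blob lifecycle policy for blobs under LOG_PREFIX."""
    actions = {"delete": {"daysAfterModificationGreaterThan": delete_after}}
    if cool_after is not None:
        actions["tierToCool"] = {"daysAfterModificationGreaterThan": cool_after}
    return json.dumps({"rules": [{
        "enabled": True, "name": "log-archive", "type": "Lifecycle",
        "definition": {
            "actions": {"baseBlob": actions},
            "filters": {"blobTypes": ["blockBlob"], "prefixMatch": [LOG_PREFIX]},
        },
    }]})


# Weak policy: the archive deletes after 30 days, so it adds nothing to retention.
LIFECYCLE_BEFORE = _lifecycle_policy(delete_after=30)
# Corrected policy: move to the cool tier at 30 days, delete only after 365 days.
LIFECYCLE_AFTER = _lifecycle_policy(delete_after=365, cool_after=30)


def workspace_retention_days(workspace_json: str) -> int:
    """Workspace-side retention in days."""
    return int(json.loads(workspace_json)["retentionInDays"])


def blob_deletion_days(policy_json: str, prefix: str = LOG_PREFIX) -> Optional[int]:
    """Earliest day after which an enabled rule deletes blobs under prefix.

    None means no enabled rule deletes them, i.e. the archive is unbounded.
    """
    earliest = None
    for rule in json.loads(policy_json).get("rules", []):
        if not rule.get("enabled", False):
            continue
        definition = rule.get("definition", {})
        prefixes = definition.get("filters", {}).get("prefixMatch", [])
        # A rule without prefixMatch applies to every blob in the account. A rule
        # whose prefix overlaps ours in either direction is counted conservatively,
        # since it deletes at least part of the archive.
        if prefixes and not any(prefix.startswith(p) or p.startswith(prefix)
                                for p in prefixes):
            continue
        delete = definition.get("actions", {}).get("baseBlob", {}).get("delete", {})
        days = delete.get("daysAfterModificationGreaterThan")
        if days is not None and (earliest is None or int(days) < earliest):
            earliest = int(days)
    return earliest


def check_retention(workspace_json: str, policy_json: str,
                    minimum_days: int = MINIMUM_DAYS,
                    target_days: int = TARGET_DAYS) -> dict:
    """Report effective retention against the minimum and target.

    Either copy of the logs can answer a forensic request, so the effective
    figure is the longer of the two paths; an unbounded archive satisfies both.
    """
    ws_days = workspace_retention_days(workspace_json)
    blob_days = blob_deletion_days(policy_json)
    effective = None if blob_days is None else max(ws_days, blob_days)
    unbounded = effective is None
    return {
        "workspace_days": ws_days,
        "blob_days": blob_days,
        "effective_days": effective,
        "meets_minimum": unbounded or effective >= minimum_days,
        "meets_target": unbounded or effective >= target_days,
    }


if __name__ == "__main__":
    for label, ws, pol in [("before", WORKSPACE_BEFORE, LIFECYCLE_BEFORE),
                           ("archive only", WORKSPACE_BEFORE, LIFECYCLE_AFTER),
                           ("after", WORKSPACE_AFTER, LIFECYCLE_AFTER)]:
        print(label, check_retention(ws, pol))
```

Run against the real outputs of `az monitor log-analytics workspace show` and `az storage account management-policy show` the check produces the same dictionary, which can be attached to the evidence index alongside the raw configuration; the "archive only" case shows that Blob archival on its own satisfies the target even while the workspace stays at 30 days, which is why the action lists the two approaches as alternatives.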
Gap 5: NDA / Confidentiality Clause (CC1.4)
| Field | Detail |
|---|---|
| TSC Reference | CC1.4 — Hiring and termination |
| Gap | Employment contracts exist but lack formal NDA or confidentiality clause |
| Action | Implement standalone NDA or add formal confidentiality clause to all employment/contractor agreements |
| Owner | Jan Marc Castlunger (ISO) |
| Target Date | May 2026 |
| Evidence | Signed NDAs; updated employment agreement template |
| Risk Register | R14 |
Gap 6: Physical Security Documentation (CC6.4)
| Field | Detail |
|---|---|
| TSC Reference | CC6.4 — Physical access restrictions |
| Gap | Cloud-only operation; no physical facility to secure |
| Action | Document formal exception with compensating controls (device encryption, screen lock, remote wipe) |
| Owner | Jan Marc Castlunger (ISO) |
| Target Date | May 2026 |
| Evidence | Exception document; device encryption verification |
3. Readiness Timeline
- Q2 2026: Gap closure (SLA docs, monitoring dashboards)
- Q3 2026: Readiness assessment; auditor selection
- Q4 2026: SOC 2 Type I audit; report issued
- Q1-Q2 2027: Observation period; SOC 2 Type II
Detailed Timeline
| Phase | Activity | Target Date | Status |
|---|---|---|---|
| Q2 2026 | Close all 6 identified gaps | June 2026 | 📋 Planned |
| Q2 2026 | Update control activities and evidence index | June 2026 | 📋 Planned |
| Q3 2026 | Conduct internal SOC 2 readiness assessment | July 2026 | 📋 Planned |
| Q3 2026 | Select and engage CPA firm | August 2026 | 📋 Planned |
| Q3 2026 | Pre-audit preparation (evidence collection) | September 2026 | 📋 Planned |
| Q4 2026 | SOC 2 Type I audit (point-in-time) | October-November 2026 | 📋 Planned |
| Q4 2026 | SOC 2 Type I report issued | December 2026 | 🎯 Target |
| Q4 2026 | Begin observation period for Type II | December 2026 | 📋 Planned |
| Q2-Q3 2027 | SOC 2 Type II audit (6-12 month period) | Q2-Q3 2027 | 📋 Planned |
4. Pre-Audit Checklist
Before engaging the SOC 2 auditor, complete the following:
- [ ] All 6 identified gaps closed and evidenced
- [ ] Evidence Index complete and up to date
- [ ] All control activities documented in Control Activities
- [ ] Trust Services Criteria Mapping reviewed and current
- [ ] Management representation letter prepared
- [ ] System description document drafted (describes Quick-ID system, boundaries, and components)
- [ ] All policies and procedures reviewed and approved within last 12 months
- [ ] Internal audit completed and corrective actions closed
5. Estimated Costs
| Item | Estimated Range | Notes |
|---|---|---|
| SOC 2 Type I audit | $15,000 - $30,000 | Point-in-time; lower cost |
| SOC 2 Type II audit | $25,000 - $50,000 | Covers observation period |
| Readiness assessment (optional) | $5,000 - $15,000 | Pre-audit gap analysis by CPA |
| Compliance tooling (optional) | $500 - $2,000/month | Vanta, Drata, or similar platform |
6. Success Criteria
| Metric | Target |
|---|---|
| SOC 2 Type I report | Unqualified opinion by December 2026 |
| SOC 2 Type II report | Unqualified opinion by Q3 2027 |
| Zero critical findings | No exceptions in Type I audit |
| Observation period coverage | All controls operating effectively throughout |