Plaidnox InfoSec
PLX-2025-012 | Confidential
Compliance Audit | SOC 2 Readiness | 18 Gaps Found

SOC 2 Type II Readiness
[REDACTED]

Gap analysis against SOC 2 Trust Services Criteria for [REDACTED] ahead of their planned Type II observation window beginning Q3 2025. Engagement ref. ENG-2025-0520.

Report ID: PLX-2025-012
Assessment Date: Feb 17 to Feb 28, 2025
Readiness Score: 63% / 100
Assessed by: Plaidnox InfoSec
01 . Overview

Readiness Summary

Plaidnox InfoSec completed a SOC 2 Type II readiness assessment for [REDACTED] covering all five Trust Services Criteria (TSC): Security (CC), Availability (A), Confidentiality (C), Processing Integrity (PI), and Privacy (P). The assessment reviewed 89 control points across the five criteria.

The overall readiness score is 63%, with 56 controls demonstrating adequate evidence and 33 controls presenting gaps. Of the 33 gaps, 6 are rated Critical (likely to result in a qualified opinion if unresolved), 12 High (significant control weakness), and 15 Medium/Low. The planned Type II observation window should be delayed until the Critical and High gaps are addressed.


02 . Trust Services Criteria Coverage

Criteria breakdown

Controls Assessed: 89
Controls Adequate: 56
Gaps (Critical+High): 18
Readiness: 63%

Criteria                    Controls  Adequate  Gaps  Status
Security (CC)                     47        28    19  Not Ready
Availability (A)                  14        12     2  Near Ready
Confidentiality (C)               12         8     4  Partial
Processing Integrity (PI)         11         6     5  Partial
Privacy (P)                        5         2     3  Not Ready

03 . Critical Gaps

Critical and High gaps requiring remediation

ID       Criteria  Gap                                                                                   Priority
GAP-001  CC6       No formal access review process; privileged access not reviewed quarterly            Critical
GAP-002  CC7       Vulnerability management programme absent; no documented scan or remediation process  Critical
GAP-003  CC8       Change management process not formally documented or consistently followed            Critical
GAP-004  P1        Personal data inventory incomplete; data flows undocumented for 3 of 5 processing activities  Critical
GAP-005  CC9       Vendor risk management; 14 critical vendors have no security questionnaire on file     Critical
GAP-006  CC5       Risk assessment not formally conducted in the last 12 months                           Critical
GAP-007  CC6       MFA not enforced for remote access to production systems                               High
GAP-008  CC7       Intrusion detection absent on production network segment                               High

Note: Full gap documentation for GAP-009 through GAP-033 is provided in the detailed annexe delivered under the engagement agreement.

04 . Remediation Roadmap

Path to SOC 2 readiness

Timeline: All 6 Critical gaps must be closed before the Type II observation window begins. A minimum 8-week remediation window is recommended before engaging the external auditor.

Gap      Action                                                                              Timeline  Owner
GAP-001  Implement quarterly access review with documented sign-off process                  Wk 1-3    IT / Compliance
GAP-002  Deploy vulnerability scanner; document scan cadence and SLA remediation policy      Wk 1-4    Plaidnox / IT
GAP-003  Formalise change management policy and implement approval workflow in Jira         Wk 2-4    Engineering Lead
GAP-004  Complete GDPR/data flow mapping using Plaidnox Data Inventory template              Wk 3-6    DPO / Compliance
GAP-005  Send security questionnaire to top 14 critical vendors; document responses          Wk 2-8    Procurement
GAP-006  Conduct annual risk assessment using ISO 27005 methodology; document register       Wk 4-6    Plaidnox

Conclusion

The SOC 2 Type II observation window should be delayed until the 6 Critical gaps are closed.

At 63% readiness, [REDACTED] is not currently in a position to begin a SOC 2 Type II observation window without significant risk of a qualified or adverse opinion. An 8-12 week remediation programme addressing the Critical and High-priority gaps is required before engaging the external auditor. Plaidnox will provide evidence-gathering support and a re-validation assessment at the end of the remediation cycle.

Plaidnox InfoSec | PLX-2025-012
Confidential | Authorised Distribution Only