📋 COMPLIANCE GUIDE · JULY 2026

Free SOC 2 Gap Analysis
Checklist for SMBs

SOC 2 Type II failure is avoidable — but 70%+ of first-time audits uncover control gaps that were fixable before the engagement started. A structured gap analysis identifies what you have, what's missing, and what documentation needs to be created. Catching gaps before you hire an auditor saves $20,000–$60,000 in re-engagement fees.

📅 July 7, 2026 🔬 AICPA TSC framework · CyberStackHub assessments 👥 B2B SaaS / Tech SMBs ⏱ 12 min read

What Is a SOC 2 Gap Analysis?

A SOC 2 gap analysis is a structured review that compares your current security controls against the requirements of the 5 Trust Service Criteria (TSC) defined by the AICPA. It answers three questions:

  • What controls do you already have? — documented policies, technical configurations, evidence of operation.
  • What controls are missing? — criteria requirements with no corresponding control or documentation.
  • What documentation needs to be created? — controls that exist operationally but aren't documented in a form auditors can evaluate.

A gap analysis is not a formal audit. It's an internal readiness check performed before you engage a licensed CPA firm. The distinction matters: auditors bill by the hour for formal engagements. Walking into an audit with known documentation gaps burns expensive time fixing things you could have addressed for free. The gap analysis is the step that makes the audit efficient.

For most SMBs, the gap between "we do this operationally" and "we have documented evidence of this that satisfies SOC 2 requirements" is the primary risk. Controls often exist; auditor-ready documentation often doesn't.

The 5 Trust Service Criteria — What Gaps Look Like

SOC 2 is built on five Trust Service Criteria. Only Security (CC) is required for all SOC 2 audits. The other four are optional — you add them based on your product, customers, and contract requirements.

🔐 Security (CC)
REQUIRED — all SOC 2 audits

Covers logical access controls, vulnerability management, change management, monitoring, incident response, and risk assessment. Common gaps: no quarterly access reviews (CC6.1), no documented change approval workflow (CC8.1), no vulnerability scan schedule with remediation SLAs (CC7.1).

⚡ Availability (A)
Optional — add for SLA commitments

System available for operation as committed. Common gaps: no documented uptime SLAs or incident communication procedure, no DR/BC testing records, availability monitoring not formally configured or documented.

⚙️ Processing Integrity (PI)
Optional — fintech / payroll systems

System processing is complete, accurate, timely, and authorized. Common gaps: no transaction reconciliation process, no error detection/correction procedures, processing exceptions not formally logged and reviewed.

🔒 Confidentiality (C)
Optional — confidential customer data

Information designated as confidential is protected. Common gaps: no data classification policy, no documented encryption standards, confidentiality agreements with employees/contractors not consistently maintained.

👤 Privacy (P)
Optional — PII / consumer data

Personal information collected, used, retained, and disclosed per AICPA GAPP principles. Common gaps: no privacy notice, no data retention/deletion policy, no formal data subject request handling process.

For most B2B SaaS SMBs: Start with Security + Confidentiality. Add Availability if you publish uptime SLAs. Add Privacy if you handle consumer PII. Processing Integrity is rarely required unless you're in fintech or payroll processing.

Top 10 SOC 2 Control Gaps (Most Common Audit Failures)

These are the controls most commonly absent in SMBs at the 11–200 employee stage and most frequently cited in SOC 2 audit findings. Fix them in this order — items 1 and 2 fail the most.

Access Control Policy & Quarterly Reviews CC6.1 — Most Failed

Documented procedure for provisioning, modifying, and deprovisioning user access. Quarterly access reviews with recorded output showing who reviewed, who was removed, and when. Most SMBs manage access reasonably but have never written a policy or run a formal quarterly review — this is the evidence gap, not the control gap.

Change Management Process CC8.1 — Second Most Failed

Documented approval workflow for changes to production systems. GitHub PR policies with required reviewer counts satisfy this for most SMBs. The gap is usually documentation: teams that deploy via PR approval have the control; they just haven't written the policy that says so.

Vulnerability Management Program CC7.1

Regular vulnerability scans (monthly minimum) with documented remediation SLAs. Open vulnerabilities tracked with assigned owners and target dates. Most SMBs have no formal program and no documentation — occasional ad-hoc scans don't satisfy this criterion.

Risk Management Program CC9.1

Annual documented risk assessment covering threat landscape, asset inventory, and residual risk evaluation. The risk register drives prioritization of other controls. Common gap: no formal risk register exists; risks are managed informally in team knowledge.

MFA on All Production Systems & Admin Accounts CC6.3

MFA enforced on email, cloud infrastructure (AWS, GCP, Azure), code repositories, production databases, and all privileged accounts. Use authenticator apps, not SMS. Gap usually isn't MFA absence — it's that MFA isn't enforced via policy and its enforcement isn't documented.

Encryption at Rest and in Transit CC6.7

All sensitive data encrypted at rest (AES-256). TLS 1.2+ on all data in transit. Documented encryption policy specifying algorithms and key management. Cloud providers often handle this automatically — but it needs to be documented and the configuration verified.

Log Monitoring & Retention CC6.8

Centralized logging of security events from all production systems. Log retention policy (12 months minimum for SOC 2). Alerting on anomalous activity. AWS CloudTrail, GCP Cloud Logging, and Azure Monitor satisfy this with proper configuration — the gap is typically no documented retention policy and no alerting rules.

Availability Monitoring & SLA Documentation A1.1

Uptime monitoring with documented SLAs and incident communication procedures. Required only if adding the Availability criterion. Common gap: uptime monitoring exists (e.g. PagerDuty, Datadog) but no SLA is formally defined or communicated to customers in a contractual form.

Security Monitoring & Alerting CC4.1

Ongoing monitoring of the security posture with documented alert thresholds and response procedures. This goes beyond logging — it requires evidence of someone reviewing alerts and acting on them. Many SMBs configure monitoring tools but have no documented review cadence.

Security Awareness Training with Completion Records CC2.1

Annual security awareness training for all employees with documented completion records covering phishing, password hygiene, and incident reporting. The gap is almost always documentation: companies do informal training without generating completion records that satisfy auditor evidence requirements.

Run Your Free SOC 2 Gap Analysis — 5 Minutes

CyberStackHub's Compliance Gap Analysis identifies which SOC 2 controls you have, which you're missing, and generates a prioritized remediation roadmap. Free, no account required.

How to Prepare for Your SOC 2 Gap Assessment — Step by Step

Follow this 6-step process before engaging a CPA firm. Companies that complete this sequence first typically see 40–60% shorter audit timelines and avoid the most common re-engagement costs.

1

Map Data Flows and Identify Which TSCs Apply

Document what data your systems process, store, and transmit. Based on data types and customer requirements, determine which Trust Service Criteria are in scope. Security (CC) is always required. Add Availability if you have SLA commitments; Confidentiality if you handle proprietary customer data; Privacy if you process consumer PII.

2

Document Your Current Controls Inventory

Create a list of every existing security control: policies, procedures, technical configurations, and tools. Be specific — "we use AWS" is not a control; "we have a documented MFA policy enforced on all AWS IAM accounts, last reviewed 2026-01-15, with evidence at [location]" is a control. Controls that exist but aren't documented are invisible to auditors.

3

Run a Free Gap Analysis Tool

Compare your controls inventory against SOC 2 requirements. CyberStackHub's Compliance Gap Analysis scores your posture across all TSC categories and generates a prioritized gap list. This step converts your controls inventory from a list into an actionable remediation plan.

4

Prioritize Gaps by Audit Frequency

CC6.1 (access control documentation) and CC8.1 (change management) fail most frequently in SMB audits — fix these first. CC7.1 (vulnerability management) and CC6.3 (MFA enforcement documentation) are next. Prioritize documentation gaps over process gaps: you can document a working control in days; implementing a missing control takes weeks.

5

Implement Top-Priority Controls

For each high-priority gap, take three actions: write the policy, implement the technical control, and create evidence. For MFA: enforce via IAM policy, document the configuration. For IRP: use CyberStackHub's free IRP Generator. For access reviews: create a quarterly calendar cadence with a documented output template. Allow at least 30 days of operating evidence before engaging an auditor for Type I.

6

Engage Auditor for Type I Readiness Check

Once top-priority controls are in place with documented evidence, engage a licensed CPA firm for a Type I audit (point-in-time assessment of control design). Type I takes 3–6 months from starting controls. Cost: $15,000–$40,000 in auditor fees. Type I unblocks most enterprise deals immediately while you build toward Type II.

Security Posture Report — The Documentation SOC 2 Auditors Expect

Get a 47-page scored assessment across 8 security domains — access control, vulnerability management, incident response, vendor risk, and more. The documentation package SOC 2 auditors expect to see, generated in minutes. $19 one-time.

SOC 2 Gap Analysis Checklist (25 Items)

Use this checklist to evaluate your current SOC 2 readiness before engaging an auditor. Each item represents a control or documentation requirement that SOC 2 auditors commonly review.

🔐 Security — Logical Access Controls (CC6)
CC6.1 — Documented access control policy with provisioning, review, and deprovisioning procedures
CC6.1 — Quarterly access reviews completed with documented output (who reviewed, changes made, date)
CC6.3 — MFA enforced on all production systems, admin accounts, and cloud infrastructure via policy
CC6.7 — Encryption policy documenting AES-256 at rest + TLS 1.2+ in transit for all sensitive data
CC6.8 — Centralized logging of security events with documented 12-month retention policy
⚙️ Security — System Operations (CC7–CC8)
CC7.1 — Vulnerability management program with monthly scans and documented remediation SLAs
CC7.2 — Security alerts monitored with documented review cadence and response procedures
CC8.1 — Change management policy with documented approval workflow for production deployments
CC8.1 — Evidence of change approvals (PR history, change tickets) maintained and accessible
CC9.1 — Annual risk assessment with documented risk register, asset inventory, and residual risk review
📋 Security — Risk & Governance (CC2–CC4)
CC2.1 — Security awareness training with annual completion records for all employees
CC4.1 — Security monitoring program with documented alert thresholds and escalation procedures
CC5.2 — Incident response plan documented, tested annually, and updated after any significant incident
CC9.2 — Vendor risk management: formal security review process for third-party vendors, annual re-assessment
CC1.1 — Security policies formally approved by management and communicated to all staff
⚡ Availability (A) — Add if including Availability criterion
A1.1 — Uptime SLAs formally defined, communicated to customers, and monitored with alerting
A1.2 — Incident communication procedure: how customers are notified of outages, with documented timelines
A1.3 — DR/BC plan documented and tested annually with recovery time objectives (RTOs) defined
🔒 Confidentiality (C) — Add if handling confidential customer data
C1.1 — Data classification policy defining what constitutes confidential information
C1.2 — NDAs / confidentiality agreements in place with all employees, contractors, and relevant vendors
C1.2 — Data destruction / disposal procedure for confidential data at end-of-life
👤 Privacy (P) — Add if processing consumer PII
P1.1 — Privacy notice published and accessible to all individuals whose data is collected
P4.1 — Data retention and deletion policy: how long PII is kept and how it's deleted
P6.1 — Data subject access request (DSAR) process: how individuals can request their data
P7.1 — Breach notification procedure covering notification to individuals and supervisory authorities

GDPR Gap Analysis — What US SMBs Need to Know

If your company handles personal data of EU residents — EU customers, EU employees, or EU website visitors — you're subject to GDPR regardless of where your company is headquartered. Fines reach €20 million or 4% of global annual revenue, whichever is higher.

A GDPR gap analysis compares your data handling practices against the 7 GDPR principles: Lawfulness & Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity & Confidentiality, and Accountability. Here are the 8 most common GDPR gaps for US-based SMBs:

1. No Data Processing Agreements (DPAs) with processors

GDPR Article 28 requires a written DPA with every vendor that processes EU personal data on your behalf (your email platform, CRM, cloud infrastructure provider, analytics tools). Most US SMBs have dozens of vendors processing EU data with no DPA in place.

2. No cookie consent mechanism

Analytics, advertising, and tracking cookies require prior informed consent from EU visitors. A cookie banner that defaults to "accepted" or buries opt-out doesn't satisfy GDPR requirements. Consent must be freely given, specific, informed, and unambiguous.

3. No privacy-by-design review in product development

GDPR Article 25 requires privacy to be considered at the design phase of new products and features, not added retroactively. Most US SMBs have no privacy review step in their development process or product roadmap.

4. No data subject access request (DSAR) process

EU individuals have the right to access, correct, and delete their personal data. You must respond to DSARs within 30 days. Most US SMBs have no documented DSAR process and no way to fulfill requests systematically across all data stores.

5. No 72-hour breach notification procedure

GDPR requires notifying the relevant supervisory authority within 72 hours of discovering a personal data breach. Many US SMBs have no documented breach notification procedure, and certainly not one calibrated to the 72-hour GDPR window.

6. No data retention policy

GDPR's Storage Limitation principle requires that personal data not be kept longer than necessary. US SMBs commonly retain customer data indefinitely — no deletion schedules, no data lifecycle management, no documented retention rationale.

7. No privacy notice for employees

EU employee data (HR records, payroll, monitoring) requires a separate privacy notice. US SMBs with EU employees — even a single remote hire — need a compliant employee data notice under GDPR Article 13.

8. No legitimate interest assessments (LIAs)

If you rely on "legitimate interests" as your legal basis for any data processing, GDPR requires a documented legitimate interest assessment (LIA) balancing your interests against data subjects' rights. Most US SMBs using this basis have never documented an LIA.

For a comprehensive GDPR compliance framework, see our GDPR Compliance Guide →

Frequently Asked Questions

What is a SOC 2 gap analysis?

A SOC 2 gap analysis is a structured comparison of your current security controls against the requirements of the SOC 2 Trust Service Criteria. It identifies what controls you have documented and operating, what's missing entirely, and what documentation needs to be created before you engage an auditor. A gap analysis is not a formal audit — it's an internal readiness check. Completing one before engaging a CPA firm saves $20,000–$60,000 in re-engagement fees by preventing audit failures on fixable documentation gaps.

How long does a SOC 2 gap analysis take?

A basic SOC 2 gap analysis takes 1–2 weeks for most SMBs. Using a structured tool like CyberStackHub's free Compliance Gap Analysis compresses the initial assessment to under an hour. A thorough gap analysis reviewing all documentation, system configurations, and vendor relationships takes 2–4 weeks. Remediating identified gaps typically takes 2–6 additional months depending on your current security maturity.

What's the difference between a SOC 2 gap analysis and a SOC 2 audit?

A SOC 2 gap analysis is an internal readiness exercise you do before hiring an auditor — it identifies what's missing so you can fix it. A SOC 2 audit is a formal engagement with a licensed CPA firm that results in an official SOC 2 report. Auditors issue opinions on whether your controls are properly designed (Type I, point-in-time) or operating effectively over 6–12 months (Type II, continuous). The gap analysis is diagnostic and preparatory; the audit is formal and results in a shareable compliance report. Always run a gap analysis first — presenting an auditor with known gaps wastes expensive billable hours on fixable issues.

What are the most common SOC 2 control gaps for SMBs?

Based on CyberStackHub compliance gap assessment data, the most common SOC 2 control gaps for SMBs are: (1) No documented access control policy or quarterly access reviews (CC6.1 — most common failure). (2) No formal change management process with documented approvals (CC8.1 — second most common). (3) MFA not enforced via policy with documented evidence (CC6.3). (4) No formal vulnerability management program with remediation SLAs (CC7.1). (5) Security awareness training without documented completion records. (6) Incident response plan exists but hasn't been tested or isn't documented. (7) No formal vendor risk management process.

Can I do a SOC 2 gap analysis myself?

Yes — a SOC 2 gap analysis is something your team can do without hiring a consultant. The AICPA publishes the Trust Services Criteria with specific control requirements. For most SMBs, the Security (CC) criterion is required, and the gap analysis focuses on whether controls in CC6 through CC9 are documented and operating. CyberStackHub's free Compliance Gap Analysis automates this assessment — you answer questions about your current controls and receive a scored gap report with prioritized remediation steps. More complex organizations (multi-cloud, financial services, healthcare) may benefit from an external readiness consultant.

What does a SOC 2 gap assessment cost?

A self-directed SOC 2 gap assessment costs nothing beyond internal time (typically 20–80 hours). CyberStackHub's Compliance Gap Analysis tool is free. A consultant-led gap assessment costs $5,000–$20,000. Compliance automation platforms (Vanta, Drata, Sprinto) include gap assessment features in their $7,000–$20,000/year subscriptions. The gap assessment cost is minimal compared to the cost of a failed audit re-engagement ($15,000–$40,000 per engagement), making it the highest-ROI step in the SOC 2 journey.

What is a GDPR gap analysis?

A GDPR gap analysis compares your data handling practices against the requirements of the General Data Protection Regulation. The GDPR is structured around 7 data protection principles: Lawfulness/Transparency, Purpose Limitation, Data Minimisation, Accuracy, Storage Limitation, Integrity/Confidentiality, and Accountability. A gap analysis identifies where your practices fall short — for example, whether you have valid consent mechanisms, documented data processing agreements with vendors, a DSAR process, and a 72-hour breach notification procedure. For US companies handling EU customer data, GDPR gaps are the most common unaddressed compliance risk.

Do US companies need a GDPR gap analysis?

US companies need a GDPR gap analysis if they handle personal data of EU residents — regardless of where the company is located. GDPR applies based on where data subjects are, not where the company is headquartered. A US SaaS company with EU customers, a US e-commerce site shipping to EU addresses, or a US company with EU remote employees is subject to GDPR. Penalties reach €20 million or 4% of global annual revenue. For most US SMBs, the primary GDPR gaps are: missing data processing agreements (DPAs) with vendors, no cookie consent mechanism, no DSAR process, and no 72-hour breach notification procedure.

Related Resources

Protect Your SOC 2 Readiness Period with Cyber Insurance

The period between starting SOC 2 preparation and completing your Type II audit is when your risk exposure is highest — you've identified gaps but haven't fully closed them. Corgi cyber liability insurance covers residual risk during audit preparation. SOC 2 certification can reduce your premiums.

Free Tool

Know where your SOC 2 gaps are — before your auditor does.

Run a free compliance gap analysis in 5 minutes. See which SOC 2 controls you're missing, get a prioritized remediation roadmap, and generate the documentation auditors expect.

Run Free Gap Analysis →

No signup required · Results in 5 minutes · Your data never shared