SOC 2 Readiness Assessment Questionnaire

Carbide

Assess Your Readiness for SOC 2 (Common Criteria)

Is your organization prepared to meet the rigorous security standards required for SOC 2 compliance?

Carbide’s SOC 2 Readiness Assessment helps you evaluate your current security posture against the Common Criteria and identify critical areas for improvement.

With this assessment, you’ll:

Gauge your alignment with SOC 2 Trust Services Criteria
Identify security gaps that could impact your compliance status
Receive clear guidance on strengthening your security controls
Build confidence in your SOC 2 compliance journey

Take the first step toward SOC 2 certification today. Complete our assessment and receive a comprehensive report evaluating your readiness and outlining actionable next steps.

Please answer each question based on your company's current practices.

Does your company have documented policies for information security?(Required)

Fully documented and regularly updated.

Partially documented.

Informally managed, not documented.

No policies in place.

Have employees received training on security policies within the last year?(Required)

Yes, comprehensive training.

Some training, but limited.

Informal or ad hoc training.

No training provided.

How often are user access rights reviewed?(Required)

Quarterly or more frequently.

Annually.

Only upon request.

Rarely or never.

Do you require Multi-Factor Authentication (MFA) to access critical systems?(Required)

Yes, required for all systems.

Required for some critical systems.

Optional, not enforced.

Not implemented.

Are security incidents formally tracked and documented?(Required)

Yes, consistently documented and reviewed.

Occasionally documented.

Informally tracked, no formal documentation.

Not tracked/documented.

Does your organization conduct regular vulnerability scanning?(Required)

Yes, quarterly or more frequently.

Annually.

Occasionally or informally.

Not conducted.

Does your organization conduct penetration testing regularly?(Required)

Yes, annually or more frequently.

Occasionally or informally.

Only after incidents.

Not conducted.

Are systems regularly patched and updated?(Required)

Consistently, according to documented schedules.

Occasionally or informally.

Only when issues arise.

Rarely or never.

Does your organization have documented change management procedures for software/systems changes?(Required)

Yes, fully documented and followed.

Partially documented.

Informally managed.

Not documented.

How does your organization handle data backups?(Required)

Regular automated backups with testing.

Manual or occasional backups.

Informal backup practices.

No defined backup practices.

Is your physical office space secured (e.g., card access, visitor logs)?(Required)

Yes, with formal access controls.

Partially secured.

Informally secured.

No physical office or fully remote.

Do you have documented procedures for employee onboarding and offboarding?(Required)

Fully documented and enforced.

Partially documented.

Informal procedures only.

No procedures.

Are background checks conducted for employees with access to sensitive data?(Required)

Yes, for all relevant roles.

Sometimes, depending on role.

Informal reference checks only.

No background checks.

Is data encrypted in transit and at rest?(Required)

Yes, fully encrypted in transit and at rest.

Partially encrypted.

Only encrypted in transit.

Not encrypted.

Do you have formal contracts or agreements in place with third-party vendors?(Required)

Yes, fully managed agreements.

Basic agreements with limited review.

Informal agreements.

No agreements.

Do you conduct security assessments on third-party contractors and software providers?(Required)

Regular, formal assessments.

Occasionally or informally.

Only during initial selection.

Not conducted.

Is there a documented business continuity or disaster recovery plan?(Required)

Yes, tested and regularly updated.

Yes, but not tested regularly.

Informal or incomplete plan.

No plan.

Do you regularly test your incident response and business continuity/disaster recovery plans?(Required)

Yes, tested annually or more frequently.

Tested occasionally.

Informally tested.

Never tested.

Do you monitor and log access to sensitive systems and data?(Required)

Yes, actively monitored and logged.

Partially or occasionally monitored.

Informally tracked.

No monitoring or logging.

Is endpoint protection (antivirus, malware protection) installed and maintained on workstations and laptops?(Required)

Yes, consistently across all devices.

Partially deployed or maintained.

Informally or occasionally.

Not installed.

Is there a formal process for identifying and mitigating business risks?(Required)

Fully documented and regularly reviewed.

Informally conducted.

Only ad hoc reviews.

No process.

Do you regularly review security roles and responsibilities within your company?(Required)

Quarterly or more frequently.

Annually.

Occasionally or informally.

Rarely or never.

Are your incident response procedures documented and communicated to relevant staff?(Required)

Yes, documented and regularly tested.

Documented, not regularly tested.

Informal procedures.

No incident response procedures.

Does management regularly review security performance and effectiveness?(Required)

Quarterly or more frequently.

Annually.

Occasionally or informally.

Rarely or never.

Do you have formal procedures for ensuring compliance with applicable regulations (e.g., GDPR, CCPA)?(Required)

Fully documented and regularly reviewed.

Partially documented.

Informal practices only.

No formal compliance procedures.

Please fill out the following to get your report.

Name(Required)

First Last

Email Address(Required)

Company(Required)

How did you hear about us?

By submitting this request you consent to receive emails from Carbide. You can opt-out from receiving emails at any time.

Stay up-to-date on all things Carbide

Get expert security & privacy guidance delivered straight to your inbox.

Email(Required)

Signup Consent(Required)

Subscribe and stay informed.(Required)

CAPTCHA

Phone

This field is for validation purposes and should be left unchanged.

What We Do

Platform
Trust Center
Cloud Monitoring
Integrations
Penetration Testing

Frameworks

CCPA
CCCS
CMMC
GDPR
HIPAA
ISO 27001
NIST 800-53
NIST 800-171
PCI DSS
PIPEDA
SOC 2

Resources

All Resources
Case Studies
Blog
Videos
eBooks
News
Glossary

Company

About Carbide
MSP Partners
Customers
Careers
Contact

Carbide Reviews

•Privacy Notice
•Terms of Service