Framework readiness shows the current status of each in-scope framework in your environment. It reflects whether the requirements or controls that make up a framework meet the conditions for being "ready."
Use the readiness status to:
Track progress toward compliance.
Identify gaps in evidence or approvals.
Focus your efforts on what's needed to reach audit readiness.
Readiness is dependent on the other:
A framework is ready when its requirements or controls are ready.
A requirement is ready when all its mapped controls are ready.
A control is ready when all conditions for readiness are met.
SOC 2 Readiness
SOC 2 readiness is a critical part of preparing for compliance with the SOC 2 standards. It involves tracking and evaluating the readiness of your organization's controls or requirements to ensure they meet the necessary Trust Services Criteria (TSC). The readiness score indicates how prepared your organization is to successfully complete a SOC 2 audit.
View Framework Readiness
You can measure readiness by Controls or Requirements.
Controls (default): Readiness is based on the number of in-scope controls that are ready.
Requirements: Readiness is based on the number of in-scope requirements that are ready.
Use the toggle at the top of the Frameworks page to switch between these two options. When you change the toggle, the following pages are updated to reflect your selection:
The Frameworks page
Individual framework detail pages
The Readiness overview section on the Dashboard page.
Your selection applies only to your account. It does not affect other user's views.
When measuring SOC 2 readiness specifically, these measurement differences can significantly impact your readiness score. For example, in requirement-based measurement, if even one mapped control is not ready, the requirement will be marked as not ready, potentially resulting in a lower or even 0% readiness score despite progress on individual controls.
When is a Requirement Ready
A requirement is considered ready when all of its mapped controls are ready.
Scenario | Requirement status |
Requirement is mapped to multiple controls and one of the controls is not ready. | Not ready |
Mapped to zero controls | Not ready |
Mapped to multiple controls that are all ready | Ready |
You can filter requirements by their readiness status on a framework page—'Ready' or 'Not Ready'—to gauge what needs your attention. The filter on the left will always apply to Requirement readiness.
When a Control Is Ready
A control is considered ready when it meets all of the following criteria.
Scenario | Control status |
Control is mapped to multiple evidence and one of the evidence is not ready. | Not ready |
Control is not mapped to any evidence. | Not ready |
Control requires approval, and it hasn’t been approved. | Not ready |
Control is mapped to multiple evidence items, and all are valid and approved (if required). | Ready |
Evidence is considered valid if it meets all of the following conditions:
Tests are in a Passing state.
All mapped Policies have a published version.
Mapped Evidence Library artifacts are within their renewal date.
Mapped Miscellaneous evidence (files or URLs) is within its renewal date.
A control that requires approval is approved.
Evidence is considered invalid if any of the following conditions apply:
Tests are in a Failing state.
Mapped Policy is not published.
Mapped Evidence Library artifact has exceeded its renewal date.
Mapped Miscellaneous evidence (file or URL) has exceeded its renewal date.
A control that requires approval is not approved.
On the Controls page you can filter controls by their readiness status—'Ready' or 'Not Ready'—to gauge which controls need your attention.
Common Challenges and Troubleshooting Readiness Issues
Users sometimes encounter specific challenges when tracking framework readiness, particularly with SOC 2 compliance.
Why Does My Readiness Score Show 0%?
This issue often arises when using the requirement-based measurement. Since all controls mapped to a requirement must be ready for the requirement to be considered ready, even slight progress might not reflect in your score unless all related controls are marked as ready. You can troubleshoot this issue by switching between control-based and requirement-based perspectives to understand the discrepancy.
Actions Based on Readiness Status
Pre-Audit Checks
Once your readiness score reflects significant progress (e.g., a high percentage of readiness), it is recommended to schedule a Pre-Audit Check. This can be arranged by contacting your customer success manager or account manager.
Understanding SOC 2 Readiness Criteria
Your SOC 2 readiness partially depends on the Trust Services Criteria (TSC) in scope (e.g., Security and additional criteria relevant to your organization). Scoping is typically defined internally based on your business context, risks, and objectives. It is crucial to validate these definitions with your auditor for alignment. SOC 2 does not require specific controls but evaluates the extent to which selected controls meet the criteria.
Common Reasons for "Not Ready" Status
Several conditions can cause a DCF control to be marked as "Not Ready":
Failing Monitored Tests
A control linked to failing monitored tests will be marked "Not Ready" because the evidence it relies on is considered invalid. For example, DCF-55 is linked to Test 253, which monitors Azure Storage Accounts accessed via private endpoints. If this test is in a failing state, DCF-55 remains "Not Ready."
For more details on Test 253, visit: Azure Storage Accounts Accessed via Private Endpoints.
Outdated Mappings or Manual Updates
If a control has been replaced or updated within the framework and the customer has not manually updated their mapping, it may remain as "Not Ready." For instance, DCF-151 was replaced by DCF-478 in newer mappings, but if DCF-151 is still included in your mapping, it will retain its status unless updated manually.
To resolve the "Not Ready" status for a control, follow these steps:
Check Linked Test Results
Identify and review the tests linked to the control. Navigate to the test details provided in the platform or external resources (e.g., Test 253 for DCF-55).
Address the failing condition and re-run the test.
Validate Evidence
Ensure all monitored tests linked to the control are passing.
Verify that all mapped policies linked to the control are published.
Ensure any required approvals have been completed.
Update Mappings
Periodically review the mappings for your framework. If a replacement control exists (e.g., DCF-478 for DCF-151), update your system to reflect the latest standards.