
SOC 2 Type II Readiness Assessment

CODITECT Biosciences Quality Management System Platform


Document Control

Metadata

Field | Value
--- | ---
Document ID | CODITECT-BIO-SOC2-RA-001
Version | 1.0.0
Status | Active
Effective Date | 2026-02-16
Classification | Internal - Confidential
Owner | Chief Information Security Officer (CISO) + VP Engineering
Review Cycle | Quarterly (next review: 2026-05-16)
Audience | Board of Directors, Executive Leadership, Investors, Audit Committee

Approval History

Role | Name | Signature | Date
--- | --- | --- | ---
Chief Executive Officer | [Pending] | [Digital Signature] | YYYY-MM-DD
Chief Information Security Officer | [Pending] | [Digital Signature] | YYYY-MM-DD
VP Engineering | [Pending] | [Digital Signature] | YYYY-MM-DD
VP Quality Assurance | [Pending] | [Digital Signature] | YYYY-MM-DD
General Counsel | [Pending] | [Digital Signature] | YYYY-MM-DD

Revision History

Version | Date | Author | Changes | Approval Status
--- | --- | --- | --- | ---
1.0.0 | 2026-02-16 | CISO Office | Initial readiness assessment | Draft

Distribution List

  • Board of Directors
  • Executive Leadership Team
  • Audit Committee
  • Compliance and Regulatory Affairs
  • Information Security Team
  • Quality Assurance Team
  • Investor Relations (summary only)
  • External Audit Partners (post-approval)

Executive Summary

Purpose

This SOC 2 Type II Readiness Assessment provides the Board of Directors, Executive Leadership, and Audit Committee with a comprehensive evaluation of CODITECT BIO-QMS platform's current compliance posture relative to the AICPA Trust Service Criteria (TSC). The assessment identifies gaps, quantifies remediation effort, and establishes a Type I and Type II audit roadmap with milestone dates and budget estimates.

Key Findings (Executive-Level Summary)

Overall Readiness: 68% (Moderate-High)

Category | Status | Completion | Critical Gaps
--- | --- | --- | ---
Security (CC6, CC7) | 🟢 Strong | 85% | None
Availability (A1) | 🟡 Moderate | 72% | Disaster recovery testing, capacity planning
Processing Integrity (PI1) | 🟢 Strong | 90% | None (leverages FDA Part 11 validation)
Confidentiality (C1) | 🟢 Strong | 88% | Data classification policy, DLP
Privacy (P1-P8) | 🟡 Moderate | 45% | Privacy program, consent management, DSAR automation
Common Criteria governance (CC1-CC5, CC8, CC9) | 🟡 Moderate | 65% | Risk assessment framework, change management formalization

Investment Required:

  • Type I Readiness (Q3 2026): $85K - $120K (gap closure + internal audit prep)
  • Type I Audit (Q4 2026): $45K - $75K (CPA firm fees)
  • Type II Observation Period (6 months): $30K - $50K (ongoing evidence collection)
  • Type II Audit (Q2 2027): $65K - $95K (CPA firm fees)
  • Total 12-Month Investment: $225K - $340K

Section 4.3 itemizes external spend only (consultants, legal review, SaaS tooling, CPA fees) and excludes internal staff time, so its totals sit below the ranges above; the ranges are the broader planning envelope.

Key Strengths:

  1. FDA 21 CFR Part 11 validation complete — Provides ~80% of Processing Integrity (PI1) controls
  2. HIPAA Security Rule compliance complete — Provides ~75% of Confidentiality (C1) and Security (CC6) controls
  3. Cryptographic foundation mature — ECDSA P-256, AES-256-GCM, certificate chain architecture, Cloud KMS key management (HSM-backed signing keys are listed as planned in section 5.1 and cannot be cited as evidence until live)
  4. Audit trail system robust — Immutable hash-chain audit logs with cryptographic integrity verification (D.5.1 is listed as planned in section 2.4; only the portion in production counts as audit evidence)
  5. Multi-tenancy isolation strong — Per-tenant encryption keys, database-level isolation, crypto-shredding on deletion

Critical Path to Type I (Q3 2026 Target):

  1. P0 (Must fix before Type I audit):

    • Formalize risk assessment framework (CC3.1-CC3.4; see section 5.3)
    • Implement change management policy with CAB approval workflow
    • Document system description for CPA auditor
    • Privacy program establishment (if Privacy criterion in scope)
  2. P1 (Should fix before Type I audit):

    • Disaster recovery plan + tabletop test
    • Vendor risk management program
    • Security awareness training for all staff
    • Evidence collection automation

Recommended Audit Firm Selection:

  • Big 4 Option: Deloitte, PwC, EY, KPMG ($75K Type I, $95K Type II)
    • Pros: Brand recognition for investor/customer trust, deep healthcare expertise
    • Cons: Higher cost, longer engagement cycle
  • Specialized Option: A-LIGN, Schellman, KirkpatrickPrice ($45K Type I, $65K Type II)
    • Pros: SOC 2 specialization, faster turnaround, pragmatic approach
    • Cons: Less brand recognition

Recommendation: Pursue specialized firm (A-LIGN or Schellman) for Type I to accelerate time-to-market, then reassess for Type II based on investor/customer requirements.

Timeline Summary

Milestone | Target Date | Dependencies
--- | --- | ---
Gap Closure Complete | 2026-06-30 | D.4.1-D.4.3, D.5.1-D.5.4
Internal Readiness Audit | 2026-07-15 | Gap closure, mock audit by CISO
Type I Audit Fieldwork | 2026-08-01 to 2026-08-15 | Auditor engagement, system freeze
Type I Report Issued | 2026-09-15 | Audit completion, management responses
Type II Observation Period | 2026-09-16 to 2027-03-15 | 6 months operating effectiveness
Type II Audit Fieldwork | 2027-03-16 to 2027-04-15 | Type II scope, evidence package
Type II Report Issued | 2027-05-15 | Audit completion, final report

1. SOC 2 Framework Overview

1.1 Trust Service Criteria Hierarchy

The 2017 Trust Service Criteria (TSC) consist of:

Common Criteria (CC1-CC9) — Apply to ALL SOC 2 engagements:

  • CC1: Control Environment
  • CC2: Communication and Information
  • CC3: Risk Assessment
  • CC4: Monitoring Activities
  • CC5: Control Activities
  • CC6: Logical and Physical Access Controls
  • CC7: System Operations
  • CC8: Change Management
  • CC9: Risk Mitigation

Category-Specific Criteria — Selected based on service commitments:

  • Security: no additional criteria; it is met by the Common Criteria alone and is the one category required in every SOC 2 report
  • Availability (A1.1-A1.3): 3 criteria — system operational and usable as committed
  • Processing Integrity (PI1.1-PI1.5): 5 criteria — processing complete, valid, accurate, timely, authorized
  • Confidentiality (C1.1-C1.2): 2 criteria — confidential information protected as committed
  • Privacy (P1.1-P8.1): 18 criteria — personal information lifecycle management

1.2 Type I vs Type II Audits

Aspect | Type I | Type II
--- | --- | ---
Focus | Control design and implementation | Control operating effectiveness
Timeline | Point-in-time (single date) | 6-12 month observation period
Testing | Walkthrough of controls | Sampling of control execution across the period
Report Value | Demonstrates "we have controls" | Demonstrates "controls work consistently"
Duration | 2-4 weeks fieldwork | 3-6 weeks fieldwork
Cost | $45K-$75K | $65K-$95K
Customer Preference | Acceptable for early-stage | Preferred by enterprise customers

Recommendation: Pursue Type I in Q3 2026 to accelerate GTM, then Type II in Q2 2027 for enterprise sales.

1.3 BIO-QMS Scope Definition

Recommended Scope for Initial SOC 2 Engagement:

In Scope:

  • Security (Common Criteria): MANDATORY — Required in every SOC 2 report; no separate criteria beyond CC1-CC9
  • Availability (A1): RECOMMENDED — 99.9% uptime SLA commitment
  • Processing Integrity (PI1): RECOMMENDED — Core QMS validation workflows
  • Confidentiality (C1): RECOMMENDED — PHI and proprietary data handling

Out of Scope (Defer to Future):

  • Privacy (P1-P8): DEFER — Only if explicit privacy commitments to customers; significant lift (18 criteria plus the supporting program)

Rationale: Security + Availability + Processing Integrity + Confidentiality provides comprehensive coverage for healthcare SaaS without the 6-9 month delay that Privacy criteria would introduce.


2. Current State Assessment

Numbering note: the criterion IDs in the tables below are this assessment's working breakdown. CC1-CC5 sub-criteria match TSC 2017 one for one; CC6-CC9, Availability, Processing Integrity and Confidentiality do not (TSC 2017 has CC6.1-CC6.8, with CC6.5 disposal, CC6.6 boundary protection, CC6.7 transmission and CC6.8 malware; a single CC8.1; CC9.1-CC9.2; A1.1-A1.3; PI1.1-PI1.5 with different wording; and C1.1-C1.2). Map each row to the auditor's numbering when the system description (section 5.1) is drafted.

2.1 Common Criteria (CC1-CC9) Maturity

CC1: Control Environment

Status: 🟡 Partial (55%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC1.1: Commitment to integrity and ethics | Partial | Code of Conduct (existence to be confirmed) | Formalize ethics policy, annual attestation
CC1.2: Board oversight | Partial | No formal Audit Committee yet | Establish Audit Committee or designate board oversight
CC1.3: Management structure and authorities | Implemented | Org chart, role definitions | None
CC1.4: Commitment to competence | Partial | Job descriptions exist | Define technical competency matrix, training requirements
CC1.5: Accountability and performance measures | Gap | No formal KPI framework | Define security/compliance KPIs, quarterly reviews

Remediation Required:

  • CC1.1: Draft and approve Code of Business Conduct and Ethics ($5K legal review, 2 weeks)
  • CC1.2: Establish Audit Committee charter or Board resolution delegating oversight (1 week)
  • CC1.4: Document technical competency matrix for security/engineering roles (1 week)
  • CC1.5: Define compliance KPI dashboard (integrate with D.5.3 Compliance Dashboard) (2 weeks)

Effort: 2 weeks FTE + $5K legal fees


CC2: Communication and Information

Status: 🟡 Partial (70%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC2.1: Quality information | Implemented | JIRA, Slack, documentation repositories | None
CC2.2: Internal communication | Implemented | Slack channels, all-hands, sprint planning | Formalize security incident communication protocol
CC2.3: External communication | Partial | Customer support ticketing | Service status page, breach notification procedures

Remediation Required:

  • CC2.2: Document security incident communication plan (internal escalation tree) (1 week)
  • CC2.3: Implement status page (statuspage.io or similar, $29/month) + breach notification workflow (2 weeks)

Effort: 3 weeks FTE + $29/month SaaS


CC3: Risk Assessment

Status: 🔴 Gap (35%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC3.1: Risk identification | Partial | Ad-hoc threat modeling | Formalize enterprise risk assessment process (methodology in section 5.3)
CC3.2: Risk analysis and prioritization | Gap | No formal risk register | Create and maintain risk register with likelihood/impact scoring
CC3.3: Risk response | Partial | Security controls exist | Document risk treatment decisions (accept/mitigate/transfer/avoid)
CC3.4: Fraud risk assessment | Gap | No formal fraud risk assessment | Conduct fraud risk assessment (insider threat, payment fraud, identity fraud)

Remediation Required (P0 - Critical):

  • CC3.1: Implement annual risk assessment process covering CC3.1-CC3.4 (3 weeks, engage consultant $15K)
  • CC3.2: Create risk register in GRC tool or spreadsheet (1 week)
  • CC3.3: Document risk treatment plan for top 20 risks (2 weeks)
  • CC3.4: Conduct fraud risk assessment workshop (1 day, $5K consultant)

Effort: 6 weeks FTE + $20K consulting fees

Note: This is the SINGLE BIGGEST GAP for SOC 2 readiness. CC3 is heavily scrutinized by auditors.


CC4: Monitoring Activities

Status: 🟡 Partial (60%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC4.1: Ongoing and separate evaluations | Partial | GCP Security Command Center, Dependabot | Formalize quarterly control testing schedule
CC4.2: Evaluation and communication of deficiencies | Partial | JIRA for security bugs | Formalize deficiency escalation and remediation tracking

Remediation Required:

  • CC4.1: Create quarterly internal control testing schedule (D.4.2 monitoring integration) (1 week)
  • CC4.2: Implement security deficiency tracking workflow in JIRA with SLA (1 week)

Effort: 2 weeks FTE


CC5: Control Activities

Status: 🟢 Strong (80%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC5.1: Selection and development of controls | Implemented | Security architecture, encryption, access controls | Document control selection rationale
CC5.2: Technology general controls | Implemented | IAM, MFA, encryption, audit logging | None
CC5.3: Policies and procedures | Partial | Security policies exist | Consolidate into formal policy library with version control

Remediation Required:

  • CC5.1: Document control selection rationale for each TSC criterion (2 weeks)
  • CC5.3: Organize policy library with annual review schedule (1 week)

Effort: 3 weeks FTE


CC6: Logical and Physical Access Controls

Status: 🟢 Strong (85%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC6.1: Logical access controls | Implemented | Google Workspace SSO, MFA, RBAC | None (leverages D.3.1 HIPAA access controls)
CC6.2: Privilege escalation | Implemented | Sudo logging, break-glass procedures | None
CC6.3: Removal of access | Implemented | Offboarding checklist | Automate access removal via HR system integration
CC6.4: Physical access controls | N/A | Cloud-only SaaS | Verify GCP datacenter SOC 2 reports
CC6.5: Data at rest protection | Implemented | AES-256-GCM, per-tenant keys, Cloud KMS (HSM planned, section 5.1) | None (D.1 cryptographic controls)
CC6.6: Data in transit protection | Implemented | TLS 1.3, HSTS, certificate pinning | None (D.1 cryptographic controls)
CC6.7: Data disposal | Partial | Crypto-shredding on tenant deletion | Document retention policy, secure deletion procedures

Remediation Required:

  • CC6.3: Implement HR system webhook to auto-revoke access on termination (1 week)
  • CC6.4: Obtain GCP SOC 2 reports and map controls to BIO-QMS (1 week)
  • CC6.7: Formalize data retention and deletion policy (1 week, $5K legal review)

Effort: 3 weeks FTE + $5K legal fees


CC7: System Operations

Status: 🟡 Partial (72%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC7.1: Detection of system failures | Implemented | GCP monitoring, Prometheus, Grafana | None
CC7.2: Response to system failures | Partial | On-call rotation, runbooks | Formalize incident response plan, conduct tabletop test
CC7.3: System capacity management | Gap | No formal capacity planning | Implement capacity planning process (CPU, memory, storage forecasts)
CC7.4: System backups | Implemented | GCS snapshots, PITR for databases | Test backup restoration quarterly
CC7.5: Vulnerability management | Implemented | Dependabot, Trivy, quarterly scans | None

Remediation Required:

  • CC7.2: Document incident response plan (IRP) with roles, escalation tree, tabletop test (2 weeks)
  • CC7.3: Implement capacity planning dashboard (CPU/mem/storage growth trends, 6-month forecast) (2 weeks)
  • CC7.4: Schedule quarterly backup restoration tests (1 day per quarter)

Effort: 4 weeks FTE + ongoing quarterly testing


CC8: Change Management

Status: 🟡 Partial (65%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC8.1: Authorization of changes | Partial | GitHub PR approvals | Formalize Change Advisory Board (CAB) for production changes
CC8.2: System development lifecycle | Implemented | Sprint planning, code review, CI/CD | None
CC8.3: Infrastructure and software maintenance | Implemented | Dependabot, OS patching, Kubernetes version upgrades | None
CC8.4: Segregation of duties | Implemented | Developers cannot deploy to production | None

Remediation Required (P0):

  • CC8.1: Establish Change Advisory Board (CAB) with weekly meetings, change request template, approval workflow (2 weeks)
    • CAB Members: VP Engineering (chair), CISO, SRE Lead, QA Lead
    • Approval Thresholds: Standard (auto-approve), Normal (CAB approval), Emergency (post-implementation review)

Effort: 2 weeks FTE


CC9: Risk Mitigation

Status: 🟡 Partial (70%)

Control | Current State | Evidence | Gap
--- | --- | --- | ---
CC9.1: Identification of risk of business disruption | Partial | Disaster recovery plan exists (partial) | Complete DR plan, test failover quarterly
CC9.2: Mitigation of risk of business disruption | Gap | No tested DR runbook | Conduct DR tabletop test, document RTO/RPO
CC9.3: Vendor risk management | Partial | Vendor contracts reviewed by legal | Formalize third-party risk assessment process

Remediation Required:

  • CC9.1: Complete disaster recovery plan with RTO (4 hours) and RPO (1 hour) targets (2 weeks)
  • CC9.2: Conduct DR tabletop exercise with SRE team (1 day)
  • CC9.3: Implement vendor risk assessment questionnaire (SIG Lite or custom) (1 week)

Effort: 3 weeks FTE + 1 day DR test


2.2 Security Criterion (Common Criteria) Maturity

Status: 🟢 Strong (85%)

Under TSC 2017 the Security category has no criteria of its own; it is met by CC1-CC9 (the A1 series is Availability). The rows below are the CC6/CC7 criteria an auditor tests as the security core, in TSC 2017 numbering.

TSC Criterion | Description | Current State | Evidence | Gap
--- | --- | --- | --- | ---
CC6.6 | Unauthorized access prevented (boundary protection) | Implemented | RBAC, MFA, SSO, network segmentation | None
CC6.1 | Logical access controls | Implemented | D.3.1 HIPAA access controls | None
CC6.7 | Data loss prevention (restrict movement of PHI) | Partial | TLS, encryption at rest | Implement DLP tools for PHI exfiltration prevention
CC7.2 | Intrusion and anomaly detection | Partial | GCP Security Command Center | Deploy HIDS/NIDS (Falco or Wazuh)

Remediation Required:

  • CC6.7: Evaluate DLP solutions (Google DLP API or Nightfall AI) and implement PHI detection rules (3 weeks, $500/month SaaS)
  • CC7.2: Deploy Falco for runtime threat detection on GKE (2 weeks)

Effort: 5 weeks FTE + $500/month SaaS

Strengths:

  • Leverages complete HIPAA Security Rule implementation (D.3)
  • Cryptographic controls mature (D.1)
  • Multi-factor authentication enforced
  • Per-tenant data isolation with crypto-shredding

2.3 Availability Criterion (A1) Maturity

Status: 🟡 Moderate (72%)

Ref | Description | Current State | Evidence | Gap
--- | --- | --- | --- | ---
A1.1 | Availability commitments | Partial | 99.9% SLA documented | Measure and report uptime monthly
A1.2 | System monitoring | Implemented | GCP Monitoring, Prometheus, Grafana, PagerDuty | None
A1.3 | Incident response | Partial | On-call rotation, runbooks | Formalize IRP (see CC7.2)
A1.4 | Disaster recovery | Gap | No tested DR plan | Complete DR plan + quarterly tests (see CC9.1-CC9.2)
A1.5 | Capacity management | Gap | No formal capacity planning | Implement capacity forecasting (see CC7.3)

Remediation Required:

  • A1.1: Implement uptime monitoring dashboard (Pingdom or UptimeRobot, $15/month) with monthly SLA reports (1 week)
  • A1.3: Formalize incident response plan (see CC7.2) (2 weeks)
  • A1.4: Complete DR plan and conduct quarterly tests (see CC9.1-CC9.2) (3 weeks)
  • A1.5: Implement capacity planning (see CC7.3) (2 weeks)

Effort: 8 weeks FTE + $15/month SaaS

Strengths:

  • Kubernetes high availability (3 replicas per service)
  • Multi-zone deployment in GCP
  • Automated health checks and pod restarts

2.4 Processing Integrity Criterion (PI1) Maturity

Status: 🟢 Strong (90%)

Ref | Description | Current State | Evidence | Gap
--- | --- | --- | --- | ---
PI1.1 | Processing complete | Implemented | FDA Part 11 validation (D.2) | None
PI1.2 | Processing accurate | Implemented | IQ/OQ/PQ validation, data integrity checks | None
PI1.3 | Processing timely | Implemented | SLA monitoring, queue depth alerts | None
PI1.4 | Processing authorized | Implemented | E-signature controls, RBAC, audit trail | None
PI1.5 | Error handling | Implemented | Exception logging, validation error reporting | None

Remediation Required: None — FDA 21 CFR Part 11 validation provides comprehensive coverage.

Effort: 0 weeks

Strengths:

  • Complete FDA 21 CFR Part 11 validation (D.2) with IQ/OQ/PQ protocols
  • Electronic signature controls with non-repudiation (D.2.3)
  • Immutable audit trail with hash chain integrity (D.5.1, listed as planned: it must be in production before the Type II observation period starts, or it cannot be tested)
  • Data validation rules enforced at API and database layers
  • Error handling with user-friendly validation feedback

Note: This is the STRONGEST category due to FDA Part 11 overlap. Auditors will leverage existing validation documentation.
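The "immutable audit trail with hash chain integrity" cited above is the control an auditor will ask to see verified, not just described. The following added example (not BIO-QMS code; the actual D.5.1 design is not on this page) shows the mechanism with only the Python standard library: each entry commits to the previous entry's keyed digest, `verify_chain` reports the first bad entry, and a constructed three-event log is checked intact, after an edit, with a middle entry deleted, and truncated. The key and the sample events are constructed for the demo; a keyed digest (HMAC) is used on the assumption that the key lives in KMS/HSM rather than in the database next to the log.

```python
"""Hash-chained audit log with keyed integrity verification (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def canonical_json(obj: dict) -> bytes:
    """Deterministic encoding so the same event always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def entry_digest(key: bytes, seq: int, prev_hash: str, event: dict) -> str:
    """HMAC-SHA256 over (seq, prev_hash, event).

    A keyed digest rather than a bare SHA-256: anyone with write access to the
    log table can recompute an unkeyed chain after editing it, but cannot forge
    these digests without the log-service key (assumed to be held in KMS/HSM).
    """
    msg = f"{seq}|{prev_hash}|".encode("utf-8") + canonical_json(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log; every entry commits to its predecessor's digest."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: list[dict] = []

    def append(self, event: dict) -> dict:
        seq = len(self.entries) + 1
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": seq,
            "prev_hash": prev_hash,
            "event": copy.deepcopy(event),
            "hash": entry_digest(self._key, seq, prev_hash, event),
        }
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Digest of the newest entry; export it to a witness so truncation is detectable."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH


def verify_chain(entries: list[dict], key: bytes,
                 expected_head: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Return (ok, index_of_first_bad_entry).

    Catches edits, insertions, deletions and reordering inside the chain.
    Deleting entries from the tail leaves a valid, shorter chain, so pass the
    last externally anchored head digest to catch truncation as well.
    """
    prev_hash = GENESIS_HASH
    for i, e in enumerate(entries):
        if e.get("seq") != i + 1 or e.get("prev_hash") != prev_hash:
            return False, i
        expected = entry_digest(key, e["seq"], e["prev_hash"], e["event"])
        if not hmac.compare_digest(expected, e.get("hash", "")):
            return False, i
        prev_hash = e["hash"]
    if expected_head is not None and not hmac.compare_digest(prev_hash, expected_head):
        return False, len(entries)
    return True, None


def demo() -> dict:
    """Build a small constructed log and show which tampering each check catches."""
    key = b"constructed-demo-key-keep-in-kms"  # assumption: real key comes from KMS/HSM
    log = AuditLog(key)
    for event in [  # constructed sample events, not real records
        {"actor": "qa.lead", "action": "create", "record": "CAPA-0042"},
        {"actor": "qa.lead", "action": "sign", "record": "CAPA-0042", "meaning": "reviewed"},
        {"actor": "qa.mgr", "action": "sign", "record": "CAPA-0042", "meaning": "approved"},
    ]:
        log.append(event)
    anchored_head = log.head()

    edited = copy.deepcopy(log.entries)
    edited[1]["event"]["meaning"] = "rejected"      # alter an e-signature meaning in place
    deleted = log.entries[:1] + log.entries[2:]     # remove the middle entry
    truncated = log.entries[:2]                     # remove the newest entry

    return {
        "intact": verify_chain(log.entries, key, anchored_head),
        "edited": verify_chain(edited, key),
        "deleted": verify_chain(deleted, key),
        "truncated_unanchored": verify_chain(truncated, key),
        "truncated_anchored": verify_chain(truncated, key, anchored_head),
    }


if __name__ == "__main__":
    for name, (ok, bad_index) in demo().items():
        print(f"{name:22s} ok={ok} first_bad_index={bad_index}")
```

The point an auditor will probe is the last two cases: chain verification alone accepts a truncated log, so the head digest has to be anchored somewhere the database writer cannot reach (a daily export signed by the HSM key, a write-once bucket, or a customer-facing receipt) and the verifier has to compare against that anchor.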


2.5 Confidentiality Criterion (C1) Maturity

Status: 🟢 Strong (88%)

Ref | Description | Current State | Evidence | Gap
--- | --- | --- | --- | ---
C1.1 | Confidential information protected | Implemented | HIPAA encryption controls (D.3.2) | None
C1.2 | Data classification | Partial | PHI vs non-PHI distinction | Formalize data classification policy (Public/Internal/Confidential/Restricted)
C1.3 | Encryption at rest | Implemented | AES-256-GCM, per-tenant keys, HSM (D.1) | None
C1.4 | Encryption in transit | Implemented | TLS 1.3, HSTS, certificate pinning (D.1) | None
C1.5 | Data masking | Partial | PHI redacted in logs | Implement field-level masking in UI for non-authorized users

Remediation Required:

  • C1.2: Formalize data classification policy with labeling requirements (1 week, $3K legal review)
  • C1.5: Implement UI-level PHI masking for users without PHI access (2 weeks)

Effort: 3 weeks FTE + $3K legal fees

Strengths:

  • HIPAA encryption controls complete (D.3.2)
  • Cryptographic foundation mature (D.1)
  • Per-tenant encryption keys with crypto-shredding
  • PHI access controls with minimum necessary principle

2.6 Privacy Criteria (P1-P8) Maturity

Status: 🟡 Moderate-Low (45%) — DEFERRED SCOPE RECOMMENDATION

Ref | Description | Current State | Evidence | Gap
--- | --- | --- | --- | ---
P1 | Notice and communication | Partial | Privacy policy (existence to be confirmed) | Privacy notice, consent management UI
P2 | Choice and consent | Gap | No consent management | Consent opt-in/opt-out workflows
P3 | Collection | Partial | Data minimization in design | Formalize collection limitation policy
P4 | Use, retention, disposal | Partial | Retention policy exists (partial) | Complete retention schedule, automated deletion
P5 | Access | Gap | No DSAR portal | Data Subject Access Request (DSAR) automation
P6 | Disclosure to third parties | Partial | Vendor contracts reviewed | Third-party data sharing inventory
P7 | Quality | Implemented | Data validation, accuracy controls | None
P8 | Monitoring and enforcement | Gap | No privacy program | Appoint Privacy Officer, privacy training

Remediation Required (IF PRIVACY IN SCOPE):

  • P1: Draft privacy notice, implement consent management UI (4 weeks + $10K legal fees)
  • P2: Build consent opt-in/opt-out workflows with audit trail (3 weeks)
  • P3: Formalize data collection limitation policy (1 week)
  • P4: Complete retention schedule, implement automated deletion (3 weeks)
  • P5: Build DSAR portal (data export, rectification, deletion requests) (6 weeks)
  • P6: Create third-party data sharing inventory (1 week)
  • P8: Appoint Privacy Officer, conduct privacy training (2 weeks)

Total Effort (IF PRIVACY IN SCOPE): 20 weeks FTE + $10K legal fees + 6-9 month delay

RECOMMENDATION: DEFER Privacy criteria to future SOC 2 engagement. Focus initial audit on Security + Availability + Processing Integrity + Confidentiality. Add Privacy only if contractually required by customers.


3. Gap Analysis Summary

3.1 Overall Control Maturity

TSC Category | Total Controls | Implemented | Partial | Gap | Maturity %
--- | --- | --- | --- | --- | ---
CC1: Control Environment | 5 | 1 | 3 | 1 | 55%
CC2: Communication | 3 | 2 | 1 | 0 | 70%
CC3: Risk Assessment | 4 | 0 | 2 | 2 | 35%
CC4: Monitoring | 2 | 0 | 2 | 0 | 60%
CC5: Control Activities | 3 | 2 | 1 | 0 | 80%
CC6: Access Controls | 7 | 5 | 2 | 0 | 85%
CC7: System Operations | 5 | 2 | 2 | 1 | 72%
CC8: Change Management | 4 | 3 | 1 | 0 | 65%
CC9: Risk Mitigation | 3 | 0 | 2 | 1 | 70%
Security (CC6/CC7 core) | 4 | 2 | 2 | 0 | 85%
Availability (A1) | 5 | 1 | 3 | 1 | 72%
Processing Integrity (PI1) | 5 | 5 | 0 | 0 | 90%
Confidentiality (C1) | 5 | 3 | 2 | 0 | 88%
Privacy (P1-P8) | 8 | 1 | 4 | 3 | 45%
OVERALL (exc. Privacy) | 55 | 26 | 23 | 6 | 68%
OVERALL (inc. Privacy) | 63 | 27 | 27 | 9 | 63%

Overall rows are the column sums of the rows above; the Security row re-counts four CC6/CC7 items, so it overlaps the CC6 and CC7 rows.

3.2 Critical Gaps (P0 — Must Fix Before Type I Audit)

Gap ID | TSC | Description | Effort | Cost | Owner | Target Date
--- | --- | --- | --- | --- | --- | ---
G-001 | CC3.1 | Formalize risk assessment framework (CC3.1-CC3.4) | 6 weeks | $20K | CISO | 2026-05-15
G-002 | CC8.1 | Establish Change Advisory Board (CAB) | 2 weeks | $0 | VP Eng | 2026-04-30
G-003 | CC9.1 | Complete disaster recovery plan | 2 weeks | $0 | SRE Lead | 2026-05-30
G-004 | CC9.2 | Conduct DR tabletop test | 1 day | $0 | SRE Lead | 2026-06-15
G-005 | CC7.3 | Implement capacity planning process | 2 weeks | $0 | SRE Lead | 2026-05-30
G-006 | (report) | System description for auditor | 3 weeks | $0 | CISO + VP Eng | 2026-06-30
G-007 | (report) | Management assertion letter | 1 week | $5K | Legal + CISO | 2026-07-15

Total P0 Effort: 16.2 weeks FTE + $25K

3.3 High-Priority Gaps (P1 — Should Fix Before Type I Audit)

Gap ID | TSC | Description | Effort | Cost | Owner | Target Date
--- | --- | --- | --- | --- | --- | ---
G-101 | CC1.1 | Code of Conduct and Ethics policy | 2 weeks | $5K | Legal | 2026-05-15
G-102 | CC1.5 | Compliance KPI dashboard | 2 weeks | $0 | CISO | 2026-06-15
G-103 | CC2.3 | Service status page + breach notification | 2 weeks | $29/mo | VP Eng | 2026-05-30
G-104 | CC6.3 | Automate access removal via HR integration | 1 week | $0 | IT | 2026-06-15
G-105 | CC6.7 | Data retention and deletion policy | 1 week | $5K | Legal | 2026-05-30
G-106 | CC7.2 | Formalize incident response plan | 2 weeks | $0 | CISO | 2026-06-15
G-107 | CC9.3 | Vendor risk assessment process | 1 week | $0 | CISO | 2026-06-30
G-108 | A1.1 | Uptime monitoring and SLA reporting | 1 week | $15/mo | SRE | 2026-05-30
G-109 | CC6.7 (TSC 2017) | DLP for PHI exfiltration prevention | 3 weeks | $500/mo | CISO | 2026-06-30
G-110 | C1.2 | Data classification policy | 1 week | $3K | Legal + CISO | 2026-05-30
G-111 | D.4.3 | Evidence collection automation | 3 weeks | $0 | CISO | 2026-06-30

Total P1 Effort: 19 weeks FTE + $13K + $544/month SaaS

3.4 Medium-Priority Gaps (P2 — Nice to Have)

Gap ID | TSC | Description | Effort | Cost | Owner | Target Date
--- | --- | --- | --- | --- | --- | ---
G-201 | CC1.2 | Establish Audit Committee | 1 week | $0 | Board | 2026-06-30
G-202 | CC1.4 | Technical competency matrix | 1 week | $0 | HR + VP Eng | 2026-06-30
G-203 | CC5.1 | Document control selection rationale | 2 weeks | $0 | CISO | 2026-07-15
G-204 | CC7.2 (TSC 2017) | Deploy Falco HIDS/NIDS | 2 weeks | $0 | SRE | 2026-07-15
G-205 | C1.5 | UI-level PHI masking | 2 weeks | $0 | Frontend | 2026-07-15

Total P2 Effort: 8 weeks FTE + $0


4. Remediation Plan

4.1 Remediation Timeline (Gantt Format)

2026 Timeline                 Mar    Apr    May    Jun    Jul    Aug    Sep
────────────────────────────────────────────────────────────────────────────
P0 CRITICAL PATH
G-001 Risk Assessment ████████████████
G-002 CAB Establishment ████████
G-003 DR Plan ████████
G-004 DR Tabletop Test ██
G-005 Capacity Planning ████████
G-006 System Description ████████████████
G-007 Management Assertion ████████

P1 HIGH PRIORITY
G-101 Code of Conduct ████████
G-102 Compliance KPIs ████████
G-103 Status Page ████████
G-104 HR Access Integration ████
G-105 Retention Policy ████
G-106 Incident Response Plan ████████
G-107 Vendor Risk Mgmt ████
G-108 Uptime Monitoring ████
G-109 DLP Implementation ████████████
G-110 Data Classification ████
G-111 Evidence Automation ████████████

P2 MEDIUM PRIORITY
G-201 Audit Committee ████
G-202 Competency Matrix ████
G-203 Control Rationale ████████
G-204 Falco Deployment ████████
G-205 PHI Masking ████████

AUDIT MILESTONES
Internal Readiness Audit ████
Type I Audit Fieldwork ████████
Type I Report Issued ██

4.2 Resource Allocation

FTE Requirements by Month:

Month | P0 FTE | P1 FTE | P2 FTE | Total FTE | Key Deliverables
--- | --- | --- | --- | --- | ---
Mar 2026 | 1.5 | 0.5 | 0 | 2.0 | Risk assessment kickoff, CAB charter
Apr 2026 | 1.5 | 1.0 | 0 | 2.5 | Risk assessment complete, Code of Conduct
May 2026 | 1.0 | 1.5 | 0.5 | 3.0 | DR plan, capacity planning, policies
Jun 2026 | 1.5 | 1.5 | 0.5 | 3.5 | System description, DLP, evidence automation
Jul 2026 | 0.5 | 0 | 1.0 | 1.5 | Management assertion, P2 tasks, internal audit
Aug 2026 | 0 | 0 | 0 | 0 | Type I audit fieldwork (respond to auditor requests)

Total Effort: 43.2 FTE-weeks (roughly 2 FTE averaged over the five-month window, peaking at 3.5 FTE in June; the named allocations below add up to 1.4 FTE, so the May-June peak needs additional capacity or a longer window)

Recommended Team:

  • CISO (50% allocation): Risk assessment, incident response, DLP, evidence automation
  • SRE Lead (30% allocation): DR plan, capacity planning, uptime monitoring, Falco
  • Security Engineer (40% allocation): CAB process, policies, control documentation
  • Legal Counsel (10% allocation): Code of Conduct, retention policy, data classification, management assertion
  • VP Engineering (10% allocation): CAB chair, system description, change management

External Consulting:

  • Risk Assessment Consultant: $20K (6-week engagement, risk assessment framework covering CC3.1-CC3.4)
  • Legal Review: $13K (Code of Conduct $5K, retention policy $5K, data classification $3K)

4.3 Budget Summary

Category | Item | Cost | Timeline
--- | --- | --- | ---
P0 Gaps | Risk assessment consultant | $20,000 | Mar-May 2026
P0 Gaps | Management assertion legal review | $5,000 | Jul 2026
P1 Gaps | Code of Conduct legal review | $5,000 | Apr 2026
P1 Gaps | Data retention policy legal review | $5,000 | May 2026
P1 Gaps | Data classification policy legal review | $3,000 | May 2026
P1 Gaps | Status page (statuspage.io) | $348/yr | May 2026
P1 Gaps | Uptime monitoring (UptimeRobot) | $180/yr | May 2026
P1 Gaps | DLP solution (Nightfall AI or GCP DLP) | $6,000/yr | Jun 2026
Internal Costs | CISO + SRE + Security Eng salaries | (existing) | Mar-Jul 2026
Type I Audit | CPA firm fees (specialized) | $45,000 | Aug 2026
Type I Audit | CPA firm fees (Big 4, if chosen) | $75,000 | Aug 2026
Type II Observation | Evidence collection tooling | $3,000 | Sep 2026-Mar 2027
Type II Observation | Ongoing control testing | (existing) | Sep 2026-Mar 2027
Type II Audit | CPA firm fees (specialized) | $65,000 | Apr 2027
Type II Audit | CPA firm fees (Big 4, if chosen) | $95,000 | Apr 2027

Total Investment (Specialized Audit Firm Path):

  • Gap Closure: $38K + $6.5K/yr SaaS = $44.5K
  • Type I Audit: $45K
  • Type II Observation (evidence collection tooling): $3K
  • Type II Audit: $65K
  • 12-Month Total: $157.5K

Total Investment (Big 4 Audit Firm Path):

  • Gap Closure: $44.5K
  • Type I Audit: $75K
  • Type II Observation (evidence collection tooling): $3K
  • Type II Audit: $95K
  • 12-Month Total: $217.5K

Recommended: Specialized firm path ($157.5K total) for faster time-to-market.


5. Pre-Audit Documentation Package

5.1 System Description (REQUIRED)

Purpose: Provides auditor with comprehensive understanding of the BIO-QMS platform architecture, boundaries, and control environment.

Template Outline:

1. Company Overview

  • Business Model: B2B SaaS for biosciences quality management
  • Customer Base: Biotech, pharmaceuticals, CROs, medical device manufacturers
  • Service Commitments: 99.9% uptime, SOC 2 Security + Availability + Processing Integrity + Confidentiality
  • Regulatory Context: FDA 21 CFR Part 11, HIPAA, cGMP, ISO 13485 (customer-specific)

2. System Boundaries

  • In Scope:
    • BIO-QMS web application (React + TypeScript frontend)
    • Django REST API backend (Python 3.11)
    • PostgreSQL database (Google Cloud SQL)
    • GCS object storage (documents, attachments)
    • GKE compute infrastructure
    • CI/CD pipeline (GitHub Actions, Google Cloud Build)
    • Monitoring stack (Prometheus, Grafana, PagerDuty)
  • Out of Scope:
    • GCP datacenter physical security (relies on GCP SOC 2)
    • Third-party SaaS tools (Google Workspace, Slack, JIRA) — complementary controls
    • Customer-managed data (customers responsible for user access management)

3. Infrastructure Architecture

  • Cloud Provider: Google Cloud Platform (us-central1 region, multi-zone)
  • Compute: Google Kubernetes Engine (GKE Autopilot)
  • Database: Cloud SQL for PostgreSQL 15 (HA configuration)
  • Storage: Google Cloud Storage (regional, versioned buckets)
  • Network: VPC with private subnets, Cloud NAT, Cloud Armor WAF
  • CDN: Cloud CDN for static assets
  • DNS: Cloud DNS with DNSSEC

4. Application Architecture

  • Frontend: React 18, TypeScript, React Router, Material-UI
  • API: Django 4.2, Django REST Framework, Gunicorn + Uvicorn ASGI
  • Authentication: Google Workspace SSO (SAML 2.0), optional customer SSO (SAML/OIDC)
  • Authorization: Role-Based Access Control (RBAC) with 12 roles, 87 permissions
  • Data Model: Multi-tenant (per-organization database schemas + encryption keys)
  • Queue: Cloud Tasks for async workflows (e-signature notifications, report generation)

5. Security Architecture

  • Encryption at Rest: AES-256-GCM (GCP default + application-level per-tenant keys)
  • Encryption in Transit: TLS 1.3 (minimum), HSTS, certificate pinning (applies to non-browser API clients only; browsers no longer honor HPKP pins)
  • Key Management: Google Cloud KMS + planned HSM for signing keys
  • Authentication: MFA enforced (TOTP or hardware tokens)
  • Session Management: 15-minute idle timeout, secure cookies (HttpOnly, Secure, SameSite)
  • Audit Logging: Immutable audit trail with hash chain integrity verification

6. Control Environment

  • Organizational Structure: CEO → CISO, VP Engineering, VP QA
  • Change Management: CAB approval for production changes, GitHub PR + code review
  • Monitoring: 24/7 on-call rotation, PagerDuty escalation, runbooks
  • Vendor Management: Quarterly vendor reviews, SOC 2 report collection
  • Incident Response: Incident response plan with defined roles, escalation tree

7. Complementary User Entity Controls (CUECs)

  • User Access Management: Customers responsible for granting/revoking user access within their organization
  • Data Backup Verification: Customers should test restoration of critical data exports
  • Network Security: Customers should enforce IP whitelisting (if required)
  • Training: Customers should train users on electronic signature policies

8. Subservice Organizations

  • Google Cloud Platform: Infrastructure (compute, database, storage, network)
    • SOC 2 Report: Available (include in auditor package)
    • Carve-Out Method: GCP's controls are excluded from the BIO-QMS system description; the report lists the complementary subservice organization controls (CSOCs) relied on, and GCP's SOC 2 report is reviewed under the vendor management process in item 6
  • PagerDuty: Incident alerting and on-call scheduling
    • SOC 2 Report: Available
  • Stripe (if payment processing): Payment processing for subscriptions
    • PCI DSS Attestation: Available

Effort to Create: 3 weeks (CISO + VP Engineering collaboration)
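The session-management and transport bullets in item 5 above commit to specific Django settings, and the auditor will want evidence that the deployed configuration matches the description. The following added example (not the platform's code) is a small evidence check of the kind G-111 (evidence collection automation) calls for: the Django setting names are real, the values in HARDENED are assumptions that match the description rather than anything taken from the platform's settings.py, and the three settings objects are constructed inline so the script runs offline. The case it exists to catch is the one that makes "15-minute idle timeout" false in practice: SESSION_COOKIE_AGE is an absolute lifetime from login unless SESSION_SAVE_EVERY_REQUEST is also set.

```python
"""Evidence check for the session and transport settings in the system description (added example)."""
from types import SimpleNamespace

IDLE_TIMEOUT_SECONDS = 15 * 60  # the 15-minute idle timeout stated in the system description

# Django's built-in defaults for the settings that matter here (what you get if settings.py is silent).
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_AGE": 1209600,          # two weeks
    "SESSION_SAVE_EVERY_REQUEST": False,
    "SESSION_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": False,
    "SECURE_SSL_REDIRECT": False,
    "SECURE_HSTS_SECONDS": 0,
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": False,
}

# Values that satisfy the description. Assumed for this example, not read from the platform's settings.py.
HARDENED = {
    "SESSION_COOKIE_AGE": IDLE_TIMEOUT_SECONDS,
    "SESSION_SAVE_EVERY_REQUEST": True,     # re-stamps the cookie each request, so the age becomes an idle timeout
    "SESSION_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True,
    "SESSION_COOKIE_SAMESITE": "Lax",
    "CSRF_COOKIE_SECURE": True,
    "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": 31536000,        # one year
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
}


def check_session_settings(settings) -> list[str]:
    """Return a list of findings; an empty list means the settings match the description.

    `settings` is any object exposing Django-style attributes: django.conf.settings
    in production, or a SimpleNamespace for offline testing as below.
    """
    def get(name):
        return getattr(settings, name, DJANGO_DEFAULTS[name])

    findings = []
    if get("SESSION_COOKIE_AGE") > IDLE_TIMEOUT_SECONDS:
        findings.append(f"SESSION_COOKIE_AGE={get('SESSION_COOKIE_AGE')}s exceeds the {IDLE_TIMEOUT_SECONDS}s idle timeout")
    if not get("SESSION_SAVE_EVERY_REQUEST"):
        # Without this, SESSION_COOKIE_AGE is measured from login, not from the last request:
        # active users are logged out mid-task and idle sessions live for the full age.
        findings.append("SESSION_SAVE_EVERY_REQUEST=False: cookie age is an absolute lifetime, not an idle timeout")
    for name in ("SESSION_COOKIE_SECURE", "SESSION_COOKIE_HTTPONLY", "CSRF_COOKIE_SECURE", "SECURE_SSL_REDIRECT"):
        if not get(name):
            findings.append(f"{name}=False")
    if get("SESSION_COOKIE_SAMESITE") not in ("Lax", "Strict"):
        findings.append(f"SESSION_COOKIE_SAMESITE={get('SESSION_COOKIE_SAMESITE')!r}: must be Lax or Strict")
    if get("SECURE_HSTS_SECONDS") < 31536000:
        findings.append(f"SECURE_HSTS_SECONDS={get('SECURE_HSTS_SECONDS')}: HSTS absent or max-age under one year")
    if not get("SECURE_HSTS_INCLUDE_SUBDOMAINS"):
        findings.append("SECURE_HSTS_INCLUDE_SUBDOMAINS=False")
    return findings


def demo() -> dict:
    """Run the check against Django's defaults, a common near miss, and the hardened set."""
    near_miss = dict(HARDENED, SESSION_SAVE_EVERY_REQUEST=False)  # looks right, idle timeout is not enforced
    return {
        "defaults": check_session_settings(SimpleNamespace(**DJANGO_DEFAULTS)),
        "near_miss": check_session_settings(SimpleNamespace(**near_miss)),
        "hardened": check_session_settings(SimpleNamespace(**HARDENED)),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run in the deployed environment, point `check_session_settings` at `django.conf.settings` and store the (ideally empty) findings list with a timestamp as the evidence artifact. SESSION_SAVE_EVERY_REQUEST writes the session on every request, so size the session store for that before enabling it.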


5.2 Control Environment Description

Purpose: Describes the governance, risk, and compliance (GRC) framework supporting SOC 2 controls.

Content:

  • Governance Structure: Board oversight, executive responsibilities, Audit Committee (or equivalent)
  • Risk Assessment Process: Annual enterprise risk assessment, risk register, treatment plans
  • Policy Framework: Security policy, acceptable use policy, incident response policy, change management policy, data classification policy
  • Change Management: CAB charter, change request workflow, emergency change procedures
  • Monitoring and Testing: Quarterly internal control testing, vulnerability scanning, penetration testing
  • Vendor Management: Third-party risk assessment, SOC 2 report reviews, contract security provisions
  • Training and Awareness: Annual security awareness training, phishing simulations, onboarding security training

Effort to Create: 2 weeks (CISO)


5.3 Risk Assessment Methodology

Purpose: Documents the risk assessment process used to identify, analyze, and respond to risks.

Content (addresses CC3.1-CC3.4):

1. Risk Identification

  • Sources: Threat modeling workshops, vulnerability scans, penetration tests, industry threat intelligence, regulatory changes
  • Risk Categories: Strategic, operational, financial, compliance, reputational, technology

2. Risk Analysis

  • Likelihood Scoring: 1 (Rare) to 5 (Almost Certain)
  • Impact Scoring: 1 (Negligible) to 5 (Catastrophic)
  • Risk Score: Likelihood × Impact (1-25 scale)
  • Risk Appetite: Risk score 1-9 (acceptable), 10-15 (monitor), 16-25 (treat)

3. Risk Response

  • Accept: Risk score < 10, document acceptance rationale
  • Mitigate: Implement controls to reduce likelihood or impact
  • Transfer: Cyber insurance, vendor indemnification clauses
  • Avoid: Discontinue risky activities or services

4. Risk Register

  • Fields: Risk ID, description, owner, likelihood, impact, score, response, status, review date
  • Quarterly Review: Risk owner updates status, CISO reviews

5. Documentation

  • Annual Risk Assessment Report: Summary of risk landscape, top 10 risks, treatment status
  • Board Reporting: Quarterly risk dashboard presented to Board

Effort to Create: 6 weeks (CISO + external consultant $20K)


5.4 Management Assertion Letter

Purpose: Formal statement from management that controls are designed and operating effectively.

Template:

[Date]

To [CPA Audit Firm Name]:

AZ1.AI Inc. ("the Company") management is responsible for designing, implementing, and
operating effective controls within the CODITECT Biosciences Quality Management System
(BIO-QMS) Platform (the "System") to provide reasonable assurance that the Trust Service
Criteria relevant to Security, Availability, Processing Integrity, and Confidentiality
(applicable criteria) were achieved throughout the period [Start Date] to [End Date]
(the "Period").

Management has performed an assessment of the controls within the System and has concluded
that the controls were suitably designed and operating effectively to meet the applicable
Trust Service Criteria throughout the Period, except for [list any exceptions, or state "none"].

Management has provided [CPA Firm Name] with:
1. Access to all information relevant to the System and controls
2. Additional information requested for the purposes of the examination
3. Unrestricted access to persons within the entity from whom the auditor determined
it necessary to obtain evidence

Management acknowledges responsibility for:
- Designing, implementing, and operating effective controls
- Providing complete and accurate descriptions of the System
- Identifying risks that threaten achievement of the Trust Service Criteria
- Monitoring the effectiveness of controls on an ongoing basis
- Selecting and implementing complementary user entity controls (CUECs)
- Remediating deficiencies identified during the examination

Sincerely,

_______________________
[CEO Name], Chief Executive Officer

_______________________
[CISO Name], Chief Information Security Officer

_______________________
[VP Engineering Name], Vice President of Engineering

Effort to Create: 1 week (Legal + CISO, $5K legal review)


5.5 Complementary User Entity Controls (CUECs)

Purpose: Identifies controls that customers must implement for SOC 2 controls to be effective.

CUEC ID | Control | Customer Responsibility | Impact if Not Implemented
CUEC-1 | User access management | Customers must grant/revoke user access based on job responsibilities | Unauthorized users may access system
CUEC-2 | Password complexity | Customers must enforce strong password policies for non-SSO users | Weak passwords may be compromised
CUEC-3 | Data backup verification | Customers should test restoration of data exports periodically | Inability to recover data in disaster scenario
CUEC-4 | IP whitelisting | Customers may restrict access to specific IP ranges (optional) | Unauthorized network access if not implemented
CUEC-5 | User training | Customers should train users on electronic signature policies and data handling | Users may misuse electronic signatures or mishandle PHI
CUEC-6 | Incident reporting | Customers should report suspected security incidents to CODITECT support | Delayed response to security incidents

Note: CUECs are included in SOC 2 report and customer contracts. Customers receive annual reminder to review CUECs.


5.6 Subservice Organization Relationships

Subservice | Service Provided | SOC 2 Report | Carve-Out or Inclusive
Google Cloud Platform | Infrastructure (compute, storage, network) | Available (request from GCP) | Carve-Out (BIO-QMS SOC 2 references GCP SOC 2)
PagerDuty | Incident alerting | Available (download from PagerDuty Trust Center) | Carve-Out
Stripe | Payment processing | PCI DSS Level 1 certified | Carve-Out
Google Workspace | Email, calendar, SSO | SOC 2 available | Carve-Out

Action Required: Collect SOC 2 reports from all subservice organizations and review for relevant controls. Document how BIO-QMS relies on subservice controls in system description.

Effort: 1 week (CISO)


6. Auditor Preparation

Big 4 Firms

Firm | Pros | Cons | Estimated Cost
Deloitte | Brand recognition, healthcare expertise, global footprint | $$$$ expensive, slower engagement, may over-engineer | Type I: $75K, Type II: $95K
PwC | Strong SOC 2 practice, investor/customer trust, regulatory relationships | $$$$ expensive, long lead times | Type I: $70K, Type II: $90K
EY | Technology sector focus, startup-friendly, modern tools | $$$ expensive, less healthcare depth | Type I: $65K, Type II: $85K
KPMG | Healthcare and life sciences specialization, global compliance expertise | $$$ expensive, bureaucratic | Type I: $70K, Type II: $90K

Specialized SOC 2 Firms

Firm | Pros | Cons | Estimated Cost
A-LIGN | SOC 2 specialization, fast turnaround (4-6 weeks), pragmatic approach | Less brand recognition | Type I: $45K, Type II: $65K
Schellman | Healthcare focus, technology-friendly, good reputation in SaaS | Mid-tier brand | Type I: $50K, Type II: $70K
KirkpatrickPrice | Affordable, startup-friendly, fast engagement | Smaller firm, less global presence | Type I: $40K, Type II: $60K
Prescient Assurance | Modern tooling, developer-friendly, fast | Newer firm, less established | Type I: $40K, Type II: $60K

Recommendation

Phase 1 (Type I — Q3 2026): Engage A-LIGN or Schellman

  • Rationale:
    • Faster time-to-market (4-6 week turnaround vs 8-12 weeks Big 4)
    • Cost savings ($30K for Type I, $30K for Type II)
    • SOC 2 specialization = pragmatic approach, less over-engineering
    • Healthcare experience (Schellman especially)
  • Risk: Less brand recognition with investors/customers
  • Mitigation: Big 4 brand value diminishes rapidly in SaaS market; most customers accept any reputable CPA firm

Phase 2 (Type II — Q2 2027): Reassess based on customer requirements

  • If enterprise customers require Big 4: Engage Deloitte or KPMG (healthcare expertise)
  • If no Big 4 requirement: Continue with A-LIGN/Schellman (cost savings, relationship continuity)

6.2 Audit Scope Definition

Recommended Scope for Initial SOC 2 Type I:

Trust Service Criteria:

  • Security (Required): All SOC 2 reports must include Security
  • Availability: 99.9% uptime SLA commitment
  • Processing Integrity: Core QMS validation workflows (leverages FDA Part 11)
  • Confidentiality: PHI and proprietary data handling
  • Privacy (Defer): Only if contractually required; 6-9 month delay

Scope Statement:

"Management's description of the CODITECT BIO-QMS Platform and the suitability of the design and operating effectiveness of controls to meet the criteria for the Security, Availability, Processing Integrity, and Confidentiality principles set forth in the AICPA Trust Service Criteria relevant to security, availability, processing integrity, and confidentiality for the period [Audit Date] (Type I) / [Start Date] to [End Date] (Type II)."

System Boundaries:

  • BIO-QMS web application (frontend + API + database)
  • GCP infrastructure (compute, storage, network)
  • CI/CD pipeline
  • Monitoring and alerting systems
  • Excludes: Customer-managed data, third-party SaaS tools (CUECs apply)

Carve-Out Subservice Organizations:

  • Google Cloud Platform (infrastructure)
  • PagerDuty (incident alerting)
  • Google Workspace (SSO, email)

6.3 Timeline and Milestones

Type I Audit Timeline (Q3 2026)

Week | Activity | Owner | Deliverables
Week -12 (Jun 1) | RFP to audit firms | CISO | SOW, cost estimates, firm selection
Week -10 (Jun 15) | Audit firm engagement | CEO + CISO | Signed engagement letter, kick-off call
Week -8 (Jul 1) | Gap closure completion | CISO + SRE | All P0 gaps closed, evidence collected
Week -4 (Jul 15) | System description finalized | CISO + VP Eng | System description + control matrix
Week -2 (Aug 1) | Pre-audit readiness review | CISO | Internal audit, remediation of findings
Week 0 (Aug 1) | Type I audit fieldwork begins | Audit Firm | Information request list (IRL)
Week 1-2 | Auditor on-site (virtual) | All | Control walkthroughs, interviews, documentation review
Week 3-4 | Audit evidence review | CISO | Respond to auditor questions, provide additional evidence
Week 5-6 | Draft report review | CISO + Legal | Review findings, management responses
Week 7 (Sep 15) | Final Type I report issued | Audit Firm | SOC 2 Type I report + bridge letter

Total Duration: 12 weeks (Jun 1 - Sep 15, 2026)


Type II Audit Timeline (Q2 2027)

Month | Activity | Owner | Deliverables
Sep 2026 - Mar 2027 | Observation period (6 months) | CISO + SRE | Evidence collection, quarterly control testing
Jan 2027 | Mid-observation check-in | Audit Firm | Interim review, identify gaps early
Mar 15, 2027 | Observation period ends | | 6 months of evidence packaged
Mar 16 - Apr 15 | Type II audit fieldwork | Audit Firm | Sample testing, control walkthroughs
Apr 16 - May 1 | Draft report review | CISO + Legal | Review findings, management responses
May 15, 2027 | Final Type II report issued | Audit Firm | SOC 2 Type II report

Total Duration: 8 months (Sep 2026 - May 2027)


6.4 Estimated Cost Breakdown

Type I Audit (Specialized Firm — A-LIGN)

Cost Category | Amount | Notes
CPA Audit Fees | $45,000 | 200-250 hours @ $180-225/hr blended rate
Pre-Audit Prep | $25,000 | Gap closure consulting (risk assessment)
System Description | (internal) | CISO + VP Eng time (3 weeks)
Evidence Collection | (internal) | CISO + Security Eng automation (3 weeks)
Internal Readiness Audit | $5,000 | Mock audit by external consultant (optional)
Management Assertion Legal | $5,000 | Legal review of assertion letter
Total Type I | $80,000 | External costs only

Type II Audit (Specialized Firm — A-LIGN)

Cost Category | Amount | Notes
CPA Audit Fees | $65,000 | 300-350 hours @ $185-230/hr blended rate
Observation Period Evidence | $3,000 | Evidence collection tooling (screenshots, log exports)
Ongoing Control Testing | (internal) | Quarterly testing by CISO + Security Eng
Total Type II | $68,000 | External costs only

Total 12-Month Investment (Type I + Type II)

Path | Type I | Type II | Observation | Gap Closure | Total
Specialized Firm | $45K | $65K | $3K | $38K | $151K
Big 4 Firm | $75K | $95K | $3K | $38K | $211K

Savings with Specialized Firm: $60K (28% cost reduction)


6.5 Typical Auditor Information Request List (IRL)

Purpose: Prepare responses to typical auditor requests in advance to accelerate fieldwork.

Common Criteria (CC1-CC9)

Request | Document/Evidence | Owner | Preparation Effort
Organizational chart | Org chart with reporting structure | HR | 1 day
Job descriptions | Role definitions for security/engineering | HR | 1 day
Board meeting minutes | Last 4 quarters (redacted if needed) | Legal | 1 day
Risk assessment | Annual risk assessment + risk register | CISO | 3 weeks (part of G-001)
Change management policy | CAB charter, change request template | VP Eng | 2 weeks (part of G-002)
Incident response plan | IRP with roles, escalation tree | CISO | 2 weeks (part of G-106)
Vendor contracts | Contracts with GCP, PagerDuty, Stripe | Legal | 1 day
Vendor SOC 2 reports | GCP, PagerDuty SOC 2 reports | CISO | 1 week
Security awareness training | Training completion records | HR | 1 day
Background check policy | Employment screening procedures | HR | 1 day

Security (A1)

Request | Document/Evidence | Owner | Preparation Effort
Access control policy | RBAC model, permission matrix | CISO | Available (D.3.1)
MFA enforcement | SSO config screenshots, MFA policy | IT | 1 day
Firewall rules | GCP VPC firewall rules export | SRE | 1 day
Intrusion detection | Security Command Center config | CISO | 1 day
Penetration test report | Most recent pentest findings | CISO | 1 day (if conducted)
Vulnerability scan reports | Trivy/Dependabot scan results | SRE | 1 day
Encryption configuration | TLS config, KMS key policies | CISO | Available (D.1)

Availability (A1)

Request | Document/Evidence | Owner | Preparation Effort
SLA commitment | Customer contract SLA terms | Legal | 1 day
Uptime monitoring | Uptime reports (last 6 months) | SRE | 1 week (part of G-108)
Disaster recovery plan | DR plan + tabletop test results | SRE | 3 weeks (part of G-003, G-004)
Incident response logs | PagerDuty incident history | SRE | 1 day
Capacity planning | CPU/mem/storage forecasts | SRE | 2 weeks (part of G-005)
Backup configuration | GCS snapshot policies | SRE | 1 day
Backup restoration test | Most recent restore test results | SRE | 1 day

Processing Integrity (PI1)

Request | Document/Evidence | Owner | Preparation Effort
Validation protocols | IQ/OQ/PQ protocols | QA | Available (D.2.1)
Validation evidence | Test execution logs, screenshots | QA | Available (D.2.4)
E-signature controls | E-signature architecture, policies | CISO | Available (D.2.3)
Audit trail | Audit log samples, integrity verification | CISO | Available (D.5.1 planned)
Data validation rules | API validation logic, database constraints | Backend | 1 week

Confidentiality (C1)

Request | Document/Evidence | Owner | Preparation Effort
Data classification policy | Classification scheme (Public/Internal/Confidential/Restricted) | CISO | 1 week (part of G-110)
Encryption at rest | KMS key policies, per-tenant keys | CISO | Available (D.1, D.3.2)
Encryption in transit | TLS config, certificate policies | CISO | Available (D.1)
DLP controls | DLP rules, alert samples | CISO | 3 weeks (part of G-109)
PHI access logs | Audit trail of PHI access | CISO | Available (D.3.4)

Total Preparation Effort: Most evidence available from existing compliance work (D.1-D.3); new evidence requires 16 weeks (covered by gap closure plan).


7. Type I vs Type II Roadmap

7.1 Type I Audit (Point-in-Time) — Q3 2026

Objective: Demonstrate that controls are suitably designed to meet Trust Service Criteria as of a specific date (e.g., August 15, 2026).

What Auditor Tests:

  • Design Effectiveness: Are controls logically designed to prevent/detect control failures?
  • Implementation: Do controls exist and are they operational?
  • No Operating Effectiveness: Auditor does NOT test whether controls operated consistently over time

Deliverables:

  • SOC 2 Type I Report: CPA opinion on design effectiveness
  • Bridge Letter: Optional letter for customers explaining Type I vs Type II
  • Management Assertion: Signed statement from management

Timeline:

  • Readiness Date: August 1, 2026 (all gaps closed)
  • Audit Date: August 15, 2026 (point-in-time snapshot)
  • Fieldwork: August 1-15, 2026 (2 weeks)
  • Report Issued: September 15, 2026

Value:

  • Accelerates GTM: Can share Type I report with customers/investors in Q3 2026
  • Validates readiness: Confirms controls are designed correctly before Type II observation period
  • Investor confidence: Demonstrates commitment to compliance before Series A/B

Limitations:

  • Not proof of operating effectiveness: Customers/investors may ask "but do controls work consistently?"
  • Shorter shelf life: Many enterprises prefer Type II

Cost: $45K (specialized firm) or $75K (Big 4)


7.2 Type II Audit (Operating Effectiveness) — Q2 2027

Objective: Demonstrate that controls operated effectively throughout a 6-12 month observation period (e.g., September 16, 2026 - March 15, 2027).

What Auditor Tests:

  • Design Effectiveness: Same as Type I
  • Operating Effectiveness: Did controls operate consistently throughout the period?
  • Sampling: Auditor samples control executions (e.g., 25 change requests, 25 access reviews, 25 vulnerability scans)

Deliverables:

  • SOC 2 Type II Report: CPA opinion on design AND operating effectiveness
  • Control Exceptions: Any control failures noted (with management responses)
  • Management Assertion: Signed statement for the observation period

Timeline:

  • Observation Period Begins: September 16, 2026 (day after Type I report)
  • Observation Period Ends: March 15, 2027 (6 months)
  • Fieldwork: March 16 - April 15, 2027 (4 weeks)
  • Report Issued: May 15, 2027

Value:

  • Enterprise sales enabler: Most enterprise customers require Type II
  • Proof of consistency: Demonstrates controls work over time, not just point-in-time
  • Competitive advantage: Differentiate from competitors without SOC 2 Type II
  • Insurance premiums: May reduce cyber insurance costs

Observation Period Requirements:

  • Evidence Collection: Must collect evidence of control execution throughout the 6 months
    • Example: Screenshots of monthly access reviews, change request approvals, vulnerability scan reports, backup restoration tests
  • Control Failures: Any control failures must be documented with root cause analysis and remediation
  • No Major Changes: Avoid major architecture changes during observation period (triggers re-audit)

Cost: $65K (specialized firm) or $95K (Big 4)


7.3 Key Milestones and Decision Gates

Timeline View:

2026

  • Mar 1: Gap closure begins
  • Aug 1-15: Type I fieldwork
  • Sep 15: Type I report issued
  • Sep 16: Type II observation begins

2027

  • Jan 15: Mid-observation check-in
  • Mar 15: Type II observation ends
  • Mar 16 - Apr 15: Type II fieldwork
  • May 15: Type II report issued

Decision Gate 1: Audit Firm Selection (June 15, 2026)

  • Decision: Specialized firm (A-LIGN/Schellman) vs Big 4 (Deloitte/KPMG)
  • Criteria: Customer requirements, investor preferences, budget constraints, timeline urgency
  • Recommendation: Specialized firm for cost/speed; reassess for Type II if Big 4 required

Decision Gate 2: Type I Scope Confirmation (July 1, 2026)

  • Decision: Include Privacy criteria or defer?
  • Criteria: Customer contractual requirements, regulatory obligations, resource availability
  • Recommendation: Defer Privacy unless explicitly required (6-9 month delay)

Decision Gate 3: Type I Pass/Fail (September 15, 2026)

  • Scenario A (Pass): Proceed to Type II observation period starting Sep 16
  • Scenario B (Fail with minor findings): Remediate findings, extend observation period start by 1 month
  • Scenario C (Fail with major findings): Delay Type II by 6 months, remediate, re-audit Type I

Decision Gate 4: Type II Firm Selection (January 15, 2027)

  • Decision: Continue with Type I firm or switch to Big 4?
  • Criteria: Enterprise customer requirements, investor Series B prep, budget
  • Recommendation: If no explicit Big 4 requirement, continue with Type I firm (cost savings, continuity)

7.4 Type I to Type II Transition Plan

Observation Period Preparation (August 2026):

Task | Owner | Deliverable | Target Date
Define evidence collection schedule | CISO | Monthly evidence checklist (access reviews, change requests, backups, vuln scans, DR tests) | Aug 1
Implement evidence automation | Security Eng | D.4.3 Evidence collection automation (screenshots, log exports, report generation) | Aug 15
Train team on evidence collection | CISO | Training session for SRE, Security, QA teams on evidence requirements | Aug 15
Establish control testing calendar | CISO | Quarterly internal control testing schedule (Sep, Dec, Mar) | Aug 15

Monthly During Observation Period (Sep 2026 - Mar 2027):

Activity | Frequency | Owner | Evidence Generated
Access review | Monthly | CISO | Screenshot of access review approvals
Change requests | Ongoing | VP Eng | CAB meeting minutes, change approval records
Vulnerability scans | Monthly | SRE | Trivy/Dependabot scan reports, remediation tracking
Backup restoration test | Quarterly | SRE | Backup restore test results, success/failure logs
DR tabletop exercise | Quarterly | SRE | DR test results, lessons learned
Incident response | As needed | CISO | Incident tickets, root cause analysis, remediation
Security awareness training | Quarterly | HR | Training completion records
Risk register review | Quarterly | CISO | Updated risk register, risk treatment status

Mid-Observation Check-In (January 15, 2027):

  • Purpose: Auditor reviews 3 months of evidence to identify gaps early
  • Participants: Auditor, CISO, VP Eng, SRE Lead
  • Deliverables: Gap list, remediation plan, timeline adjustment (if needed)
  • Effort: 1 week

Observation Period Close (March 15, 2027):

  • Package all evidence: Organize 6 months of evidence into auditor-ready format (PDFs, screenshots, logs)
  • Internal review: CISO reviews all evidence for completeness, identifies missing items
  • Remediation: Address any gaps found in internal review before Type II fieldwork
  • Effort: 2 weeks

8. Cross-Framework Synergies

8.1 FDA 21 CFR Part 11 → SOC 2 Processing Integrity (PI1)

Overlap: ~80% of Processing Integrity controls already implemented via FDA Part 11 validation.

FDA Part 11 Requirement | SOC 2 PI1 Control | Evidence Reuse
§11.10(a) Validation | PI1.1 Processing complete | IQ/OQ/PQ protocols (D.2.1)
§11.10(e) Audit trail | PI1.4 Processing authorized | Audit log architecture (D.5.1)
§11.70 Signature binding | PI1.2 Processing accurate | E-signature controls (D.2.3)
§11.10(b) Record copies | PI1.1 Processing complete | Record retrieval controls (D.2.2)
§11.10(c) Record protection | PI1.2 Processing accurate | Data integrity checks (D.2.2)

Auditor Benefit: FDA Part 11 validation provides substantial evidence for PI1; auditor can leverage existing validation reports.

Effort Savings: ~12 weeks (PI1 controls would otherwise require separate validation)


8.2 HIPAA Security Rule → SOC 2 Security (A1) + Confidentiality (C1)

Overlap: ~75% of Security and Confidentiality controls already implemented via HIPAA compliance.

HIPAA Control | SOC 2 Control | Evidence Reuse
§164.312(a)(1) Access controls | CC6.1 Logical access | HIPAA access controls (D.3.1)
§164.312(a)(2)(i) Unique user IDs | CC6.1 Logical access | SSO + RBAC implementation
§164.312(a)(2)(ii) Emergency access | CC6.2 Privilege escalation | Break-glass procedures (D.3.1)
§164.312(a)(2)(iii) Auto log-off | CC6.1 Logical access | 15-minute session timeout
§164.312(a)(2)(iv) Encryption | C1.3 Encryption at rest | AES-256-GCM implementation (D.3.2)
§164.312(e)(1) Transmission security | C1.4 Encryption in transit | TLS 1.3 configuration (D.3.2)
§164.312(b) Audit logs | CC7.1 System monitoring | HIPAA audit logging (D.3.4)

Auditor Benefit: HIPAA controls provide comprehensive evidence for Security and Confidentiality criteria.

Effort Savings: ~10 weeks (Security/Confidentiality controls would otherwise require separate implementation)


8.3 Cryptographic Standards (D.1) → SOC 2 Security (A1) + Confidentiality (C1)

Overlap: Cryptographic foundation provides ~30% of Security and Confidentiality evidence.

Crypto Control | SOC 2 Control | Evidence Reuse
ECDSA P-256 signatures | PI1.4 Processing authorized | E-signature non-repudiation (D.1.3)
AES-256-GCM encryption | C1.3 Encryption at rest | Encryption standards (D.1.1)
TLS 1.3 | C1.4 Encryption in transit | TLS configuration (D.1.1)
HSM key management | C1.3 Encryption at rest | Key lifecycle management (D.1.2)
Certificate chain | CC6.1 Logical access | PKI infrastructure (D.1.3)

Auditor Benefit: Mature cryptographic controls demonstrate defense-in-depth security posture.

Effort Savings: ~4 weeks (crypto controls would otherwise require separate design and implementation)


8.4 Total Effort Savings from Cross-Framework Leverage

Framework | SOC 2 Overlap | Effort Saved | Cost Saved
FDA 21 CFR Part 11 | Processing Integrity (PI1) | 12 weeks | $30K
HIPAA Security Rule | Security (A1) + Confidentiality (C1) | 10 weeks | $25K
Cryptographic Standards | Security (A1) + Confidentiality (C1) | 4 weeks | $10K
Total | | 26 weeks | $65K

Result: SOC 2 readiness achieved 26 weeks faster and $65K cheaper than if implemented from scratch.

Key Insight: The "compliance flywheel" effect — each additional framework becomes cheaper and faster to implement due to control reuse.


9. Risks and Mitigation

9.1 Risk Register for SOC 2 Readiness

Risk ID | Risk Description | Likelihood | Impact | Score | Mitigation | Owner
R-001 | Audit delayed due to incomplete gap closure | Medium | High | 12 | Weekly gap closure status meetings, buffer 2 weeks in timeline | CISO
R-002 | Auditor identifies new gaps during fieldwork | Medium | Medium | 9 | Internal readiness audit 2 weeks before auditor engagement | CISO
R-003 | Type I report has qualified opinion (control deficiencies) | Low | High | 6 | Engage external consultant for mock audit, remediate findings early | CISO
R-004 | Key personnel leave during observation period | Low | Medium | 4 | Document all control procedures, cross-train team members | VP Eng
R-005 | Major architecture change during observation period | Medium | High | 12 | Freeze architecture changes Sep 2026 - Mar 2027, defer to Q2 2027 | VP Eng
R-006 | Evidence collection automation fails | Medium | Medium | 9 | Implement automation by Aug 15, test for 2 weeks before observation period | Security Eng
R-007 | Budget overrun for audit fees | Low | Low | 2 | Fixed-price SOW with audit firm, negotiate scope changes upfront | CISO
R-008 | Customer demands Type II before Q2 2027 | Medium | Medium | 9 | Educate customers on Type I value, offer bridge letter, expedite Type II if needed | Sales
R-009 | Control failure during observation period | Medium | High | 12 | Implement robust monitoring, detect failures early, document remediation | CISO
R-010 | Auditor requires Privacy criteria (not in scope) | Low | High | 6 | Negotiate Privacy exclusion upfront, document rationale in SOW | CISO

Total Risks: 10 identified, 8 mitigated, 2 monitored


9.2 Risk Mitigation Plan

R-001: Audit Delayed Due to Incomplete Gap Closure

Mitigation Strategy:

  • Weekly status meetings: CISO + gap owners review progress every Friday
  • Timeline buffer: Build 2-week buffer into gap closure deadline (Jun 30 vs Aug 1 audit start)
  • Escalation path: Any P0 gap at risk of missing deadline escalates to CEO

Residual Risk: Low — Timeline is achievable with existing resources


R-005: Major Architecture Change During Observation Period

Mitigation Strategy:

  • Architecture freeze: No major changes Sep 2026 - Mar 2027 (6-month observation period)
    • Major change definition: Database migration, authentication system redesign, multi-region deployment
    • Allowed changes: Bug fixes, minor features, security patches, dependency updates
  • Change review: CAB reviews all changes for SOC 2 impact before approval
  • Auditor notification: Notify auditor within 48 hours of any control-impacting change

Residual Risk: Low — Engineering roadmap already planned to defer major changes to Q2 2027


R-009: Control Failure During Observation Period

Mitigation Strategy:

  • Proactive monitoring: Implement alerting for control failures (e.g., missed access review, failed backup, vulnerability exceeding SLA)
  • Root cause analysis: Document root cause for every control failure within 5 business days
  • Remediation tracking: Track remediation in JIRA with SLA (P0: 24 hours, P1: 5 days, P2: 30 days)
  • Management response: Include control failures in Type II report with management response (what went wrong, how fixed, how prevented)

Residual Risk: Medium — Control failures are expected; key is to demonstrate effective remediation

Auditor Perspective: 1-2 control failures with strong remediation is BETTER than zero failures (auditors are skeptical of "perfect" results).
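As an added example (not part of this assessment or the BIO-QMS platform's own tooling), the following Python script checks a constructed evidence log against the control cadence in the 7.4 observation-period schedule and reports executions that have been missed as of the mid-observation check-in, which is the early detection of control failures that this mitigation calls for. Control names, artifact file names and evidence dates are assumed for illustration; the observation window, check-in date and remediation SLAs are the ones stated in sections 7.2, 7.4 and 9.2.

```python
# Control-execution gap detector for the Type II observation period.
# Added illustration, not CODITECT's own tooling: control names, artifact names
# and the sample evidence log below are constructed for this example.
from dataclasses import dataclass
from datetime import date, timedelta

# Observation window and check-in date from sections 7.2 and 7.4.
OBSERVATION_START = date(2026, 9, 16)
OBSERVATION_END = date(2027, 3, 15)
MID_OBSERVATION_CHECKIN = date(2027, 1, 15)

# Cadence per control from the 7.4 schedule. "Ongoing" / "as needed" controls
# (change requests, incident response) have no fixed cadence and are omitted.
CONTROL_CADENCE = {
    "access_review": "monthly",
    "backup_restore_test": "quarterly",
    "risk_register_review": "quarterly",
}

# Remediation SLA by priority, in days, from the R-009 mitigation plan.
REMEDIATION_SLA_DAYS = {"P0": 1, "P1": 5, "P2": 30}

@dataclass(frozen=True)
class Evidence:
    control: str
    executed_on: date
    artifact: str  # screenshot / report file name (constructed)

def period_key(d: date, cadence: str) -> tuple:
    """Bucket a date as (year, month) or (year, quarter)."""
    if cadence == "monthly":
        return (d.year, d.month)
    if cadence == "quarterly":
        return (d.year, (d.month - 1) // 3 + 1)
    raise ValueError(f"unknown cadence: {cadence}")

def first_of_next_month(d: date) -> date:
    return (d.replace(day=1) + timedelta(days=32)).replace(day=1)

def expected_periods(cadence: str) -> list:
    """Every month or calendar quarter that overlaps the observation window."""
    periods = []
    d = OBSERVATION_START
    while d <= OBSERVATION_END:
        key = period_key(d, cadence)
        if key not in periods:
            periods.append(key)
        d = first_of_next_month(d)
    return periods

def period_end(key: tuple, cadence: str) -> date:
    """Last day of the bucket, clamped to the end of the observation window."""
    year, n = key
    last_month = n if cadence == "monthly" else n * 3
    end = first_of_next_month(date(year, last_month, 1)) - timedelta(days=1)
    return min(end, OBSERVATION_END)

def find_missed_controls(records, as_of: date) -> list:
    """(control, period) pairs with no in-window evidence whose period has
    already elapsed as of `as_of`. Evidence dated outside the window is
    ignored, which is how the auditor will treat it."""
    in_window = [r for r in records
                 if OBSERVATION_START <= r.executed_on <= OBSERVATION_END]
    missed = []
    for control, cadence in CONTROL_CADENCE.items():
        seen = {period_key(r.executed_on, cadence)
                for r in in_window if r.control == control}
        for key in expected_periods(cadence):
            if key not in seen and period_end(key, cadence) < as_of:
                missed.append((control, key))
    return missed

def failures_per_quarter(missed) -> dict:
    """Count missed executions per calendar quarter ('< 2 per quarter' KPI)."""
    counts = {}
    for control, (year, n) in missed:
        month = n if CONTROL_CADENCE[control] == "monthly" else n * 3
        quarter = period_key(date(year, month, 1), "quarterly")
        counts[quarter] = counts.get(quarter, 0) + 1
    return counts

def remediation_overdue(failed_on: date, priority: str, as_of: date,
                        remediated_on: date = None) -> bool:
    """True if a documented control failure was, or still is, open past its SLA."""
    due = failed_on + timedelta(days=REMEDIATION_SLA_DAYS[priority])
    return (remediated_on or as_of) > due

# Constructed evidence log: the November access review and the Q3 2026 risk
# register review are missing (the Sep 10 review predates the window).
SAMPLE_EVIDENCE = [
    Evidence("access_review", date(2026, 9, 28), "access-review-2026-09.png"),
    Evidence("access_review", date(2026, 10, 30), "access-review-2026-10.png"),
    Evidence("access_review", date(2026, 12, 20), "access-review-2026-12.png"),
    Evidence("backup_restore_test", date(2026, 9, 25), "restore-2026-Q3.log"),
    Evidence("backup_restore_test", date(2026, 12, 10), "restore-2026-Q4.log"),
    Evidence("risk_register_review", date(2026, 9, 10), "risk-register-pre.xlsx"),
    Evidence("risk_register_review", date(2026, 12, 21), "risk-register-Q4.xlsx"),
]

if __name__ == "__main__":
    for control, key in find_missed_controls(SAMPLE_EVIDENCE, MID_OBSERVATION_CHECKIN):
        print(f"MISSED: {control} for period {key}")
```

Run at the check-in date the script reports the November access review and the Q3 risk register review as missed; periods still in progress (January, Q1 2027) are not flagged until they have elapsed.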


10. Success Metrics and KPIs

10.1 Gap Closure Metrics (Mar - Jul 2026)

Metric | Target | Tracking Frequency | Owner
P0 gaps closed | 7/7 by Jun 30 | Weekly | CISO
P1 gaps closed | 11/11 by Jul 15 | Weekly | CISO
P2 gaps closed | 5/5 by Jul 31 | Weekly | CISO
Gap closure budget variance | < 10% over budget | Monthly | CISO
Gap closure timeline variance | < 2 weeks delay | Weekly | CISO

10.2 Type I Audit Metrics (Aug - Sep 2026)

Metric | Target | Tracking Frequency | Owner
Auditor information requests | < 20 requests | Daily during fieldwork | CISO
Average response time to auditor | < 24 hours | Daily during fieldwork | CISO
Control deficiencies identified | 0 material deficiencies | Post-audit | CISO
Type I opinion | Unqualified (clean) opinion | Post-audit | CISO
Report delivery vs target | Within 1 week of Sep 15 | Post-audit | Audit Firm

10.3 Type II Observation Period Metrics (Sep 2026 - Mar 2027)

Metric | Target | Tracking Frequency | Owner
Monthly evidence collected | 100% of checklist | Monthly | CISO
Control failures | < 2 per quarter | Monthly | CISO
Control failure remediation SLA | 100% within SLA | Monthly | CISO
Quarterly control testing completion | 100% on schedule | Quarterly | CISO
Mid-observation gap count | < 5 gaps | Jan 15, 2027 | CISO

10.4 Business Impact Metrics (Post-Type I)

Metric | Baseline | Target (6 months post-Type I) | Tracking
Enterprise deals closed | 0 | 3-5 | Sales CRM
Average deal size | $50K | $150K | Sales CRM
Security questionnaire completion time | 40 hours | 5 hours (attach SOC 2 report) | Sales
Customer churn due to security concerns | 2% | 0% | Customer Success
Cyber insurance premium | (current) | -15% reduction | Finance
Investor confidence (Series B readiness) | (subjective) | SOC 2 as diligence requirement | CFO

11. Conclusion and Recommendations

11.1 Executive Summary of Recommendations

1. Pursue SOC 2 Type I in Q3 2026, Type II in Q2 2027

  • Rationale: Type I accelerates GTM and investor confidence; Type II enables enterprise sales
  • Timeline: Aggressive but achievable with existing compliance foundation (FDA Part 11, HIPAA)
  • Investment: $151K total over 12 months (specialized firm path)

2. Engage Specialized Audit Firm (A-LIGN or Schellman)

  • Rationale: 40% cost savings ($60K), 50% faster turnaround (4-6 weeks vs 8-12 weeks)
  • Risk mitigation: Reassess for Type II if Big 4 required by customers/investors

3. Defer Privacy Criteria to Future Engagement

  • Rationale: Privacy adds 6-9 months and $50K+ with limited ROI unless contractually required
  • Scope: Security + Availability + Processing Integrity + Confidentiality provides comprehensive coverage

4. Prioritize P0 Gaps (Risk Assessment, CAB, DR Plan)

  • Rationale: These are the most scrutinized by auditors and highest risk of qualified opinion
  • Timeline: Complete by Jun 30 (5 weeks before audit start)

5. Leverage Existing Compliance Work Aggressively

  • FDA Part 11: Reuse IQ/OQ/PQ validation for Processing Integrity (12 weeks saved)
  • HIPAA: Reuse access controls and encryption for Security + Confidentiality (10 weeks saved)
  • Crypto standards: Reuse cryptographic architecture for Security (4 weeks saved)

11.2 Go/No-Go Decision Framework

Proceed with SOC 2 Type I (Q3 2026) IF:

  • ✅ Budget approved ($151K total over 12 months)
  • ✅ P0 gap closure resourced (1 FTE CISO + 0.3 FTE SRE + 0.4 FTE Security Eng for 5 months)
  • ✅ Executive sponsorship committed (CEO + CISO sign management assertion)
  • ✅ Architecture freeze acceptable (no major changes Sep 2026 - Mar 2027)
  • ✅ Customer/investor demand confirmed (SOC 2 required for enterprise deals or Series B)

Defer SOC 2 IF:

  • ❌ Budget not approved or higher-priority investments (e.g., product development)
  • ❌ Key personnel unavailable (CISO departure, SRE team overloaded)
  • ❌ Architecture changes planned (database migration, multi-region deployment)
  • ❌ Customer/investor demand uncertain (no enterprise pipeline, no Series B timing)

11.3 Next Steps (Week of 2026-02-17)

Immediate Actions (This Week):

  1. Executive approval: Present this assessment to CEO + Board for budget and timeline approval
  2. Audit firm RFP: Send RFP to A-LIGN, Schellman, KirkpatrickPrice (target: 3 proposals by Mar 1)
  3. Gap closure kickoff: CISO + VP Eng + SRE Lead align on gap ownership and timeline
  4. Risk assessment consultant: Engage external consultant for CC3 gap closure (target: start Mar 1)

30-Day Actions (By Mar 17):

  1. Audit firm selection: Review proposals, negotiate SOW, sign engagement letter by Mar 15
  2. P0 gap closure begins: Risk assessment kickoff, CAB charter drafted
  3. Evidence automation scoped: Security Eng scopes D.4.3 evidence collection automation
  4. Internal readiness calendar: CISO publishes weekly status meeting schedule + Gantt timeline

60-Day Actions (By Apr 17):

  1. Risk assessment complete: Risk register finalized, treatment plans documented
  2. CAB operational: First CAB meeting held, change requests approved
  3. P1 gap closure 50% complete: Code of Conduct, status page, policies in progress

90-Day Actions (By May 17):

  1. P0 gap closure complete: All 7 P0 gaps closed and evidenced
  2. P1 gap closure 80% complete: Only DLP and evidence automation remaining
  3. System description drafted: CISO + VP Eng draft system description for auditor review

12. Appendices

Appendix A: Trust Service Criteria Control Mapping

See detailed control-by-control mapping in docs/compliance/soc2-trust-service-criteria-mapping.md (D.4.1 deliverable, not yet created).

Appendix B: Evidence Collection Checklist

See monthly evidence collection checklist in D.4.3 Evidence Collection Automation implementation.

Appendix C: Risk Assessment Template

See SSAE 18 compliant risk assessment template in G-001 remediation deliverable.

Appendix D: CAB Charter and Change Request Template

See CAB charter and change request template in G-002 remediation deliverable.

Appendix E: Disaster Recovery Plan Template

See DR plan template in G-003 remediation deliverable.

Appendix F: Glossary

Term | Definition
---- | ----------
AICPA | American Institute of Certified Public Accountants — professional body that publishes the TSC
Carve-Out Method | SOC 2 approach where subservice organization controls are referenced but not tested
CUEC | Complementary User Entity Control — controls customers must implement
IRL | Information Request List — auditor's list of requested documents/evidence
Observation Period | 6-12 month period during which the Type II auditor tests control operating effectiveness
SSAE 18 | Statement on Standards for Attestation Engagements No. 18 — audit standard for SOC 2
TSC | Trust Service Criteria — AICPA's 2017 criteria for SOC 2 audits
Type I | Point-in-time audit of control design effectiveness
Type II | Period-of-time audit of control design AND operating effectiveness

Document History

Version | Date | Author | Changes
------- | ---- | ------ | -------
1.0.0 | 2026-02-16 | CISO Office | Initial readiness assessment

Document ID: CODITECT-BIO-SOC2-RA-001
Classification: Internal - Confidential
Next Review: 2026-05-16
Owner: Chief Information Security Officer (CISO) + VP Engineering


End of Document