SOC 2 readiness assessment cost: what you actually pay for.
Three things buyers conflate
When a vendor or consultant quotes a "readiness fee", they are usually pricing one or more of three distinct workstreams. Recognising the difference is the most useful budget skill.
| Workstream | What it produces | Typical price |
|---|---|---|
| Gap analysis | Controls inventory, gap log with severity, no roadmap | £0 – £8,000 |
| Readiness assessment proper | Gap log + evidence map + remediation order + timeline | £8,000 – £20,000 |
| Remediation engagement | Hands-on policy authoring, control build, evidence setup | £10,000 – £85,000 |
GRC platforms usually include the gap analysis as part of the subscription. They sometimes include a light readiness assessment. They almost never include serious remediation work, which sits with the platform's partner consultant network.
What a readiness deliverable should contain
A defensible readiness deliverable is not a slide deck. It is a controls inventory listing every Trust Services Criterion in scope and the corresponding control. It is a gap log with severity rated against the audit firm's expected criteria. It is an evidence map showing where each piece of evidence will live and how it will be collected. It is a recommended remediation order, prioritised by audit risk, and a calendar timeline that fits inside the audit window.
If the readiness deliverable lacks the evidence map, the engagement was a gap analysis dressed as readiness. If it lacks the remediation order, the consultant is leaving the prioritisation problem to the customer. Press for those two before signing a readiness SOW.
Cost ranges by approach
| Approach | Cost | Time | What is included |
|---|---|---|---|
| GRC platform included | £0 incremental | 2 to 4 weeks | Automated controls inventory, gap analysis, evidence map. Light remediation guidance. Heavy lift on customer team for remediation. |
| Boutique consultant | £8,000 – £25,000 | 4 to 8 weeks | Full readiness assessment plus 5 to 15 days of advisory time across remediation. Best fit for first-time SOC 2 with limited internal capacity. |
| Big-firm advisory | £25,000 – £80,000 | 6 to 12 weeks | Full readiness, structured remediation engagement, project management. Justifies the cost only at scale-up size or with complex multi-entity scope. |
The remediation cost curve
When the readiness assessment reveals significant gaps, the remediation engagement can run 5 to 10 times the readiness fee itself. The shape of that curve depends entirely on the organisation's existing control maturity.
| Starting maturity | Typical remediation cost | What drives it |
|---|---|---|
| Low (no formal controls, no policies, ad-hoc access management) | £40,000 – £85,000 | Build the entire control set from scratch: policies, access reviews, change management, vendor management, incident response. |
| Medium (informal controls, some policies, partial automation) | £18,000 – £45,000 | Formalise existing practice, fill the ten or so gaps the audit firm will care about, build the evidence trail. |
| High (existing security programme, prior ISO 27001 or similar) | £5,000 – £18,000 | Mostly mapping and evidence work. Most controls already exist; the question is whether they are auditable. |
What teams underestimate
Re-readiness after remediation is often skipped to save 5 to 10 percent of the engagement cost. It is the wrong line item to cut. Surprise findings in the actual audit cost more in calendar time than a re-readiness pass costs in cash. Build a small re-readiness budget into the readiness SOW from the start, and use it.
For how the readiness work gets heavier on the Type 2 path, see the Type 1 vs Type 2 page. For when platform-included readiness is the right call, see the GRC platforms page. For how scope drives the gap count, see the Trust Services Criteria page.