Compliance Audit Readiness Score
Estimate your organization's overall compliance audit readiness by rating key control domains. Each domain is weighted by its typical audit importance.
Rate each control domain from 0 to 10:
- Policy & Procedure Documentation: Are policies written, approved, and accessible?
- Employee Training & Awareness: Completion rates, frequency, and documentation of training.
- Access Controls & Identity Management: Role-based access, MFA, periodic access reviews.
- Risk Assessment & Management: Documented risk register, risk reviews, mitigation plans.
- Incident Response & Logging: Incident response plan, log retention, breach notification procedures.
- Vendor & Third-Party Management: Vendor assessments, contracts with compliance clauses, ongoing monitoring.
- Internal Audit & Self-Assessment: Frequency of internal audits, findings remediation, evidence collection.
- Data Protection & Privacy Controls: Encryption, data classification, retention/disposal policies.
- Change Management Controls: Documented change requests, approvals, testing, and rollback procedures.
- Business Continuity & Disaster Recovery: BCP/DR plans documented, tested, and updated regularly.
Formula
Weighted Readiness Score (0–100):
Score = [Σ_i (Domain Score_i × Weight_i)] × 10
Where each Domain Score is rated 0–10 and weights are:
- Policy & Procedure Documentation — 15%
- Access Controls & Identity Management — 15%
- Risk Assessment & Management — 12%
- Incident Response & Logging — 12%
- Employee Training & Awareness — 10%
- Internal Audit & Self-Assessment — 10%
- Data Protection & Privacy Controls — 10%
- Business Continuity & Disaster Recovery — 10%
- Vendor & Third-Party Management — 8%
- Change Management Controls — 8%
Readiness Bands: ≥85 = Audit-Ready | 70–84 = Mostly Ready | 50–69 = Partially Ready | <50 = Not Ready
Assumptions & References
- Domain weights are derived from control emphasis in ISO/IEC 27001:2022, SOC 2 Trust Services Criteria, and the NIST Cybersecurity Framework (CSF 2.0).
- Scores are self-assessed; actual audit outcomes depend on auditor judgment and evidence quality.
- A score of 10 in any domain implies full documentation, implementation, testing, and evidence availability — not merely policy existence.
- Weights sum to exactly 1.0 (100%), ensuring the output is a true weighted average scaled to 100.
- This tool is intended for internal gap analysis and pre-audit planning, not as a substitute for a formal third-party audit.
- Reference: AICPA SOC 2 Guide; NIST SP 800-53 Rev. 5; ISO 27001 Annex A controls.
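The weighted formula and readiness bands above, written out in Python as an added example; this is not the page's own calculator. It includes the check that the "weights sum to exactly 1.0" assumption relies on: the ten percentages listed under the formula add up to 110, not 100, so `readiness_score` refuses them as written unless `normalize=True` rescales them proportionally. It also ranks domains by points lost, which is the gap-analysis view the tool is meant for. Domain names and weights are taken from the page; the function names and the sample self-assessment are constructed for this example.

```python
from typing import Dict, List, Tuple

# Domain weights exactly as listed on the page, as fractions of 1.0.
PAGE_WEIGHTS: Dict[str, float] = {
    "Policy & Procedure Documentation": 0.15,
    "Access Controls & Identity Management": 0.15,
    "Risk Assessment & Management": 0.12,
    "Incident Response & Logging": 0.12,
    "Employee Training & Awareness": 0.10,
    "Internal Audit & Self-Assessment": 0.10,
    "Data Protection & Privacy Controls": 0.10,
    "Business Continuity & Disaster Recovery": 0.10,
    "Vendor & Third-Party Management": 0.08,
    "Change Management Controls": 0.08,
}

# Readiness bands from the page, checked from the highest threshold down.
BANDS: List[Tuple[float, str]] = [
    (85, "Audit-Ready"),
    (70, "Mostly Ready"),
    (50, "Partially Ready"),
    (0, "Not Ready"),
]


def weight_total(weights: Dict[str, float]) -> float:
    """Sum of the weights; the formula only yields a 0-100 scale when this is 1.0."""
    return sum(weights.values())


def normalized(weights: Dict[str, float]) -> Dict[str, float]:
    """Rescale weights to sum to 1.0 while keeping their relative emphasis."""
    total = weight_total(weights)
    if total <= 0:
        raise ValueError("weights must be positive")
    return {name: w / total for name, w in weights.items()}


def readiness_score(domain_scores: Dict[str, float],
                    weights: Dict[str, float] = PAGE_WEIGHTS,
                    normalize: bool = False,
                    tol: float = 1e-6) -> float:
    """Weighted Readiness Score = [sum(score_i * weight_i)] * 10, on a 0-100 scale."""
    if normalize:
        weights = normalized(weights)
    elif abs(weight_total(weights) - 1.0) > tol:
        raise ValueError(f"weights sum to {weight_total(weights):.2f}, not 1.0; "
                         "fix the weights or pass normalize=True")
    missing = set(weights) - set(domain_scores)
    if missing:
        raise ValueError(f"unscored domains: {sorted(missing)}")
    unknown = set(domain_scores) - set(weights)
    if unknown:
        raise ValueError(f"unweighted domains: {sorted(unknown)}")
    for name, s in domain_scores.items():
        if not 0 <= s <= 10:
            raise ValueError(f"{name}: score {s} is outside 0-10")
    weighted = sum(domain_scores[name] * w for name, w in weights.items())
    return round(weighted * 10, 2)


def readiness_band(score: float) -> str:
    """Map a 0-100 score onto the page's readiness bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score {score} is below 0")


def points_lost(domain_scores: Dict[str, float],
                weights: Dict[str, float] = PAGE_WEIGHTS,
                normalize: bool = False) -> List[Tuple[str, float]]:
    """Points each domain costs against the 100 ceiling, largest first (gap analysis)."""
    w = normalized(weights) if normalize else weights
    gaps = [(name, round((10 - domain_scores[name]) * w[name] * 10, 2)) for name in w]
    return sorted(gaps, key=lambda g: g[1], reverse=True)


# Constructed self-assessment for illustration only; not real audit data.
SAMPLE_SCORES: Dict[str, float] = {
    "Policy & Procedure Documentation": 8,
    "Access Controls & Identity Management": 6,
    "Risk Assessment & Management": 7,
    "Incident Response & Logging": 5,
    "Employee Training & Awareness": 9,
    "Internal Audit & Self-Assessment": 4,
    "Data Protection & Privacy Controls": 7,
    "Business Continuity & Disaster Recovery": 6,
    "Vendor & Third-Party Management": 5,
    "Change Management Controls": 8,
}

if __name__ == "__main__":
    print(f"listed weights sum to {weight_total(PAGE_WEIGHTS):.2f}")
    score = readiness_score(SAMPLE_SCORES, normalize=True)
    print(f"score {score} -> {readiness_band(score)}")
    for name, lost in points_lost(SAMPLE_SCORES, normalize=True)[:3]:
        print(f"  {lost:5.2f} points lost in {name}")
```

With the listed weights normalized, the constructed sample scores 65.27 (Partially Ready); without normalization the same inputs would reach 71.8, a full band higher, which is why the weight-sum check matters before trusting any band boundary.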