How to take it.

For each question, pick the option that's most honest about your current state — not the policy on paper, not what you've planned. The diagnostic is most useful when it surfaces what isn't actually happening yet.

Self-reported, by design. This diagnostic is attestation — your honest read of your own organization — and that's a real signal: it starts the right conversation, and it's free because honesty does most of the work. What attestation can't do is verify itself. That's observation — first and mostly the human kind: being in the room while work happens, watching who speaks, who defers, and what goes unsaid. No system reveals that layer, and it's usually where the gap between the deck and delivery lives. Toolchain evidence can round out the picture where it's useful. An engagement picks up there, if the result warrants one. Trust the self-read; verify in the room.

Yes — documented and operating.Policy exists, evidence exists, it's actually happening.
Partial.Some of it is in place; pieces are missing or undocumented.
No.Not in place today, even informally.
Doesn't apply.Genuinely not relevant — e.g. no AI use yet, no customer data, etc.

Answer the questions above — your readiness report renders here once you're done.

Got the result. Now what?

30 minutes, free, no pitch. We'll walk through where the gaps sit, what's worth fixing before the next customer security review, and what an honest 90-day path to SOC2 + AI governance readiness looks like for a company your size.

Book a Discovery Call →