SOC 2 Compliance Calendar (Security Trust Criteria)
This calendar provides a structured, annual plan to stay audit-ready under the SOC 2 Security trust criteria. Activities are spread throughout the year to reduce operational disruption and ensure continuous compliance.
Quarterly Tasks (Do Every Quarter)
These tasks reinforce operational consistency and risk awareness across your team.
Annual Timeline
| Month | Activity | SOC 2 Controls |
|---|---|---|
| January | Re-certify and document all key policies (passwords, access, incident response, onboarding/offboarding) | CC1.1 – CC1.3 |
| January | Launch full security awareness training for all team members | CC2.2, CC5.2 |
| January | Reassess risk register and update mitigation plans | CC3.1 – CC3.4 |
| February | Business Continuity Tabletop Exercise | CC4.1 |
| February | Vendor and third-party access review | CC9.2, CC9.3 |
| March | Penetration Test (external vendor or internal) | CC7.1, CC7.3 |
| April | Data classification and retention audit | CC8.1, CC8.2 |
| May | Backup & restore testing for disaster recovery | CC5.3, CC6.1 |
| June | Physical security review (if applicable for hybrid or co-working setups) | CC6.6 |
| July | Incident Response Tabletop Drill | CC7.4, CC7.5 |
| August | Policy updates for any new tools, systems, or regions | CC1.3, CC2.1 |
| September | Asset inventory and device list review | CC6.1 |
| October | Review and update employee access control list | CC6.3 |
| November | SOC 2 internal readiness checklist walkthrough | All |
| December | Freeze change logs and finalize audit evidence | All |