SOC 2 Availability Readiness Checklist
Use this checklist to prepare for a SOC 2 audit focused on the “Availability” Trust Services Criteria (TSC). For each control, ensure you have the proper evidence and corresponding policy in place.
| SOC 2 Control | Evidence to Provide | Relevant Policies |
| --- | --- | --- |
| A1.1 Capacity Planning | Capacity planning document, system monitoring reports, and capacity utilization reports. | Capacity Management Policy |
| A1.2 Environmental Protection | Documentation of power backups (UPS), fire suppression systems, and HVAC controls. | Environmental Controls Policy, Physical Security Policy |
| A1.3 Backup & Recovery Testing | Backup logs showing successful backups, and a signed-off report from a full-scale disaster recovery test. | Backup and Recovery Policy |
| A1.4 Incident Response | Incident Response Plan, runbooks for common incidents (e.g., database outage), and logs of incident drills. | Incident Response Plan |
| A1.5 Disaster Recovery Plan | A documented Disaster Recovery Plan (DRP) and a Business Continuity Plan (BCP). | Disaster Recovery Plan, Business Continuity Plan |
| A1.6 System Monitoring | Screenshots of system uptime dashboards (e.g., DataDog, New Relic) and logs of system alerts. | Monitoring Policy |
| A1.7 Redundancy & Failover | Network diagrams illustrating redundancy, and documentation of failover testing. | Infrastructure Policy, Disaster Recovery Plan |
| A1.8 Security Monitoring | Logs from intrusion detection systems (IDS), web application firewalls (WAF), and security event monitoring. | Logging and Monitoring Policy |