SOC 2 Confidentiality Readiness Checklist
Use this checklist to prepare for a SOC 2 audit focused on the “Confidentiality” Trust Services Criteria (TSC). For each control, ensure you have the proper evidence and corresponding policy in place.
| SOC 2 Control | Evidence to Provide | Relevant Policies |
| --- | --- | --- |
| C1.1 Data Classification | Data classification standard, data mapping document, and asset inventory. | Data Classification Policy, Data Handling Policy |
| C1.2 Identify Data Owners | Organizational chart with data ownership assignments and responsible team members. | Data Governance Policy |
| C1.3 Maintain Confidentiality | Screenshots of access control lists (ACLs), role-based access control (RBAC) settings, and security group configurations. | Access Control Policy, Data Security Policy |
| C1.4 Data in Use Protection | Documentation of data masking or tokenization for sensitive data in non-production environments. | Data Security Policy |
| C1.5 Data in Transit Protection | Documentation of enforced TLS/SSL, VPN usage logs, and network diagrams showing secure tunnels. | Encryption Policy, Secure Communications Policy |
| C1.6 Data at Rest Protection | Screenshots of disk encryption status on servers and laptops, and database encryption settings. | Encryption Policy, Data Security Policy |
| C2.1 Secure Disposal | Data retention schedule, data disposal logs, and secure data shredding reports. | Data Disposal Policy, Data Retention Policy |
| C2.2 Dispose of Assets | Logs showing the secure sanitization of decommissioned hardware (e.g., hard drives, laptops). | Data Disposal Policy, Hardware Disposal Policy |
| C3.1 Disclosure Protection | Third-party vendor agreements with confidentiality clauses, signed NDAs, and confidentiality logs. | Vendor Management Policy, Third-Party Risk Policy, NDA Policy |