# SOC 2 Security Readiness Checklist
Use this checklist to prepare for a SOC 2 audit focused on the Security Trust Services Criteria (TSC). For each control, ensure you have the proper evidence and corresponding policy in place.
| SOC 2 Control | Evidence to Provide | Relevant Policy |
|---|---|---|
| CC1.1 – Integrity and Ethical Values | Signed Code of Conduct (employee onboarding files); Disciplinary procedures (policy or doc) | Code of Conduct, Governance Policy |
| CC1.2 – Board Oversight | Board meeting notes / leadership review; Risk or compliance updates shared with owners | Governance Policy |
| CC1.3 – Structure, Authority & Responsibility | Org chart or leadership matrix; Documented roles in job descriptions | Roles & Responsibilities Policy, Org Structure Policy |
| CC1.4 – Commitment to Competence | Job descriptions with qualifications; Hiring decisions / candidate evaluation examples | Hiring & Onboarding Policy, Security Training Policy |
| CC1.5 – Accountability | RACI chart; Audit trail logs mapped to individual users | Governance Policy, Access Control Policy |
| CC2.1 – Internal Communication of Objectives | Onboarding docs; Slack/email/Notion announcements | Communication Policy, Training Policy |
| CC2.2 – Internal Communication of Responsibilities | Documentation of assigned duties (e.g., CTO for backups); Meeting minutes confirming ownership | Roles & Responsibilities Policy |
| CC2.3 – External Communication | Incident notification templates; Public terms/privacy page; Customer comms (email copy) | Incident Response Policy, Privacy Policy |
| CC3.1 – Specifies Objectives Clearly | Control objectives in risk register | Risk Management Policy |
| CC3.2 – Identifies & Analyzes Risks | Risk register with likelihood/impact analysis; Risk scoring methodology | Risk Management Policy |
| CC3.3 – Assesses Fraud Risk | Fraud risks in risk register; Hotline/contact method for employees | Code of Conduct, Whistleblower Policy |
| CC3.4 – Identifies & Analyzes Significant Change | Risk reviews tied to changes (vendors, launches); Meeting notes or risk register updates | Change Management Policy, Risk Review Process |
| CC4.1 – Ongoing/Separate Evaluations | Internal audit checklist; Annual security/self-assessments | Audit & Monitoring Policy |
| CC4.2 – Evaluates & Communicates Deficiencies | Ticket/task backlog; Documentation of failures and remediation actions | Incident Response Policy, Monitoring Policy |
| CC5.1 – Selects & Develops Control Activities | Policy-to-control mapping; GitHub/GitLab branch protections or pipeline rules | Access Control Policy, DevSecOps Policy |
| CC5.2 – General Control Activities over Technology | CI/CD config (e.g., GitHub Actions); Production access logs or RBAC | System Security Policy, Change Management Policy |
| CC5.3 – Deploys Controls via Policies & Procedures | Employee acknowledgment logs; Policies shared on intranet; Training sessions | All major policies above |
| CC6.1 – Restricts Logical Access | RBAC screenshots; MFA settings in production | Access Control Policy |
| CC6.2 – Identifies & Authenticates Users | SSO config screenshots; Login activity logs | Authentication Policy |
| CC6.3 – Manages Access Rights | Termination checklist; Admin access reviews | Onboarding/Offboarding Policy |
| CC6.4 – Protects Against Unauthorized Access | VPN config, firewall rules; Endpoint protection summary | System Security Policy |
| CC7.1 – Detects & Monitors Deviations | Security incident alert rules; Monitoring dashboard screenshots | Logging & Monitoring Policy |
| CC7.2 – Identifies Logging Events | Audit logs for services/repos; Log retention settings | Logging Policy |
| CC7.3 – Evaluates Security Events | Incident tracking system; Post-incident review summary | Incident Response Policy |
| CC7.4 – Responds to Security Incidents | Drill/tabletop evidence; Incident comms templates | Incident Response Policy |
| CC8.1 – Authorizes & Manages Change | Pull request approvals; Deploy logs; Version control audit trails | Change Management Policy, SDLC Policy |
| CC9.1 – Identifies & Mitigates Risks | Updated risk register post-incident; Mitigation tickets/tasks | Risk Management Policy |
| CC9.2 – Manages Vendors & Third Parties | Vendor review checklist; Signed DPAs/assessments; SaaS provider inventory | Vendor Management Policy |