How to Use This Checklist

This checklist covers common controls across the five Trust Services Criteria. Use it to verify your readiness before engaging an auditor.

Readiness Scoring

✓ Ready: Control implemented, documented, and evidence available
◐ Partial: Control exists but needs work or documentation
✗ Gap: Control missing—action required before audit

Governance & Organization

Foundation controls that support all Trust Services Criteria.

Policies & Procedures

  • Information security policy documented and approved
  • Acceptable use policy for employees
  • Data classification policy
  • Access control policy
  • Change management policy
  • Incident response policy/procedure
  • Business continuity / disaster recovery policy
  • Vendor management policy

Organization Structure

  • Security responsibilities assigned (CISO, security team)
  • Organizational chart available
  • Board/management oversight of security documented
  • Segregation of duties enforced

Risk Management

  • Risk assessment process documented
  • Risk assessment conducted and documented
  • Risk treatment decisions documented
  • Risk register maintained

Security (Common Criteria)

Required for all SOC 2 reports. These controls form the foundation.

CC1: Control Environment

  • Commitment to integrity and ethical values documented
  • Board exercises oversight of internal controls
  • Authority and responsibility assigned and communicated
  • Commitment to competence demonstrated
  • Accountability for control responsibilities enforced

CC2: Communication & Information

  • System description documented
  • Internal communication of control responsibilities
  • External communication policies established

CC3: Risk Assessment

  • Clear objectives defined
  • Risks to objectives identified and analyzed
  • Fraud risk considered
  • Change assessment process for significant changes

CC4: Monitoring

  • Ongoing and/or separate evaluations of controls
  • Control deficiencies communicated and addressed

CC5: Control Activities

  • Control activities deployed through policies and procedures
  • Technology-related controls selected and developed
  • General technology controls implemented

CC6: Logical & Physical Access

  • Logical access security software/infrastructure deployed
  • New users authorized before access granted
  • User access reviews performed periodically
  • Access removal upon termination
  • Physical access restricted to authorized personnel
  • Physical access devices (badges, keys) managed
  • Visitors escorted and logged

CC7: System Operations

  • Intrusion detection and monitoring deployed
  • Vulnerability management program
  • Malware prevention controls
  • Security event logging and monitoring
  • Incident response procedures and testing

CC8: Change Management

  • Changes authorized before implementation
  • Change testing performed
  • Change approval documented
  • Emergency change procedures
  • Baseline configurations established

CC9: Risk Mitigation

  • Vendor/business partner risk assessed
  • Vendor security requirements in contracts
  • Insurance coverage appropriate

Availability (A Series)

Include if you make availability commitments to customers.

  • A1.1: Capacity management and monitoring
  • A1.2: Environmental protections (power, cooling, fire)
  • A1.2: Backup and recovery procedures
  • A1.2: Backup testing performed and documented
  • A1.3: Business continuity plan documented
  • A1.3: Disaster recovery plan documented
  • A1.3: BC/DR plans tested

Confidentiality (C Series)

Include if you handle confidential business information.

  • C1.1: Confidential information identified and classified
  • C1.2: Confidential information protected during processing
  • C1.2: Encryption for confidential data at rest and in transit
  • C1.2: Access to confidential information restricted
  • C1.2: Confidential data disposal procedures

Processing Integrity (PI Series)

Include if processing accuracy is critical to your service.

  • PI1.1: Processing objectives defined
  • PI1.2: Input validation controls
  • PI1.3: Processing controls ensure completeness and accuracy
  • PI1.4: Output procedures ensure completeness and accuracy
  • PI1.5: Storage integrity maintained

Privacy (P Series)

Include if you collect and control personal information.

  • P1.1: Privacy notice provided to data subjects
  • P2.1: Consent obtained where required
  • P3.1: Personal information collection limited to purpose
  • P3.2: Explicit consent for sensitive information
  • P4.1: Use limited to disclosed purposes
  • P4.2: Retention limited to necessary period
  • P4.3: Secure disposal of personal information
  • P5.1: Access requests honored
  • P5.2: Correction requests processed
  • P6.1: Third-party disclosures controlled
  • P6.2: Third parties comply with privacy requirements
  • P7.1: Personal information quality maintained
  • P8.1: Complaints and inquiries addressed

Evidence Collection Readiness

For Type II audits, ensure you can produce evidence for the observation period.

Evidence Types Needed

  • Access provisioning/deprovisioning tickets
  • Access review records
  • Change management tickets
  • Security awareness training completion
  • Incident tickets and resolution records
  • Vulnerability scan reports
  • Penetration test reports
  • Backup verification logs
  • Vendor assessment records
  • Meeting minutes (security reviews, risk discussions)

Evidence Collection Tips

  • Use ticketing systems that retain history
  • Automate evidence collection where possible
  • Establish naming conventions for documents
  • Maintain audit trail of control execution
  • Don't wait until audit time to gather evidence
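An added example, not part of the original checklist, of the automation the tips above recommend: it tests the CC6 control "Access removal upon termination" against constructed HR and identity-provider exports for a Type II observation period and emits an evidence record listing the tested population, each exception, and a readiness rating on the scale defined at the top of the page. The export field names and the one-day removal SLA are assumptions, not any vendor's real schema.

```python
"""Evidence automation for CC6 "Access removal upon termination" (added example).
The HR and identity-provider (IdP) exports below are constructed sample data;
their field names and the removal SLA are assumptions for illustration only."""
from datetime import date, timedelta

# Constructed sample inputs: HR terminations and the IdP account state at export time.
HR_TERMINATIONS = [
    {"user": "alice", "terminated": date(2024, 3, 4)},
    {"user": "bob", "terminated": date(2024, 5, 20)},
    {"user": "carol", "terminated": date(2024, 7, 15)},
    {"user": "dave", "terminated": date(2023, 12, 1)},  # before the period: out of scope
]
IDP_ACCOUNTS = {
    "alice": {"status": "disabled", "disabled_on": date(2024, 3, 4)},
    "bob": {"status": "disabled", "disabled_on": date(2024, 5, 29)},   # removed late
    "carol": {"status": "active", "disabled_on": None},                # never removed
    "dave": {"status": "disabled", "disabled_on": date(2023, 12, 1)},
}
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # assumed Type II observation period

def evidence_for_termination_removal(hr, idp, period_start, period_end, sla_days=1):
    """Test every termination inside the observation period against the IdP and
    return an evidence record an auditor can sample from: full population, each
    exception, and a rating on the checklist's ready / partial / gap scale."""
    population, exceptions = [], []
    for rec in hr:
        if not (period_start <= rec["terminated"] <= period_end):
            continue  # only terminations inside the period form the tested population
        acct = idp.get(rec["user"], {"status": "unknown", "disabled_on": None})
        deadline = rec["terminated"] + timedelta(days=sla_days)
        removed_on = acct["disabled_on"] if acct["status"] == "disabled" else None
        on_time = removed_on is not None and removed_on <= deadline
        population.append({"user": rec["user"], "terminated": rec["terminated"].isoformat(),
                           "removed_on": removed_on.isoformat() if removed_on else None,
                           "on_time": on_time})
        if not on_time:
            exceptions.append(rec["user"])
    # Ready: no exceptions. Partial: control operates but missed cases. Gap: never operated.
    if not exceptions:
        rating = "ready"
    elif len(exceptions) < len(population):
        rating = "partial"
    else:
        rating = "gap"
    return {"control": "CC6 access removal upon termination",
            "period": (period_start.isoformat(), period_end.isoformat()),
            "population": population, "exceptions": exceptions, "rating": rating}

if __name__ == "__main__":
    print(evidence_for_termination_removal(HR_TERMINATIONS, IDP_ACCOUNTS, *PERIOD))
```

Run it on a schedule and archive the returned record with a timestamp; that gives the ticket-style audit trail of control execution the tips call for, rather than reconstructing it at audit time.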

The best time to prepare for a SOC 2 audit is before you need the report. Controls that are genuinely embedded in operations produce evidence naturally; controls implemented just for audit create a scramble every year.