Key Takeaways
  • A SOC 2 readiness assessment identifies gaps before the formal audit, preventing costly findings
  • Security (Common Criteria) is mandatory for every SOC 2 report; other TSC are optional based on scope
  • Key readiness areas include access management, change management, risk assessment, vendor management, and incident response
  • Organizations typically need 8-16 weeks to remediate gaps identified during readiness
  • Starting with Type I and progressing to Type II is a common and recommended approach

How to Use This Checklist

This checklist covers common controls across the five Trust Services Criteria. Use it to verify your readiness before engaging an auditor.

Readiness Scoring

✓ Ready: Control implemented, documented, and evidence available
◐ Partial: Control exists but needs work or documentation
✗ Gap: Control missing; action required before audit

Governance & Organization

Foundation controls that support all Trust Services Criteria.

Policies & Procedures

  • Information security policy documented and approved
  • Acceptable use policy for employees
  • Data classification policy
  • Access control policy
  • Change management policy
  • Incident response policy/procedure
  • Business continuity / disaster recovery policy
  • Vendor management policy

Organization Structure

  • Security responsibilities assigned (CISO, security team)
  • Organizational chart available
  • Board/management oversight of security documented
  • Segregation of duties enforced

Risk Management

  • Risk assessment process documented
  • Risk assessment conducted and documented
  • Risk treatment decisions documented
  • Risk register maintained

Security (Common Criteria)

Required for all SOC 2 reports. These controls form the foundation.

CC1: Control Environment

  • Commitment to integrity and ethical values documented
  • Board exercises oversight of internal controls
  • Authority and responsibility assigned and communicated
  • Commitment to competence demonstrated
  • Accountability for control responsibilities enforced

CC2: Communication & Information

  • System description documented
  • Internal communication of control responsibilities
  • External communication policies established

CC3: Risk Assessment

  • Clear objectives defined
  • Risks to objectives identified and analyzed
  • Fraud risk considered
  • Change assessment process for significant changes

CC4: Monitoring

  • Ongoing and/or separate evaluations of controls
  • Control deficiencies communicated and addressed

CC5: Control Activities

  • Control activities deployed through policies and procedures
  • Technology-related controls selected and developed
  • General technology controls implemented

CC6: Logical & Physical Access

  • Logical access security software/infrastructure deployed
  • New users authorized before access granted
  • User access reviews performed periodically
  • Access removal upon termination
  • Physical access restricted to authorized personnel
  • Physical access devices (badges, keys) managed
  • Visitors escorted and logged

CC7: System Operations

  • Intrusion detection and monitoring deployed
  • Vulnerability management program
  • Malware prevention controls
  • Security event logging and monitoring
  • Incident response procedures and testing

CC8: Change Management

  • Changes authorized before implementation
  • Change testing performed
  • Change approval documented
  • Emergency change procedures
  • Baseline configurations established

CC9: Risk Mitigation

  • Vendor/business partner risk assessed
  • Vendor security requirements in contracts
  • Insurance coverage appropriate

Availability (A Series)

Include if you make availability commitments to customers.

  • A1.1: Capacity management and monitoring
  • A1.2: Environmental protections (power, cooling, fire)
  • A1.2: Backup and recovery procedures
  • A1.2: Backup testing performed and documented
  • A1.3: Business continuity plan documented
  • A1.3: Disaster recovery plan documented
  • A1.3: BC/DR plans tested

Confidentiality (C Series)

Include if you handle confidential business information.

  • C1.1: Confidential information identified and classified
  • C1.2: Confidential information protected during processing
  • C1.2: Encryption for confidential data at rest and in transit
  • C1.2: Access to confidential information restricted
  • C1.2: Confidential data disposal procedures

Processing Integrity (PI Series)

Include if processing accuracy is critical to your service.

  • PI1.1: Processing objectives defined
  • PI1.2: Input validation controls
  • PI1.3: Processing controls ensure completeness and accuracy
  • PI1.4: Output procedures ensure completeness and accuracy
  • PI1.5: Storage integrity maintained

Privacy (P Series)

Include if you collect and control personal information.

  • P1.1: Privacy notice provided to data subjects
  • P2.1: Consent obtained where required
  • P3.1: Personal information collection limited to purpose
  • P3.2: Explicit consent for sensitive information
  • P4.1: Use limited to disclosed purposes
  • P4.2: Retention limited to necessary period
  • P4.3: Secure disposal of personal information
  • P5.1: Access requests honored
  • P5.2: Correction requests processed
  • P6.1: Third-party disclosures controlled
  • P6.2: Third parties comply with privacy requirements
  • P7.1: Personal information quality maintained
  • P8.1: Complaints and inquiries addressed

Evidence Collection Readiness

For Type II audits, ensure you can produce evidence for the observation period.

Evidence Types Needed

  • Access provisioning/deprovisioning tickets
  • Access review records
  • Change management tickets
  • Security awareness training completion
  • Incident tickets and resolution records
  • Vulnerability scan reports
  • Penetration test reports
  • Backup verification logs
  • Vendor assessment records
  • Meeting minutes (security reviews, risk discussions)

Evidence Collection Tips

  • Use ticketing systems that retain history
  • Automate evidence collection where possible
  • Establish naming conventions for documents
  • Maintain audit trail of control execution
  • Don't wait until audit time to gather evidence

The best time to prepare for a SOC 2 audit is before you need the report. Controls that are genuinely embedded in operations produce evidence naturally; controls implemented just for audit create a scramble every year.

Frequently Asked Questions

What is a SOC 2 readiness assessment?

A SOC 2 readiness assessment is a pre-audit evaluation that identifies gaps between your current controls and SOC 2 requirements. It produces a detailed gap analysis with remediation recommendations, helping you address issues before the formal audit begins and preventing costly findings or exceptions in your report.

How long does SOC 2 readiness take?

The readiness assessment itself typically takes 4-8 weeks depending on organizational complexity. Remediation of identified gaps usually requires an additional 8-16 weeks. The total timeline from starting readiness to being audit-ready is typically 3-6 months.

What are the most common SOC 2 readiness gaps?

The most frequently identified gaps include missing formal information security policies, incomplete or undocumented access reviews, no formal risk assessment process, lack of change management evidence and approval records, and insufficient security monitoring and logging capabilities.

Should I start with SOC 2 Type I or Type II?

Type I is recommended as a starting point for first-time SOC 2 organizations. It validates that your control design is sound before committing to a Type II observation period. It also gives you a report to share with customers while you build the operating history needed for Type II.

Can I use a readiness checklist for SOC 2 Type II?

Yes, the same readiness checklist applies to both Type I and Type II. Type II adds the requirement that controls must operate effectively over a 3-12 month period, so you should also verify that your evidence collection processes are automated and sustainable for ongoing operation.