
Ultimate SOC 2 Type 2 Compliance Checklist

Alexander Sverdlov

Security Analyst

4/1/2025

This checklist provides a comprehensive framework for organizations preparing for a SOC 2 Type 2 audit, which evaluates controls over a period of time (typically 6-12 months).

We could have asked you for your email to access it, as most other companies do... but why would we? If you like what you see, you can reach out for a short introductory meeting. Who knows, you might like working with us?

Pre-Audit Preparation

Scoping and Planning

  • Define the scope of systems, data, and processes to be included
  • Identify which Trust Services Criteria will be in scope:
    • Security (required)
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • Establish audit timeframe (typically 6-12 months)
  • Select a qualified CPA firm for the audit
  • Create a project timeline with key milestones
  • Assign roles and responsibilities for the SOC 2 project
  • Conduct a kickoff meeting with key stakeholders

Gap Assessment

  • Perform a thorough gap analysis against applicable criteria
  • Document current controls and identify missing controls
  • Develop a remediation plan for identified gaps
  • Estimate resources required for remediation
  • Establish a timeline for implementing missing controls

Common Criteria (CC) - Security

CC1: Control Environment

  • Document organizational structure, reporting lines, and authority
  • Establish board oversight mechanisms for security
  • Define and communicate roles and responsibilities
  • Implement HR policies addressing hiring, training, and termination
  • Conduct regular security awareness training
  • Document commitment to integrity and ethical values
  • Establish accountability procedures for internal control responsibilities

CC2: Communication and Information

  • Document information security policies and procedures
  • Establish internal communication channels for security matters
  • Implement processes for communicating with external parties
  • Create procedures for whistleblower reporting
  • Document change management communication processes
  • Establish incident response communication protocols
  • Implement vendor management communication procedures

CC3: Risk Assessment

  • Establish formal risk assessment process
  • Document risks that could impact achievement of objectives
  • Analyze risks as a basis for determining control activities
  • Consider potential for fraud in risk assessment
  • Identify and assess changes that could impact the system of internal control
  • Establish risk mitigation strategies
  • Document risk acceptance criteria and procedures

CC4: Monitoring Activities

  • Establish ongoing monitoring activities
  • Perform periodic evaluations of controls
  • Document procedures for control deficiency remediation
  • Implement internal audit functions or procedures
  • Create metrics and KPIs for monitoring security controls
  • Schedule regular management reviews of monitoring results
  • Document processes for escalating control failures

CC5: Control Activities

  • Implement access controls (physical and logical)
  • Establish system development lifecycle procedures
  • Document change management processes
  • Implement deployment management controls
  • Create baseline configuration standards
  • Establish system operation procedures
  • Implement data management controls
  • Document vulnerability management procedures

CC6: Logical and Physical Access Controls

  • Implement identity and access management procedures
  • Establish user provisioning and de-provisioning processes
  • Document access review procedures and schedule
  • Implement multi-factor authentication where appropriate
  • Establish password/authentication requirements
  • Document physical security controls
  • Implement network security controls
  • Establish endpoint protection mechanisms
  • Document encryption requirements for data at rest and in transit
  • Implement secure remote access solutions

CC7: System Operations

  • Establish vulnerability management program
  • Document malware prevention procedures
  • Implement incident response program
  • Create business continuity and disaster recovery plans
  • Document system monitoring procedures
  • Establish change management controls
  • Create capacity management procedures
  • Document problem management processes

CC8: Change Management

  • Establish change management policy
  • Document software development lifecycle
  • Implement segregation of duties for changes
  • Create testing requirements for changes
  • Document approval procedures for changes
  • Establish emergency change procedures
  • Implement version control systems
  • Document release management procedures

CC9: Risk Mitigation

  • Identify and select risk mitigation activities
  • Establish business continuity planning processes
  • Document insurance coverage for applicable risks
  • Implement vendor risk management procedures
  • Create incident response procedures
  • Document recovery time objectives (RTOs)
  • Establish recovery point objectives (RPOs)

Additional Trust Services Criteria (If Applicable)

Availability

  • Document system availability requirements
  • Establish capacity management procedures
  • Implement environmental protections
  • Create redundancy and failover mechanisms
  • Document backup procedures and schedules
  • Establish disaster recovery procedures
  • Implement monitoring for system availability
  • Document maintenance procedures

Processing Integrity

  • Establish input validation controls
  • Document processing accuracy procedures
  • Implement output reconciliation controls
  • Create data completeness verification procedures
  • Establish error handling procedures
  • Document quality assurance processes
  • Implement data transmission controls

Confidentiality

  • Document confidentiality requirements
  • Establish data classification procedures
  • Implement confidential information handling procedures
  • Create data retention and disposal policies
  • Document procedures for protecting confidential information
  • Establish confidentiality agreements
  • Implement controls for third-party handling of confidential information

Privacy

  • Document privacy notice
  • Establish procedures for collection of personal information
  • Implement choice and consent mechanisms
  • Create procedures for use, retention, and disposal
  • Document access procedures for individuals
  • Establish controls over disclosure of personal information to third parties
  • Implement security controls that protect personal information (security for privacy)
  • Document quality procedures for personal information
  • Establish monitoring and enforcement procedures

Evidence Collection and Documentation

Policies and Procedures

  • Information security policies
  • HR policies and procedures
  • Operational procedures
  • Business continuity and disaster recovery plans
  • Risk management policies
  • Change management procedures
  • Incident response plan
  • Access control policies
  • Vendor management procedures
  • Data classification and handling procedures

Technical Documentation

  • Network diagrams
  • System architecture documentation
  • Data flow diagrams
  • Asset inventory
  • Baseline configurations
  • Encryption standards

Evidence of Control Operation

  • Access reviews (quarterly at minimum)
  • Change records with approvals
  • Vulnerability scan results
  • Penetration test reports
  • Security incident reports
  • Training completion records
  • Risk assessment results
  • Business continuity test results
  • System monitoring logs
  • Vendor assessments
  • Background check confirmations
  • Employee onboarding/offboarding documentation
  • Patch management records

Audit Preparation

Documentation Organization

  • Create a centralized repository for all evidence
  • Organize evidence by control objective
  • Establish naming conventions for files
  • Create a mapping of controls to Trust Services Criteria
  • Prepare a population list for sample-based testing

Audit Support

  • Assign point person(s) for auditor questions
  • Schedule regular status meetings during audit
  • Prepare walkthrough schedules and participants
  • Document known issues and remediation plans
  • Create a glossary of terms and acronyms
  • Prepare system demonstrations as needed

Final Preparation

  • Conduct readiness assessment with internal team
  • Perform mock audit interviews
  • Review all documentation for completeness
  • Address any open remediation items
  • Brief executives on audit process and expectations
  • Confirm auditor access requirements

Post-Audit Activities

Remediation

  • Document any control deficiencies identified
  • Create remediation plans with timelines
  • Assign ownership for each remediation item
  • Establish tracking mechanism for remediation
  • Schedule regular status updates on remediation

Report Review

  • Review draft report for factual accuracy
  • Prepare management responses for exceptions
  • Obtain final report
  • Distribute report to stakeholders as appropriate

Continuous Improvement

  • Update control documentation based on audit findings
  • Refine evidence collection processes
  • Improve automation of controls where possible
  • Schedule regular internal compliance reviews
  • Update control monitoring procedures

Stakeholder Management

Internal Communications

  • Brief executive team on audit progress and results
  • Communicate expectations to all employees
  • Provide updates to board/audit committee
  • Share lessons learned with implementation team

External Communications

  • Prepare customer-facing communications about SOC 2
  • Develop process for sharing report with customers
  • Create NDA for report distribution
  • Document frequently asked questions for sales/support teams

Glossary of SOC 2 Terms

SOC 2: System and Organization Controls 2, a framework for assessing an organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy.

Figure 1. Five Things Your SOC 2 Type 2 Checklist Must Include: the essentials for a defensible Type 2 audit.

  • Control universe: complete inventory of in-scope controls per TSC selection
  • Evidence vault: organized, continuous evidence collection per control
  • Operational cadence: quarterly access reviews, monthly metrics, annual policies
  • Incident log: complete log of incidents with response evidence over the observation period
  • Vendor reviews: subprocessor inventory with annual review evidence

Type 2 Report: An attestation covering both the suitability of the design and operating effectiveness of controls over a period of time.

Trust Services Criteria: The framework established by the AICPA used to evaluate and report on controls.

Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Figure 2. Type 2 Done Right vs Done Wrong: two approaches that produce different outcomes.

Type 2 done wrong:
  • Cram evidence at audit time
  • Vendor risk via outdated SOC 2s
  • Access reviews skipped
  • Policies on paper, not practiced
  • Incident response untested
  • Subprocessor list stale
  • Surprise findings in audit

Type 2 done right:
  • Continuous evidence collection
  • Annual vendor SOC 2 refresh process
  • Quarterly access reviews documented
  • Policies live in operations
  • IR tested with tabletop annually
  • Subprocessor list maintained
  • Audit becomes routine confirmation

Control Activities: The actions established through policies and procedures that help ensure management's directives are carried out.

CPA Firm: A Certified Public Accountant firm that performs the SOC 2 audit.

AICPA: American Institute of Certified Public Accountants, the organization that developed the SOC framework.

Figure 3. Type 2 Audit Cycle (12-Month View): what sustained Type 2 readiness looks like across a year.

  • Months 1-2: audit prep, scope confirmation, evidence vault structure
  • Months 3-9: operating period, continuous evidence collection
  • Months 10-11: pre-audit walkthrough, gap closure, evidence consolidation
  • Month 12: auditor fieldwork, findings response, report issuance

Control Deficiency: A shortcoming in a control or a combination of controls.

System Description: A narrative description of the system being audited.

Complementary User Entity Controls: Controls that the service organization assumes will be implemented by user entities.

Related services from Atlant Security: SOC 2 Readiness, IT Security Audit, Virtual CISO. Book a discovery call to discuss your specific situation.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.