Ultimate SOC 2 Type 2 Compliance Checklist

Alexander Sverdlov

Security Analyst

4/1/2025
This checklist provides a comprehensive framework for organizations preparing for a SOC 2 Type 2 audit, which evaluates controls over a period of time (typically 6-12 months).

We could have asked you for your email to access it, as most other companies do, but why would we? If you like what you see, you can reach out for a short introductory meeting. Who knows, you might like working with us.

Pre-Audit Preparation

Scoping and Planning

  • Define the scope of systems, data, and processes to be included
  • Identify which Trust Services Criteria will be in scope:
    • Security (required)
    • Availability
    • Processing Integrity
    • Confidentiality
    • Privacy
  • Establish audit timeframe (typically 6-12 months)
  • Select a qualified CPA firm for the audit
  • Create a project timeline with key milestones
  • Assign roles and responsibilities for the SOC 2 project
  • Conduct a kickoff meeting with key stakeholders

Gap Assessment

  • Perform a thorough gap analysis against applicable criteria
  • Document current controls and identify missing controls
  • Develop a remediation plan for identified gaps
  • Estimate resources required for remediation
  • Establish a timeline for implementing missing controls

Common Criteria (CC) - Security

CC1: Control Environment

  • Document organizational structure, reporting lines, and authority
  • Establish board oversight mechanisms for security
  • Define and communicate roles and responsibilities
  • Implement HR policies addressing hiring, training, and termination
  • Conduct regular security awareness training
  • Document commitment to integrity and ethical values
  • Establish accountability procedures for internal control responsibilities

CC2: Communication and Information

  • Document information security policies and procedures
  • Establish internal communication channels for security matters
  • Implement processes for communicating with external parties
  • Create procedures for whistleblower reporting
  • Document change management communication processes
  • Establish incident response communication protocols
  • Implement vendor management communication procedures

CC3: Risk Assessment

  • Establish formal risk assessment process
  • Document risks that could impact achievement of objectives
  • Analyze risks as basis for determining control activities
  • Consider potential for fraud in risk assessment
  • Identify and assess changes that could impact the system of internal control
  • Establish risk mitigation strategies
  • Document risk acceptance criteria and procedures

CC4: Monitoring Activities

  • Establish ongoing monitoring activities
  • Perform periodic evaluations of controls
  • Document procedures for control deficiency remediation
  • Implement internal audit functions or procedures
  • Create metrics and KPIs for monitoring security controls
  • Schedule regular management reviews of monitoring results
  • Document processes for escalating control failures

CC5: Control Activities

  • Implement access controls (physical and logical)
  • Establish system development lifecycle procedures
  • Document change management processes
  • Implement deployment management controls
  • Create baseline configuration standards
  • Establish system operation procedures
  • Implement data management controls
  • Document vulnerability management procedures

CC6: Logical and Physical Access Controls

  • Implement identity and access management procedures
  • Establish user provisioning and de-provisioning processes
  • Document access review procedures and schedule
  • Implement multi-factor authentication where appropriate
  • Establish password/authentication requirements
  • Document physical security controls
  • Implement network security controls
  • Establish endpoint protection mechanisms
  • Document encryption requirements for data at rest and in transit
  • Implement secure remote access solutions

CC7: System Operations

  • Establish vulnerability management program
  • Document malware prevention procedures
  • Implement incident response program
  • Create business continuity and disaster recovery plans
  • Document system monitoring procedures
  • Establish change management controls
  • Create capacity management procedures
  • Document problem management processes

CC8: Change Management

  • Establish change management policy
  • Document software development lifecycle
  • Implement segregation of duties for changes
  • Create testing requirements for changes
  • Document approval procedures for changes
  • Establish emergency change procedures
  • Implement version control systems
  • Document release management procedures

CC9: Risk Mitigation

  • Identify and select risk mitigation activities
  • Establish business continuity planning processes
  • Document insurance coverage for applicable risks
  • Implement vendor risk management procedures
  • Create incident response procedures
  • Document recovery time objectives (RTOs)
  • Establish recovery point objectives (RPOs)

Additional Trust Services Criteria (If Applicable)

Availability

  • Document system availability requirements
  • Establish capacity management procedures
  • Implement environmental protections
  • Create redundancy and failover mechanisms
  • Document backup procedures and schedules
  • Establish disaster recovery procedures
  • Implement monitoring for system availability
  • Document maintenance procedures

Processing Integrity

  • Establish input validation controls
  • Document processing accuracy procedures
  • Implement output reconciliation controls
  • Create data completeness verification procedures
  • Establish error handling procedures
  • Document quality assurance processes
  • Implement data transmission controls

Confidentiality

  • Document confidentiality requirements
  • Establish data classification procedures
  • Implement confidential information handling procedures
  • Create data retention and disposal policies
  • Document procedures for protecting confidential information
  • Establish confidentiality agreements
  • Implement controls for third-party handling of confidential information

Privacy

  • Document privacy notice
  • Establish procedures for collection of personal information
  • Implement choice and consent mechanisms
  • Create procedures for use, retention, and disposal
  • Document access procedures for individuals
  • Establish controls over disclosure of personal information to third parties
  • Implement security controls that protect personal information
  • Document quality procedures for personal information
  • Establish monitoring and enforcement procedures

Evidence Collection and Documentation

Policies and Procedures

  • Information security policies
  • HR policies and procedures
  • Operational procedures
  • Business continuity and disaster recovery plans
  • Risk management policies
  • Change management procedures
  • Incident response plan
  • Access control policies
  • Vendor management procedures
  • Data classification and handling procedures

Technical Documentation

  • Network diagrams
  • System architecture documentation
  • Data flow diagrams
  • Asset inventory
  • Baseline configurations
  • Encryption standards

Evidence of Control Operation

  • Access reviews (quarterly at minimum)
  • Change records with approvals
  • Vulnerability scan results
  • Penetration test reports
  • Security incident reports
  • Training completion records
  • Risk assessment results
  • Business continuity test results
  • System monitoring logs
  • Vendor assessments
  • Background check confirmations
  • Employee onboarding/offboarding documentation
  • Patch management records

Audit Preparation

Documentation Organization

  • Create a centralized repository for all evidence
  • Organize evidence by control objective
  • Establish naming conventions for files
  • Create a mapping of controls to Trust Services Criteria
  • Prepare a population list for sample-based testing

Audit Support

  • Assign point person(s) for auditor questions
  • Schedule regular status meetings during audit
  • Prepare walkthrough schedules and participants
  • Document known issues and remediation plans
  • Create a glossary of terms and acronyms
  • Prepare system demonstrations as needed

Final Preparation

  • Conduct readiness assessment with internal team
  • Perform mock audit interviews
  • Review all documentation for completeness
  • Address any open remediation items
  • Brief executives on audit process and expectations
  • Confirm auditor access requirements

Post-Audit Activities

Remediation

  • Document any control deficiencies identified
  • Create remediation plans with timelines
  • Assign ownership for each remediation item
  • Establish tracking mechanism for remediation
  • Schedule regular status updates on remediation

Report Review

  • Review draft report for factual accuracy
  • Prepare management responses for exceptions
  • Obtain final report
  • Distribute report to stakeholders as appropriate

Continuous Improvement

  • Update control documentation based on audit findings
  • Refine evidence collection processes
  • Improve automation of controls where possible
  • Schedule regular internal compliance reviews
  • Update control monitoring procedures

Stakeholder Management

Internal Communications

  • Brief executive team on audit progress and results
  • Communicate expectations to all employees
  • Provide updates to board/audit committee
  • Share lessons learned with implementation team

External Communications

  • Prepare customer-facing communications about SOC 2
  • Develop process for sharing report with customers
  • Create NDA for report distribution
  • Document frequently asked questions for sales/support teams

Glossary of SOC 2 Terms

SOC 2: System and Organization Controls 2, a framework for assessing an organization's controls relevant to security, availability, processing integrity, confidentiality, and privacy.

Type 2 Report: An attestation covering both the suitability of the design and operating effectiveness of controls over a period of time.

Trust Services Criteria: The framework established by the AICPA used to evaluate and report on controls.

Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organization.

Control Activities: The actions established through policies and procedures that help ensure management's directives are carried out.

CPA Firm: A Certified Public Accountant firm that performs the SOC 2 audit.

AICPA: American Institute of Certified Public Accountants, the organization that developed the SOC framework.

Control Deficiency: A shortcoming in a control or a combination of controls.

System Description: A narrative description of the system being audited.

Complementary User Entity Controls: Controls that the service organization assumes will be implemented by user entities.

Alexander Sverdlov

Founder of Atlant Security. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.