SOC 2 Compliance Checklist: Your Complete Guide

This comprehensive checklist covers everything you need to prepare for a successful SOC 2 audit. Use it to track your progress from initial planning through audit completion.

Key Takeaways

  • Phases: 9 phases (Planning → Gap Assessment → Policies → Technical Controls → People Controls → Evidence → Pre-Audit → Audit → Post-Audit)
  • Timeline: 10 weeks from kickoff to report (plus 3-month observation for Type 2)
  • Core policies needed: 15-20 security policies plus 8-10 operational procedures
  • Technical essentials: MFA everywhere, encryption at rest/transit, logging, vulnerability scanning
  • Evidence types: Automated (cloud integrations) and manual (policies, training records, reviews)

Quick Answer: SOC 2 preparation involves 9 phases over ~10 weeks. Key requirements include security policies, MFA on all systems, encryption, centralized logging, and quarterly access reviews.

Phase 1: Planning and Scoping (Week 1-2)

Define Your Audit Scope

  • Identify in-scope systems: List all systems, applications, and infrastructure that process customer data
  • Document service boundaries: Define what's included and excluded from scope
  • Select Trust Services Criteria: Security (required) + optional criteria based on business needs
  • Choose report type: Type 1 (point-in-time) or Type 2 (period assessment)
  • Define observation period: For Type 2, choose 3, 6, 9, or 12 months

Assemble Your Compliance Team

  • Assign SOC 2 owner: Executive sponsor with authority to drive compliance
  • Identify control owners: Person responsible for each control area
  • Engage IT/Engineering lead: Technical implementation responsibility
  • Involve HR: For personnel security controls
  • Select auditor: Choose a licensed CPA firm
  • Consider compliance partner: Platform and/or consulting support

Document Your System

  • Create system description: Narrative description of your services
  • Document infrastructure: Cloud providers, networks, data flows
  • Map data flows: How data moves through your systems
  • Identify third parties: Vendors, subprocessors, partners in scope

Phase 2: Gap Assessment (Week 2-3)

Evaluate Current Controls

  • Inventory existing controls: What security measures are already in place?
  • Map to SOC 2 requirements: Which controls satisfy which criteria?
  • Identify gaps: What's missing or insufficient?
  • Assess evidence availability: Can you prove controls are operating?

Create Remediation Plan

  • Prioritize gaps: Critical, high, medium, low priority
  • Assign owners: Who will fix each gap?
  • Set deadlines: When must each gap be closed?
  • Estimate resources: Time, budget, tools needed

Phase 3: Policy and Procedure Development (Week 3-4)

Core Security Policies

  • Information Security Policy: Overarching security governance
  • Acceptable Use Policy: Rules for system and data usage
  • Access Control Policy: User access management principles
  • Password Policy: Password requirements and management
  • Data Classification Policy: How data is categorized and handled
  • Encryption Policy: Encryption requirements for data at rest and in transit

Operational Procedures

  • Incident Response Plan: How to detect, respond to, and recover from incidents
  • Business Continuity Plan: How to maintain operations during disruptions
  • Disaster Recovery Plan: How to recover systems and data
  • Change Management Procedure: How changes are requested, approved, and deployed
  • Vulnerability Management Procedure: How vulnerabilities are identified and remediated
  • Vendor Management Procedure: How third parties are assessed and monitored

HR and Personnel Policies

  • Background Check Policy: Pre-employment screening requirements
  • Security Awareness Training Policy: Training requirements and frequency
  • Employee Onboarding Procedure: Security tasks for new hires
  • Employee Offboarding Procedure: Access removal and exit tasks
  • Code of Conduct: Expected behavior standards

Phase 4: Technical Control Implementation (Week 4-6)

Access Management

  • Multi-factor authentication (MFA): Enable on all critical systems
    • Cloud provider consoles (AWS, GCP, Azure)
    • Identity provider (Okta, Azure AD, Google Workspace)
    • Source code repositories (GitHub, GitLab)
    • Production databases and infrastructure
    • Admin consoles and dashboards
  • Role-based access control (RBAC): Implement least privilege
    • Define roles and permissions
    • Assign users to appropriate roles
    • Document role definitions
    • Remove excessive permissions
  • User lifecycle management: Control access from onboarding to departure
    • Provisioning process for new users
    • Access modification process
    • Timely deprovisioning for departures
    • Quarterly access reviews

Network and Infrastructure Security

  • Firewall configuration: Restrict inbound/outbound traffic
  • Network segmentation: Separate production from non-production
  • VPN/Zero Trust access: Secure remote access to internal resources
  • Web Application Firewall (WAF): Protect web applications
  • DDoS protection: Mitigate denial of service attacks

Data Protection

  • Encryption at rest: Encrypt stored data
    • Database encryption
    • File/object storage encryption
    • Backup encryption
    • Laptop/device encryption
  • Encryption in transit: Encrypt data in motion
    • TLS 1.2+ for all external connections
    • Internal service communication encryption
    • API encryption
  • Key management: Secure handling of encryption keys
    • Key storage (HSM, KMS)
    • Key rotation procedures
    • Key access controls

Endpoint Security

  • Mobile Device Management (MDM): Manage and secure devices
    • Device enrollment
    • Security policy enforcement
    • Remote wipe capability
    • Encryption verification
  • Endpoint Detection and Response (EDR): Detect and respond to threats
  • Antimalware protection: Prevent malware infections
  • Automatic updates: Keep systems patched

Monitoring and Logging

  • Centralized logging: Aggregate logs from all systems
    • Application logs
    • Infrastructure logs
    • Security logs
    • Access logs
  • Security monitoring: Detect security events
    • Alerting rules configured
    • 24/7 monitoring (or appropriate coverage)
    • Alert response procedures
  • Log retention: Retain logs for required period (typically 90+ days)

Vulnerability Management

  • Vulnerability scanning: Regular automated scans
    • Infrastructure scanning
    • Application scanning
    • Container scanning
    • Dependency scanning
  • Penetration testing: Annual third-party testing
  • Remediation tracking: Process to fix identified vulnerabilities
  • Patch management: Regular patching of systems

Change Management

  • Change request process: Formal process for requesting changes
  • Change approval workflow: Required approvals before deployment
  • Code review requirements: Peer review of code changes
  • Testing requirements: Changes tested before production
  • Deployment automation: CI/CD pipeline with controls
  • Rollback procedures: Ability to revert changes

Backup and Recovery

  • Backup configuration: Regular automated backups
    • Database backups
    • Configuration backups
    • Critical data backups
  • Backup testing: Regular restore testing
  • Offsite storage: Backups stored in separate location
  • Recovery procedures: Documented recovery steps

Phase 5: People and Process Controls (Week 4-6)

Security Awareness Training

  • Training program: Implement security awareness training
  • New hire training: Training within first week of employment
  • Annual refresher: Annual training for all employees
  • Role-specific training: Additional training for technical roles
  • Completion tracking: Records of training completion

Background Checks

  • Pre-employment screening: Background checks for new hires
  • Screening criteria: Define what's checked (criminal, employment, education)
  • Documentation: Records of completed checks

Access Reviews

  • Quarterly user access reviews: Review who has access to what
  • Privileged access reviews: Extra scrutiny for admin access
  • Review documentation: Evidence of reviews and actions taken
  • Remediation tracking: Remove inappropriate access
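One way to turn the MFA requirement from Phase 4 and the quarterly access review above into a repeatable task that produces its own evidence, as an added example that is not part of this checklist: the script below parses an AWS IAM credential report (a constructed sample using a subset of the report's real columns), flags console users without MFA and active access keys unused for 90 days, and renders the text record that would be filed as review evidence. The 90-day threshold, review date, account id and user names are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample using a subset of the columns of an AWS IAM credential
# report (the real report has more columns); account id and users are invented.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-03-01T09:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,2023-10-05T12:00:00+00:00
"""
STALE_DAYS = 90  # assumption: a key unused for a quarter needs justification or removal
REVIEW_TIME = datetime(2024, 4, 1, tzinfo=timezone.utc)  # constructed date of this review

def review_credential_report(report_csv, now, stale_days=STALE_DAYS):
    """Return access-review findings as dicts with keys user, issue, detail."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # The root row reports password_enabled as "not_supported", but root can
        # always sign in to the console, so treat it as console-enabled.
        console = row["password_enabled"] in ("true", "not_supported")
        if console and row["mfa_active"] != "true":
            findings.append({"user": user, "issue": "console_without_mfa",
                             "detail": "console sign-in enabled, no MFA device"})
        if row["access_key_1_active"] == "true":
            last_used = row["access_key_1_last_used_date"]
            if last_used == "N/A":
                findings.append({"user": user, "issue": "active_key_never_used",
                                 "detail": "access key 1 active but never used"})
            else:
                age = now - datetime.fromisoformat(last_used)
                if age > timedelta(days=stale_days):
                    findings.append({"user": user, "issue": "stale_access_key",
                                     "detail": f"access key 1 last used {age.days} days ago"})
    return findings

def format_review_record(findings, now):
    """Render findings as the text record kept as evidence of the review."""
    lines = [f"Access review run {now.date().isoformat()}: {len(findings)} finding(s)"]
    for f in findings:
        lines.append(f"  {f['user']}: {f['issue']} ({f['detail']})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(format_review_record(review_credential_report(SAMPLE_REPORT, REVIEW_TIME), REVIEW_TIME))
```

Each finding should be closed with a ticket (MFA enrolled, key deactivated, or an owner-signed justification) so the review record and its remediation are both available as audit evidence.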

Vendor Management

  • Vendor inventory: List of all third-party vendors
  • Risk assessment: Evaluate vendor security posture
  • Security requirements: Contractual security obligations
  • Ongoing monitoring: Regular vendor reviews

Phase 6: Evidence Collection (Ongoing)

Automated Evidence

  • Connect cloud providers: AWS, GCP, Azure API integrations
  • Connect identity providers: Okta, Azure AD, Google Workspace
  • Connect HR systems: Rippling, Gusto, BambooHR
  • Connect source control: GitHub, GitLab, Bitbucket
  • Connect monitoring tools: Datadog, CloudWatch, etc.

Manual Evidence

  • Policy documents: Current versions of all policies
  • Meeting minutes: Security review and risk assessment meetings
  • Training records: Completion certificates and attendance
  • Background check confirmations: Verification of completed checks
  • Access review documentation: Evidence of quarterly reviews
  • Incident reports: Documentation of any security incidents
  • Change records: Change request tickets and approvals
  • Vendor assessments: Third-party security reviews

Phase 7: Pre-Audit Preparation (Week 6-7)

Internal Readiness Assessment

  • Control walkthrough: Walk through each control with owner
  • Evidence review: Verify all evidence is collected and current
  • Gap closure verification: Confirm all remediation is complete
  • Mock audit: Internal review simulating auditor process

Auditor Preparation

  • Schedule kickoff: Set date for audit start
  • Prepare populations: Identify sample populations for testing
  • Organize evidence: Structure evidence for easy auditor access
  • Assign point of contact: Single person to coordinate with auditor
  • Brief control owners: Prepare team for auditor interviews

Phase 8: The Audit (Week 7-10)

Audit Execution

  • Kickoff meeting: Meet with auditor to review scope and approach
  • Evidence submission: Provide requested evidence promptly
  • Walkthroughs: Support auditor walkthroughs of controls
  • Interviews: Participate in auditor interviews
  • Sample testing support: Provide samples as requested

Issue Resolution

  • Address findings promptly: Fix issues identified during audit
  • Document remediation: Provide evidence of fixes
  • Clarify misunderstandings: Explain controls if auditor has questions

Report Review

  • Review draft report: Check for accuracy
  • Provide corrections: Identify any factual errors
  • Accept final report: Sign off on final version

Phase 9: Post-Audit (Ongoing)

Report Distribution

  • Publish to Trust Center: Make report available to customers
  • Update marketing materials: Reference SOC 2 attestation
  • Notify sales team: Enable use of report in sales process

Continuous Compliance

  • Maintain controls: Continue operating all controls
  • Continuous monitoring: Keep monitoring systems active
  • Evidence collection: Continue collecting evidence for next audit
  • Address changes: Update controls when systems change

Prepare for Next Audit

  • Plan renewal audit: Schedule next audit (Type 2 or renewal)
  • Review this year's lessons: What could be improved?
  • Update scope if needed: Add criteria or systems as needed

Quick Reference: Key Deadlines

  • Scope defined: Week 1
  • Gap assessment complete: Week 3
  • Policies finalized: Week 4
  • Technical controls implemented: Week 6
  • Evidence collection complete: Week 7
  • Audit kickoff: Week 8
  • Report received: Week 10

Checklist Download

Save this checklist and track your progress. Consider using a project management tool to assign tasks and monitor completion.


Need help working through this checklist? Get expert guidance →