
SOC 2 Evidence Collection: The Complete Guide

Evidence is the backbone of your SOC 2 audit. Without proper evidence, you can't demonstrate that your controls are designed and operating effectively. This guide covers what evidence you need, how to collect it, and best practices for evidence management.

Key Takeaways

Point | Summary
Evidence types | Documentary, observational, inquiry, reperformance, and analytical
Collection methods | Automated (APIs, integrations) + manual (screenshots, exports, documents)
Key control areas | Access Management, Change Management, Security Monitoring, Vulnerability Management, HR, Vendor Management, Business Continuity
Type 2 sampling | 25-40 samples per recurring control across the full observation period
Best practice | Continuous automated collection; don't scramble before the audit

Quick Answer: Evidence proves your controls work. Use automated collection (API integrations) for ongoing evidence such as user access and system configurations, and manual collection for policies, meeting minutes, and approvals. Collect continuously, not just before the audit.

What is SOC 2 Evidence?

Evidence is documentation that proves your controls exist and work as intended. Auditors examine evidence to form their opinion about your control environment.

Types of Evidence

Type | Description | Examples
Documentary | Written policies and procedures | Security policy, access control procedure
Observational | Direct observation of controls | Auditor watches the access review process
Inquiry | Interviews and discussions | Auditor asks about the incident response process
Reperformance | Auditor tests the control themselves | Auditor attempts unauthorized access
Analytical | Analysis of data and trends | Security metrics, log analysis

Evidence Characteristics

Good evidence is:

  • Relevant: Directly relates to the control being tested
  • Reliable: From trustworthy sources
  • Timely: From the audit period (for Type 2)
  • Complete: Covers the full scope of the control
  • Authentic: Not altered or fabricated

Evidence Requirements by Control Area

Access Management Evidence

Control | Evidence Required
User Provisioning | Access request tickets, approval records
User Deprovisioning | Termination tickets, access removal evidence
Access Reviews | Review documentation, approval records
MFA Configuration | System screenshots, configuration exports
Role Definitions | RBAC documentation, role assignments
Privileged Access | Admin account list, privilege justifications

Sample evidence:

  • Screenshot of MFA enforcement settings
  • Export of user list with last login dates
  • Access review spreadsheet with approvals
  • Terminated employee access removal tickets

Change Management Evidence

Control | Evidence Required
Change Requests | Tickets showing request and description
Change Approvals | Approval records before deployment
Testing | Test results, QA sign-off
Code Review | Pull request reviews, approval comments
Deployment | Deployment logs, CI/CD records
Rollback Capability | Rollback procedures, test records

Sample evidence:

  • GitHub pull request with review comments
  • JIRA tickets for change requests
  • CI/CD pipeline configuration
  • Deployment logs showing approval gates

Security Monitoring Evidence

Control | Evidence Required
Log Collection | Logging configuration, sample logs
Security Alerting | Alert rules, sample alerts
Incident Detection | Detection capabilities, alert examples
Log Retention | Retention settings, old log availability
Monitoring Coverage | Systems monitored, coverage documentation

Sample evidence:

  • SIEM/logging tool configuration screenshots
  • Alert rule definitions
  • Sample security alerts (redacted as needed)
  • Log retention policy settings

Vulnerability Management Evidence

Control | Evidence Required
Vulnerability Scanning | Scan reports, scan schedules
Remediation | Tickets for remediation, closure evidence
Patch Management | Patching records, patch status reports
Penetration Testing | Pen test report, remediation evidence

Sample evidence:

  • Vulnerability scan reports (summary and details)
  • Remediation tickets showing fixes
  • Patch status dashboard screenshots
  • Annual penetration test report

Human Resources Evidence

Control | Evidence Required
Background Checks | Policy, sample verification (redacted)
Security Training | Training content, completion records
Onboarding | Checklist, security acknowledgments
Offboarding | Termination checklist, access removal
Policy Acknowledgment | Signed acknowledgments, tracking records

Sample evidence:

  • Training completion report from LMS
  • Signed policy acknowledgment
  • Background check confirmation (names redacted)
  • Onboarding/offboarding checklists

Vendor Management Evidence

Control | Evidence Required
Vendor Inventory | List of vendors, risk classifications
Risk Assessment | Assessment questionnaires, results
Security Reviews | Vendor SOC reports, security documentation
Contract Requirements | Security clauses in contracts
Ongoing Monitoring | Review schedules, monitoring records

Sample evidence:

  • Vendor inventory spreadsheet
  • Vendor risk assessment questionnaires
  • Vendor SOC 2 reports on file
  • Contract excerpts showing security requirements

Business Continuity Evidence

Control | Evidence Required
BC/DR Plans | Plan documents, review records
Backup Configuration | Backup settings, schedules
Backup Testing | Restore test results, test schedules
DR Testing | DR test documentation, results
RTO/RPO Metrics | Target definitions, achievement records

Sample evidence:

  • Business continuity plan document
  • Backup configuration screenshots
  • Backup restore test results
  • DR test report and findings

Evidence Collection Methods

Manual Collection

When to use: One-time or infrequent evidence
Process: Screenshots, exports, document gathering
Pros: Flexibility, control over content
Cons: Time-consuming, prone to gaps

Best practices:

  • Use consistent naming conventions
  • Include timestamps in screenshots
  • Document the source system
  • Redact sensitive information appropriately

Automated Collection

When to use: Ongoing, repetitive evidence
Process: API integrations, automated exports
Pros: Continuous, reliable, efficient
Cons: Setup required, may need customization

Common automation sources:

  • Cloud provider APIs (AWS, GCP, Azure)
  • Identity provider exports (Okta, Azure AD)
  • HRIS integrations (Rippling, Gusto)
  • Source control APIs (GitHub, GitLab)
  • Ticketing system exports (Jira, Linear)

Hybrid Approach (Recommended)

Combine automated and manual collection:

Evidence Type | Collection Method
System configurations | Automated
User lists and access | Automated
Policies and procedures | Manual
Training completion | Automated
Meeting minutes | Manual
Ticket samples | Automated selection, manual review
Scan reports | Automated
Test results | Mixed

Evidence Organization

Folder Structure

SOC 2 Evidence/

  • 01-Access-Control/
    • User-Provisioning/
    • Access-Reviews/
    • MFA-Configuration/
    • Privileged-Access/
  • 02-Change-Management/
    • Change-Requests/
    • Code-Reviews/
    • Deployment-Records/
  • 03-Security-Operations/
    • Vulnerability-Scans/
    • Security-Monitoring/
    • Incident-Response/
  • 04-HR-Security/
    • Background-Checks/
    • Training-Records/
    • Onboarding-Offboarding/
  • 05-Vendor-Management/
    • Vendor-Inventory/
    • Risk-Assessments/
    • SOC-Reports/
  • 06-Business-Continuity/
    • BC-DR-Plans/
    • Backup-Testing/
    • DR-Testing/
  • 07-Policies/
    • Current-Policies/
    • Policy-Acknowledgments/

Naming Conventions

Use consistent naming:

[YYYY-MM-DD]_[Category]_[Description].[ext]

Examples:
2024-01-15_Access-Review_Q1-Engineering.xlsx
2024-02-01_Vuln-Scan_External-Infrastructure.pdf
2024-03-10_Training_Security-Awareness-Completion.csv

Version Control

For policies and procedures:

  • Include version numbers
  • Track change history
  • Maintain previous versions
  • Document approval dates

Evidence for Type 1 vs Type 2

Type 1 Evidence

Focus on design at a point in time:

  • Current policy documents
  • Current system configurations
  • Current user lists
  • Process documentation
  • Screenshots showing current state

Type 2 Evidence

Focus on operation over the period:

Everything in Type 1, plus:

  • Evidence from throughout the observation period
  • Samples demonstrating consistent operation
  • Multiple instances of recurring controls
  • Evidence of changes and responses during period

Sample populations for Type 2:

Control | Sample Size | Period
User provisioning | 25 new hires | Full period
User terminations | All terminations | Full period
Access reviews | All quarterly reviews | Full period
Change deployments | 25-40 changes | Full period
Security incidents | All incidents | Full period
Vulnerability scans | Monthly scans | Full period
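The sample sizes above say how many items to pull, not how to pull them so the draw covers the whole period and is not cherry-picked. The Python below is an added example, not code from this article or from Bastion: it draws a reproducible sample of change deployments from a constructed population of 96 tickets, spreading the picks month by month. The ticket ids, dates, period and the round-robin-by-month rule are all assumptions made for the example.

```python
"""Type 2 sample selection: draw a fixed number of items from the complete
population, spread across the full observation period, with a recorded seed so
the draw can be reproduced for the auditor. Population data is constructed."""
import random
from collections import defaultdict
from datetime import date

PERIOD_START, PERIOD_END = date(2024, 1, 1), date(2024, 12, 31)
# Constructed population: 96 change tickets with deployment dates across 2024.
POPULATION = [(f"CHG-{i:03d}", date(2024, (i % 12) + 1, (i * 7) % 28 + 1))
              for i in range(1, 97)]


def in_period(d, start=PERIOD_START, end=PERIOD_END):
    return start <= d <= end


def select_samples(population, n, seed, start=PERIOD_START, end=PERIOD_END):
    """Return n (ticket_id, date) pairs drawn from the eligible population.

    Items outside the period are excluded first. The rest are bucketed by month
    and drawn round-robin, so every month with activity is represented before
    any month contributes a second item; within a month the order comes from
    the seeded shuffle, not from whoever prepares the evidence."""
    eligible = [p for p in population if in_period(p[1], start, end)]
    if n > len(eligible):
        raise ValueError(f"only {len(eligible)} eligible items for sample of {n}")
    rng = random.Random(seed)
    buckets = defaultdict(list)
    for item in eligible:
        buckets[(item[1].year, item[1].month)].append(item)
    for bucket in buckets.values():
        rng.shuffle(bucket)
    chosen, months = [], sorted(buckets)
    while len(chosen) < n:
        for m in months:
            if buckets[m] and len(chosen) < n:
                chosen.append(buckets[m].pop())
    return sorted(chosen, key=lambda p: p[1])


def months_covered(samples):
    return sorted({(d.year, d.month) for _, d in samples})


if __name__ == "__main__":
    picked = select_samples(POPULATION, n=25, seed=20240115)
    for ticket_id, d in picked:
        print(d.isoformat(), ticket_id)
    print("months covered:", len(months_covered(picked)))
```

Record the seed alongside the full population export so the auditor can re-run the draw and confirm the sample was not hand-selected.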

Evidence Quality Tips

Do's

  • Timestamp everything: Show when evidence was captured
  • Show full context: Include system name, date, user
  • Use native exports: Prefer system exports over screenshots when possible
  • Redact appropriately: Protect sensitive data while maintaining validity
  • Be consistent: Same format, naming, organization throughout

Don'ts

  • Don't fabricate: Never create false evidence
  • Don't cherry-pick: Provide complete samples, not just favorable ones
  • Don't over-redact: Auditors need to verify evidence
  • Don't delay: Collect evidence continuously, not right before audit
  • Don't assume: Verify what auditors actually need

Preparing Evidence for Auditors

Pre-Audit Preparation

  1. Organize: Structure evidence by control area
  2. Index: Create evidence inventory with descriptions
  3. Verify: Confirm all required evidence is collected
  4. Review: Check quality and completeness
  5. Stage: Upload to auditor-accessible location

During the Audit

  • Respond to requests promptly (within 24-48 hours)
  • Provide clear explanations with evidence
  • Clarify scope or context when needed
  • Track all requests and responses
  • Escalate blockers immediately

Evidence Request Management

Request Type | Target Response
Standard evidence | 24 hours
Population samples | 48 hours
Clarifications | Same day
Additional walkthroughs | Schedule within 3 days

Common Evidence Pitfalls

Pitfall 1: Evidence Gaps

Problem: Missing evidence for certain controls

Prevention:

  • Use a SOC 2 evidence checklist
  • Verify coverage before audit
  • Automate ongoing collection

Pitfall 2: Stale Evidence

Problem: Evidence is outdated or from wrong period

Prevention:

  • Collect continuously throughout period
  • Refresh evidence monthly
  • Timestamp all evidence

Pitfall 3: Inconsistent Evidence

Problem: Evidence contradicts other evidence or policies

Prevention:

  • Align evidence with policy requirements
  • Review for consistency before submission
  • Address discrepancies proactively

Pitfall 4: Over-Redaction

Problem: Evidence is too redacted to be useful

Prevention:

  • Consult auditor on redaction needs
  • Preserve essential information
  • Offer unredacted viewing if needed

Pitfall 5: Last-Minute Collection

Problem: Scrambling to collect evidence before audit

Prevention:

  • Automate evidence collection
  • Set monthly evidence review reminders
  • Use a compliance platform with continuous monitoring
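Because the naming convention from the Evidence Organization section puts the capture date in every filename, evidence gaps (Pitfall 1) and stale or wrong-period evidence (Pitfall 2) can be checked mechanically before the auditor finds them. The Python below is an added example, not code from this article or from Bastion: it parses `YYYY-MM-DD_Category_Description.ext` names and classifies each required category as ok, missing, wrong-period or stale. The file list, the 2024 observation period and the per-category refresh cadences are constructed assumptions.

```python
"""Evidence gap and staleness check over files named YYYY-MM-DD_Category_Description.ext."""
import re
from datetime import date

NAME_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})_([A-Za-z0-9-]+)_([^/]+)\.[A-Za-z0-9]+$")
PERIOD = (date(2024, 1, 1), date(2024, 12, 31))  # assumed observation period
# Assumed refresh cadence per category, in days (quarterly, monthly, annual, quarterly).
REQUIRED = {"Access-Review": 92, "Vuln-Scan": 31, "Training": 366, "Backup-Test": 92}
# Constructed inventory, as if listed from the numbered evidence folders.
FILES = ["2024-01-15_Access-Review_Q1-Engineering.xlsx",
         "2024-04-12_Access-Review_Q2-Engineering.xlsx",
         "2024-07-10_Access-Review_Q3-Engineering.xlsx",
         "2024-10-08_Access-Review_Q4-Engineering.xlsx",
         "2024-02-01_Vuln-Scan_External-Infrastructure.pdf",
         "2024-03-04_Vuln-Scan_External-Infrastructure.pdf",
         "2023-11-30_Training_Security-Awareness-Completion.csv",
         "notes.txt"]


def parse_name(name):
    """Return (date, category), or None when the name breaks the convention."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3])), m[4]
    except ValueError:  # e.g. 2024-13-01 matches the regex but is not a date
        return None


def check_coverage(files, start=PERIOD[0], end=PERIOD[1], required=REQUIRED):
    """Classify each required category. 'stale' means the longest gap between
    period start, each in-period artifact and period end exceeds the cadence,
    i.e. at least one scheduled refresh has no evidence behind it."""
    by_cat, malformed = {c: [] for c in required}, []
    for name in files:
        parsed = parse_name(name)
        if parsed is None:
            malformed.append(name)
        elif parsed[1] in by_cat:
            by_cat[parsed[1]].append(parsed[0])
    report = {}
    for cat, cadence in required.items():
        in_period = sorted(d for d in by_cat[cat] if start <= d <= end)
        if not by_cat[cat]:
            report[cat] = "missing"
        elif not in_period:
            report[cat] = "wrong-period"
        else:
            points = [start] + in_period + [end]
            gap = max((b - a).days for a, b in zip(points, points[1:]))
            report[cat] = "stale" if gap > cadence else "ok"
    return report, malformed
```

Run it monthly over the evidence folders (os.walk in place of the constructed list) and treat anything other than "ok" as a work item; malformed names are reported separately so they can be renamed rather than silently ignored.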

The Bastion Approach

Automated Evidence Collection

Bastion automatically collects evidence from:

  • Cloud providers (AWS, GCP, Azure)
  • Identity providers (Okta, Azure AD, Google Workspace)
  • Source control (GitHub, GitLab)
  • HR systems (Rippling, Gusto, BambooHR)
  • MDM platforms
  • And 100+ other integrations

Continuous Monitoring

  • Evidence collected in real-time
  • Gaps identified automatically
  • Alerts when evidence goes stale
  • Audit-ready at any time

Auditor Portal

  • Organized evidence library
  • Easy auditor access
  • Request tracking
  • Communication history

Expert Support

Your dedicated vCISO:

  • Reviews evidence completeness
  • Identifies gaps before auditors
  • Prepares evidence narratives
  • Supports auditor inquiries
