How to Use This Checklist
This checklist covers the essential items for SOC 2 compliance, organized by Trust Services Criteria. Focus on the Security (Common Criteria) section first, as it is required for every SOC 2 audit. Then add items from Availability, Confidentiality, Processing Integrity, and Privacy based on your specific scope.
Each item references the relevant Trust Services Criteria number so you can map it to the official AICPA framework. Use this as a starting point, not a complete list. Your specific controls will depend on your technology stack, business model, and customer requirements.
Governance and Risk Management
Information security policy (CC1.1): Document your organization's commitment to security, roles and responsibilities, and policy review schedule.
Risk assessment process (CC3.1, CC3.2): Identify risks to your systems and data. Assess likelihood and impact. Document mitigation strategies for each risk.
Risk register (CC3.2): Maintain a register of identified risks with owners, mitigation plans, and review dates. SimpleAudit generates an initial risk register using AI based on your company profile.
Board or management oversight (CC1.2): Document how leadership reviews and approves security decisions. For startups, this can be a quarterly review by founders.
Code of conduct (CC1.1): Establish behavioral expectations for employees regarding data handling, acceptable use, and reporting obligations.
Access Control
Multi-factor authentication (CC6.1): Enable MFA for all production systems, cloud accounts, and critical business applications. This is one of the most commonly tested controls.
Role-based access control (CC6.1): Define access roles and assign permissions based on job function. Document who has access to what and why.
Access provisioning and deprovisioning (CC6.2): Establish processes for granting access when employees join and revoking access when they leave. Test that terminated employees cannot access systems.
Quarterly access reviews (CC6.2, CC6.3): Review access permissions quarterly, comparing the identity provider's user list against the HR roster and each role's intended privileges. Document who performed the review, what was found, and what actions were taken; the auditor will sample these records.
Password policy (CC6.1): Require strong passwords and enforce the requirements in the identity provider or directory, not just on paper. The baseline here is a 12-character minimum with complexity rules; if you follow NIST SP 800-63B instead, favor length and screening against breached-password lists over composition rules, and document which standard you chose so the auditor can test against it.
System Operations and Monitoring
Security monitoring (CC7.2): Implement logging and monitoring for production systems. Capture authentication events (successes and failures), privilege and configuration changes, and other security-relevant activity; centralize the logs, retain them for a defined period, and alert on anomalies such as repeated failed logins.
Incident response plan (CC7.3): Document how you detect, respond to, and recover from security incidents. Include roles, communication procedures, and post-incident review.
Vulnerability management (CC7.1): Scan for vulnerabilities regularly (at least quarterly). Patch critical vulnerabilities within defined timeframes.
Backup and recovery (CC7.5): Back up critical data regularly. Test recovery procedures at least annually. Document recovery time and recovery point objectives.
Change management (CC8.1): Establish a process for reviewing, testing, and approving changes before they reach production. Include code reviews, testing requirements, and rollback procedures.
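The monitoring item above asks for authentication events to be captured and watched. The following is an added example (not code from the checklist's author or from SimpleAudit) of the kind of detection logic a CC7.2 control is expected to produce: it reads JSON-lines auth events, whose field names and the sample lines are both assumed and constructed here, and raises an alert for a burst of failed logins from one source and a second alert when a success follows that burst from the same source.

```python
"""Authentication-event monitoring over constructed sample logs.

Added example: the event format (ts, event, user, src_ip) and the sample
lines are assumptions, not a real product's log schema.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: failures per source that count as a burst
WINDOW = timedelta(minutes=5)   # assumption: sliding window for the burst

# Constructed sample events (JSON lines), deliberately out of order in one place.
SAMPLE_EVENTS = """
{"ts": "2024-06-30T10:00:00", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:00:10", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:00:20", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:00:15", "event": "login_success", "user": "bob",   "src_ip": "198.51.100.2"}
{"ts": "2024-06-30T10:00:30", "event": "login_failure", "user": "admin", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:00:40", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:00:50", "event": "login_failure", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:01:05", "event": "login_success", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-06-30T10:02:00", "event": "login_failure", "user": "bob",   "src_ip": "198.51.100.2"}
{"ts": "2024-06-30T10:02:30", "event": "login_success", "user": "bob",   "src_ip": "198.51.100.2"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts for failed-login bursts and for successes that follow a burst.

    recent_failures keeps, per source IP, only the failure timestamps inside
    WINDOW; burst_at records when a source last tripped the threshold so the
    same burst is not reported on every additional failure.
    """
    recent_failures = defaultdict(deque)
    burst_at = {}
    alerts = []
    for e in events:
        ip, ts = e["src_ip"], e["ts"]
        q = recent_failures[ip]
        while q and ts - q[0] > WINDOW:      # drop failures outside the window
            q.popleft()
        if e["event"] == "login_failure":
            q.append(ts)
            already = ip in burst_at and ts - burst_at[ip] <= WINDOW
            if len(q) >= FAIL_THRESHOLD and not already:
                burst_at[ip] = ts
                alerts.append({"rule": "brute_force", "src_ip": ip,
                               "failures": len(q), "at": ts.isoformat()})
        elif e["event"] == "login_success":
            # A success from a source that just produced a burst is the case
            # an analyst must triage: password guessed, or a legitimate user
            # who finally got it right. Either way it needs a human look.
            if ip in burst_at and ts - burst_at[ip] <= WINDOW:
                alerts.append({"rule": "success_after_burst", "src_ip": ip,
                               "user": e["user"], "at": ts.isoformat()})
    return alerts


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The two alerts this produces (a burst from 203.0.113.7 at 10:00:40, then alice's success from the same address at 10:01:05) are the evidence trail an auditor wants to see for this control: not just that logs exist, but that someone or something reviews them and a ticket or investigation follows. Bob's two failures from 198.51.100.2 stay below the threshold and correctly produce nothing.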
Vendor Management
Vendor inventory (CC9.2): Maintain a list of all third-party vendors that access, process, or store your data. Include their purpose, data access level, and risk classification.
Vendor risk assessment (CC9.2): Assess each vendor's security posture. Request SOC 2 reports, security certifications, or security questionnaire responses.
Vendor agreements (CC9.2): Ensure contracts include data protection requirements, breach notification obligations, and right to audit.
Ongoing monitoring (CC9.2): Review vendor security posture periodically. Track when vendor certifications expire and request updated documentation.
Data Protection
Encryption at rest (CC6.1): Encrypt sensitive data stored in databases, file systems, and backups. Use AES-256 or equivalent.
Encryption in transit (CC6.1, CC6.7): Enforce TLS 1.2 or higher for all data transmission and disable older protocol versions and weak cipher suites on servers and load balancers. Redirect HTTP to HTTPS. Track certificate expiry and renewal so certificates are replaced before they lapse.
Data classification (CC6.5): Define categories for your data (public, internal, confidential, restricted). Apply appropriate controls based on classification.
Data retention and disposal (CC6.5): Define how long you retain different types of data. Establish procedures for secure disposal when data is no longer needed.
Human Resources Security
Background checks (CC1.4): Conduct background checks for employees with access to sensitive systems and data. Document the process and results.
Security awareness training (CC1.4): Provide security training to all employees at onboarding and annually. Cover phishing, data handling, incident reporting, and acceptable use.
Confidentiality agreements (CC1.4): Require all employees and contractors to sign confidentiality or non-disclosure agreements before accessing company systems.
Termination procedures (CC6.2, CC6.3): Revoke all access within 24 hours of employment termination, including SSO, cloud consoles, VPN, source control, and any shared credentials the person knew. Collect company devices. Document the offboarding process and keep a dated record for each departure so the 24-hour target can be verified.
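The access-control items (MFA, provisioning and deprovisioning, quarterly access reviews) and the termination procedure above all come down to the same reconciliation: compare what HR says about people with what the identity provider says about accounts. The script below is an added example, not code from the checklist's author or from SimpleAudit, of one such quarterly review. The HR roster and identity-provider export are constructed in-line, and the 90-day dormancy threshold and the severity labels are assumptions; the 24-hour revocation target comes from the checklist.

```python
"""Quarterly access review: reconcile an HR roster against an IdP user export.

Added example with constructed data. Finds the exceptions an auditor asks
about: terminated staff still enabled, logins after a termination date,
accounts with no HR owner, accounts without MFA, and dormant accounts.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

DORMANT_DAYS = 90   # assumption: no login for this long counts as dormant


@dataclass
class HrRecord:
    email: str
    status: str                     # "active" or "terminated"
    terminated_on: Optional[date]   # None while employed


@dataclass
class IdpUser:
    email: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]
    roles: Tuple[str, ...]


# Constructed inputs: what HR knows ...
HR_ROSTER = [
    HrRecord("alice@example.com", "active", None),
    HrRecord("bob@example.com", "terminated", date(2024, 6, 20)),
    HrRecord("carol@example.com", "active", None),
    HrRecord("dave@example.com", "terminated", date(2024, 6, 29)),
]
# ... and what the identity provider knows. Note the mismatches.
IDP_USERS = [
    IdpUser("alice@example.com", True, True, date(2024, 6, 28), ("engineer",)),
    IdpUser("Bob@example.com", True, True, date(2024, 6, 25), ("admin",)),   # left, still enabled
    IdpUser("carol@example.com", True, False, date(2024, 2, 1), ("support",)),  # no MFA, dormant
    IdpUser("dave@example.com", False, True, date(2024, 6, 28), ("engineer",)),  # offboarded correctly
    IdpUser("mallory@example.com", True, True, date(2024, 6, 29), ("engineer",)),  # nobody in HR
]
REVIEW_DATE = date(2024, 6, 30)


def review_access(hr_roster, idp_users, today):
    """Return a sorted list of (email, severity, issue) findings."""
    hr = {r.email.lower(): r for r in hr_roster}
    findings = []
    for u in idp_users:
        email = u.email.lower()           # normalise case before matching
        rec = hr.get(email)
        if rec is None:
            findings.append((email, "high", "no HR record (orphaned account)"))
            continue
        if rec.status == "terminated":
            if u.enabled:
                days = (today - rec.terminated_on).days
                findings.append((email, "high", f"terminated {days}d ago but still enabled"))
            if u.last_login and u.last_login > rec.terminated_on:
                findings.append((email, "high", "login recorded after termination date"))
            continue                       # hygiene checks below apply to current staff
        if not u.enabled:
            continue
        if not u.mfa_enrolled:
            findings.append((email, "medium", "MFA not enrolled"))
        if u.last_login is None or (today - u.last_login).days > DORMANT_DAYS:
            findings.append((email, "low", f"no login in {DORMANT_DAYS}+ days (dormant)"))
    return sorted(findings)


def review_record(findings, reviewer, today):
    """The evidence an auditor samples: who reviewed, when, and what was found."""
    by_severity = {}
    for _, severity, _ in findings:
        by_severity[severity] = by_severity.get(severity, 0) + 1
    return {"reviewed_on": today.isoformat(), "reviewer": reviewer,
            "findings": len(findings), "by_severity": by_severity}


if __name__ == "__main__":
    found = review_access(HR_ROSTER, IDP_USERS, REVIEW_DATE)
    for email, severity, issue in found:
        print(f"{severity:6} {email:22} {issue}")
    print(review_record(found, "security lead", REVIEW_DATE))
```

Run against the constructed data this flags Bob (terminated ten days earlier, still enabled, with an admin role and a login after his termination date), Carol (no MFA, no login since February) and Mallory (an account with no HR owner), while Alice and the correctly offboarded Dave produce nothing. Keep the printed findings and the review record together with the tickets that resolved them; that bundle, dated and attributed to a reviewer, is what satisfies the quarterly-review item.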
Audit Preparation
Evidence organization: Collect and organize evidence for each control. Use a tool like SimpleAudit's Evidence Vault to maintain version-controlled evidence with full audit trails.
Control testing: Test your own controls before the auditor does. Run through each checklist item and verify you can produce evidence that the control is operating.
Policy review: Ensure all policies are current, approved, and accessible to relevant employees. Policies should be reviewed at least annually.
Gap assessment: Compare your current controls against the Trust Services Criteria. Address any gaps before engaging the auditor.
Auditor selection: Choose an auditor experienced with companies your size. Request references. Compare fees and timelines from at least 2-3 firms.