SOC 2 Compliance Checklist
A practical, step-by-step guide to preparing for a SOC 2 Type II report (an attestation issued by a CPA firm, not a certification), covering the five Trust Services Criteria and common implementation patterns.
Trust Services Criteria
Security (Required)
Protection of systems and data against unauthorized access, disclosure, and damage. This is the Common Criteria and is in scope for every SOC 2 report; the other four criteria are added based on the commitments you make to customers. Covers network controls such as firewalls, logical access controls, encryption, and intrusion detection and monitoring.
Availability
Systems are available for operation and use as committed in your SLAs. Covers uptime targets, redundancy, backups with tested restores, and disaster recovery and incident handling procedures.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized. Covers input validation, error handling and reconciliation, and audit trails that show what was processed and by whom.
Confidentiality
Information designated as confidential is protected as committed or agreed. Covers data classification, encryption, access controls, and the data lifecycle from collection through retention and secure disposal.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of in line with your privacy notice and the AICPA privacy criteria. Covers notice and consent, data subject requests, and retention limits. Only relevant if you process personal data and make privacy commitments to customers.
Implementation Checklist
Access Control
- MFA for all employee accounts, with no exceptions for admin, service, or break-glass accounts
- RBAC with a documented permission matrix (role to permissions, with a named owner per role)
- Quarterly access reviews with retained evidence: who reviewed which accounts, when, and what was revoked as a result
- Automated deprovisioning on termination, triggered from the HR system rather than a manual ticket
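The access review and deprovisioning items above are only credible to an auditor if the review is repeatable and leaves an artifact. The following is an added example for this checklist, not code from any vendor or framework: it reconciles a constructed HR roster against a constructed identity-provider export, flags accounts still active after termination, accounts with no HR owner (orphan or service accounts), accounts without MFA, and accounts idle beyond an assumed 90-day threshold, then wraps the findings in a dated, hashed evidence record.

```python
"""Quarterly access review: reconcile an HR roster against an identity
provider export and emit a hashed evidence record.

Added example for this checklist, not code from any particular vendor.
Both inputs are constructed here; in practice they would be the HR
system's employee export and the IdP/SSO user export.
"""
import hashlib
import json
from datetime import date

STALE_DAYS = 90  # assumed policy threshold for dormant accounts

# Constructed HR roster: email -> (employment status, termination date or None)
HR_ROSTER = {
    "alice@example.com": ("active", None),
    "bob@example.com": ("terminated", "2024-05-01"),
    "carol@example.com": ("active", None),
}

# Constructed IdP export: one record per account
IDP_ACCOUNTS = [
    {"email": "alice@example.com", "role": "admin", "mfa": True,
     "last_login": "2024-06-10", "enabled": True},
    {"email": "bob@example.com", "role": "engineer", "mfa": True,
     "last_login": "2024-04-28", "enabled": True},
    {"email": "carol@example.com", "role": "engineer", "mfa": False,
     "last_login": "2024-01-15", "enabled": True},
    {"email": "svc-deploy@example.com", "role": "admin", "mfa": False,
     "last_login": "2024-06-11", "enabled": True},
]


def review_access(roster, accounts, today, stale_days=STALE_DAYS):
    """Return one finding per control violation found in the IdP export."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this review
        email = acct["email"]
        hr = roster.get(email)
        if hr is None:
            # Orphan or service account: must have a named owner on record
            findings.append({"email": email, "issue": "no_hr_record"})
        elif hr[0] == "terminated":
            # Deprovisioning failed or lagged: highest-priority finding
            findings.append({"email": email, "issue": "active_after_termination",
                             "terminated_on": hr[1]})
        if not acct["mfa"]:
            findings.append({"email": email, "issue": "mfa_not_enrolled",
                             "privileged": acct["role"] == "admin"})
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > stale_days:
            findings.append({"email": email, "issue": "stale_account",
                             "days_idle": idle})
    return findings


def evidence_record(findings, today, reviewer):
    """Wrap findings in a dated, attributed record with a content hash so the
    artifact handed to the auditor can be shown to be unchanged later."""
    body = {"review_date": today.isoformat(), "reviewer": reviewer,
            "findings": findings}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return {"record": body,
            "sha256": hashlib.sha256(canonical.encode()).hexdigest()}


if __name__ == "__main__":
    run_date = date(2024, 6, 12)
    findings = review_access(HR_ROSTER, IDP_ACCOUNTS, run_date)
    print(json.dumps(evidence_record(findings, run_date,
                                     "security@example.com"), indent=2))
```

Run on the constructed data with a review date of 2024-06-12, the script reports bob's account still active three weeks after termination, carol without MFA and idle for 149 days, and the deploy service account with no HR owner and no MFA. Store the JSON and its SHA-256 alongside the ticket that tracks each revocation; that pairing is the evidence the auditor will ask for.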
Change Management
- Version control for all code and infrastructure
- Code review required before merge
- Separate dev/staging/production environments
- Documented approval step for production changes (a change advisory board is one common pattern; a required reviewer approval in the pull request workflow also satisfies the control if it is enforced and logged)
Incident Response
- Documented incident response plan
- Defined severity levels and escalation paths
- Post-incident review process
- Customer notification procedures
Monitoring
- Centralized logging with a retention period set in policy (90 days online is a common baseline; make sure retained logs cover the whole observation period so sampled evidence is still available when the auditor asks for it)
- Real-time alerting for security events such as authentication failures, privilege changes, and configuration changes
- Uptime monitoring for all customer-facing services
- Vulnerability scanning on a weekly schedule, with remediation deadlines tracked by severity
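"Real-time alerting for security events" is the monitoring item auditors most often probe, because they want to see the rule, not just the tool. As an added example for this checklist (not code from the original page or from any product), the detector below runs a sliding-window rule over a constructed JSON-lines authentication log: it raises one alert when a single source crosses an assumed threshold of five failures in sixty seconds, and a second, higher-priority alert when a success from that source follows the burst, which is the case that should page someone.

```python
"""Sliding-window alerting over authentication logs.

Added example, not from the original checklist. The input is a
constructed JSON-lines auth log and the thresholds are assumed policy
values, not SOC 2 requirements.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # assumed: 5 failures ...
WINDOW = timedelta(seconds=60)   # ... from one source within 60 seconds

# Constructed sample log: a burst from 203.0.113.9 that ends in a success,
# and a single mistyped password from 198.51.100.4 that must not alert.
SAMPLE_LOG = """\
{"ts": "2024-06-12T09:00:00Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"}
{"ts": "2024-06-12T09:00:10Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"}
{"ts": "2024-06-12T09:00:20Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"}
{"ts": "2024-06-12T09:00:30Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"}
{"ts": "2024-06-12T09:00:40Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "failure"}
{"ts": "2024-06-12T09:00:50Z", "src_ip": "203.0.113.9", "user": "alice", "outcome": "success"}
{"ts": "2024-06-12T09:01:00Z", "src_ip": "198.51.100.4", "user": "carol", "outcome": "failure"}
{"ts": "2024-06-12T09:01:05Z", "src_ip": "198.51.100.4", "user": "carol", "outcome": "success"}
{"ts": "2024-06-12T09:03:00Z", "src_ip": "203.0.113.9", "user": "bob", "outcome": "failure"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Emit 'failed_login_burst' once when a source reaches the threshold
    inside the window, and 'success_after_burst' when a success from that
    source follows such a burst."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = recent[ev["src_ip"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # drop failures that have aged out of the window
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            if len(q) == threshold:  # fire on crossing, not on every extra failure
                alerts.append({"type": "failed_login_burst",
                               "src_ip": ev["src_ip"], "failures": len(q),
                               "at": ev["ts"].isoformat()})
        elif ev["outcome"] == "success" and len(q) >= threshold:
            alerts.append({"type": "success_after_burst",
                           "src_ip": ev["src_ip"], "user": ev["user"],
                           "at": ev["ts"].isoformat()})
            q.clear()  # burst reported; start a fresh window for this source
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed log this yields exactly two alerts, both for 203.0.113.9: the burst at 09:00:40 and the success for alice at 09:00:50. Carol's single failure and the later isolated failure from the same source stay silent. Keep the rule definition, its thresholds, and a record of each fired alert with its response; together they are the evidence that the alerting control operated throughout the period.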
Timeline
Gap assessment: document current controls against the criteria in scope, identify missing policies and controls, and prioritize remediation work.
Remediation: implement missing controls, write and approve the policies, and configure monitoring and alerting so that each control produces evidence as a by-product of operating.
Evidence collection: gather screenshots, exported logs, tickets, and documentation for each control, and run an internal dry-run audit (readiness assessment) before engaging the auditor.
Observation period: a Type II report covers a window of time, commonly 3 to 12 months with 3 months as the usual minimum, during which you operate the controls and retain evidence. The auditor does not monitor you continuously; they test the design of each control and then sample evidence from across the window to confirm it operated effectively. (A Type I report tests design only, at a single point in time.)
Preparing for SOC 2? Get in touch and we will help you get audit-ready.