The SOC 2 Compliance Checklist: Everything Your Auditor Will Look For
A full SOC 2 compliance checklist is the difference between a clean opinion and months of back-and-forth on exceptions. This one maps directly to the Trust Services Criteria an independent auditor tests — organized by category, not by tool. Use it to run the program, not just to pass the audit.
This is the full-program view. If you want the shorter auditor-day version, read our SOC 2 audit checklist. If you are still scoping the engagement, start with SOC 2 for startups and SOC 2 Type 1 vs Type 2.
How This Checklist Maps to SOC 2
SOC 2 examines controls against the AICPA Trust Services Criteria (TSC). The Security category — the "Common Criteria" or CC series — is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are optional add-ons.
This checklist covers the Security CC criteria end-to-end. We grouped the 18 items under four practical headings: governance, access, operations, and evidence. Every item calls out the specific failure mode we see most often.
Governance and Risk
1. Information Security Policy
A formal, approved policy document that defines the program's scope and roles. Reviewed and signed off by leadership within the last 12 months. Distributed to every employee, with acknowledgment records.
Common gap: Policy exists in Google Drive, never read, never acknowledged.
2. Risk Assessment
A documented annual risk assessment covering the systems in scope, the threats considered, and the controls that mitigate them. Output: a risk register with owners and review dates.
Common gap: A one-time assessment from 18 months ago with no refresh and no register.
3. Vendor Risk Management
A vendor inventory with risk classifications. Evidence that high-risk vendors were assessed — SOC 2 reports reviewed, security questionnaires completed, Business Associate Agreements signed where applicable.
Common gap: AWS and Stripe are in scope but no one documented their SOC 2 review.
4. Code of Conduct and Confidentiality Agreements
Employees sign a code of conduct and a confidentiality agreement as part of onboarding. Signed copies stored in HR records.
Common gap: Verbal agreement only, or signed copies lost to a prior HRIS migration.
Access Control
5. Logical Access Provisioning
Every account — employee, contractor, service — is provisioned via a ticketed request with documented approval. Auditors sample 10–25 accounts and test each one.
Common gap: Accounts created in Slack DMs, no ticket, no approver named.
6. Multi-Factor Authentication
MFA enforced at the system level on every in-scope application. Not optional, not bypassable, no admin exemptions.
Common gap: MFA enabled by policy but not enforced technically. Admin accounts exempted.
7. Quarterly Access Reviews
At least quarterly, an accountable owner reviews who has access to each in-scope system. The review is documented: reviewer name, date, accounts examined, access removed.
Common gap: Reviews happen verbally in a standup. No written record.
8. Termination and Offboarding
Documented offboarding procedure. Same-day or next-business-day revocation across identity provider, source control, cloud accounts, and every in-scope SaaS tool.
Common gap: SSO disabled immediately but GitHub, AWS IAM, and Jira access linger for weeks.
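The lingering-access gap above is easy to test for yourself before the auditor samples it. The script below is an added example, not ShieldKey's tooling: it assumes a terminated-user list exported from the HRIS and a per-system export of account disable dates (both constructed here), and it assumes a next-business-day revocation deadline.

```python
"""Offboarding reconciliation check (added example, not part of the original page).

Compares HRIS termination dates against per-system account exports and reports
every account that was still active after the next business day. The export
format, the sample data, and the one-business-day deadline are assumptions.
"""
from datetime import date, timedelta

# Constructed sample: user -> termination date from the HRIS.
TERMINATED = {
    "alice@example.com": date(2024, 3, 1),  # a Friday
    "bob@example.com": date(2024, 3, 5),    # a Tuesday
}

# Constructed sample: system -> {user: date account was disabled, None = still active}.
SYSTEM_EXPORTS = {
    "okta": {"alice@example.com": date(2024, 3, 1), "bob@example.com": date(2024, 3, 5)},
    "github": {"alice@example.com": None, "bob@example.com": date(2024, 3, 6)},
    "aws_iam": {"alice@example.com": date(2024, 3, 20), "carol@example.com": None},
    "jira": {"bob@example.com": None},
}

# Date the exports were pulled; still-active accounts are measured against it.
AS_OF = date(2024, 3, 31)


def next_business_day(d):
    """Next weekday after d (weekends skipped; public holidays ignored here)."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5:
        nxt += timedelta(days=1)
    return nxt


def lingering_access(terminated, exports, as_of):
    """Return findings sorted by system: dicts with system, user, deadline and days late.

    A user absent from a system's export never had an account there, so nothing
    was due for revocation. Users who were not terminated are ignored.
    """
    findings = []
    for user, term_date in terminated.items():
        deadline = next_business_day(term_date)
        for system, accounts in exports.items():
            if user not in accounts:
                continue
            disabled = accounts[user]
            if disabled is None or disabled > deadline:
                effective = disabled if disabled is not None else as_of
                findings.append({"system": system, "user": user,
                                 "deadline": deadline.isoformat(),
                                 "disabled": disabled.isoformat() if disabled else None,
                                 "days_late": (effective - deadline).days})
    return sorted(findings, key=lambda f: (f["system"], f["user"]))


if __name__ == "__main__":
    for f in lingering_access(TERMINATED, SYSTEM_EXPORTS, AS_OF):
        print(f"{f['system']}: {f['user']} past deadline {f['deadline']} by {f['days_late']} days")
```

Run it against real exports on a schedule and keep the output with the offboarding ticket; that written record is the evidence the auditor samples.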
9. Privileged Access Management
Admin and production-level access restricted to a defined list of roles. Access grants time-boxed where possible. Session logs retained.
Common gap: Every engineer has standing production admin from their first week.
Operations and Engineering
10. Change Management
Every production change ties to a ticket with documented peer review, approval, and deployment logs. Auditors will sample production deployments and check each one.
Common gap: Hotfixes pushed direct to main with no ticket or review.
11. Vulnerability Management
A documented process for identifying, prioritizing, and remediating vulnerabilities. Scanner coverage across application and infrastructure. A defined remediation SLA by severity, and evidence that critical findings were closed within SLA. Most teams align severity to the NIST CVSS.
Common gap: Scans run but findings sit in a dashboard no one owns.
12. Endpoint Protection
Managed endpoint detection, disk encryption, and screen lock enforced on every device with access to production data or source control. Coverage evidence from an MDM or EDR console.
Common gap: BYOD laptops outside MDM coverage. Disk encryption status unverified.
13. Logging and Monitoring
Centralized logging of authentication, privileged access, and production changes. Retention meeting the stated policy (90 days minimum, 12 months typical). Alerting on defined events.
Common gap: Logs collected but never reviewed. No defined alerting rules.
14. Encryption in Transit and at Rest
All customer data encrypted in transit via TLS 1.2 or higher. All data at rest encrypted. Configuration documented with evidence from the cloud console.
Common gap: In-transit encryption documented; at-rest undocumented across secondary data stores.
15. Backup and Recovery
Backups configured, scheduled, and retained per policy. Recovery testing performed at least annually with documented results. RPO and RTO targets stated and met.
Common gap: Backups run nightly. No one has restored from one in 18 months.
Evidence and Response
16. Incident Response Plan
A documented Incident Response Plan covering detection, triage, containment, communication, and post-incident review. Tested annually — a tabletop exercise is sufficient. Actual incidents logged and handled per the plan.
Common gap: Plan exists, never tested. No incident log for real events.
17. Security Awareness Training
Annual (or more frequent) security training for every employee. Completion records stored. Phishing simulations count as supporting evidence when results are retained.
Common gap: Training completed in Year 1, never repeated. Records lost.
18. Evidence Retention and Audit Trail
Every control has a named owner and a stated evidence source. Evidence is retained in a location the auditor can access — an automated GRC platform, a structured shared drive, or a ticketing system. At minimum 12 months of history.
Common gap: Evidence scattered across Slack, email, and personal Google Drives. Nothing the auditor can sample cleanly.
How Long Does the Checklist Take to Complete?
For a team starting from zero: 12–20 weeks to close the gaps, then 3–12 months of operation before Type II fieldwork. For a team with reasonable baseline hygiene: 6–10 weeks to formalize what already exists.
The variable that matters most is evidence discipline. Controls that run but leave no audit trail fail the sample test the same as controls that never ran at all.
What a SOC 2 Audit Costs Once the Checklist Is Done
Auditor fees for a first-year Type II vary by scope and auditor firm. Preparation labor — internal hours or a managed program — typically equals or exceeds the audit fee. Budget early and request quotes from multiple CPA firms.
Frequently Asked Questions
What is required for SOC 2 compliance? SOC 2 requires controls that meet the Trust Services Criteria in the categories you include in scope. Security is mandatory. The 18 items in this checklist cover the full Security criteria for most SaaS environments. A CPA firm then examines the controls and issues a report.
Is SOC 2 compliance mandatory? No law requires SOC 2. It is a market requirement driven by enterprise buyers. If your sales motion includes mid-market or enterprise customers, procurement will ask for it. Regulated industries may also layer SOC 2 on top of HIPAA or PCI-DSS requirements.
What documentation does SOC 2 require? At minimum: an information security policy, risk assessment, vendor inventory, access review logs, change management tickets, vulnerability scan results with remediation records, backup and recovery test results, incident response plan with test evidence, and training completion records. Every control needs a documented owner and an evidence source.
Ready to Start?
ShieldKey runs managed SOC 2 programs end-to-end — checklist to audit report. For full program scope and delivery model, see our SOC 2 Type II attestation service.