Logo
  • Sign In
Log In
  • SOC 2 Readiness Checklist

The Complete SOC 2 Readiness Checklist (2026)

87 control items across 8 categories. Used by Cyber Security Services on every SOC 2 readiness engagement. Free download — no email required for the on-page version.
This is the checklist we use internally at Cyber Security Services to take clients from kickoff to audit-ready. It covers every control category the AICPA Trust Services Criteria require, with practical guidance on what auditors actually look for.
Download the PDF checklist

How to Use This Checklist

This checklist is organized into 8 categories that map to the AICPA Trust Services Criteria. Each item is a control or piece of evidence that an auditor will look for.

Exists?

Do you have this control or document at all?

Documented?

Is the policy/procedure written down and approved?

Operating? 

Is there evidence (logs, tickets, signed forms) showing the control runs consistently?

A control that exists but isn’t documented will be flagged. A documented control that doesn’t operate will be flagged worse. The third column — operating with evidence — is where most first-time SOC 2 projects fail.

Time estimate: Work through this checklist with your team in 4–8 hours. Plan another 4–8 weeks to remediate the gaps you find.

The auditor needs to know what you’re claiming to control. These items define the boundary of your audit.
  • System description documented (services, infrastructure, software, people, data, processes)
  • Trust Services Criteria selected (Security required; Availability, Confidentiality, Processing Integrity, Privacy optional)
  • Audit scope boundary defined (which systems, environments, business units are in/out)
  • Customer commitments documented (SLAs, contractual security promises)
  • System boundary diagram created and current
  • Data flow diagrams for in-scope systems
  • Information security policy written, approved by leadership, reviewed annually
  • Acceptable use policy signed by all employees
  • Code of conduct / ethics policy documented
  • Roles and responsibilities matrix for security functions (RACI)
The largest category in most SOC 2 audits. Auditors will sample heavily here.
  • Multi-factor authentication required on all production systems
  • MFA required on all admin accounts (SSO, cloud, code repos)
  • Role-based access control (RBAC) implemented with least-privilege defaults
  • User access reviews performed at minimum quarterly with documentation
  • Privileged access management (PAM) for sensitive systems
  • Service account inventory maintained with ownership and rotation
  • Password policy documented and technically enforced (length, complexity, expiry where applicable)
  • Password manager required for all employees
  • SSO implemented for all SaaS applications where available
  • Automated provisioning of access tied to HR system
  • Automated deprovisioning within defined timeframe of employment change
  • Production access logs retained for minimum 12 months
  • Anomalous access alerts configured (impossible travel, after-hours admin actions)
  • Console / production access restricted to engineers with documented need
  • Customer data access logged and reviewable

How you run, watch, and protect your systems.

  • Centralized logging (SIEM or equivalent) deployed
  • Log retention policy documented (minimum 12 months typical)
  • Intrusion detection deployed on production environments
  • Endpoint detection and response (EDR) on all employee devices
  • Vulnerability scanning runs at minimum monthly
  • Vulnerability remediation SLAs documented (critical: 30 days, high: 60, etc.)
  • Patch management documented and operating with evidence
  • Backup procedures documented with retention schedule
  • Backup restoration tested at minimum annually with documentation
  • Disaster recovery plan documented and tested
  • Encryption at rest for all customer data
  • Encryption in transit (TLS 1.2+ minimum) for all customer data

How code and configuration changes reach production.

  • Change management policy documented
  • Code review required for all production changes
  • Separation of duties between developer and deployer (or compensating controls)
  • Change tickets linked to deployments (Jira/Linear → CI/CD)
  • Production deployment approval workflow documented
  • Rollback procedures documented and tested
  • Configuration management for production infrastructure (IaC, version control)
  • Emergency change procedures documented separately

How you identify, assess, and treat risk.

  • Risk assessment performed at minimum annually with documentation
  • Risk register maintained with treatment plans
  • Risk acceptance procedure documented (who approves accepted risk, at what level)
  • Risk owners assigned for each identified risk
  • Threat modeling performed for new features or material changes
  • Annual penetration test completed by qualified third party
  • Penetration test remediation tracked to closure
  • Compliance with applicable regulations (HIPAA, PCI, GDPR, etc.) documented
  • Risk reporting to leadership at minimum quarterly
  • Risk management process reviewed and approved annually

How you detect, respond to, and recover from security incidents.

  • Incident response plan documented
  • Incident classification scheme defined (severity levels)
  • Incident response team identified with on-call rotation
  • Communication templates for incident communications (internal, customers, regulators)
  • Breach notification procedures aligned with applicable laws
  • Tabletop exercises performed at minimum annually
  • Tabletop documentation retained showing scenario, participants, lessons learned
  • Incident ticket history retained for sampling
  • Post-incident reviews documented for material incidents

People are the largest control surface. Auditors will sample heavily.

  • Background checks performed for all employees pre-hire
  • Background check documentation retained (verification of completion, not full reports)
  • Onboarding security training required within defined timeframe of start
  • Annual security training required for all employees
  • Training completion records retained
  • Phishing simulations run at minimum quarterly
  • Phishing simulation results tracked with remediation training for failures
  • Confidentiality agreements signed by all employees
  • Offboarding checklist documented and completed for every termination
  • Asset return documented at termination (laptops, badges, etc.)
  • Access revocation timing documented (immediate for involuntary, defined timeframe for voluntary)
  • Contractor / consultant security requirements documented

Auditors heavily scrutinize how you manage third-party risk.

  • Vendor inventory maintained (often not just a spreadsheet — auditors want a system)
  • Vendor classification by risk level (critical, high, moderate, low)
  • Vendor security assessment completed before onboarding for critical/high risk vendors
  • Vendor SOC 2 reports collected for all critical vendors
  • Vendor contracts include security and confidentiality terms
  • Data processing agreements (DPAs) in place where required
  • Vendor offboarding procedure documented
  • Annual vendor reassessment for critical vendors
  • Vendor incident notification requirements in contracts
  • Subprocessor list maintained if applicable
  • Vendor risk reviewed in risk register

Auditors heavily scrutinize how you manage third-party risk.

  • Access review documentation (last 4 quarters for Type II)
  • Change tickets linked to deployments (sample for testing)
  • Vulnerability scan reports and remediation evidence
  • Penetration test report and remediation tracker
  • Risk assessment with sign-off
  • Incident response tabletop documentation
  • Training completion records
  • Phishing simulation results
  • Background check completion verification
  • Onboarding and offboarding checklists (samples)
  • Vendor risk assessments for critical vendors
  • Customer data encryption verification
  • Backup restoration test documentation
  • Disaster recovery test documentation
  • Policy review and re-approval records
  • Quarterly risk reporting to leadership
  • Board / leadership oversight documentation
  • Annual policy acknowledgments by employees

What To Do With This Checklist

If most items are missing or undocumented: you’re in early-stage readiness. Plan 12–20 weeks of work before scheduling your audit.

If most items exist but aren’t documented: you’re in policy and evidence mode. Plan 6–10 weeks of work focused on documentation.

If items are documented but you can’t produce evidence: you’re in evidence operations mode. Plan 8–12 weeks of running the controls before the audit window opens.

Want help running this readiness?

Cyber Security Services takes most clients from gap assessment to audit-ready in 8–16 weeks. We bring this checklist, the policy templates, and the audit liaison experience.

Book a free scoping call

Frequently Asked Questions

How long does SOC 2 readiness take?
Most organizations need 8–16 weeks of readiness work before an audit, plus a 6–12 month Type II observation period.
Yes. Many companies do their first readiness internally using a checklist like this. The risk is missing nuance auditors will catch — and discovering it during the audit when remediation is expensive.
The AICPA Trust Services Criteria are written at a principles level. This checklist translates those principles into concrete controls and evidence items.
Most do. Some (like subprocessor lists or DPAs) only apply if you have specific business arrangements. A scoping call clarifies which items are required for your specific audit.
You’re probably going to receive exceptions on your report. The honest answer is to either delay the audit or set expectations with customers that your first report won’t be clean. Compressed timelines rarely produce clean reports.
Most readiness engagements (including Cyber Security Services) include pre-built policy templates calibrated to your environment. DIY templates are available online but typically require significant customization.
About 70% overlap. ISO 27001 has additional management system requirements (ISMS, internal audit, management review) that SOC 2 doesn’t.
A spreadsheet works fine for the first audit. GRC platforms become valuable for ongoing compliance, not for one-time readiness.

Want Us to Run This Readiness for You?

Cyber Security Services has guided dozens of organizations through this exact checklist. We bring the methodology, the policy templates, and the auditor relationships.

Book your free scoping call

What you get: – Gap assessment against this checklist – Prioritized remediation roadmap with effort estimates – Pre-built policy templates calibrated to your environment – Direct audit liaison and evidence support

Book a free 30-minute scoping call. We’ll review your environment, your timeline, and your customer requirements — and give you an honest scope and price.