PDF + CSV · Free · Email-gated · 60 items

SOC 2 Readiness Checklist.
Sixty items. Evidence-named.

Sixty checklist items spanning every common criterion (CC1-CC9) plus the Availability and Confidentiality categories most Type II reports cover. Each item names the artefact your auditor will ask for — not what you should "have a policy for".

What is inside

Auditor-grade readiness, in 60 items.

  • 60 line items grouped across CC1-CC9, Availability (A) and Confidentiality (C)
  • Each item names the evidence artefact and the owner role expected to produce it
  • CSV columns are named for direct import into Drata, Vanta, Secureframe or a spreadsheet
  • PDF version is annotated with the typical CC7.1 pentest-evidence pitfalls
  • References AICPA Trust Services Criteria 2017 (as revised) without restating proprietary text

Table of contents

All eleven sections — 60 items total.

  1. CC1: Control Environment (5 items)
     Board charter, security org chart, code of conduct, background checks, written security policy with annual review evidence.

  2. CC2: Communication & Information (5 items)
     Internal security comms cadence, customer security commitments (in MSA / DPA), incident-comm runbook, vendor security disclosures, whistle-blower channel.

  3. CC3: Risk Assessment (6 items)
     Annual risk register, threat modelling per major release, change-risk classification, vendor risk register, fraud-risk consideration, business-impact analysis.

  4. CC4: Monitoring Activities (5 items)
     Continuous-control monitoring tooling, deviation alerting, internal audit cadence, management remediation tracker, audit committee escalation route.

  5. CC5: Control Activities (5 items)
     Documented control matrix, segregation of duties evidence, technology-general-controls inventory, baseline configuration standards, deployment policy.

  6. CC6: Logical & Physical Access (9 items)
     SSO + MFA enforcement, role inventory + access reviews, joiner-mover-leaver, privileged access management, secrets management, data-classification labels, device management, key-management policy, physical access logs (or hosting attestation).

  7. CC7: System Operations (9 items)
     External pentest within audit window, retest letter, vulnerability scanning evidence, IDS/IPS or EDR coverage, log centralisation, log-retention policy, incident-response runbook + tabletop, on-call rota, post-incident review template.

  8. CC8: Change Management (6 items)
     Change-management policy, ticket-to-PR linkage, code review enforcement, automated test gates, separation between developer + deployer, emergency-change process.

  9. CC9: Risk Mitigation (4 items)
     Cyber-insurance policy, business continuity plan + test evidence, disaster recovery plan + test evidence, vendor SLA tracking.

  10. A: Availability criteria (3 items)
     Capacity-management evidence, backup + restore test evidence, RTO / RPO commitments documented and measured.

  11. C: Confidentiality criteria (3 items)
     Data classification scheme applied to repositories + stores, encryption-in-transit + at-rest evidence, secure-disposal procedure with audit log.

Need a CC7.1-grade pentest before your Type II window?

The most common Type II finding we see is "pentest deliverable is a CSV from a scanner". Auditors mark CC7.1 ineffective. A 30-minute scoping call is free and you leave with a written sequencing plan.