SOC 2 Free Readiness Checklist

SOC 2 readiness checklist (free)

Use this free SOC 2 readiness checklist to quickly assess how prepared your organisation is for a Type 1 or Type 2 report. Each question maps to the Trust Services Criteria—covering scope, TSC mapping, controls, monitoring and evidence—so you can see where you stand and what to prioritise next.

What this covers

Scope & system description, TSC mapping, operational controls, attribute criteria and audit readiness.

How scoring works

Select Yes / Partial / No for each question. We calculate an overall score and domain coverage automatically.

Free PDF output

Download a free, branded PDF with a score dial, domain breakdown, top gaps and detailed responses to share with leadership or your auditor.

Governance & Scope

System boundary, report scope and leadership oversight.

0/0 answered

System boundary & in-scope services defined for the system description?

Board/management oversight of security & compliance (charter, minutes)?

Policies/standards approved, communicated and reviewed at least annually?

TSC Mapping & Risk

Map controls to CC + relevant A/C/PI/P and assess risks.

0/0 answered

Controls mapped to CC and relevant A/C/PI/P criteria with clear rationale?

Risk assessment performed; risks link to controls and monitoring?

Controls & Operations

Change, access, SDLC and third-party management.

0/0 answered

Change management with approvals, testing, rollback and SoD where feasible?

Access provisioning reviews, least privilege and periodic recertifications?

Processing integrity via SDLC gates, peer review and automated tests?

Third-party risk management (due diligence, contracts, monitoring)?

Logging, Incidents & Evidence

Operational monitoring, IR, evidence and cadences.

0/0 answered

Centralised logging/monitoring for key events with alerting & ticket linkage?

Incident response plan, exercises and PIRs with corrective actions?

Evidence catalogued in SharePoint with sampling cadence and retention?

Attribute Criteria (A/C/PI/P)

Availability, Confidentiality, Processing Integrity, Privacy.

0/0 answered

Availability: capacity, redundancy and DR tests (RTO/RPO evidence)?

Confidentiality: encryption at rest/in transit and key management?

Privacy: notice, consent/rights (DSAR) and retention/disposal defined?

Type 1/2 & Audit Readiness

Period, population, sampling windows and prep.

0/0 answered

Type 1 / Type 2 plan agreed (period, population, sampling windows)?

SOC 2 readiness checklist (free)

What this covers

How scoring works

Free PDF output

Governance & Scope

TSC Mapping & Risk

Controls & Operations

Logging, Incidents & Evidence

Attribute Criteria (A/C/PI/P)

Type 1/2 & Audit Readiness

Before you download