SOC 2 Readiness Checklist

System boundary, report scope and leadership oversight.

0/0 answered

System boundary & in-scope services defined for the system description?

Board/management oversight of security & compliance (charter, minutes)?

Policies/standards approved, communicated and reviewed at least annually?

Map controls to CC + relevant A/C/PI/P and assess risks.

0/0 answered

Controls mapped to CC and relevant A/C/PI/P criteria with clear rationale?

Risk assessment performed; risks link to controls and monitoring?

Change, access, SDLC and third-party management.

0/0 answered

Change management with approvals, testing, rollback and SoD where feasible?

Access provisioning reviews, least privilege and periodic recertifications?

Processing integrity via SDLC gates, peer review and automated tests?

Third-party risk management (due diligence, contracts, monitoring)?

Operational monitoring, IR, evidence and cadences.

0/0 answered

Centralised logging/monitoring for key events with alerting & ticket linkage?

Incident response plan, exercises and PIRs with corrective actions?

Evidence catalogued in SharePoint with sampling cadence and retention?

Availability, Confidentiality, Processing Integrity, Privacy.

0/0 answered

Availability: capacity, redundancy and DR tests (RTO/RPO evidence)?

Confidentiality: encryption at rest/in transit and key management?

Privacy: notice, consent/rights (DSAR) and retention/disposal defined?

Period, population, sampling windows and prep.

0/0 answered

Type 1 / Type 2 plan agreed (period, population, sampling windows)?

Welcome to Country