SOC 2 readiness checklist (free)

Use this free SOC 2 readiness checklist to quickly assess how prepared your organisation is for a Type 1 or Type 2 report. Each question maps to the Trust Services Criteria—covering scope, TSC mapping, controls, monitoring and evidence—so you can see where you stand and what to prioritise next.

What this covers

Scope & system description, TSC mapping, operational controls, attribute criteria and audit readiness.

How scoring works

Select Yes / Partial / No for each question. We calculate an overall score and domain coverage automatically.

Free PDF output

Download a free, branded PDF with a score dial, domain breakdown, top gaps and detailed responses to share with leadership or your auditor.


Governance & Scope

System boundary, report scope and leadership oversight.

Clearly define what systems, services and components are covered by the SOC 2 report.
Examples:
  • A system description defining in-scope products, services, infrastructure and data flows.
  • Clear inclusions/exclusions (e.g. production systems in scope; internal test labs excluded).
  • Boundary diagrams showing users, systems, third parties and data movement.
Demonstrate active oversight of security, risk and compliance at a leadership level.
Examples:
  • Security or risk committee charter approved by the board or executive team.
  • Meeting minutes showing review of incidents, risks and audit readiness.
  • Assigned executive accountability for SOC 2 compliance.
Policies must be current, approved and communicated—not just written.
Examples:
  • Approved security, access control, incident response and change management policies.
  • Version control with review/approval dates.
  • Evidence of staff communication or acknowledgement (training, intranet, onboarding).

TSC Mapping & Risk

Map controls to the Common Criteria (CC) and to the relevant Availability, Confidentiality, Processing Integrity and Privacy criteria, and assess risks.

Auditors expect traceability from controls to applicable Trust Services Criteria.
Examples:
  • Control matrix mapping controls to CC1–CC9 and selected Availability, Confidentiality, Processing Integrity or Privacy criteria.
  • Written rationale explaining why criteria are in or out of scope.
  • Consistent naming between policies, procedures and control descriptions.
Risk assessment should drive control selection and monitoring focus.
Examples:
  • Documented risk assessment covering security, availability and processing risks.
  • Risks linked to specific SOC 2 controls.
  • Monitoring or KPIs aligned to high-risk areas.

Controls & Operations

Change, access, SDLC and third-party management.

Show that system changes are authorised, tested and recoverable.
Examples:
  • Change tickets with approvals, test evidence and rollback plans.
  • Separation of duties between development and production deployment.
  • Emergency change procedure with post-implementation review.
Access should be role-based, time-bound and regularly reviewed.
Examples:
  • Joiner/mover/leaver process with documented approvals.
  • Quarterly or semi-annual access reviews for critical systems.
  • Privileged access controls (MFA, separate admin accounts, logging).
Ensure systems process data accurately, completely and as intended.
Examples:
  • SDLC stages with peer review and testing requirements.
  • Automated tests validating data accuracy and integrity.
  • Defect tracking and resolution records.
SOC 2 requires you to manage risk introduced by vendors and subprocessors.
Examples:
  • Vendor risk assessments based on criticality and data access.
  • Contracts including security, confidentiality and incident notification clauses.
  • Ongoing monitoring (SOC reports, certifications, performance reviews).

Logging, Incidents & Evidence

Operational monitoring, IR, evidence and cadences.

Monitoring should support timely detection and response to security events.
Examples:
  • Centralised logging for identity, infrastructure and applications.
  • Alerts integrated with ticketing or incident management tools.
  • Evidence of alert review and response.
Demonstrate preparedness and learning from incidents.
Examples:
  • Incident response plan with roles, severity levels and escalation paths.
  • Tabletop or simulated incident exercises.
  • Post-incident reviews with corrective actions tracked to closure.
Evidence must be organised, repeatable and audit-ready.
Examples:
  • Evidence library in SharePoint with folder structure aligned to controls.
  • Defined sampling cadence (monthly, quarterly) for Type 2.
  • Retention and versioning enabled for audit artefacts.

Attribute Criteria (A/C/PI/P)

Availability, Confidentiality, Processing Integrity, Privacy.

Availability controls must demonstrate resilience and recovery capability.
Examples:
  • Capacity and performance monitoring reports.
  • Redundancy architecture diagrams.
  • Disaster recovery or backup restore test evidence meeting RTO/RPO.
Protect sensitive data throughout its lifecycle.
Examples:
  • Encryption standards for data at rest and in transit.
  • Key management procedures and access controls.
  • Evidence of encryption configuration in production systems.
If Privacy criteria are in scope, show how personal data is handled lawfully.
Examples:
  • Published privacy notice describing data use and rights.
  • Process for handling data subject requests (access, deletion).
  • Retention and secure disposal procedures.

Type 1/2 & Audit Readiness

Period, population, sampling windows and prep.

Clear planning reduces audit delays and scope disputes.
Examples:
  • Defined audit type (Type 1 or Type 2) and reporting period.
  • Agreed population and sampling approach with the auditor.
  • Audit readiness checklist and timeline.