SOC 2 Free Readiness Checklist

Tell us about your environment

A few details to tailor your SOC 2 roadmap. Required fields are marked *.

Organisation name *

Your name *

Email (where to send your PDF copy) *

Primary sector *

Organisation size (FTE) *

What is driving this assessment? *

Target report type

Target timeline

1.Governance & Scope0/3 2.TSC Mapping & Risk0/2 3.Controls & Operations0/4 4.Logging, Incidents & Evidence0/3 5.Attribute Criteria0/3 6.Audit Readiness0/1

🏛️

Governance & Scope

System boundary, leadership oversight and approved policies.

Progress

0/3

Our system boundary and in-scope services are clearly defined and documented for the SOC 2 system description.

The system description is the foundation of a SOC 2 report — auditors will check it closely.

View evidence examples ->

A system description defining in-scope products, services, infrastructure and data flows.
Clear inclusions and exclusions (e.g. production systems in scope; internal test labs excluded).
Boundary diagrams showing users, systems, third parties and data movement.

Board or management actively oversees security and compliance — evidenced by charters and meeting minutes.

Active leadership oversight is a foundational SOC 2 common criteria requirement.

View evidence examples ->

A security or risk committee charter approved by the board or executive team.
Meeting minutes showing review of incidents, risks and audit readiness.
Assigned executive accountability for SOC 2 compliance.

Security policies and standards are approved, communicated to staff and reviewed at least annually.

Policies must be current, approved and demonstrably communicated — not just written.

View evidence examples ->

Approved security, access control, incident response and change management policies.
Version control with review and approval dates documented.
Evidence of staff communication or acknowledgement (training, intranet, onboarding).

🗺️

TSC Mapping & Risk

Control mapping to Trust Services Criteria and risk assessment.

Progress

0/2

Controls are mapped to the applicable Trust Services Criteria (CC1–CC9 plus any selected attribute criteria) with clear rationale.

Auditors expect traceability from each control to the applicable Trust Services Criteria.

View evidence examples ->

A control matrix mapping controls to CC1–CC9 and any selected Availability, Confidentiality, Processing Integrity or Privacy criteria.
Written rationale explaining why criteria are in or out of scope.
Consistent naming between policies, procedures and control descriptions.

A risk assessment has been performed and risks are linked to specific controls and monitoring activities.

Risk assessment should drive control selection and monitoring focus for SOC 2.

View evidence examples ->

Documented risk assessment covering security, availability and processing risks.
Risks linked to specific SOC 2 controls with owners and treatment plans.
Monitoring or KPIs aligned to high-risk areas reviewed at defined cadences.

⚙️

Controls & Operations

Change management, access, SDLC and third-party risk.

Progress

0/4

Change management includes approvals, testing, rollback procedures and separation of duties where feasible.

SOC 2 auditors sample change records — they need to show authorisation, testing and recoverability.

View evidence examples ->

Change tickets with approvals, test evidence and rollback plans.
Separation of duties between development and production deployment.
Emergency change procedure with post-implementation review records.

Access is provisioned on least privilege, reviewed periodically and recertified — with a joiners/movers/leavers process.

Access controls are heavily sampled in SOC 2 Type 2 — expect auditors to pull JML records.

View evidence examples ->

Joiner/mover/leaver process with documented approvals for each event.
Quarterly or semi-annual access reviews for critical systems.
Privileged access controls including MFA, separate admin accounts and logging.

Processing integrity is ensured through SDLC gates, peer review and automated testing.

Systems must process data accurately, completely and as authorised.

View evidence examples ->

SDLC stages with mandatory peer review and testing requirements.
Automated tests validating data accuracy, completeness and integrity.
Defect tracking and resolution records retained.

Third-party and subprocessor risks are assessed at onboarding and monitored on an ongoing basis with contractual controls in place.

SOC 2 requires you to manage risk introduced by vendors who access or process your systems.

View evidence examples ->

Vendor risk assessments based on criticality and data access before onboarding.
Contracts including security, confidentiality and incident notification clauses.
Ongoing monitoring via SOC reports, certifications or performance reviews.

📡

Logging, Incidents & Evidence

Centralised monitoring, incident response and evidence management.

Progress

0/3

Key security events are centrally logged and monitored, with alerts linked to tickets and reviewed at a defined cadence.

Monitoring must demonstrate timely detection and response to security events.

View evidence examples ->

Centralised logging for identity, infrastructure and application events.
Alerts integrated with ticketing or incident management tools.
Evidence of alert review and response at defined intervals.

An incident response plan exists, has been tested through exercises, and post-incident reviews drive corrective actions.

Preparedness and learning from incidents is a key SOC 2 common criteria expectation.

View evidence examples ->

Incident response plan with defined roles, severity levels and escalation paths.
Tabletop or simulated incident exercises conducted at least annually.
Post-incident reviews with corrective actions tracked to verified closure.

Evidence is catalogued in a central library with a defined sampling cadence and retention policy.

Type 2 auditors sample evidence across the audit period — it must be organised and retrievable.

View evidence examples ->

An evidence library in SharePoint with folder structure aligned to controls.
Defined sampling cadence (monthly, quarterly) for continuous evidence collection.
Retention and versioning enabled for all audit artefacts.

🔒

Attribute Criteria

Availability, Confidentiality, Processing Integrity and Privacy.

Progress

0/3

Availability controls are in place — including capacity monitoring, redundancy and tested disaster recovery with RTO/RPO evidence.

If Availability is in scope, auditors will look for both architecture and tested recovery evidence.

View evidence examples ->

Capacity and performance monitoring reports covering production systems.
Redundancy architecture diagrams showing failover capability.
Disaster recovery or backup restore test evidence demonstrating RTO/RPO is met.

Confidentiality controls cover encryption at rest and in transit, with documented key management procedures.

Sensitive data must be protected throughout its lifecycle — encryption configuration is sampled.

View evidence examples ->

Documented encryption standards for data at rest and in transit.
Key management procedures including access controls and rotation schedules.
Evidence of encryption configuration in production systems.

If Privacy criteria are in scope, we have a privacy notice, a process for handling data subject requests and defined retention and disposal procedures.

Privacy criteria require evidence of notice, consent handling and individual rights management.

View evidence examples ->

Published privacy notice describing data use, rights and contact details.
Process for handling data subject access, deletion and correction requests.
Documented retention schedules and secure disposal procedures.

✅

Audit Readiness

Type 1/2 planning, period, population and sampling windows.

Progress

0/1

The audit type (Type 1 or Type 2), reporting period, population and sampling windows have been agreed with the auditor.

Clear planning aligned with your auditor reduces delays and scope disputes.

View evidence examples ->

Defined audit type (Type 1 or Type 2) and agreed reporting period.
Agreed population and sampling approach documented with the auditor.
Audit readiness checklist and milestone timeline prepared.

Overall readiness

Answer questions to score

Governance & Scope -

TSC Mapping & Risk -

Controls & Operations -

Logging, Incidents & Evidence -

Attribute Criteria -

Audit Readiness -

0 of 16 questions answered

Available once all questions are answered

SOC 2 Readiness Checklist

Tell us about your environment

Governance & Scope

TSC Mapping & Risk

Controls & Operations

Logging, Incidents & Evidence

Attribute Criteria

Audit Readiness

Your report is ready