SOC 2

SOC 2 Readiness Checklist (2026): The Control-by-Control Guide with Owners and Evidence

A do-this-now SOC 2 readiness checklist mapped to the AICPA Trust Services Criteria (CC1–CC9), with a control owner and the exact evidence auditors accept for each item — plus policies, timeline, and a gap-assessment plan.

The short answer

A SOC 2 readiness checklist is a pre-audit worklist that maps every control you need to the AICPA Trust Services Criteria — the nine Common Criteria CC1–CC9 (which contain 32 individual criteria for Security) plus any optional categories — and, for each, names an owner and the evidence an auditor will accept. Work through it before your audit period opens: for a Type II, controls must operate throughout the observation window (commonly 3–12 months), so a gap found after the clock starts becomes a tested exception. First-time readiness typically takes one to five months.

Key takeaways

  • SOC 2 is criteria-based, not a fixed control count. The Security Common Criteria span 32 individual criteria across CC1–CC9 (CC6 alone has 8; CC7 has 5). You design your own controls to meet them, so the control tally varies by scope.
  • Only Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories you add based on the services you provide and the commitments you make to customers.
  • Finish the checklist before the observation window opens. A Type II tests operating effectiveness over the period; a control that starts late cannot be tested as having operated for the full window.
  • Owners and evidence are what auditors actually test. Assign each control to a role, and pre-stage the artifact (system report, ticket, review record) that proves it operated — screenshots alone rarely suffice.

SOC 2 readiness in one page

SOC 2 is governed by the AICPA’s 2017 Trust Services Criteria (with revised points of focus, 2022). An independent, licensed CPA firm examines management’s description of the system against those criteria and issues an opinion under the attestation standards (SSAE 18, AT-C section 205). Getting “ready” means every applicable criterion has a designed control, a named owner, and evidence that the control operated.

There are five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security — the Common Criteria — is the only mandatory category; the other four are added based on your services and customer commitments. The Common Criteria are organized into nine sections, CC1 through CC9, and the first five (CC1–CC5) map directly to the 17 principles of the COSO 2013 Internal Control – Integrated Framework that the criteria are built on. For the full taxonomy of each criterion, see our SOC 2 controls list by Trust Services Criteria; this page is the actionable worklist you run against it.

On budget and timeline, industry ranges are wide and no substitute for a scoped quote: a standalone readiness assessment commonly runs roughly $5K–$25K (external engagements often start near $10K), total first-year SOC 2 spend often lands between $30K–$150K depending on scope, readiness takes about one to five months, and a focused gap analysis one to four weeks. What’s new for 2026: buyers push security questionnaires earlier and expect near-continuous monitoring, and vendor and AI-tooling risk now draws direct scrutiny under CC9.2 (assessing vulnerabilities from vendor and business-partner relationships).

“The teams that sail through fieldwork are the ones that turned this checklist into calendar events months earlier — an owner on every control and the evidence generated in the normal course of work, not reconstructed the week before we arrive.”

— Sébastien Ruosch, CPA, Director of Audits at Auditsuisse

How to use this checklist (Type I vs Type II)

The checklist items are the same whether you pursue a Type I or a Type II — both examine controls against the identical Trust Services Criteria. What changes is the evidence window. A SOC 2 Type I attests to the suitability of the design of controls at a single point in time; a Type II attests to design and operating effectiveness over a period. That distinction dictates how much evidence you pre-stage and how early you must finish this list.

Type I vs Type II readiness differences
DimensionType I requirementType II requirement
What is testedDesign of controls as of one dateDesign and operating effectiveness over a period
Evidence windowPoint-in-time (an “as of” date)Full observation period, commonly 3–12 months
Evidence volumeOne representative sample per controlSamples drawn across the whole period
When to finish this checklistBefore the “as of” dateBefore the observation window opens
Best forUnblocking a deal fast; controls < 3 months oldEnterprise/regulated buyers; mature, evidenced controls

Practical rule: complete the checklist, then let controls run. For a Type II, any item still open when the observation clock starts is likely to surface as an exception, because there is no way to demonstrate it operated for the full window.

Step 1 — Define your audit scope and select Trust Services Criteria

Scope is the highest-leverage decision on this list because it cascades into every downstream control, evidence request, and cost driver. Start by drawing your system boundary: the infrastructure, software, people, data, and processes that deliver the service your customers rely on. Document data flows end to end, then decide which of the five categories are in scope. Almost everyone selects Security; add Availability if you make uptime commitments, Confidentiality if you handle sensitive customer data under NDA, Processing Integrity for transaction or data-processing services, and Privacy if you collect personal information. For the mechanics of drawing the boundary, follow our guide on how to scope systems for SOC 2.

Two scoping concepts trip up first-timers. Subservice organizations are the vendors that host or operate parts of your system (for example, your cloud provider). You either carve them out of your report — relying on their own SOC 2 and defining Complementary Subservice Organization Controls (CSOCs) — or use the inclusive method and test them directly. Separately, Complementary User Entity Controls (CUECs) are the controls your customers must operate for your controls to work (such as configuring their own SSO correctly); these belong in your system description, not your control set. Getting the carve-out boundary and CUECs right up front prevents a scope rewrite during fieldwork.

Step 2 — Assign control owners

Assign every control to a role, not a named person — people change, roles persist, and auditors evaluate whether responsibilities are clear and consistently executed over time. A lightweight RACI at the domain level is enough to start: an accountable owner, the contributing teams, a cadence, and the system of record where the evidence lives. This single table prevents the most common readiness failure, fragmented ownership, where engineering, IT, security, and legal each work from a different definition of “done.”

Control owner RACI matrix (starting point)
Control domainAccountable roleContributing teamsCadenceSystem of record
Access managementHead of Security / ITEngineering, People OpsQuarterly reviews; on-event provisioningOkta / identity provider
Change managementEngineering LeadProduct, QAPer changeGitHub + Jira
Vulnerability managementSecurity EngineerEngineering, DevOpsContinuous scan; monthly reviewScanner + ticketing
Incident responseHead of SecurityEngineering, Legal, CommsOn-event; annual testPagerDuty / IR runbook
Availability / BC-DRHead of InfrastructureEngineering, SecurityContinuous backup; annual recovery testCloud console + test records
Vendor / third-party riskSecurity / GRC LeadLegal, ProcurementAnnual; on-onboardingVendor register
HR / onboarding & offboardingPeople Ops LeadIT, Hiring managersOn-eventHRIS + ticketing

The SOC 2 readiness checklist by Trust Services Criteria

Below is the master worklist grouped by Common Criteria section. Each item names the mapped criterion, the owning role, and the evidence artifact an auditor will request. Work top to bottom; the access, operations, and change-management sections (CC6–CC8) draw the deepest scrutiny in every engagement. For the underlying criteria definitions behind each item, cross-reference the full controls list by Trust Services Criteria.

CC1 — Control Environment

CC1 establishes governance, integrity, and accountability. It maps to COSO’s control-environment component (principles 1–5). Note that the 2022 revised points of focus refined CC1.3 (adding a privacy-reporting-line consideration) and CC1.5 (accountability).

CC1 Control Environment — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
1Publish and sign a code of conductCC1.1People OpsSigned acknowledgments
2Maintain an org chart with defined security responsibilitiesCC1.3ExecutiveOrg chart, role descriptions
3Run background checks on new hiresCC1.1People OpsScreening records
4Conduct board / management oversight of securityCC1.2ExecutiveMeeting minutes
5Hold staff accountable via performance reviewsCC1.5People OpsReview records

CC2 — Communication & Information

CC2 covers how security information is generated and communicated internally and externally. The 2022 points of focus refreshed CC2.1 around asset classification and quality of information.

CC2 Communication & Information — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
6Publish security policies where staff can access themCC2.2SecurityPolicy portal, acknowledgments
7Maintain an asset inventory with data classificationCC2.1IT / SecurityAsset & classification register
8Provide a whistleblower / anonymous reporting channelCC2.2LegalChannel config, policy
9Communicate commitments to external usersCC2.3Legal / SecurityTerms, trust page, DPAs

CC3 — Risk Assessment

CC3 requires a documented, repeatable risk process, including fraud consideration. The 2022 points of focus updated CC3.2 (identifying risks, including from vendors and partners) and CC3.4 (assessing changes in internal and external threats).

CC3 Risk Assessment — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
10Perform an annual documented risk assessmentCC3.1–3.2Security / GRCRisk assessment report
11Maintain a risk register with treatment and ownersCC3.2Security / GRCRisk register
12Consider fraud risk explicitlyCC3.3ExecutiveRisk assessment section
13Reassess when threats or the business changeCC3.4Security / GRCChange-triggered reviews

CC4 — Monitoring Activities

CC4 covers ongoing and separate evaluations of your controls and how deficiencies are tracked to resolution.

CC4 Monitoring Activities — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
14Run ongoing control monitoring (automated where possible)CC4.1SecurityMonitoring dashboards / alerts
15Track and remediate identified deficienciesCC4.2Security / GRCDeficiency / issue log
16Perform periodic internal control reviewsCC4.1GRC / Internal auditReview records

CC5 — Control Activities

CC5 is where policy becomes procedure. It maps to COSO’s control-activities component and covers segregation of duties and technology general controls.

CC5 Control Activities — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
17Map each policy to an operating procedureCC5.1–5.2Security / GRCPolicy-to-procedure matrix
18Implement segregation of duties for sensitive actionsCC5.1Engineering / FinanceRole definitions, approvals
19Deploy technology general controlsCC5.2IT / EngineeringConfiguration standards

CC6 — Logical & Physical Access Controls

CC6 is the most heavily tested section — it contains eight criteria (CC6.1–CC6.8), the most of any section. Expect deep sampling of provisioning, access reviews, and encryption. Get this block right and most engagements go smoothly.

CC6 Logical & Physical Access Controls — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
20Enforce MFA on all production and admin accessCC6.1Security / ITIdP config, MFA report
21Provision access on a least-privilege basisCC6.1–6.3Security / ITAccess-request tickets
22Deprovision access on termination promptlyCC6.2–6.3People Ops / ITOffboarding tickets, timestamps
23Perform periodic user access reviewsCC6.2–6.3SecuritySigned access-review records
24Encrypt data in transit and at restCC6.1, CC6.7EngineeringTLS config, KMS / disk-encryption proof
25Control physical access to facilities / data centersCC6.4IT / FacilitiesBadge logs or provider SOC report
26Securely dispose of data and assetsCC6.5ITDisposal / wipe records

CC7 — System Operations

CC7 contains five criteria (CC7.1–CC7.5) covering monitoring, vulnerability management, and incident response — the detect-and-respond core of the program.

CC7 System Operations — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
27Centralize logging and monitoring (SIEM / alerting)CC7.2SecurityLog config, alert samples
28Run vulnerability scans on a defined cadenceCC7.1SecurityScan reports, remediation tickets
29Maintain and test an incident response planCC7.3–7.4Head of SecurityIR plan, tabletop / incident records
30Define recovery from identified incidentsCC7.5Head of SecurityPost-incident reviews

CC8 — Change Management

CC8 (CC8.1) covers the SDLC: how changes are requested, reviewed, tested, approved, and deployed, including patching.

CC8 Change Management — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
31Require peer code review before mergeCC8.1EngineeringPull-request approvals
32Require approval and testing before production deployCC8.1EngineeringChange tickets, CI records
33Identify, test, and apply patches on a cadenceCC8.1DevOpsPatch / dependency logs
34Separate development from productionCC8.1EngineeringEnvironment config

CC9 — Risk Mitigation

CC9 covers how you mitigate risk from business disruptions (CC9.1) and from vendor and business-partner relationships (CC9.2). Note the mapping nuance: CC9.1 addresses risk-mitigation planning for disruptions, but the operational recovery objectives — backups and recovery testing — are anchored in the Availability category (A1.2, A1.3), not CC9. The 2022 points of focus specifically expanded CC9.2 to assess vulnerabilities arising from vendor and business-partner relationships.

CC9 Risk Mitigation — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
35Document business-disruption risk mitigation (incl. insurance)CC9.1Executive / FinanceBC plan, insurance policy
36Assess vendor / third-party risk before and during useCC9.2Security / GRCVendor reviews, SOC reports on file
37Assess risk from AI and new tooling vendorsCC9.2Security / GRCVendor risk assessments

Optional categories — Availability, Processing Integrity, Confidentiality, Privacy

Add these only where they match your services and customer commitments. This is also where operational business continuity and disaster recovery (BC/DR) properly live, under Availability.

Optional TSC categories — readiness items
#Checklist itemCriteriaOwnerEvidenceDone
38Perform and test backups; run a recovery testA1.2–A1.3InfrastructureBackup logs, DR test report
39Monitor capacity against availability commitmentsA1.1InfrastructureCapacity monitoring
40Validate processing completeness and accuracyPI1.1–PI1.5EngineeringInput/output reconciliation
41Protect confidential information per commitmentsC1.1–C1.2SecurityClassification & handling records
42Operate a privacy program across the data lifecycleP1–P8Privacy / LegalPrivacy notice, consent, DSAR log

Policy documentation checklist

Auditors expect a written, approved, and communicated policy behind the operating controls above. Policies alone do not pass an audit — operating effectiveness does — but missing or stale policies are among the most common early findings. Each policy needs an owner and a review cadence (annual is standard).

Required SOC 2 policies (owner and review cadence)
Required policyMapped criteriaOwnerReview cadence
Information Security PolicyCC1, CC2, CC5Head of SecurityAnnual
Access Control PolicyCC6Security / ITAnnual
Change Management PolicyCC8Engineering LeadAnnual
Incident Response PolicyCC7Head of SecurityAnnual + post-incident
Vendor / Third-Party Management PolicyCC9.2Security / GRCAnnual
Business Continuity & Disaster Recovery PlanCC9.1, A1.2–A1.3Head of InfrastructureAnnual + test
Data Classification PolicyCC2.1, C1.1SecurityAnnual
Acceptable Use PolicyCC1.1, CC6People Ops / SecurityAnnual
Risk Assessment PolicyCC3Security / GRCAnnual

Evidence strategy — what auditors accept and how to collect it

Evidence quality determines audit velocity. Strong evidence is complete, timely, attributable, and reproducible: each artifact shows who performed the control, when, what was reviewed, and how exceptions were handled. Screenshots alone rarely satisfy this bar — a screenshot proves a setting on one day, whereas a system-generated report (a config export, an audit log, a ticket history) demonstrates the control operated across the period. For a Type II, favor system reports and pull them throughout the window, not the week before fieldwork.

Evidence artifact library by control area
Control areaExample artifactSource systemCollection frequency
Access reviewsSigned quarterly access reviewOkta / identity providerQuarterly
Provisioning / deprovisioningOnboarding & offboarding tickets with timestampsJira / ticketingPer event
Change managementPull-request approvals and change ticketsGitHub + JiraPer change
Infrastructure loggingAudit trail / API activity logsAWS CloudTrailContinuous
Vulnerability managementScan reports and remediation ticketsScanner + ticketingPer scan cadence
Incident responseIncident records and tabletop test notesPagerDuty / runbookPer event + annual
BC / DRBackup logs and recovery-test reportCloud consoleContinuous + annual test

Store evidence in a governed repository with stable naming and version control, and retain it for at least the full observation period. On the tooling question: compliance automation platforms such as Vanta, Drata, Secureframe, and Sprinto connect directly to systems like Okta, AWS, and GitHub to collect much of this evidence continuously and flag drift. That accelerates readiness, but the platform cannot issue the opinion — at fieldwork the platform exports the evidence to the CPA firm, which independently examines it and signs the report. The platform is the evidence engine; the licensed CPA firm is the auditor.

Run a readiness (gap) assessment before fieldwork

A readiness assessment is the pre-audit dry run that turns this checklist into a scored plan. Strictly, the gap analysis is one component — the control-mapping diagnostic that compares your current controls against the criteria — nested inside the broader readiness assessment, which also covers scope selection, the system description, and evidence preparation. It produces no formal opinion; its job is to surface missing controls and weak evidence while you can still fix them cheaply. It is optional but strongly recommended for first-time auditees.

A useful and often-misunderstood point about independence: under AICPA rules, the same CPA firm that will issue your SOC 2 opinion may perform the readiness assessment as a separate non-attest service, provided it applies safeguards for the self-review threat — management owns every remediation decision, and the firm does not later audit its own work product. This lets you keep one expert team across readiness and audit rather than paying two firms to learn your environment. Our audit methodology details how we run that hand-off cleanly.

Readiness timeline and sequencing

Readiness typically runs one to five months for a first-time team, with the gap analysis itself taking one to four weeks. Sequence the work so scope and ownership are settled before you spend effort implementing controls, and so all controls are live before any Type II observation window opens. For the full end-to-end schedule through fieldwork and report delivery, see our SOC 2 audit timeline.

Readiness sequencing (illustrative; varies with scope)
PhaseMilestoneChecklist itemsGate to proceed
Weeks 1–2Scope & category selectionStep 1 (boundary, data flows, CUECs/CSOCs)Signed-off scope document
Weeks 2–3Ownership & policiesStep 2 RACI; policy checklistEvery control has an owner
Weeks 3–8Control implementationCC1–CC9 items; optional categoriesControls live and operating
Weeks 6–10Evidence operationsEvidence library; automation connectedArtifacts generating automatically
Weeks 8–12Readiness / gap assessmentGap analysis; remediationGaps closed → open observation window

Common gaps this checklist prevents

Most first-time exceptions cluster in a handful of predictable places: incomplete or late user access reviews, deprovisioning that lags terminations, change tickets missing approvals, vulnerability findings without remediation evidence, and BC/DR plans that were never actually tested. Each maps to a specific item above — which is why finishing the checklist before the window opens is the cheapest possible insurance. For remediation detail on each pattern, see our guide to common SOC 2 findings and how to fix them.

Multi-framework leverage — reusing SOC 2 evidence for HIPAA and GDPR

Most SOC 2 controls do double duty. If you handle protected health information, the access, encryption, logging, incident-response, and vendor controls above overlap substantially with the safeguards expected under a HIPAA program — map them once and collect evidence once. Similarly, teams serving EU customers can reuse the Privacy (P1–P8), access, and vendor evidence to support GDPR obligations, layering framework-specific requirements on top. The winning pattern is one control register, one evidence repository, and one governance cadence with framework overlays, rather than parallel programs that duplicate testing and burn out the same owners.

Download the SOC 2 readiness checklist

Want this as a working spreadsheet with the checkboxes, owners, and evidence columns ready to assign? We’ll send the full control-by-control template — and, on a short scoping call, tell you exactly which optional categories your buyers will require — when you book time with our team. It is the same worklist we run with clients before fieldwork.

Frequently asked questions

What is a SOC 2 readiness checklist?

A SOC 2 readiness checklist is a pre-audit worklist that maps each control your organization needs to the AICPA Trust Services Criteria (CC1–CC9 plus any optional categories), names a control owner, and specifies the evidence required. Completing it before the audit period begins closes gaps and prevents exceptions during fieldwork.

How many controls are in a SOC 2 audit?

SOC 2 has no fixed number of controls. The AICPA defines criteria — the nine Common Criteria (CC1–CC9) for Security, which contain 32 individual criteria, plus additional criteria for Availability, Processing Integrity, Confidentiality, and Privacy. Each organization designs its own controls to meet those criteria, so the control count varies by system and scope.

How long does it take to get SOC 2 ready?

First-time teams typically need one to five months to complete readiness — assigning owners, implementing controls, writing policies, and starting evidence collection. A Type I can follow immediately; a Type II then requires an observation period, commonly three to twelve months, during which controls must operate continuously.

What is the difference between a readiness assessment and a SOC 2 audit?

A readiness assessment is an informal pre-audit review that identifies missing controls and evidence and produces no formal opinion; the gap analysis is the control-mapping diagnostic nested inside it. The SOC 2 audit is a formal examination by a licensed CPA firm that results in an attestation report opining on control design (Type I) and operating effectiveness (Type II).

What evidence do you need for a SOC 2 audit?

SOC 2 evidence includes policies (access control, change management, incident response, vendor management), configuration proof (MFA, encryption, logging), and operational records — access reviews, provisioning and deprovisioning tickets, change approvals, vulnerability scans, incident logs, and BC/DR test results — covering the entire review period, not just the audit date.

Can I use Vanta or Drata to get SOC 2 ready?

Compliance automation platforms like Vanta, Drata, Secureframe, and Sprinto accelerate readiness by continuously collecting evidence and monitoring controls, but they cannot issue the report. A SOC 2 opinion must be signed by an independent licensed CPA firm that performs the examination and reviews the exported evidence during fieldwork.

Do I need a SOC 2 Type I before a Type II?

No. A Type I is optional. Many teams go straight to Type II, but a Type I can be issued quickly to satisfy an urgent buyer request while the Type II observation period runs. The readiness checklist is the same for both; only the evidence window differs — a point in time for Type I versus a full period for Type II.

Can the CPA firm that runs my readiness assessment also do the audit?

Yes. Under AICPA independence rules the same CPA firm may perform a readiness assessment as a separate non-attest service and still issue the SOC 2 opinion, provided it applies safeguards for the self-review threat — for example, management owns all remediation decisions and the firm does not audit its own work product.

Sources & further reading

  1. AICPA & CIMA — 2017 Trust Services Criteria (With Revised Points of Focus — 2022), TSP section 100.
  2. AICPA & CIMA — SOC 2® — SOC for Service Organizations: Trust Services Criteria.
  3. COSO — Internal Control – Integrated Framework (2013), 17 principles; the foundation CC1–CC5 map to.
  4. AICPA — Statement on Standards for Attestation Engagements No. 18 (SSAE 18); SOC 2 examinations are performed under AT-C section 205.
Sébastien Ruosch Reviewed by Sébastien Ruosch, CPA (US & Swiss licensed), Director of Audits at Auditsuisse. Last reviewed July 1, 2026.

Work with a licensed CPA firm

Auditsuisse is a US & Swiss licensed CPA firm. We’ll pressure-test your scope, run a readiness assessment as a separate non-attest engagement, and quote a fixed fee for the audit — see our SOC 2 audit services or book a scoping call.

Request Consultation
Back to top ↑