A SOC 2 readiness checklist is a pre-audit worklist that maps every control you need to the AICPA Trust Services Criteria — the nine Common Criteria CC1–CC9 (which contain 32 individual criteria for Security) plus any optional categories — and, for each, names an owner and the evidence an auditor will accept. Work through it before your audit period opens: for a Type II, controls must operate throughout the observation window (commonly 3–12 months), so a gap found after the clock starts becomes a tested exception. First-time readiness typically takes one to five months.
Key takeaways
- SOC 2 is criteria-based, not a fixed control count. The Security Common Criteria span 32 individual criteria across CC1–CC9 (CC6 alone has 8; CC7 has 5). You design your own controls to meet them, so the control tally varies by scope.
- Only Security is mandatory. Availability, Processing Integrity, Confidentiality, and Privacy are optional categories you add based on the services you provide and the commitments you make to customers.
- Finish the checklist before the observation window opens. A Type II tests operating effectiveness over the period; a control that starts late cannot be tested as having operated for the full window.
- Owners and evidence are what auditors actually test. Assign each control to a role, and pre-stage the artifact (system report, ticket, review record) that proves it operated — screenshots alone rarely suffice.
SOC 2 readiness in one page
SOC 2 is governed by the AICPA’s 2017 Trust Services Criteria (with revised points of focus, 2022). An independent, licensed CPA firm examines management’s description of the system against those criteria and issues an opinion under the attestation standards (SSAE 18, AT-C section 205). Getting “ready” means every applicable criterion has a designed control, a named owner, and evidence that the control operated.
There are five Trust Services Categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Security — the Common Criteria — is the only mandatory category; the other four are added based on your services and customer commitments. The Common Criteria are organized into nine sections, CC1 through CC9, and the first five (CC1–CC5) map directly to the 17 principles of the COSO 2013 Internal Control – Integrated Framework that the criteria are built on. For the full taxonomy of each criterion, see our SOC 2 controls list by Trust Services Criteria; this page is the actionable worklist you run against it.
On budget and timeline, industry ranges are wide and no substitute for a scoped quote: a standalone readiness assessment commonly runs roughly $5K–$25K (external engagements often start near $10K), total first-year SOC 2 spend often lands between $30K–$150K depending on scope, readiness takes about one to five months, and a focused gap analysis one to four weeks. What’s new for 2026: buyers push security questionnaires earlier and expect near-continuous monitoring, and vendor and AI-tooling risk now draws direct scrutiny under CC9.2 (assessing vulnerabilities from vendor and business-partner relationships).
“The teams that sail through fieldwork are the ones that turned this checklist into calendar events months earlier — an owner on every control and the evidence generated in the normal course of work, not reconstructed the week before we arrive.”
— Sébastien Ruosch, CPA, Director of Audits at Auditsuisse
How to use this checklist (Type I vs Type II)
The checklist items are the same whether you pursue a Type I or a Type II — both examine controls against the identical Trust Services Criteria. What changes is the evidence window. A SOC 2 Type I attests to the suitability of the design of controls at a single point in time; a Type II attests to design and operating effectiveness over a period. That distinction dictates how much evidence you pre-stage and how early you must finish this list.
| Dimension | Type I requirement | Type II requirement |
|---|---|---|
| What is tested | Design of controls as of one date | Design and operating effectiveness over a period |
| Evidence window | Point-in-time (an “as of” date) | Full observation period, commonly 3–12 months |
| Evidence volume | One representative sample per control | Samples drawn across the whole period |
| When to finish this checklist | Before the “as of” date | Before the observation window opens |
| Best for | Unblocking a deal fast; controls < 3 months old | Enterprise/regulated buyers; mature, evidenced controls |
Practical rule: complete the checklist, then let controls run. For a Type II, any item still open when the observation clock starts is likely to surface as an exception, because there is no way to demonstrate it operated for the full window.
Step 1 — Define your audit scope and select Trust Services Criteria
Scope is the highest-leverage decision on this list because it cascades into every downstream control, evidence request, and cost driver. Start by drawing your system boundary: the infrastructure, software, people, data, and processes that deliver the service your customers rely on. Document data flows end to end, then decide which of the five categories are in scope. Almost everyone selects Security; add Availability if you make uptime commitments, Confidentiality if you handle sensitive customer data under NDA, Processing Integrity for transaction or data-processing services, and Privacy if you collect personal information. For the mechanics of drawing the boundary, follow our guide on how to scope systems for SOC 2.
Two scoping concepts trip up first-timers. Subservice organizations are the vendors that host or operate parts of your system (for example, your cloud provider). You either carve them out of your report — relying on their own SOC 2 and defining Complementary Subservice Organization Controls (CSOCs) — or use the inclusive method and test them directly. Separately, Complementary User Entity Controls (CUECs) are the controls your customers must operate for your controls to work (such as configuring their own SSO correctly); these belong in your system description, not your control set. Getting the carve-out boundary and CUECs right up front prevents a scope rewrite during fieldwork.
Step 2 — Assign control owners
Assign every control to a role, not a named person — people change, roles persist, and auditors evaluate whether responsibilities are clear and consistently executed over time. A lightweight RACI at the domain level is enough to start: an accountable owner, the contributing teams, a cadence, and the system of record where the evidence lives. This single table prevents the most common readiness failure, fragmented ownership, where engineering, IT, security, and legal each work from a different definition of “done.”
| Control domain | Accountable role | Contributing teams | Cadence | System of record |
|---|---|---|---|---|
| Access management | Head of Security / IT | Engineering, People Ops | Quarterly reviews; on-event provisioning | Okta / identity provider |
| Change management | Engineering Lead | Product, QA | Per change | GitHub + Jira |
| Vulnerability management | Security Engineer | Engineering, DevOps | Continuous scan; monthly review | Scanner + ticketing |
| Incident response | Head of Security | Engineering, Legal, Comms | On-event; annual test | PagerDuty / IR runbook |
| Availability / BC-DR | Head of Infrastructure | Engineering, Security | Continuous backup; annual recovery test | Cloud console + test records |
| Vendor / third-party risk | Security / GRC Lead | Legal, Procurement | Annual; on-onboarding | Vendor register |
| HR / onboarding & offboarding | People Ops Lead | IT, Hiring managers | On-event | HRIS + ticketing |
The SOC 2 readiness checklist by Trust Services Criteria
Below is the master worklist grouped by Common Criteria section. Each item names the mapped criterion, the owning role, and the evidence artifact an auditor will request. Work top to bottom; the access, operations, and change-management sections (CC6–CC8) draw the deepest scrutiny in every engagement. For the underlying criteria definitions behind each item, cross-reference the full controls list by Trust Services Criteria.
CC1 — Control Environment
CC1 establishes governance, integrity, and accountability. It maps to COSO’s control-environment component (principles 1–5). Note that the 2022 revised points of focus refined CC1.3 (adding a privacy-reporting-line consideration) and CC1.5 (accountability).
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 1 | Publish and sign a code of conduct | CC1.1 | People Ops | Signed acknowledgments | ☐ |
| 2 | Maintain an org chart with defined security responsibilities | CC1.3 | Executive | Org chart, role descriptions | ☐ |
| 3 | Run background checks on new hires | CC1.1 | People Ops | Screening records | ☐ |
| 4 | Conduct board / management oversight of security | CC1.2 | Executive | Meeting minutes | ☐ |
| 5 | Hold staff accountable via performance reviews | CC1.5 | People Ops | Review records | ☐ |
CC2 — Communication & Information
CC2 covers how security information is generated and communicated internally and externally. The 2022 points of focus refreshed CC2.1 around asset classification and quality of information.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 6 | Publish security policies where staff can access them | CC2.2 | Security | Policy portal, acknowledgments | ☐ |
| 7 | Maintain an asset inventory with data classification | CC2.1 | IT / Security | Asset & classification register | ☐ |
| 8 | Provide a whistleblower / anonymous reporting channel | CC2.2 | Legal | Channel config, policy | ☐ |
| 9 | Communicate commitments to external users | CC2.3 | Legal / Security | Terms, trust page, DPAs | ☐ |
CC3 — Risk Assessment
CC3 requires a documented, repeatable risk process, including fraud consideration. The 2022 points of focus updated CC3.2 (identifying risks, including from vendors and partners) and CC3.4 (assessing changes in internal and external threats).
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 10 | Perform an annual documented risk assessment | CC3.1–3.2 | Security / GRC | Risk assessment report | ☐ |
| 11 | Maintain a risk register with treatment and owners | CC3.2 | Security / GRC | Risk register | ☐ |
| 12 | Consider fraud risk explicitly | CC3.3 | Executive | Risk assessment section | ☐ |
| 13 | Reassess when threats or the business change | CC3.4 | Security / GRC | Change-triggered reviews | ☐ |
CC4 — Monitoring Activities
CC4 covers ongoing and separate evaluations of your controls and how deficiencies are tracked to resolution.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 14 | Run ongoing control monitoring (automated where possible) | CC4.1 | Security | Monitoring dashboards / alerts | ☐ |
| 15 | Track and remediate identified deficiencies | CC4.2 | Security / GRC | Deficiency / issue log | ☐ |
| 16 | Perform periodic internal control reviews | CC4.1 | GRC / Internal audit | Review records | ☐ |
CC5 — Control Activities
CC5 is where policy becomes procedure. It maps to COSO’s control-activities component and covers segregation of duties and technology general controls.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 17 | Map each policy to an operating procedure | CC5.1–5.2 | Security / GRC | Policy-to-procedure matrix | ☐ |
| 18 | Implement segregation of duties for sensitive actions | CC5.1 | Engineering / Finance | Role definitions, approvals | ☐ |
| 19 | Deploy technology general controls | CC5.2 | IT / Engineering | Configuration standards | ☐ |
CC6 — Logical & Physical Access Controls
CC6 is the most heavily tested section — it contains eight criteria (CC6.1–CC6.8), the most of any section. Expect deep sampling of provisioning, access reviews, and encryption. Get this block right and most engagements go smoothly.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 20 | Enforce MFA on all production and admin access | CC6.1 | Security / IT | IdP config, MFA report | ☐ |
| 21 | Provision access on a least-privilege basis | CC6.1–6.3 | Security / IT | Access-request tickets | ☐ |
| 22 | Deprovision access on termination promptly | CC6.2–6.3 | People Ops / IT | Offboarding tickets, timestamps | ☐ |
| 23 | Perform periodic user access reviews | CC6.2–6.3 | Security | Signed access-review records | ☐ |
| 24 | Encrypt data in transit and at rest | CC6.1, CC6.7 | Engineering | TLS config, KMS / disk-encryption proof | ☐ |
| 25 | Control physical access to facilities / data centers | CC6.4 | IT / Facilities | Badge logs or provider SOC report | ☐ |
| 26 | Securely dispose of data and assets | CC6.5 | IT | Disposal / wipe records | ☐ |
CC7 — System Operations
CC7 contains five criteria (CC7.1–CC7.5) covering monitoring, vulnerability management, and incident response — the detect-and-respond core of the program.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 27 | Centralize logging and monitoring (SIEM / alerting) | CC7.2 | Security | Log config, alert samples | ☐ |
| 28 | Run vulnerability scans on a defined cadence | CC7.1 | Security | Scan reports, remediation tickets | ☐ |
| 29 | Maintain and test an incident response plan | CC7.3–7.4 | Head of Security | IR plan, tabletop / incident records | ☐ |
| 30 | Define recovery from identified incidents | CC7.5 | Head of Security | Post-incident reviews | ☐ |
CC8 — Change Management
CC8 (CC8.1) covers the SDLC: how changes are requested, reviewed, tested, approved, and deployed, including patching.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 31 | Require peer code review before merge | CC8.1 | Engineering | Pull-request approvals | ☐ |
| 32 | Require approval and testing before production deploy | CC8.1 | Engineering | Change tickets, CI records | ☐ |
| 33 | Identify, test, and apply patches on a cadence | CC8.1 | DevOps | Patch / dependency logs | ☐ |
| 34 | Separate development from production | CC8.1 | Engineering | Environment config | ☐ |
CC9 — Risk Mitigation
CC9 covers how you mitigate risk from business disruptions (CC9.1) and from vendor and business-partner relationships (CC9.2). Note the mapping nuance: CC9.1 addresses risk-mitigation planning for disruptions, but the operational recovery objectives — backups and recovery testing — are anchored in the Availability category (A1.2, A1.3), not CC9. The 2022 points of focus specifically expanded CC9.2 to assess vulnerabilities arising from vendor and business-partner relationships.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 35 | Document business-disruption risk mitigation (incl. insurance) | CC9.1 | Executive / Finance | BC plan, insurance policy | ☐ |
| 36 | Assess vendor / third-party risk before and during use | CC9.2 | Security / GRC | Vendor reviews, SOC reports on file | ☐ |
| 37 | Assess risk from AI and new tooling vendors | CC9.2 | Security / GRC | Vendor risk assessments | ☐ |
Optional categories — Availability, Processing Integrity, Confidentiality, Privacy
Add these only where they match your services and customer commitments. This is also where operational business continuity and disaster recovery (BC/DR) properly live, under Availability.
| # | Checklist item | Criteria | Owner | Evidence | Done |
|---|---|---|---|---|---|
| 38 | Perform and test backups; run a recovery test | A1.2–A1.3 | Infrastructure | Backup logs, DR test report | ☐ |
| 39 | Monitor capacity against availability commitments | A1.1 | Infrastructure | Capacity monitoring | ☐ |
| 40 | Validate processing completeness and accuracy | PI1.1–PI1.5 | Engineering | Input/output reconciliation | ☐ |
| 41 | Protect confidential information per commitments | C1.1–C1.2 | Security | Classification & handling records | ☐ |
| 42 | Operate a privacy program across the data lifecycle | P1–P8 | Privacy / Legal | Privacy notice, consent, DSAR log | ☐ |
Policy documentation checklist
Auditors expect a written, approved, and communicated policy behind the operating controls above. Policies alone do not pass an audit — operating effectiveness does — but missing or stale policies are among the most common early findings. Each policy needs an owner and a review cadence (annual is standard).
| Required policy | Mapped criteria | Owner | Review cadence |
|---|---|---|---|
| Information Security Policy | CC1, CC2, CC5 | Head of Security | Annual |
| Access Control Policy | CC6 | Security / IT | Annual |
| Change Management Policy | CC8 | Engineering Lead | Annual |
| Incident Response Policy | CC7 | Head of Security | Annual + post-incident |
| Vendor / Third-Party Management Policy | CC9.2 | Security / GRC | Annual |
| Business Continuity & Disaster Recovery Plan | CC9.1, A1.2–A1.3 | Head of Infrastructure | Annual + test |
| Data Classification Policy | CC2.1, C1.1 | Security | Annual |
| Acceptable Use Policy | CC1.1, CC6 | People Ops / Security | Annual |
| Risk Assessment Policy | CC3 | Security / GRC | Annual |
Evidence strategy — what auditors accept and how to collect it
Evidence quality determines audit velocity. Strong evidence is complete, timely, attributable, and reproducible: each artifact shows who performed the control, when, what was reviewed, and how exceptions were handled. Screenshots alone rarely satisfy this bar — a screenshot proves a setting on one day, whereas a system-generated report (a config export, an audit log, a ticket history) demonstrates the control operated across the period. For a Type II, favor system reports and pull them throughout the window, not the week before fieldwork.
| Control area | Example artifact | Source system | Collection frequency |
|---|---|---|---|
| Access reviews | Signed quarterly access review | Okta / identity provider | Quarterly |
| Provisioning / deprovisioning | Onboarding & offboarding tickets with timestamps | Jira / ticketing | Per event |
| Change management | Pull-request approvals and change tickets | GitHub + Jira | Per change |
| Infrastructure logging | Audit trail / API activity logs | AWS CloudTrail | Continuous |
| Vulnerability management | Scan reports and remediation tickets | Scanner + ticketing | Per scan cadence |
| Incident response | Incident records and tabletop test notes | PagerDuty / runbook | Per event + annual |
| BC / DR | Backup logs and recovery-test report | Cloud console | Continuous + annual test |
Store evidence in a governed repository with stable naming and version control, and retain it for at least the full observation period. On the tooling question: compliance automation platforms such as Vanta, Drata, Secureframe, and Sprinto connect directly to systems like Okta, AWS, and GitHub to collect much of this evidence continuously and flag drift. That accelerates readiness, but the platform cannot issue the opinion — at fieldwork the platform exports the evidence to the CPA firm, which independently examines it and signs the report. The platform is the evidence engine; the licensed CPA firm is the auditor.
Run a readiness (gap) assessment before fieldwork
A readiness assessment is the pre-audit dry run that turns this checklist into a scored plan. Strictly, the gap analysis is one component — the control-mapping diagnostic that compares your current controls against the criteria — nested inside the broader readiness assessment, which also covers scope selection, the system description, and evidence preparation. It produces no formal opinion; its job is to surface missing controls and weak evidence while you can still fix them cheaply. It is optional but strongly recommended for first-time auditees.
A useful and often-misunderstood point about independence: under AICPA rules, the same CPA firm that will issue your SOC 2 opinion may perform the readiness assessment as a separate non-attest service, provided it applies safeguards for the self-review threat — management owns every remediation decision, and the firm does not later audit its own work product. This lets you keep one expert team across readiness and audit rather than paying two firms to learn your environment. Our audit methodology details how we run that hand-off cleanly.
Readiness timeline and sequencing
Readiness typically runs one to five months for a first-time team, with the gap analysis itself taking one to four weeks. Sequence the work so scope and ownership are settled before you spend effort implementing controls, and so all controls are live before any Type II observation window opens. For the full end-to-end schedule through fieldwork and report delivery, see our SOC 2 audit timeline.
| Phase | Milestone | Checklist items | Gate to proceed |
|---|---|---|---|
| Weeks 1–2 | Scope & category selection | Step 1 (boundary, data flows, CUECs/CSOCs) | Signed-off scope document |
| Weeks 2–3 | Ownership & policies | Step 2 RACI; policy checklist | Every control has an owner |
| Weeks 3–8 | Control implementation | CC1–CC9 items; optional categories | Controls live and operating |
| Weeks 6–10 | Evidence operations | Evidence library; automation connected | Artifacts generating automatically |
| Weeks 8–12 | Readiness / gap assessment | Gap analysis; remediation | Gaps closed → open observation window |
Common gaps this checklist prevents
Most first-time exceptions cluster in a handful of predictable places: incomplete or late user access reviews, deprovisioning that lags terminations, change tickets missing approvals, vulnerability findings without remediation evidence, and BC/DR plans that were never actually tested. Each maps to a specific item above — which is why finishing the checklist before the window opens is the cheapest possible insurance. For remediation detail on each pattern, see our guide to common SOC 2 findings and how to fix them.
Multi-framework leverage — reusing SOC 2 evidence for HIPAA and GDPR
Most SOC 2 controls do double duty. If you handle protected health information, the access, encryption, logging, incident-response, and vendor controls above overlap substantially with the safeguards expected under a HIPAA program — map them once and collect evidence once. Similarly, teams serving EU customers can reuse the Privacy (P1–P8), access, and vendor evidence to support GDPR obligations, layering framework-specific requirements on top. The winning pattern is one control register, one evidence repository, and one governance cadence with framework overlays, rather than parallel programs that duplicate testing and burn out the same owners.
Download the SOC 2 readiness checklist
Want this as a working spreadsheet with the checkboxes, owners, and evidence columns ready to assign? We’ll send the full control-by-control template — and, on a short scoping call, tell you exactly which optional categories your buyers will require — when you book time with our team. It is the same worklist we run with clients before fieldwork.
Frequently asked questions
What is a SOC 2 readiness checklist?
A SOC 2 readiness checklist is a pre-audit worklist that maps each control your organization needs to the AICPA Trust Services Criteria (CC1–CC9 plus any optional categories), names a control owner, and specifies the evidence required. Completing it before the audit period begins closes gaps and prevents exceptions during fieldwork.
How many controls are in a SOC 2 audit?
SOC 2 has no fixed number of controls. The AICPA defines criteria — the nine Common Criteria (CC1–CC9) for Security, which contain 32 individual criteria, plus additional criteria for Availability, Processing Integrity, Confidentiality, and Privacy. Each organization designs its own controls to meet those criteria, so the control count varies by system and scope.
How long does it take to get SOC 2 ready?
First-time teams typically need one to five months to complete readiness — assigning owners, implementing controls, writing policies, and starting evidence collection. A Type I can follow immediately; a Type II then requires an observation period, commonly three to twelve months, during which controls must operate continuously.
What is the difference between a readiness assessment and a SOC 2 audit?
A readiness assessment is an informal pre-audit review that identifies missing controls and evidence and produces no formal opinion; the gap analysis is the control-mapping diagnostic nested inside it. The SOC 2 audit is a formal examination by a licensed CPA firm that results in an attestation report opining on control design (Type I) and operating effectiveness (Type II).
What evidence do you need for a SOC 2 audit?
SOC 2 evidence includes policies (access control, change management, incident response, vendor management), configuration proof (MFA, encryption, logging), and operational records — access reviews, provisioning and deprovisioning tickets, change approvals, vulnerability scans, incident logs, and BC/DR test results — covering the entire review period, not just the audit date.
Can I use Vanta or Drata to get SOC 2 ready?
Compliance automation platforms like Vanta, Drata, Secureframe, and Sprinto accelerate readiness by continuously collecting evidence and monitoring controls, but they cannot issue the report. A SOC 2 opinion must be signed by an independent licensed CPA firm that performs the examination and reviews the exported evidence during fieldwork.
Do I need a SOC 2 Type I before a Type II?
No. A Type I is optional. Many teams go straight to Type II, but a Type I can be issued quickly to satisfy an urgent buyer request while the Type II observation period runs. The readiness checklist is the same for both; only the evidence window differs — a point in time for Type I versus a full period for Type II.
Can the CPA firm that runs my readiness assessment also do the audit?
Yes. Under AICPA independence rules the same CPA firm may perform a readiness assessment as a separate non-attest service and still issue the SOC 2 opinion, provided it applies safeguards for the self-review threat — for example, management owns all remediation decisions and the firm does not audit its own work product.
Sources & further reading
- AICPA & CIMA — 2017 Trust Services Criteria (With Revised Points of Focus — 2022), TSP section 100.
- AICPA & CIMA — SOC 2® — SOC for Service Organizations: Trust Services Criteria.
- COSO — Internal Control – Integrated Framework (2013), 17 principles; the foundation CC1–CC5 map to.
- AICPA — Statement on Standards for Attestation Engagements No. 18 (SSAE 18); SOC 2 examinations are performed under AT-C section 205.
Work with a licensed CPA firm
Auditsuisse is a US & Swiss licensed CPA firm. We’ll pressure-test your scope, run a readiness assessment as a separate non-attest engagement, and quote a fixed fee for the audit — see our SOC 2 audit services or book a scoping call.
Request Consultation