Valtik Studios
Free Resource · SOC 2 Type II

SOC 2 Type II Readiness Checklist

The checklist we use internally to run SOC 2 readiness assessments. Audit-accepted evidence patterns, not theoretical controls.

Get a Free Security CheckSee Services

Before the audit

  • Trust Services Criteria selection documented (Security is mandatory; most B2B SaaS add Availability and Confidentiality)
  • System description drafted — describes the services in scope, the infrastructure, and the subservice organizations
  • Commitments and service-level agreements documented (what you promise to customers)
  • Compliance automation platform configured (Vanta, Drata, Secureframe, Thoropass, or manual evidence collection)
  • Auditor selected and engagement letter signed

CC1: Control Environment

  • CC1.1 — Integrity and ethical values: code of conduct, ethics training, whistleblower mechanism
  • CC1.2 — Board independence and oversight: Board or advisory body formally constituted, cybersecurity reporting cadence
  • CC1.3 — Management structure, authority, and responsibility: org chart, written role descriptions for security-relevant positions
  • CC1.4 — Commitment to competence: HR policies, background checks, security training programs
  • CC1.5 — Accountability: performance evaluations include security responsibilities

CC2: Communication and Information

  • CC2.1 — Internal and external information flow: communication plan, stakeholder map
  • CC2.2 — Internal communication of objectives and responsibilities
  • CC2.3 — External communication relevant to internal controls (customer-facing policy updates, trust center)

CC3: Risk Assessment

  • CC3.1 — Risk assessment methodology documented and executed
  • CC3.2 — Changes assessed for risk (change management program)
  • CC3.3 — Fraud risk assessment (financial and operational)
  • CC3.4 — Changes to control environment tracked

CC4: Monitoring Activities

  • CC4.1 — Ongoing and separate evaluations (internal audit, control self-assessment)
  • CC4.2 — Deficiencies tracked and remediated (issue tracker, Jira, Linear)

CC5: Control Activities

  • CC5.1 — Control activities contribute to risk mitigation
  • CC5.2 — Technology controls support business processes
  • CC5.3 — Policies and procedures deployed

CC6: Logical and Physical Access (the big one)

  • CC6.1 — Logical access controls: SSO to all apps, MFA enforced, identity provider integrated with HR
  • CC6.2 — New access requires documented approval; access changes tracked
  • CC6.3 — Access removal on termination (auto-deprovisioning via SCIM or documented manual process with SLA)
  • CC6.4 — Access reviews quarterly (or better); documented sign-off from system owners
  • CC6.5 — Physical access controls (badge, visitor log, data center provider SOC 2 report)
  • CC6.6 — External access restricted (firewall rules, VPN, ZTNA)
  • CC6.7 — Data transmission encryption (TLS 1.2+, certificate management)
  • CC6.8 — Change management prevents unauthorized changes (PR reviews, pipeline gates)

CC7: System Operations

  • CC7.1 — Vulnerability management program (scanning, SLAs, remediation tracking)
  • CC7.2 — Anomaly detection and monitoring (SIEM, alerting, on-call rotation)
  • CC7.3 — Incident response program tested annually
  • CC7.4 — Vulnerabilities remediated per documented SLA
  • CC7.5 — Disaster recovery capability tested (RTO/RPO defined and validated)

CC8: Change Management

  • CC8.1 — Changes authorized, documented, tested, and approved before deployment

CC9: Risk Mitigation

  • CC9.1 — Risk assessment drives mitigation activities
  • CC9.2 — Vendor risk management program with documented assessments

Availability (if in scope)

  • A1.1 — System availability commitments met (uptime SLA evidence)
  • A1.2 — Environmental protections (data center redundancy)
  • A1.3 — Recovery plan tested

Confidentiality (if in scope)

  • C1.1 — Confidential information identified and maintained
  • C1.2 — Confidential information disposed of appropriately

Evidence patterns auditors accept

  • Policies — signed, dated, with version history and review cadence
  • Procedures — step-by-step operational guides
  • Screenshots — from production systems showing controls in place
  • Reports — from monitoring, vulnerability management, access reviews
  • Tickets — evidence of incident handling, change management, access provisioning
  • Training records — security awareness training completion
  • Vendor documents — BAAs, DPAs, vendor SOC 2 reports
  • Penetration test report — annual, from a qualified third party
The single most common first-time SOC 2 finding: policies written but not followed. If your policy says quarterly access reviews, your evidence must show four reviews in the observation period. If reality is different, update the policy to match reality — or make reality match the policy.

Related resources

Ready to start?

Free website security check — no obligation, no sales pitch. Delivered as a plain-English findings report in 48 hours.

Request Free Check