SOC 2 Compliance Checklist

The SOC 2 audit is based on a set of criteria that are used in evaluating controls relevant to the security,
availability, processing integrity, confidentiality, or privacy of a system.

What system components are evaluated during a SOC 2 audit?

• Infrastructure (physical, IT, or other hardware such as mobile devices)

• Software (application programs and IT system software that supports application

programs, such as OS and utilities)

• People (all personnel involved in the use of the system)

• Processes (all automated and manual procedures)

• Data (transmission streams, files, databases, tables, and output used or processed by a system)

What are your auditors looking for?

• Fairness of the presentation of a description of a service organization’s system relevant to one

or more of the Trust Services Criteria

• Design and operating effectiveness of a service organization’s controls over a system relevant to
one or more of the Trust Services Criteria

What are the Trust Services Criteria?

Security Availability Confidentiality

Processing Integrity Privacy

Compliance Checklist
Do you have a defined organizational
structure?
Designate authorized employees to
develop and implement policies and
procedures
What are your background screening
procedures?
Do you have established workforce conduct
standards?
Do your clients and employees understand
their role in using your system or service?
Are system changes effectively
communicated to the appropriate personnel
in a timely manner?
Perform a Risk Assessment
Have you identified potential threats to
the system?
Have you analyzed the significance of
the risks associated with each threat?
What are your mitigation strategies for
those risks?
Perform regular vendor management
assessments
Develop policies and procedures that
address all controls
Annual policy and procedure review
Do you have physical and logical access
controls in place?
Is access to data, software, functions, and
other IT resources limited to authorized
personnel based on roles?
Restrict physical access to sensitive locations
to authorized personnel only.
Have you implemented an access control
system and implemented monitoring to
identify intrusions?
Develop and test incident response
procedures
Is software, hardware, and infrastructure
updated regularly as necessary?
Do you have a change management process
to address deficiencies in controls?
What are your backup and recovery policies?
How are you addressing environmental risks?
Has your disaster recovery plan been tested
and documented?
How are you ensuring data is being
processed, stored, and maintained
accurately and timely?
How are you protecting confidential
information against unauthorized access,
use, and disclosure?
Do you have a fully documented data
retention policy?