SOC 2 Guide

SOC 2 Compliance Checklist (Step by Step)

By Johnathan Christopherson · AuditWolf · Updated 2026

A SOC 2 compliance checklist runs in six phases: define your scope and Trust Services Criteria, adopt the roughly 19 policies assessors expect to see, turn on core controls like MFA and logging, collect evidence, run a readiness assessment, then engage a licensed CPA firm for the examination. Working them in that order keeps a first-time effort from stalling, because each phase produces the artifacts the next one depends on. This guide sequences the work the way a practitioner runs it, with the specific controls and criteria references assessors actually test. It assumes you are a founder, first security hire, or vCISO who needs to reach an audit-ready state without wasted motion.

What is the first step in a SOC 2 checklist?

Define your scope before you touch a single control. Scope has two parts: the system boundary (which product, environment, and supporting infrastructure the report covers) and which of the five Trust Services Criteria you include. Every SOC 2 report includes Security, the Common Criteria (the CC-series), because it is mandatory. Availability, Confidentiality, Processing Integrity, and Privacy are optional, and you add them only when a customer contract or your data profile justifies the extra evidence burden.

Most SaaS companies scope Security plus Availability and Confidentiality for their first report, and leave Processing Integrity and Privacy out until a deal forces the issue. Adding criteria you cannot support with real controls is the most common way teams inflate their own timeline. Write the scope down in one paragraph and get your prospective assessor to sanity-check it before you build anything.

Which policies does SOC 2 require?

SOC 2 does not hand you a fixed policy list, but assessors consistently expect roughly 19 written policies that map to the Common Criteria. These are the documented management assertions behind your controls, and CC1 through CC5 (control environment, communication and information, risk assessment, monitoring activities, and control activities) are largely evidenced through them. Auto-generated boilerplate that nobody follows is worse than none, because the assessor will ask for evidence that the policy is operating and you will have nothing to show.

Write or adopt each policy, assign an owner, and get formal management approval with a date. Then make day-to-day practice match what the document says, since a Type II examination tests operation over time, not just the existence of the PDF.

What core controls do I need to turn on?

This is where the checklist meets reality. The CC6 criteria (logical and physical access) and CC7 (system operations) drive most of the technical controls an assessor samples, so implement these first and let them run long enough to generate evidence. CC6.1 covers restricting logical access, and CC7.4 covers responding to security incidents, to name two the assessor will test directly.

Turn on enforced MFA across all admin and production access, and apply least privilege so engineers hold only the entitlements their role needs. Run access reviews at least quarterly and keep the signed results. Encrypt data at rest and in transit; the criteria do not prescribe algorithms, but AES-256 at rest and TLS 1.2 or higher in transit are what assessors expect to see, and a stated standard you can prove you meet is what they test. Enable centralized logging and alerting, and retain logs for at least 90 days (many teams keep a year when Availability is in scope). Tie access provisioning and deprovisioning to a ticketed joiner/mover/leaver workflow so terminations are revoked within your stated SLA, typically 24 hours, and so every revocation leaves a timestamp you can sample later.

How do I collect evidence and run a gap assessment?

Evidence is the proof each control operated during the period, not a description of it. Collect screenshots, config exports, ticket samples, access-review sign-offs, and log samples, and organize them by criterion so an assessor can trace a control to its artifact. A Type I evaluates control design as of a single date; a Type II tests operating effectiveness throughout a period, usually three to twelve months, so capture evidence continuously rather than scrambling at the end.
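The checks an assessor samples for the controls above (MFA on admin accounts, deprovisioning within SLA, quarterly access reviews, log retention) can be run by you first, against the same exports you will later hand over as evidence. The script below is an added example written for this guide, not code from AuditWolf or any compliance platform. It runs over constructed sample data: the account list, termination records, review dates, field names, and the mapping of each check to a CC criterion are all assumptions for illustration, and you would replace them with your identity provider's export and your HR system's termination feed.

```python
"""Sample-and-flag check of four core SOC 2 controls over constructed exports.

Added example, not vendor or platform code. All inputs below are constructed;
field names (user, roles, mfa, active, terminated_at, revoked_at) and the
criterion labels are assumptions for this illustration.
"""
from datetime import date, datetime, timezone

# Constructed identity-provider export (assumed shape).
ACCOUNTS = [
    {"user": "alice", "roles": ["admin"], "mfa": True, "active": True},
    {"user": "bob", "roles": ["admin"], "mfa": False, "active": True},      # admin, no MFA
    {"user": "carol", "roles": ["engineer"], "mfa": True, "active": True},
    {"user": "dave", "roles": ["engineer"], "mfa": True, "active": True},   # terminated, still active
]
# Constructed HR termination feed; erin was revoked in 6 hours, dave never was.
TERMINATIONS = [
    {"user": "dave", "terminated_at": "2026-03-01T09:00:00Z"},
    {"user": "erin", "terminated_at": "2026-03-02T09:00:00Z",
     "revoked_at": "2026-03-02T15:00:00Z"},
]
ACCESS_REVIEWS = ["2025-09-15", "2025-11-20"]   # dates of signed access reviews
LOG_RETENTION_DAYS = 30                          # current SIEM retention setting
AS_OF = datetime(2026, 3, 5, tzinfo=timezone.utc)  # date the sample is taken


def _parse_ts(s):
    """Parse an ISO-8601 UTC timestamp; tolerate the trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def admins_without_mfa(accounts):
    """CC6.1: every active account holding an admin role must have MFA enforced."""
    return sorted(a["user"] for a in accounts
                  if a["active"] and "admin" in a["roles"] and not a["mfa"])


def deprovisioning_exceptions(terminations, accounts, as_of, sla_hours=24):
    """CC6.3: access revoked within the stated SLA after termination.

    A termination with no revoked_at whose account is still active is measured
    against as_of, so the exception keeps growing until someone revokes it.
    A termination with no revoked_at and an inactive account has no evidence
    of when revocation happened, which is itself an exception (hours=None).
    """
    still_active = {a["user"] for a in accounts if a["active"]}
    out = []
    for t in terminations:
        term = _parse_ts(t["terminated_at"])
        if "revoked_at" in t:
            end = _parse_ts(t["revoked_at"])
        elif t["user"] in still_active:
            end = as_of
        else:
            out.append((t["user"], None))
            continue
        hours = (end - term).total_seconds() / 3600
        if hours > sla_hours:
            out.append((t["user"], round(hours, 1)))
    return out


def days_since_last_review(review_dates, as_of):
    """CC6.2: quarterly access review. Returns days since the latest signed review."""
    latest = max(date.fromisoformat(d) for d in review_dates)
    return (as_of.date() - latest).days


def log_retention_ok(retention_days, minimum_days=90):
    """CC7.2: centralized logs retained for at least the stated minimum."""
    return retention_days >= minimum_days


def run_checks(accounts, terminations, review_dates, retention_days, as_of):
    """Return findings keyed by criterion; an empty dict means no exceptions in this sample."""
    findings = {}
    if (no_mfa := admins_without_mfa(accounts)):
        findings["CC6.1"] = [f"admin without MFA: {u}" for u in no_mfa]
    if (late := deprovisioning_exceptions(terminations, accounts, as_of)):
        findings["CC6.3"] = [
            f"{u}: no revocation timestamp" if h is None
            else f"{u}: access open {h}h after termination (SLA 24h)"
            for u, h in late]
    if (gap := days_since_last_review(review_dates, as_of)) > 92:
        findings["CC6.2"] = [f"last access review {gap} days ago (quarterly expected)"]
    if not log_retention_ok(retention_days):
        findings["CC7.2"] = [f"log retention {retention_days} days (< 90)"]
    return findings


if __name__ == "__main__":
    for criterion, items in run_checks(ACCOUNTS, TERMINATIONS, ACCESS_REVIEWS,
                                       LOG_RETENTION_DAYS, AS_OF).items():
        for item in items:
            print(criterion, item)
```

Run it on the sample and it reports four exceptions: bob holds admin without MFA, dave's access has been open 87 hours past termination, the last access review is 105 days old, and logs are kept for 30 days. Each finding carries the criterion it maps to, so the same output doubles as the index you file the corrective ticket and its evidence under. The point of measuring an unrevoked termination against the sample date rather than skipping it is that a missing timestamp is missing evidence, which is exactly how an assessor will treat it.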

Then run a readiness (gap) assessment against the full Common Criteria, either internally or with a consultant. This is a rehearsal of the real examination: you map every criterion to a control and an artifact, flag the gaps, and remediate before a CPA sees them. Finding a missing quarterly access review yourself costs a day; finding it as an exception in your final report means a documented control deviation your customers read, and enough material exceptions can push the auditor toward a qualified opinion. A free SOC 2 checklist is a fine way to structure this pass, and a paid policy-and-evidence pack shortcuts the document-heavy phases if you would rather not write 19 policies from scratch.

When do I engage the CPA firm?

Only a licensed CPA firm can issue a SOC 2 report, so engage one after your readiness assessment is clean, not before. Selecting the assessor early for a kickoff conversation is smart, but the formal examination should start once controls are operating and evidence is flowing. For a Type II, the assessor observes your controls across the full audit period, so a premature start just means more exceptions on paper.

Expect the assessor to request a description of your system, sample your evidence, and review any subservice organizations you rely on. Your system description states whether each subservice organization is carved out (the usual choice, where its controls are excluded from your report and covered by its own) or included. When a vendor like your cloud provider carries controls on your behalf, you lean on their SOC 2 report and a bridge letter to cover the gap between their report date and yours. Watch for Complementary User Entity Controls (CUECs) in those reports: they are the controls the vendor assumes you operate, and your assessor will check that you actually do.

Skip the blank page

Get all 19 SOC 2 policies — editable, mapped to the Trust Services Criteria and ISO 27001, with a 90-day readiness plan and an evidence index.

Get the SOC 2 Policy Pack — $149

FAQ

How long does the SOC 2 checklist take to complete?

Reaching an audit-ready state typically takes two to four months for a focused team, covering scoping, policies, control implementation, and a gap assessment. A Type I examination then completes in a few weeks against a single date. A Type II adds the observation period on top, usually three to twelve months, because the assessor must watch your controls operate over time before issuing the report.

Do I need a Type I or Type II report first?

Many companies start with a Type I to prove controls are designed correctly at a point in time, then follow with a Type II that proves they operated effectively over a period. If your customers only accept a Type II, you can skip Type I and go straight to a shorter observation window, often three months, to get a first report faster. The right choice depends on what your sales pipeline actually requires.

Can I complete a SOC 2 audit without a CPA firm?

No. A SOC 2 examination must be performed by an independent, state-licensed CPA firm under the AICPA's attestation standards (SSAE 18), and only that firm can issue the report. Compliance-automation platforms and consultants can prepare you and manage evidence, but they cannot sign the opinion. Budget for the CPA engagement separately from any tooling or readiness work, and select the firm before your examination period begins.

Work the SOC 2 checklist in order: scope and criteria, then policies, then controls, then evidence, then a gap assessment, then the CPA examination. Each phase produces the artifacts the next one needs, so skipping ahead is what causes first-time efforts to stall.