SOC 2 Guide

Which Policies Do You Need for SOC 2? The Full List

By Johnathan Christopherson · AuditWolf · Updated 2026

A SOC 2 program needs roughly 19 written policies, anchored by an Information Security Policy and covering access control, change management, vendor risk, incident response, and business continuity, each mapped to a Trust Services Criterion. Below is the full list, with one line on what each policy governs and the primary criterion an assessor will test it against. Policies alone don't pass an audit: your assessor samples evidence to confirm you actually operate the controls a policy claims. Treat these as the operating manual for your security program, not shelfware.

What role do policies play in a SOC 2 audit?

Policies are your documented control environment. They tell the assessor what you say you do; evidence proves you do it. During a Type II audit, an assessor picks a control from your policy and then samples records across the review period (quarterly access-review tickets, change tickets with approvals, deprovisioning logs) to confirm the control operated consistently. A policy with no matching evidence is a finding. Evidence with no governing policy is a gap in your control environment.

Most of these policies map to the Common Criteria (the CC series) under the Security category, which every SOC 2 report includes. If your report scopes in Availability, Confidentiality, Processing Integrity, or Privacy, you add criteria such as A1.2 for backups or C1.1 for confidential data handling, but the Security category carries the bulk of the policy load.

The 19 core SOC 2 policies, mapped to Trust Services Criteria

Here is the working list. Each entry states what the policy covers and the primary criterion an assessor will anchor to. References use the AICPA 2017 Trust Services Criteria, revised 2022.

Do you need all 19 policies for every SOC 2?

Not always identical, but close. A Security-only Type I or Type II expects nearly all of these, because the Common Criteria touch access, change, vendors, risk, incidents, monitoring, and personnel regardless of scope. Availability adds weight to your BC/DR and Backup policies (A1.x). Confidentiality sharpens Data Classification, Encryption, and Retention (C1.x). Privacy pulls in additional commitments that usually warrant a dedicated privacy notice and policy beyond this core set.

Smaller startups sometimes merge related policies, folding password requirements into Access Control, or Asset Management into the Information Security Policy. That works as long as the merged document still covers each criterion's points of focus. What does not work is a policy that describes controls you don't run. Assessors sample against every claim, so an aspirational policy generates findings, not credit. Write policies that match how you actually operate, then tighten operations, not the other way around.

How do assessors actually test these policies?

For a Type I, the assessor confirms the policies exist, are approved, and are designed to meet the criteria as of a point in time. For a Type II, they test operating effectiveness across the review period (commonly 3 to 12 months) by sampling. Expect requests like these: pull five terminations and show deprovisioning within your stated SLA; produce the last two quarterly access reviews with sign-off; show change tickets with peer review and approval for a sample of deploys; provide the annual risk assessment and evidence of remediation.

This is why the policy and the evidence trail have to agree. If your Access Control Policy says reviews happen quarterly, four review records had better exist over a one-year period. If your vendor policy requires reviewing subservice organizations' SOC 2 reports, keep those reports and your review notes. A bridge letter covers the gap between a vendor's report date and your audit date. Complementary User Entity Controls (CUECs) listed in your providers' reports are controls you own; note them so you don't assume the cloud covers something it doesn't.

Where the AuditWolf policy pack fits

Writing 19 policies from scratch is where most first-time SOC 2 programs stall. Each one has to be internally consistent, mapped to the right criteria, and describe controls you can actually evidence. The AuditWolf SOC 2 policy pack ships all of these as editable, criteria-mapped templates, so you customize instead of drafting from a blank page and then point your operations at what the documents claim.

The value isn't the Word files; it's the mapping and the realism. Templates that already tie each policy to CC6.1, CC7.x, CC8.1, and the availability and confidentiality criteria save weeks and prevent the classic mistake: a beautiful policy library that doesn't match how the company actually runs.

Skip the blank page

Get all 19 SOC 2 policies — editable, mapped to the Trust Services Criteria and ISO 27001, with a 90-day readiness plan and an evidence index.

Get the SOC 2 Policy Pack — $149

FAQ

How many policies do you need for SOC 2?

Most programs land on roughly 19 core policies, led by the Information Security Policy and covering access, change, vendor risk, incidents, continuity, and personnel. The exact count varies: smaller companies merge related policies (for example, passwords into access control), while scoping in Availability, Confidentiality, or Privacy adds emphasis or a dedicated policy. What matters is that every applicable Trust Services Criterion is addressed by a document you can evidence.

Are SOC 2 policies enough to pass the audit?

No. Policies define your stated controls, but a Type II assessor tests operating effectiveness by sampling evidence across the review period: deprovisioning records, quarterly access reviews, change tickets with approvals, restore tests. A policy without a matching evidence trail is a finding. Write policies that describe what you actually do, then keep the records that prove it.

What's the difference between a SOC 2 policy and a control?

A policy is the written rule ("access is reviewed quarterly"); a control is the activity that enforces it (the actual quarterly review, performed and signed off). Assessors map policies to Trust Services Criteria, then test the underlying controls against your evidence. You need both aligned: the policy sets the expectation and the control produces the proof.

A SOC 2 program needs about 19 policies mapped to Trust Services Criteria, but they only pass an audit when your evidence proves you actually run the controls they describe.