SOC 2 Type II Readiness Checklist

Complete checklist to prepare for your SOC 2 Type II audit. 60+ items organized by TSC category. This free, professionally written template from Proveably is ready to download in multiple formats and customise for your organisation. No account required.

Walk through every major control area for SOC 2 Type II readiness. Organized by Trust Services Criteria with specific action items.

Category: checklist
Format: markdown

Why You Need This SOC 2 Type II Readiness Checklist

A well-documented SOC 2 Type II Readiness Checklist is essential for organisations pursuing compliance certifications and building trust with customers, partners, and auditors. Without formal documentation, your organisation faces several risks:

  • Audit failures — Auditors specifically check for documented policies. A missing or incomplete checklist is one of the most common reasons organisations fail SOC 2, ISO 27001, or other compliance audits.
  • Security gaps — Without clear guidelines, employees and contractors may follow inconsistent security practices, creating vulnerabilities.
  • Regulatory exposure — Many regulations (GDPR, HIPAA, PCI DSS) require documented policies. Non-compliance can result in fines and legal liability.
  • Lost business opportunities — Enterprise customers increasingly require vendors to demonstrate formal security policies before signing contracts.

This Proveably template gives you a professional starting point that covers industry best practices and maps directly to compliance framework requirements.

Compliance Framework Requirements

This template is designed to satisfy requirements from the following frameworks:

SOC 2

This template addresses key SOC 2 control requirements with pre-mapped sections and audit-ready language.

Specifically mapped control codes: CC1.1, CC2.1, CC3.1, CC4.1, CC5.1, CC6.1, CC7.1, CC8.1, CC9.1, A1.1

Template Preview

# SOC 2 Type II Readiness Checklist

Use this checklist to assess your readiness before engaging an auditor. Check each item as you implement it.

---

## CC1 — Control Environment

- [ ] Information security policy documented and approved
- [ ] Organizational chart with security responsibilities defined
- [ ] Code of conduct / ethics policy published
- [ ] Board/management oversight of security program documented
- [ ] Security awareness training program implemented
- [ ] Annual training completion tracked

## CC2 — Communication & Information

- [ ] Internal security communication channels established (Slack, email)
- [ ] External communication procedures documented (customer notifications)
- [ ] System boundaries and data flows documented
- [ ] Privacy notice published and accessible
- [ ] Whistleblower / anonymous reporting channel available

## CC3 — Risk Assessment

- [ ] Risk assessment methodology defined
- [ ] Risk register created and populated
- [ ] Risk scoring criteria established (likelihood × impact)
- [ ] Risk owners assigned
- [ ] Quarterly risk review process documented
- [ ] Third-party risk included in assessment

## CC4 — Monitoring Activities

- [ ] Continuous monitoring tools deployed (vulnerability scanner, SIEM)
- [ ] Key metrics and KPIs defined
- [ ] Alerting thresholds configured
- [ ] Monthly security review meetings scheduled
- [ ] Control effectiveness measured periodically

## CC5 — Control Activities

- [ ] Logical access controls implemented (RBAC)
- [ ] Change management process documented and followed
- [ ] Configuration management standards defined
- [ ] Segregation of duties enforced for critical functions
- [ ] Technology controls map to control objectives

## CC6 — Logical & Physical Access

- [ ] Multi-factor authentication enforced (all users)
- [ ] Password policy enforced (complexity, rotation)
- [ ] SSO configured for all SaaS applications
- [ ] Quarterly access reviews conducted
- [ ] Least-privilege principle documented and verified
- [ ] Onboarding/offboarding access checklists in use
- [ ] Encryption at rest enabled (all databases, backups)
- [ ] Encryption in transit enforced (TLS 1.2+)
- [ ] Physical access controls (office/datacenter) documented

## CC7 — System Operations

- [ ] Vulnerability scanning running (weekly minimum)
- [ ] Penetration testing completed (annual)
- [ ] Incident response plan documented and tested
- [ ] Log aggregation and monitoring in place
- [ ] Alert triage and escalation procedures defined
- [ ] Endpoint protection (EDR) deployed on all devices

## CC8 — Change Management

- [ ] Change management policy documented
- [ ] All code changes require PR with review
- [ ] Branch protection enabled on main branches
- [ ] CI/CD pipeline with automated testing
- [ ] Deployment procedures documented
- [ ] Rollback procedures tested

## CC9 — Risk Mitigation

- [ ] Vendor management program established
- [ ] Vendor risk assessments completed for critical vendors
- [ ] Business associate / DPA agreements in place
- [ ] Insurance coverage reviewed (cyber liability, E&O)

## A1 — Availability

- [ ] RTO/RPO targets defined
- [ ] Backup strategy documented and tested
- [ ] Disaster recovery plan documented
- [ ] DR testing conducted (quarterly recommended)
- [ ] Uptime monitoring and status page operational

---

### Scoring

- **90-100%** checked: Likely audit-ready
- **70-89%** checked: Close — address remaining gaps
- **50-69%** checked: Significant work remaining
- **< 50%** checked: Early stages — prioritize P0 items

---

*Last updated: [Date]*
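As an added example (not part of the Proveably template), the following Python script parses a checklist written in the preview's markdown format, lists the unchecked items per section and applies the scoring bands above; the excerpt in `CHECKLIST` is constructed, with a few items marked done.

```python
"""Score a SOC 2 readiness checklist kept in the template's markdown format.

Added example: parses '## ' section headers and '- [ ]' / '- [x]' items,
reports open gaps per section and applies the template's scoring bands.
"""
import re

# Constructed sample in the template's format (three of five items done).
CHECKLIST = """\
## CC6 — Logical & Physical Access
- [x] Multi-factor authentication enforced (all users)
- [ ] Password policy enforced (complexity, rotation)
- [x] Encryption in transit enforced (TLS 1.2+)
## CC8 — Change Management
- [x] Branch protection enabled on main branches
- [ ] Rollback procedures tested
"""

SECTION_RE = re.compile(r"^##\s+(.+?)\s*$")
ITEM_RE = re.compile(r"^-\s+\[([ xX])\]\s+(.+?)\s*$")

# Scoring bands from the template, as (lower bound in percent, label).
BANDS = [(90, "Likely audit-ready"), (70, "Close - address remaining gaps"),
         (50, "Significant work remaining"), (0, "Early stages - prioritize P0 items")]

def parse_checklist(text):
    """Return {section: [(item, done), ...]} in document order."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif (m := ITEM_RE.match(line)) and current is not None:
            sections[current].append((m.group(2), m.group(1) != " "))
    return sections

def score(sections):
    """Overall percentage complete (rounded down) and the template's band label."""
    done_flags = [done for entries in sections.values() for _, done in entries]
    if not done_flags:
        return 0, BANDS[-1][1]  # nothing evidenced yet: lowest band
    pct = 100 * sum(done_flags) // len(done_flags)
    return pct, next(label for floor, label in BANDS if pct >= floor)

def open_gaps(sections):
    """Unchecked items grouped by section: the remaining to-do list."""
    return {s: [i for i, done in entries if not done]
            for s, entries in sections.items() if not all(d for _, d in entries)}

if __name__ == "__main__":
    parsed = parse_checklist(CHECKLIST)
    pct, band = score(parsed)
    print(f"{pct}% complete: {band}")
    for section, gaps in open_gaps(parsed).items():
        print(section, "->", "; ".join(gaps))
```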

Frequently Asked Questions

What is a SOC 2 Type II Readiness Checklist?

A SOC 2 Type II Readiness Checklist is a complete checklist for preparing for your SOC 2 Type II audit, with 60+ items organized by Trust Services Criteria (TSC) category. It provides a structured framework for organisations to document and enforce security and compliance requirements.

Is this template free?

Yes. Proveably provides this SOC 2 Type II Readiness Checklist template completely free of charge. You can download it in Markdown, PDF, Word, Excel, or plain text format, and no account is required.

Which compliance frameworks does it cover?

This checklist is mapped to SOC 2. It includes the specific control references and requirements needed to satisfy auditor expectations for this framework.

How do I use this template?

Download the template in your preferred format, then customise the bracketed placeholder sections with your organisation's specific details. Review it with your security team or compliance officer, get management approval, and distribute it to relevant staff. Proveably recommends reviewing and updating this checklist at least annually.

Can I customise it for my organisation?

Absolutely. This template is designed as a starting point. All sections should be tailored to your organisation's size, industry, and specific compliance requirements. The placeholder text indicates sections that require customisation.
