SOC 2 compliance checklist

A practical SOC 2 compliance checklist covering Trust Service Criteria selection, control mapping, evidence gathering, auditor engagement, and report issuance - for both Type I and Type II engagements.

Who SOC 2 applies to

Technology service organisations that hold or process customer data and want to demonstrate trust through an independent AICPA-aligned report. SOC 2 is not a regulatory requirement; it is a market-driven standard.

Jurisdiction: US service organisations (global by reciprocal trust). Full name: Service Organization Control 2 (AICPA attestation standards - AT-C 105 and AT-C 205, as amended through SSAE No. 23 effective for engagements beginning on or after 15 December 2025).

The SOC 2 compliance checklist

The high-level cycle. Each item below is the visible head of a fuller process - open it in the editor to flesh out the steps, owners, and decisions your team actually runs.

The PDF includes real fillable form fields - tick each checkbox in your PDF reader and fill in organisation name, owner, and dates. The DOCX is fully editable in Word, Google Docs, or any compatible editor.

  1. Select the Trust Service Criteria - Security (mandatory) plus optional Availability, Confidentiality, Processing Integrity, or Privacy.
  2. Decide between SOC 2 Type I (design at a point in time) or Type II (operating effectiveness over 6–12 months).
  3. Inventory in-scope systems and document the system description per AICPA guidance.
  4. Map controls to the chosen TSC criteria and identify owners for each.
  5. Engage an AICPA-licensed CPA firm and complete a readiness assessment.
  6. Remediate gaps from readiness and operate controls for the audit window (Type II).
  7. Gather evidence throughout the audit window - screenshots, tickets, system reports.
  8. Auditor performs fieldwork: inquiry, inspection, observation, re-performance.
  9. Receive the SOC 2 report - opinion, system description, criteria, controls, tests, results.
  10. Distribute the report under NDA to customers and prospects under your established sharing policy.

SOC 2 as a process map

The end-to-end SOC 2 audit flow. The 6–12 month audit window in the middle is what separates Type II from Type I - and where most readiness programmes underestimate the evidence-collection burden.

SOC 2 compliance readiness and audit

A SOC 2 compliance process rendered as a BPMN 2.0 process map. Covers trust-service-criteria selection, control mapping, evidence gathering, AICPA-licensed CPA engagement, audit fieldwork, and SOC 2 report issuance for Type I or Type II engagements.

  1. Select the trust service criteria - Security (mandatory) plus any of Availability, Confidentiality, Processing Integrity, Privacy.
  2. Map your controls to the AICPA TSC criteria.
  3. Decide between SOC 2 Type I (design at a point in time) or Type II (operating effectiveness over 6–12 months).
  4. Engage an AICPA-licensed CPA firm and run a readiness assessment.
  5. Operate controls and gather evidence over the audit window.
  6. Auditor performs fieldwork and issues the SOC 2 report.

Frequently asked questions

Type I or Type II?

Type I attests to control design at a point in time. Type II attests to operating effectiveness over a period (typically 6–12 months). Customers and procurement teams overwhelmingly expect Type II; Type I is most useful as an interim milestone for first-time auditees.

What are the Trust Service Criteria?

The five TSC are Security (Common Criteria - mandatory), Availability, Confidentiality, Processing Integrity, and Privacy. Most SOC 2 reports cover Security + one or two others depending on the service. Adding more criteria expands scope and audit cost.

How long does SOC 2 readiness take?

For most companies, 3–6 months from readiness assessment to a Type II audit window opening, then 6–12 months of operating before the auditor reports. The operating window cannot be meaningfully compressed, which makes it the single biggest constraint on calendar time.

Is SOC 2 the same as ISO 27001?

Both demonstrate information-security maturity, but they're different artefacts. ISO 27001 is a certification (yes/no, with a 3-year cycle); SOC 2 is an examination performed under the AICPA's attestation standards (AT-C 105/205) producing an opinion plus detailed evidence. Many service organisations carry both - ISO 27001 for European procurement, SOC 2 for North American.

Turn the SOC 2 checklist into a working process

Open the SOC 2 process map, rename the steps to match your organisation, and turn the checklist into a working procedure your team can run year after year.