The SOC 2 Readiness Checklist Nobody Hands You
Before you sign with a SOC 2 auditor or compliance platform, work through this checklist. It's the same one we use during pre-audit IT stack reviews.
The Modern Wave team
Notes from the field · Orange County, CA
Your first SOC 2 is mostly a documentation exercise wearing a security costume. The controls aren't exotic — they're the same hygiene a well-run IT team would do anyway. The painful part is that auditors want evidence, on a schedule, with named owners, going back at least three to six months.
Here's the checklist we walk clients through before they engage an auditor or sign up for a compliance automation platform. If you can answer "yes, and here's the artifact" to most of these, you're in good shape. If not, fix these first — it's cheaper than discovering the gap mid-audit.
Access management
- Every employee and contractor has a unique account in every system. No shared logins.
- MFA is enforced on email, SSO, source code, cloud console, and any system holding customer data.
- You can produce a list of every person with admin access to each tier-1 system, dated within the last quarter.
- You have a written offboarding checklist, and it's been followed for every departure in the last six months (with timestamps).
- Access reviews happen on a documented cadence (quarterly is typical) with sign-off from a manager.
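As an added illustration (not tooling from the article or The Modern Wave), here is a Python sketch of the dated evidence record these access-management items ask for: it runs the unique-account, MFA, admin-list and offboarding checks over a constructed identity export. The field names, the one-day offboarding SLA and the review date are assumptions.

```python
from datetime import date

# Constructed identity export for one tier-1 system (not real data). owner=None marks
# a shared login; "left" is the HR departure date, "disabled" when the account was off.
ACCOUNTS = [
    {"login": "alice", "owner": "Alice", "admin": True, "mfa": True, "left": None, "disabled": None},
    {"login": "bob", "owner": "Bob", "admin": False, "mfa": False, "left": None, "disabled": None},
    {"login": "ops-shared", "owner": None, "admin": True, "mfa": True, "left": None, "disabled": None},
    {"login": "carol", "owner": "Carol", "admin": True, "mfa": True, "left": date(2024, 3, 1), "disabled": date(2024, 3, 2)},
    {"login": "dave", "owner": "Dave", "admin": False, "mfa": True, "left": date(2024, 4, 15), "disabled": None},
]
AS_OF = date(2024, 6, 30)  # assumed date of this quarterly review

def active(accounts):
    return [a for a in accounts if a["disabled"] is None]

def shared_logins(accounts):
    """Unique-account control: every active login maps to exactly one person."""
    return sorted(a["login"] for a in active(accounts) if a["owner"] is None)

def missing_mfa(accounts):
    """MFA control: every active login has MFA enabled."""
    return sorted(a["login"] for a in active(accounts) if not a["mfa"])

def admin_roster(accounts):
    """Admin-list control: who holds admin right now (the dated artifact)."""
    return sorted(a["login"] for a in active(accounts) if a["admin"])

def offboarding_gaps(accounts, as_of, sla_days):
    """Offboarding control: departed people disabled within sla_days.
    Returns (login, days_open) for late or still-open deactivations."""
    gaps = []
    for a in accounts:
        if a["left"] is None:
            continue
        days = ((a["disabled"] or as_of) - a["left"]).days
        if a["disabled"] is None or days > sla_days:
            gaps.append((a["login"], days))
    return gaps

def access_review(accounts, as_of, sla_days=1):
    """One dated evidence record; run on the review cadence and keep every copy."""
    findings = {
        "shared_logins": shared_logins(accounts),
        "missing_mfa": missing_mfa(accounts),
        "offboarding_gaps": offboarding_gaps(accounts, as_of, sla_days),
    }
    return {"as_of": as_of.isoformat(), "admins": admin_roster(accounts),
            **findings, "pass": not any(findings.values())}
```

Each saved record is the "operating effectively" evidence an auditor samples; the admin roster alone, dated, satisfies the third item above.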
Endpoint and device security
- Every company device is enrolled in MDM (Jamf, Kandji, Intune, etc.).
- Disk encryption is enforced and verifiable from the MDM dashboard.
- Screen lock policy is pushed via MDM (typically 5–15 minutes).
- Endpoint protection (CrowdStrike, SentinelOne, or built-in equivalents) is installed and reporting.
- You have a process for what happens when a laptop is lost or stolen, and it's been used at least once (or you've tested it).
Vendor and SaaS management
- You have a list of every SaaS app in use, who owns it, what data it touches, and the data classification.
- Critical vendors have a SOC 2 report on file, reviewed annually.
- New vendors go through a documented intake process before procurement.
Change management
- Production code requires pull request review before merge.
- Branch protection is enforced on the main branch (no direct pushes).
- Deployments are logged and traceable to a person and a commit.
- Infrastructure changes follow a similar review process.
Logging and monitoring
- Authentication events are logged for all tier-1 systems and retained for at least 12 months.
- Someone (or a tool) is reviewing logs for anomalies on a regular cadence.
- Critical alerts go to a channel with on-call coverage, not a dead inbox.
Policies and training
- You have written, dated, and approved policies for: information security, acceptable use, access control, incident response, vendor management, and change management.
- Every employee has acknowledged the policies (with a record of the acknowledgement).
- Annual security awareness training has been completed by 100% of employees, with completion records.
Incident response
- You have a written incident response plan that names roles, not just "the team."
- You've run at least one tabletop exercise in the last 12 months and have notes from it.
- Customer notification timelines are documented and align with your contractual obligations.
Backup and recovery
- Production data is backed up on a documented schedule.
- Backups have been restored at least once in the last year (a test counts).
- RTO and RPO are documented and realistic.
The meta-checklist
For every item above, an auditor will ask three questions. Is the control designed? (You have a policy.) Is it implemented? (You have a tool or process.) Is it operating effectively? (You have evidence over time.) Most failed audits are not failures of caring about security; they fail because nobody was capturing evidence for the third question.
Start capturing evidence the day you decide to pursue SOC 2, even if the audit is six months away. The window matters more than the polish.
Want this kind of clarity for your stack?
An IT Stack Audit maps every app, account, and gap.
You get a prioritized fix list — not a 60-page deck nobody reads. Most clients see the first wins inside two weeks.