The SOC 2 Compliance Checklist
Every SOC 2 journey runs the same six phases: scope the system, assess the gaps, remediate and document, operate the controls through the review period, undergo the CPA examination, and maintain the report year after year. This page is that checklist — each phase broken into the concrete steps it actually contains.
Sequence is most of the game: the expensive first-audit mistakes are ordering mistakes — buying a platform before scoping, or opening the review period before controls actually operate. Work the list top to bottom.
Plain-English checklist · Scope-dependent, not one-size · Last reviewed July 2026
A SOC 2 compliance checklist is the sequenced set of steps that takes an organization from its first scoping conversation to holding a report: define the scope, assess the gaps, remediate and document, operate controls through the review period, undergo the CPA examination, and maintain the report annually. The rest of this page is that checklist, phase by phase. It assumes you already know what SOC 2 is and why a customer is asking for it; it does not assume a platform, a consultant, or any particular company size. One honesty note before the list: the checklist is scope-dependent. A single-product SaaS company pursuing Security-only moves through it very differently from a multi-entity platform adding Availability and Confidentiality — which is why total-duration promises are meaningless. Readiness typically takes a few months, and a Type 2 then adds the review-period window you choose (the SOC 2 timeline guide walks through how those pieces stack).
Phase 1 · Weeks, not months
Define the Scope
Everything downstream — the criteria you are tested against, the controls you need, the cost, the length of the examination — is set by a handful of scoping decisions. They deserve focused attention, not paralysis: scoping is a matter of weeks.
- Pull the commitments you have already made: customer contracts, SLAs, and answered security questionnaires. They are the ground truth for every scoping decision that follows.
- Choose your Trust Services Categories. Security (the Common Criteria) is mandatory in every SOC 2; add Availability, Confidentiality, Processing Integrity, or Privacy only where those commitments actually demand them — each extra category adds criteria to be tested.
- Define the system boundary: which products, environments, infrastructure, data flows, and teams sit inside the report — and, just as explicitly, what stays out.
- Identify your subservice organizations — the cloud provider, the payment processor, the managed SOC — and make the carve-out vs. inclusive decision deliberately, because it changes what gets tested and what your customers must verify themselves.
- Decide Type 1 vs Type 2 and, for a Type 2, pick the target review period your customers will accept.
- Assign a single internal owner with real authority — someone who can chase evidence across engineering, HR, and IT without escalating every request.
- Socialize scope and budget with leadership before work starts; the SOC 2 cost guide shows which scoping choices move the number most.
Phase 2 · Readiness
Assess the Gaps
A readiness (gap) assessment compares what you actually do today against what the Trust Services Criteria expect. Done honestly, it converts a vague sense of dread into a work plan.
- Run a readiness assessment against the criteria for every category in scope — internally or with outside help, but in writing either way.
- Inventory the controls you already operate. Most companies run more real controls than they have documented; the gap is often paperwork, not practice.
- List the missing policies. The usual set: information security, access control, change management, incident response, vendor management, business continuity and disaster recovery, and data classification and retention.
- Map your system against the DC section 200 description criteria — the elements your system description must cover — so nothing surfaces for the first time during fieldwork.
- Turn every gap into a remediation line with a named owner and a date. A gap list without owners is a wish list.
Prefer this as a worksheet? Download the SOC 2 readiness assessment — the same phase structure as this page, in a format you can score your own environment against.
If a customer deal is driving the timeline, this is also the phase where you can start answering questionnaires credibly: a written gap assessment plus a dated, owned remediation plan is an honest and usually acceptable interim answer while the report itself is in flight.
Phase 3 · Build
Remediate and Document
Usually the longest phase for first-timers. Two tracks run in parallel: implementing the controls that don’t exist yet, and writing down the ones that do.
- Close the technical gaps: MFA on everything that matters, scheduled access reviews, centralized logging and alerting, vulnerability management, change-control gates in the SDLC, formal onboarding and offboarding, security awareness training, and backups with tested disaster recovery.
- Write — and get management to formally approve — the policies from your gap list. An unapproved draft in a shared drive is not a policy.
- Stand up evidence collection, whether a compliance platform or a disciplined folder-and-calendar system. What matters is that evidence is generated as controls operate, not assembled later.
- Document the complementary user entity controls (CUECs) you will place on customers — the things your controls assume they do on their side.
- Put vendor management into practice, not just on paper: collect and review the SOC reports (or equivalent assurance) of your critical vendors and subservice organizations, and record the review.
- Draft the system description now, while the decisions are fresh. It is the longest document in the report and the easiest to underestimate.
Phase 4 · Type 2 only
Operate Through the Review Period
A Type 1 stops at design — controls examined as at a point in time. A Type 2 tests operation across a review period, typically 3 to 12 months, and this phase is that window running in real life. How long a window to choose, and what it does to your overall calendar, is covered in the SOC 2 timeline.
- Run every in-scope control on its stated schedule for the full period. A quarterly access review means one per quarter, on the calendar, with a record.
- Keep evidence flowing as events happen: incidents documented when they occur, changes approved before deployment, offboarding completed — and ticketed — on the leaver’s last day.
- Review control performance mid-period. A lapsed control found in month two is a fixable blip; the same lapse discovered during fieldwork is an exception in the report.
- Resist the audit-time cleanup instinct. There is no “we’ll fix it at audit time” in a Type 2 — the period itself is what gets audited.
- Log the misses honestly. A documented, remediated deviation reads far better in a report than one the auditor finds first.
When a control does fail mid-period — a review skipped during a crunch, an alert channel that went quiet — the playbook is: document what happened, remediate, and note the compensating checks. The auditor will likely see it anyway; what you control is whether they also see a functioning process around it.
Phase 5 · The examination
Undergo the Examination
A SOC 2 is an attestation engagement that only a licensed CPA firm can perform — who can perform a SOC 2 audit covers the full independence picture. Engage the firm early, ideally before the review period opens, so scope surprises surface while they are still cheap to fix.
- Select the CPA firm on independence, peer-review standing, and relevant experience — not just price and turnaround time.
- Expect fieldwork in three motions: walkthroughs of the system, sampled evidence requests against each control, and follow-up questions where the records run thin. Assign one point of contact to keep requests moving.
- Respond to exceptions with context and remediation, not argument. How exceptions land in the report — and what a qualified opinion means — is covered in opinions and exceptions.
- Sign the management assertion and the representation letter. Management, not the auditor, formally asserts that the description is accurate and the controls were effective.
- Review the draft before issuance: the system description, the exception wording, and any management responses you are entitled to include.
- When the report lands, read it the way your customers will — how to read a SOC 2 report shows what sophisticated reviewers check first.
If phases 1 through 4 were done in order, the examination is mostly logistics rather than drama: the walkthroughs describe a system that matches the description, and the samples pull evidence that already exists. Fieldwork gets adversarial only when the earlier phases were skipped and the audit becomes the place where gaps surface for the first time.
Phase 6 · Every year after
Maintain It Annually
A SOC 2 report describes a period that has already ended, so its shelf life is short and the cycle is annual. The organizations that find year two easy are the ones that never stopped doing phase 4.
- Set the re-examination cadence: the next review period typically starts the day after the last one ends, so coverage stays continuous.
- Issue bridge letters for the months between your period end and a customer’s fiscal year-end — management-signed, no audit assurance, kept short.
- Watch for control drift: new hires who skipped training, access reviews that quietly slipped, alerts nobody triages. Drift caught early is maintenance; drift caught in fieldwork is an exception.
- Update the system description when the system materially changes — new products, new infrastructure, new subservice organizations.
- Re-confirm scope each cycle. Customer commitments evolve, and the category set that was right for the first report may not be right for the third.
Watch-outs
Where First Audits Go Wrong
A checklist tells you what to do; it is worth knowing how it usually goes wrong. Five failure modes account for most of the painful first audits we see, and every one of them is a sequencing or scoping error rather than a technical one:
- Choosing every Trust Services Category “to look thorough.” Each category adds criteria, controls, and cost. Security alone is the right first scope for many companies — categories can be added in later cycles.
- Starting the review period before controls actually operate. If MFA went live in month two of a twelve-month period, the auditor tests eleven months of coverage — a self-inflicted exception.
- Creating evidence retroactively. Auditors compare timestamps, ticket histories, and log dates; backfilled records are at best exceptions and at worst the end of the engagement.
- Treating the compliance-platform dashboard as the audit. Green checkmarks are inputs the CPA firm tests independently — a 100% dashboard and a clean opinion are not the same thing.
- Forgetting subservice organizations until the description is drafted. The carve-out decision changes what you test and what your customers must verify — settle it in phase 1, not phase 5.
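Phase 4 above asks for every in-scope control to run on its stated schedule, for a mid-period review that catches a lapsed control while it is still a fixable blip, and for evidence generated as controls operate; the "creating evidence retroactively" and "starting the review period before controls operate" watch-outs describe what the auditor's timestamp comparison finds when that is skipped. The script below is an added example, not code from the original page or from Tranquility Cybersecurity: it takes a constructed set of controls, cadences and evidence records for a hypothetical 12-month review period and reports, for any cut-off date, which cadence windows closed without evidence, which records were written up long after the activity they claim to document, and how much of the period a late-going-live control leaves uncovered. Control names, the 14-day backfill grace period and the first-of-month period start are assumptions made for the illustration.

```python
"""Coverage check for controls operating through a SOC 2 Type 2 review period.

Added example for this page, not code from the original checklist. The control
names, cadences and evidence records below are constructed to illustrate the
Phase 4 steps and the "evidence created retroactively" watch-out.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    control_id: str
    cadence_months: Optional[int]      # None = continuous control (e.g. MFA enforcement)
    live_from: Optional[date] = None   # None = operating from day one of the period


@dataclass
class Evidence:
    control_id: str
    performed_on: date   # date the control activity is claimed to have happened
    recorded_on: date    # system timestamp of the record (what the auditor compares)


@dataclass
class Finding:
    control_id: str
    missed_windows: List[Tuple[date, date]] = field(default_factory=list)
    backfilled: List[Evidence] = field(default_factory=list)
    uncovered_days: int = 0   # days of the period before the control went live


def add_months(d: date, n: int) -> date:
    """First day of the month n months after d's month."""
    years, month0 = divmod(d.month - 1 + n, 12)
    return date(d.year + years, month0 + 1, 1)


def expected_windows(period_start: date, period_end: date, cadence_months: int) -> List[Tuple[date, date]]:
    """Consecutive calendar windows in which the control must produce evidence.
    Assumes (as this example does) that the period starts on the first of a month."""
    windows, start = [], period_start
    while start <= period_end:
        next_start = add_months(start, cadence_months)
        windows.append((start, min(next_start - timedelta(days=1), period_end)))
        start = next_start
    return windows


def check_controls(controls, evidence, period_start, period_end, as_of=None, backfill_grace_days=14):
    """Judge every window that has closed by `as_of` (default: the whole period).

    A closed window with no evidence performed inside it is a miss. A record created
    more than `backfill_grace_days` after the activity it documents is flagged as a
    likely backfill. Days before a control's go-live date count as uncovered."""
    as_of = as_of or period_end
    findings: Dict[str, Finding] = {}
    for control in controls:
        # Only records that existed by the cut-off date are visible at that date.
        records = [e for e in evidence
                   if e.control_id == control.control_id and e.recorded_on <= as_of]
        live_from = control.live_from or period_start
        finding = Finding(control.control_id, uncovered_days=max(0, (live_from - period_start).days))
        if control.cadence_months:
            for win_start, win_end in expected_windows(period_start, period_end, control.cadence_months):
                if win_end > as_of:
                    break        # window still open: nothing to judge yet
                if win_end < live_from:
                    continue     # before go-live: already counted as uncovered days
                if not any(win_start <= e.performed_on <= win_end for e in records):
                    finding.missed_windows.append((win_start, win_end))
        finding.backfilled = [e for e in records
                              if (e.recorded_on - e.performed_on).days > backfill_grace_days]
        findings[control.control_id] = finding
    return findings


def summary(findings, period_days: int) -> List[str]:
    """One human-readable line per control."""
    lines = []
    for f in findings.values():
        coverage = 100 * (period_days - f.uncovered_days) / period_days
        lines.append(f"{f.control_id}: {len(f.missed_windows)} missed window(s), "
                     f"{len(f.backfilled)} backfilled record(s), {coverage:.0f}% of period covered")
    return lines


# --- constructed sample: a 12-month period, three controls, their evidence ---
PERIOD_START, PERIOD_END = date(2026, 1, 1), date(2026, 12, 31)
PERIOD_DAYS = (PERIOD_END - PERIOD_START).days + 1
CONTROLS = [
    Control("access-review", cadence_months=3),                                   # quarterly
    Control("vuln-scan", cadence_months=1),                                       # monthly
    Control("mfa-enforcement", cadence_months=None, live_from=date(2026, 2, 1)),  # went live in month two
]


def _ev(control_id: str, performed: date, recorded: Optional[date] = None) -> Evidence:
    return Evidence(control_id, performed, recorded or performed)


EVIDENCE = [
    _ev("access-review", date(2026, 3, 20)),
    _ev("access-review", date(2026, 6, 25)),
    _ev("access-review", date(2026, 9, 29), recorded=date(2026, 11, 14)),  # written up 46 days late
    # monthly scans: May and July have no record at all; Q4 access review never happened
] + [_ev("vuln-scan", date(2026, m, 15)) for m in (1, 2, 3, 4, 6, 8, 9, 10, 11, 12)]


if __name__ == "__main__":
    print("Mid-period review as of 2026-06-30:")
    mid = check_controls(CONTROLS, EVIDENCE, PERIOD_START, PERIOD_END, as_of=date(2026, 6, 30))
    print("\n".join(summary(mid, PERIOD_DAYS)))
    print("Full period:")
    print("\n".join(summary(check_controls(CONTROLS, EVIDENCE, PERIOD_START, PERIOD_END), PERIOD_DAYS)))
```

Run mid-period (as of 30 June) the check surfaces the missed May scan while it can still be remediated and documented; run over the full period it also reports the skipped July scan, the missing Q4 access review, the September review record that was only created in November, and the 31 days of the period before MFA enforcement went live. Those four findings are exactly the kinds of item that otherwise surface for the first time during fieldwork.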
SOC 2 Checklist — Common Questions
First steps, timelines, evidence requests, and what happens after the report.
What is a SOC 2 compliance checklist?
It is the ordered set of steps an organization works through to obtain and keep a SOC 2 report: define the scope (Trust Services Categories, system boundary, report type), assess gaps against the Trust Services Criteria, remediate and document controls, operate them through the review period, undergo the examination by a licensed CPA firm, and maintain the cycle annually. The value is in the sequence — most items are cheap to do in order and expensive to do late.
What is the first step toward SOC 2?
Scoping — before tooling, before policies, before choosing an auditor. Decide which Trust Services Categories your customer commitments actually require (Security is always included), what system boundary the report covers, whether key vendors are carved out, and whether you need a Type 1 or a Type 2 first. Every later step inherits those decisions, and re-scoping mid-project is the most expensive way to make them.
How long does SOC 2 compliance take?
It depends on scope and starting maturity, so treat any fixed number with suspicion. Readiness — scoping, gap assessment, and remediation — typically takes a few months, and for a Type 2 the review period then adds whatever window you choose, commonly 3 to 12 months, plus examination and reporting time at the end. A company with mature controls pursuing Security-only moves much faster than one building controls from scratch across several categories.
Do we need a consultant, or can we do SOC 2 ourselves?
Both paths work. DIY is realistic when someone internal has audit experience, genuine bandwidth, and authority across teams — the criteria are published and this checklist is the map. A consultant earns their fee when nobody in-house has been through an audit, when a deal is waiting on the report, or when the scoping calls are not obvious. Either way, the examination itself must be performed by a licensed CPA firm: Tranquility Cybersecurity supports readiness and delivers examinations through empanelled independent licensed CPA firms, with the two roles kept properly separate.
What evidence do auditors ask for in a SOC 2 audit?
Expect samples, not everything: access-review records, onboarding and offboarding tickets for people who joined or left during the period, change tickets with approvals for sampled deployments, incident records, vulnerability-scan and remediation history, training completions, backup and restore test results, vendor-review records, and the approved policies themselves. For a Type 2 the samples are drawn from across the review period — which is why evidence generated on schedule, rather than reconstructed later, is the biggest single determinant of smooth fieldwork.
Can we start the audit before our controls have operated?
You can — and should — engage the CPA firm early, but a Type 2 cannot attest to a period in which controls were not operating. If controls go live partway through the review period, the report will show it, either as exceptions or as a window that starts later than you wanted. The honest options are a Type 1 first (design as at a point in time) or waiting until controls have genuinely run before opening the Type 2 period.
What happens after the first SOC 2 report?
The cycle repeats: the next review period typically begins immediately after the last one ends, so coverage stays continuous, and re-examination becomes an annual rhythm. In between, customers may ask for bridge letters covering the months after the period end, and your job is mostly drift control — keeping reviews on schedule, evidence flowing, and the system description current as the product changes. Year two is dramatically easier than year one if phase 4 never actually stopped.
Related reading: the Learn hub, What Is SOC 2?, Type 1 vs Type 2, the SOC 2 timeline, the cost guide, and SOC 2 services. More terms in the compliance glossary.
Written By Expert Auditors