SOC2Scout

SOC2 Readiness Checklist 2026: 65 Controls Across 10 Domains

Use this checklist to assess your organization's SOC2 readiness before engaging an auditor. Work through each domain, note gaps, and use the time-to-remediate estimates to build a realistic preparation timeline. Download the printable PDF with scoring rubric below.

Updated: March 2026

This checklist groups its items into 10 control domains: Access Control, Change Management, Risk Assessment, Monitoring & Detection, Incident Response, Vendor Management, Business Continuity, Data Handling, Security Training, and Physical Security. The domains are this checklist's own grouping, not a structure the standard defines; each domain heading carries the AICPA Trust Services Criteria reference its items map to (CC-series common criteria, A1 for Availability, C1 for Confidentiality). Items still marked as gaps when fieldwork starts are the findings your auditor will most likely write up, so address them first.

10 control domains | 65+ checklist items | 224 hours to remediate all gaps

Free download: the full printable PDF checklist

Includes scoring rubric (Ready / Partial / Not Started) and time-to-remediate estimates for each gap. Printable format for internal use or sharing with your auditor during kickoff.

DOMAIN 01 (CC6.x)

Access Control

MFA enforced for all users with access to production systems
Offboarding removes access within 24 hours of termination (IdP, cloud consoles, VPN, code hosting and any shared credentials the leaver knew, which are rotated rather than left in place)
Quarterly user access reviews documented with approvals
Privileged access (admin/root) limited to named individuals
Service accounts inventoried and reviewed annually
Password policy documented and technically enforced (the TSC prescribe no specific rule; this checklist's baseline is 12+ characters with complexity and rotation defined in policy, but note that NIST SP 800-63B advises against composition rules and forced periodic rotation, so whichever standard you adopt, be ready to show the IdP setting that enforces it)
SSH keys and API keys rotated at least annually
Role-based access control implemented and documented
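The first five items above can be checked mechanically from exports your IdP, cloud IAM and HR system already produce, and the dated output doubles as the access-review evidence an auditor asks for. The script below is an added example for this checklist (not SOC2Scout's code and not tied to any product): the Account fields, the HR termination export shape, the 24-hour and 365-day thresholds and the sample records are assumptions constructed for illustration; map them onto your own exports.

```python
"""Access-review reconciliation for the Access Control domain (CC6.x).

Added example for this checklist, not SOC2Scout's code. Cross-checks an
account inventory against the HR termination list and the named-admin list
and emits one finding per unchecked item. Field names, the HR export shape
and all sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    email: str
    kind: str                  # "user" or "service"
    active: bool
    prod_access: bool          # can reach production systems
    mfa_enabled: bool
    is_admin: bool             # holds admin/root-equivalent rights
    key_issued: Optional[datetime] = None     # issue date of the SSH/API key
    last_reviewed: Optional[datetime] = None  # service accounts only


@dataclass
class Finding:
    control: str   # short tag for the checklist item that failed
    email: str
    detail: str


def review(accounts: List[Account],
           terminations: Dict[str, datetime],   # email -> termination time from HR
           named_admins: Set[str],
           now: datetime,
           offboard_sla: timedelta = timedelta(hours=24),
           key_max_age: timedelta = timedelta(days=365),
           svc_review_max_age: timedelta = timedelta(days=365)) -> List[Finding]:
    findings: List[Finding] = []
    for a in accounts:
        # MFA enforced for all users with access to production systems
        if a.kind == "user" and a.active and a.prod_access and not a.mfa_enabled:
            findings.append(Finding("MFA", a.email, "production access without MFA"))
        # Offboarding removes access within 24 hours of termination
        term = terminations.get(a.email)
        if term is not None and a.active and now - term > offboard_sla:
            findings.append(Finding("OFFBOARDING", a.email,
                                    f"still active {(now - term).days}d after termination"))
        # Privileged access limited to named individuals
        if a.active and a.is_admin and a.email not in named_admins:
            findings.append(Finding("PRIV", a.email, "admin rights but not on the named-admin list"))
        # SSH keys and API keys rotated at least annually
        if a.active and a.key_issued is not None and now - a.key_issued > key_max_age:
            findings.append(Finding("KEY_ROTATION", a.email,
                                    f"key is {(now - a.key_issued).days}d old"))
        # Service accounts inventoried and reviewed annually
        if a.kind == "service" and a.active and (
                a.last_reviewed is None or now - a.last_reviewed > svc_review_max_age):
            findings.append(Finding("SVC_REVIEW", a.email, "no review in the last 365 days"))
    return findings


# Constructed sample data (assumption): a small inventory with one of each gap.
NOW = datetime(2026, 3, 15, 12, 0)
SAMPLE_ACCOUNTS = [
    Account("alice@example.com", "user", True, True, True, True, key_issued=datetime(2025, 6, 1)),
    Account("bob@example.com", "user", True, True, False, False),          # no MFA
    Account("carol@example.com", "user", True, True, True, True),          # unlisted admin
    Account("dave@example.com", "user", True, True, True, False),          # left 5 days ago
    Account("erin@example.com", "user", False, False, True, False),        # already disabled
    Account("frank@example.com", "user", True, True, True, False),         # left 11 h ago
    Account("deploy-bot@example.com", "service", True, True, False, False,
            key_issued=datetime(2024, 12, 1)),                             # stale key, never reviewed
]
SAMPLE_TERMINATIONS = {
    "dave@example.com": datetime(2026, 3, 10, 9, 0),
    "erin@example.com": datetime(2026, 3, 14, 10, 0),
    "frank@example.com": datetime(2026, 3, 15, 1, 0),   # inside the 24 h SLA
}
NAMED_ADMINS = {"alice@example.com"}


def run_sample() -> List[Finding]:
    return review(SAMPLE_ACCOUNTS, SAMPLE_TERMINATIONS, NAMED_ADMINS, NOW)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.control:13} {f.email:25} {f.detail}")
```

Run it against a real export on the same cadence as the quarterly access review and file the dated output with the review sign-off: an empty result is the evidence, a non-empty one is the remediation list.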
DOMAIN 02 (CC8.x)

Change Management

All code changes require peer review before deployment
Production deployments require documented approval
Emergency changes have documented retrospective approval process
Test / dev / staging environments separated from production
Change management policy exists and is current (reviewed in last 12 months)
Rollback procedure documented for production deployments
Vulnerability scanning (dependencies, container images, code) in the CI/CD pipeline, with findings triaged against a documented remediation SLA
DOMAIN 03 (CC3.x)

Risk Assessment

Annual risk assessment performed and documented
Risk register maintained with owner and mitigation for each risk
New risks assessed when significant infrastructure changes made
Risk assessment methodology documented
Board or leadership informed of top risks annually
Third-party risk assessments conducted for critical vendors
DOMAIN 04 (CC7.x)

Monitoring & Detection

Security event logging enabled across all production systems
Logs centralized and retained for a minimum of 90 days (the TSC set no fixed number; for a Type 2 report you must be able to produce log evidence covering the whole observation period, so retain at least that long, in a store that the people being audited cannot alter)
Alerting configured for critical security events
Evidence of alert review and response documented monthly
SIEM or equivalent monitoring tool in place
Failed login attempt monitoring and alerting
Unusual access pattern detection
Annual penetration test performed by qualified third party
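Failed-login monitoring and unusual-access detection (the sixth and seventh items above) are easiest to evidence when the rule is written down and runnable. The following is an added example for this checklist, not SOC2Scout's code and not any particular SIEM's rule syntax: it parses sshd auth lines and fires on a burst of failed passwords from one source, on a success that follows such a burst, and on a success from an address outside a per-user baseline. The log lines, the baseline table, the 5-in-10-minutes threshold and the syslog year (sshd's timestamp omits it) are all constructed assumptions.

```python
"""Failed-login and unusual-access detection over sshd auth log lines (CC7.x).

Added example for this checklist, not SOC2Scout's code. The sample log,
the per-user source baseline, the threshold and the assumed year are
constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set

# Standard syslog-style sshd line: "Mar 15 09:10:00 host sshd[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")


@dataclass
class Event:
    ts: datetime
    kind: str   # "fail" or "ok"
    user: str
    ip: str


@dataclass
class Alert:
    rule: str
    user: str
    ip: str
    ts: datetime


def parse(line: str, year: int = 2026) -> Optional[Event]:
    """Return an Event for a failed/accepted login line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # year is assumed
    for kind, rx in (("fail", FAIL_RE), ("ok", OK_RE)):
        hit = rx.match(m["msg"])
        if hit:
            return Event(ts, kind, hit["user"], hit["ip"])
    return None


def detect(lines: Iterable[str], baseline: Dict[str, Set[str]],
           threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    alerts: List[Alert] = []
    recent_fails = defaultdict(deque)   # ip -> failure timestamps inside the sliding window
    burst_ips: Set[str] = set()         # ips that already tripped the brute-force rule
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev.kind == "fail":
            q = recent_fails[ev.ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ev.ip not in burst_ips:
                burst_ips.add(ev.ip)
                alerts.append(Alert("BRUTE_FORCE", ev.user, ev.ip, ev.ts))
        else:
            if ev.ip in burst_ips:   # success right after a burst is the one to page on
                alerts.append(Alert("SUCCESS_AFTER_BRUTE_FORCE", ev.user, ev.ip, ev.ts))
            if ev.ip not in baseline.get(ev.user, set()):
                alerts.append(Alert("NEW_SOURCE", ev.user, ev.ip, ev.ts))
    return alerts


# Constructed sample log (assumption): documentation/test address ranges only.
SAMPLE_LOG = """\
Mar 15 09:00:01 web1 sshd[2001]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Mar 15 09:05:10 web1 sshd[2002]: Failed password for invalid user admin from 192.0.2.9 port 40001 ssh2
Mar 15 09:05:12 web1 sshd[2003]: Failed password for root from 192.0.2.9 port 40002 ssh2
Mar 15 09:10:00 web1 sshd[2010]: Failed password for root from 203.0.113.5 port 4001 ssh2
Mar 15 09:10:03 web1 sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 4002 ssh2
Mar 15 09:10:05 web1 sshd[2012]: Failed password for invalid user test from 203.0.113.5 port 4003 ssh2
Mar 15 09:10:09 web1 sshd[2013]: Failed password for alice from 203.0.113.5 port 4004 ssh2
Mar 15 09:10:12 web1 sshd[2014]: Failed password for alice from 203.0.113.5 port 4005 ssh2
Mar 15 09:10:20 web1 sshd[2015]: Accepted password for alice from 203.0.113.5 port 4006 ssh2
Mar 15 09:30:00 web1 sshd[2020]: Accepted publickey for bob from 192.0.2.44 port 6000 ssh2
Mar 15 09:31:00 web1 sshd[2021]: pam_unix(sshd:session): session opened for user bob by (uid=0)
""".splitlines()
SAMPLE_BASELINE = {"alice": {"198.51.100.7"}, "bob": {"198.51.100.7"}}   # assumption


def run_sample() -> List[Alert]:
    return detect(SAMPLE_LOG, SAMPLE_BASELINE)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts:%H:%M:%S} {a.rule:26} user={a.user:6} src={a.ip}")
```

Whatever tool carries this rule in production, keep the alert output together with the ticket or note showing who reviewed it; the monthly review evidence in the fourth item above is exactly that trail.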
DOMAIN 05 (CC7.4, CC7.5)

Incident Response

Incident response plan documented and approved
Incident response plan tested via tabletop exercise in last 12 months
Incident severity classification criteria defined
Customer notification procedures documented (including timing)
Incident tracking system captures all incidents
Post-incident reviews documented
DOMAIN 06 (CC9.2)

Vendor Management

Inventory of all critical vendors and subservice organizations
Annual vendor risk assessments performed and documented
Vendor SOC2 reports (or equivalent) collected and reviewed
Vendor contracts include security and data handling requirements
Critical vendor offboarding procedure documented
Data processing agreements (DPAs) in place where required
DOMAIN 07 (A1.x)

Business Continuity / Availability

Business continuity plan documented
RTO and RPO defined for all critical systems
Backup procedures documented and tested in last 12 months
Disaster recovery test performed and results documented
Redundancy implemented for critical infrastructure
Capacity planning process in place
Uptime monitoring with alerting in place
DOMAIN 08 (CC6.7, C1.x)

Data Classification & Handling

Data classification policy defines sensitivity levels
Customer data encrypted at rest
Customer data encrypted in transit (TLS 1.2+ minimum, with SSL and TLS 1.0/1.1 disabled on every listener)
Data retention and deletion procedures documented
Customer data deletion verified upon offboarding
Data inventory or mapping current
Personal data handling complies with applicable privacy laws
DOMAIN 09 (CC1.4, CC2.x)

Security Awareness Training

Annual security awareness training for all employees
Training completion tracked and documented
Phishing simulation performed in last 12 months
New employee security training in onboarding
Acceptable use policy signed by all employees
Security responsibilities in job descriptions
DOMAIN 10 (CC6.4, CC6.5)

Physical Security

Data center physical access controls documented (for cloud workloads: the shared responsibility model acknowledged and the provider's own SOC2 report on file, since it is a subservice organization whose physical controls you inherit)
If office hosts any production systems: physical access controls in place
Clean desk policy implemented
Employee device management policy (MDM or equivalent)

How to Estimate Your Readiness Score

Count your unchecked items in each domain. Use the table below to estimate total remediation hours. This gives you a realistic preparation timeline before contacting auditors.

Domain                         | Controls | Hours to remediate all gaps | Typical priority
Access Control                 | 8        | 40 hrs                      | Critical
Change Management              | 7        | 24 hrs                      | Critical
Risk Assessment                | 6        | 20 hrs                      | High
Monitoring & Detection         | 8        | 32 hrs                      | High
Incident Response              | 6        | 16 hrs                      | High
Vendor Management              | 6        | 20 hrs                      | Medium
Business Continuity            | 7        | 28 hrs                      | Medium
Data Classification & Handling | 7        | 24 hrs                      | High
Security Awareness Training    | 6        | 12 hrs                      | Medium
Physical Security              | 4        | 8 hrs                       | Low
Total                          | 65       | 224 hrs                     |
SCORING GUIDE

0–10 gaps: Audit-ready. Engage an auditor now; minor gaps can be addressed during readiness.
11–25 gaps: 2–3 months to ready. Focus on the Critical and High priority domains first; consider a GRC platform.
26–50 gaps: 4–6 months to ready. Significant work needed; start with Access Control and Change Management.
51+ gaps: 6+ months to ready. Start with a GRC platform to accelerate; do not engage an auditor yet.

Frequently Asked Questions

How long does it take to complete SOC2 readiness preparation?

For a company starting from scratch, readiness preparation typically takes 8–16 weeks. The wide range reflects starting state: a company with documented policies and active access reviews might be ready in 6 weeks; a company with no policies and no formal change management process might take 4–6 months. The fastest path is to use a GRC platform (Vanta, Drata) that automates evidence collection and provides policy templates, which can significantly compress the preparation timeline.

What's the difference between a readiness assessment and the actual SOC2 audit?

A readiness assessment is an internal review (or an informal pre-audit review with your auditor) that identifies gaps before the formal audit begins. It does not produce a SOC2 report and has no official standing. The actual SOC2 audit is performed by a licensed CPA firm following AICPA standards, results in an official Type 1 or Type 2 report, and is what enterprise buyers require. Completing this checklist is a self-administered readiness assessment — use it to find gaps before your auditor does.

Can I use this checklist to estimate audit costs?

Partially. Auditors quote based on scope (which TSC), company size, and complexity — not purely on control gaps. However, companies that are well-prepared (mostly green on this checklist) consistently receive lower quotes because auditors spend fewer hours on your engagement. As a rough rule: each significant gap area (access reviews never done, no documented policies, no evidence of monitoring) adds 4–8 hours of auditor time to your engagement at $200–$400/hour.

What happens if I fail a SOC2 control during the audit?

There is no pass/fail grade. SOC2 auditors report what they found: controls that operated effectively and controls that did not. A finding means your report describes the exception, which you then remediate for the next audit period. For Type 1, a finding means the control was not suitably designed or implemented as of the report date. For Type 2, it means the control did not operate consistently during the observation period. If exceptions are numerous or touch a critical control, the auditor's opinion itself can be qualified rather than unqualified, which buyers notice. Most enterprise buyers accept reports with minor findings; significant findings across core access control or change management can affect deal progress.

Should I do a Type 1 or Type 2 audit first?

If you have an enterprise deal that requires SOC2 now, do Type 1 first. It is faster (6–8 weeks vs 10–14 months), cheaper, and produces a real report you can share with prospects while your Type 2 observation period runs. If you have no immediate deal requirement and are planning ahead, skip Type 1 and go straight to a 6-month Type 2 observation period to save the Type 1 audit cost and get to the more valuable report faster. See our complete guide on Type 1 vs Type 2 for the full analysis.

RELATED GUIDES
SOC2 for Startups: When to Start, What It Costs
SOC2 for SaaS Companies: The 2026 Practical Guide
SOC2 Type 1 vs Type 2: Which Do You Need?
Complete SOC2 Audit Cost Breakdown 2026
SOC2 Compliance Automation Tools Compared

Ready to engage an auditor?

Once you have completed your readiness preparation, use our Match Wizard to find auditors that specialize in your company size and industry — matched to your stage, timeline, and audit scope.
